
IBM Security Systems

Encryption is Fundamental: A Technical Overview of Guardium Data Encryption

2013 IBM Corporation


Introducing IBM InfoSphere Guardium Data Encryption

Ensure compliance with and protect enterprise data with encryption

Requirements
- Protect sensitive enterprise information and avoid data breaches
- Minimize impact to production
- Enforce separation of duties by keeping security administration and data administration separate
- Meet government and industry regulations (e.g. PCI DSS)

Benefits
- Protect data from misuse
- Satisfy compliance requirements, including proactive separation of duties
- Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes

7 2014 IBM Corporation


InfoSphere Guardium Data Encryption Value Proposition:
Continuously restrict access to sensitive data, including databases, data warehouses, big data environments and file shares, to:
1 Prevent data breaches
  Prevent disclosure or leakage of sensitive data
2 Ensure the integrity of sensitive data
  Prevent unauthorized changes to data, database structures, configuration files and logs
3 Reduce cost of compliance
  Automate and centralize controls
  o Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH, etc.
  o Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop
4 Protect data in an efficient, scalable, and cost-effective way
  Increase operational efficiency
  No degradation of infrastructure or business processes



Guardium Data Encryption Use Cases: Big Picture

Data Files
Usage: Sensitive data used by systems and end users and touched by privileged users (DBAs); Activity Monitoring requirement for separation of duties and a consistent audit policy. Also: encrypt tablespace, log, and other data files at the file system level to protect against OS privileged user credentials.
Common Databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL

Unstructured Data
Usage: Monitor WHO is touching the files and for WHAT purpose.
Usage: Encrypt and control access to any type of data used by an LUW server.
Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data
Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc.

Cloud
Usage: Monitor and know WHO is touching your data stored in the cloud and for WHAT purpose.
Usage: Encrypt and control access to data used by cloud instances.
Common Cloud Providers: IBM, Amazon EC2, Rackspace, MS Azure



GDE File/Table/Volume based Encryption

Diagram: on the host, Applications and Databases/Applications sit above the File System (file level), which sits above the Volume Manager (device level) and the storage behind it (SAN / NAS / DAS / VM / Cloud). The File System Security Manager on the host is connected over the LAN/WAN to the Data Security Manager, which handles authentication/authorization.

Data Security Manager
- Centralized Key Management
- Policy Decision Point
- Highly Available
- Rules-Policy Engine
- Detailed Auditing

File System Security Manager
- Implements Encryption, Access Control and Auditing on the host
- Support for file systems and raw partitions

Protect ALL sensitive data wherever/however it's stored



Enterprise/HA Architecture

Diagram: Web Servers and Application Servers, including remote ones, run the GDE File System Agent, which enforces each Encrypted Folder/Guardpoint and talks to the Data Security Manager (DSM). A Primary DSM and a Secondary DSM are linked by a Secure High Availability Connection.



InfoSphere Guardium Data Encryption (GDE) addresses compliance requirements and protects data at the File System Level

File and Volume Encryption
- High performance / low overhead; Intel/AMD x86 AES-NI hardware encryption available
- Transparent: no changes to application or management required
- Broad OS, file system and volume support

Data File and Distributed File System Encryption
- Heterogeneous, transparent and high performance
- Encrypts the tablespace at the file and volume level
- Broad support for multiple database and big data vendors

Policy Based Access Control to Encrypted Data
- Policy-based and transparent
- Linked to LDAP and system-level accounts
- By process, user, time and more
- Prevents privileged user access to protected data while allowing normal application and systems management use

Key Management
- Securely stores and manages the keys used in the implementation



File Encryption Management

Diagram: the same file, Jsmith.doc, in clear text and after encryption. The file system metadata (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02) is identical on both sides; only the file data changes. In the clear the data reads "Name: J Smith / Credit Card #: 6011579389213 / Bal: $5,145,789 / Social Sec No: 514-73-8970"; on the encrypted side the same block-writes and block-reads carry ciphertext such as "dfjdNk%(Amg 8nGmwlNskd 9f Sk9ineo93o2n*&*^ xIu2Ks0BKsjd Nac0&6mKcoS qCio9M*sdopF".

- File systems always read and write in fixed block sizes
- Encryption takes place on the block I/Os to a protected file
- GDE simply encrypts or decrypts the block reads and writes



Policy Rules

WHO is attempting to access protected data?
  Configure one or more users, groups, or applications (processes a user may invoke) that may access protected data
WHAT data is being accessed?
  Configure a mix of files and directories
WHEN is the data being accessed?
  Configure a range of hours and days of the week for authorized access
HOW is the data being accessed?
  Configure the file system operations allowed on the data, e.g. read, write, delete, rename, etc.
EFFECT: Permit; Deny; Apply Key; Audit
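Added example (not IBM's code): a policy decision point in Go that answers the four questions above for one intercepted operation and returns the listed effects. The rule set, paths, account names and binaries are constructed. First-match ordering, a default of deny-and-audit, and the reading of "Permit without Apply Key" as "the operation succeeds but returns the stored ciphertext" are this example's assumptions, consistent with the deck's statement that privileged users are blocked while application and systems management use continues.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Request is one file system operation the GDE agent intercepts on a guard point.
type Request struct {
	User, Process string    // WHO: the account and the binary it is running
	Path, Op      string    // WHAT (path under the guard point) and HOW (read, write, delete, rename ...)
	At            time.Time // WHEN
}

// Rule is one line of a guard point policy; an empty field matches anything.
type Rule struct {
	Name                    string
	Users, Processes, Paths []string       // WHO and WHAT; Paths are directory prefixes
	Days                    []time.Weekday // WHEN: days of the week
	From, To                int            // WHEN: hours of the day, [From, To); both zero means all day
	Ops                     []string       // HOW
	Permit, ApplyKey, Audit bool           // EFFECT
}

// Decision is the policy decision point's answer for one request.
type Decision struct {
	Permit, ApplyKey, Audit bool
	Rule                    string
}

func anyMatch(set []string, v string) bool {
	if len(set) == 0 {
		return true
	}
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

func (r Rule) matches(q Request) bool {
	if !anyMatch(r.Users, q.User) || !anyMatch(r.Processes, q.Process) || !anyMatch(r.Ops, q.Op) {
		return false
	}
	if len(r.Paths) > 0 {
		inside := false
		for _, p := range r.Paths {
			inside = inside || strings.HasPrefix(q.Path, p)
		}
		if !inside {
			return false
		}
	}
	if len(r.Days) > 0 {
		today := false
		for _, d := range r.Days {
			today = today || d == q.At.Weekday()
		}
		if !today {
			return false
		}
	}
	to := r.To
	if to == 0 {
		to = 24
	}
	return q.At.Hour() >= r.From && q.At.Hour() < to
}

// evaluate returns the first rule that matches. With no match the guard point falls through to
// deny-and-audit, so a user or tool that nobody listed never sees protected data. First-match
// ordering and the default are this example's choices, not documented GDE behaviour.
func evaluate(policy []Rule, q Request) Decision {
	for _, r := range policy {
		if r.matches(q) {
			return Decision{r.Permit, r.ApplyKey, r.Audit, r.Name}
		}
	}
	return Decision{Audit: true, Rule: "default-deny"}
}

// policy is a constructed guard point policy for Oracle data files under /oradata/.
var policy = []Rule{
	// The database engine gets plaintext (Apply Key), but only when it runs as its own binary.
	{Name: "db-engine", Users: []string{"oracle"}, Processes: []string{"/u01/app/oracle/bin/oracle"},
		Paths: []string{"/oradata/"}, Ops: []string{"read", "write"}, Permit: true, ApplyKey: true},
	// Backups may read between 01:00 and 05:00 without Apply Key: tar copies ciphertext, audited.
	{Name: "nightly-backup", Users: []string{"backup"}, Processes: []string{"/usr/bin/tar"},
		Ops: []string{"read"}, From: 1, To: 5, Permit: true, Audit: true},
	// root, the OS privileged user, is denied outright and every attempt is logged.
	{Name: "block-root", Users: []string{"root"}, Permit: false, Audit: true},
}

func main() {
	night := time.Date(2014, time.March, 12, 2, 0, 0, 0, time.UTC) // a Wednesday, 02:00
	day := night.Add(12 * time.Hour)
	for _, q := range []Request{
		{"oracle", "/u01/app/oracle/bin/oracle", "/oradata/system01.dbf", "read", day},
		{"oracle", "/bin/cp", "/oradata/system01.dbf", "read", day}, // service account, wrong tool
		{"backup", "/usr/bin/tar", "/oradata/system01.dbf", "read", night},
		{"backup", "/usr/bin/tar", "/oradata/system01.dbf", "read", day}, // outside the window
		{"root", "/bin/cat", "/oradata/system01.dbf", "read", night},
	} {
		fmt.Printf("%-7s %-28s %s %02d:00 -> %+v\n", q.User, q.Process, q.Op, q.At.Hour(), evaluate(policy, q))
	}
}
```

The process constraint does the real work against an insider: the oracle account running cp on a data file is denied even though the same account running the database binary gets plaintext, and root is denied regardless of time, path or tool. A backup job that is permitted but not given the key copies ciphertext it cannot read, which is the separation of duties the deck describes.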
