European Data Compliance Needs of 2016
© 2015 IBM Corporation
Vikalp Paliwal, Product Manager, Guardium
Michel Bouma, Data Governance & Security Solutions Sales Leader Europe
Data is challenging to secure
DYNAMIC: Data multiplies continuously and moves quickly
DISTRIBUTED: Data is everywhere, across applications and infrastructure
IN DEMAND: Users need to constantly access and share data to do their jobs
4 main areas in EU GDPR
• Easier access to your own data: individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way
• A right to data portability: it will be easier to transfer your personal data between service providers
• A clarified "right to be forgotten": when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted
• The right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures
EU General Data Protection Regulation - for organisations
• Only one set of laws across all 28 states
• Organisations (‘controllers’) will only have to work with one authority instead of 28
• Organisations with “sensitive” records held must appoint a Data Protection Officer (DPO). This post can be shared with other organisations and can be outsourced
• Non-EU companies will also have to comply.
• Every organisation will have to design in data protection during roll-out of new services and technology
• Fines have been set at up to 4 percent of turnover or €20 million, whichever is higher. A two percent figure will apply for more minor breaches.
• Requirement to notify of data breaches within 72 hours.
• Encryption may avoid breach notification, but only if it has been competently implemented
• Data processors (not only Data Controllers) will be held responsible for data protection
Managing compliance for sensitive data is stressful
Activities: Monitoring, Auditing, Classification, Discovery, Assessment, File Analysis, Configuration, Entitlement, Compliance
Regulations and standards: PCI DSS, SOX, HIPAA, CIS, CVE, STIG, NIST
Guardium Discovery, Guardium DAM, Guardium VA, Guardium Encryption
92% of breaches are discovered by an external party
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
IBM Security Guardium value
Protect all data against unauthorized access and enable organizations to comply with government regulations and industry standards
Identify risk: Discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities
Prevent data breaches: Prevent disclosure or leakage of sensitive data
Ensure data privacy: Prevent unauthorized changes to data
Reduce the cost of compliance: Automate and centralize controls across diverse regulations and heterogeneous environments
[Figure: coverage on premise and on cloud, for data at rest and data in motion, across data repositories, sensitive documents and OS files]
The Compliance Mandate – What do you need to monitor?
Audit requirements mapped against PCI DSS, COBIT (SOX), ISO 27002, Data Privacy & Protection Laws and NIST SP 800-53 (FISMA):
1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
DDL = Data Definition Language (aka schema changes); DML = Data Manipulation Language (data value changes); DCL = Data Control Language
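The five monitoring categories above are easiest to understand as a classifier run over database audit events. The script below is an added example, not IBM or Guardium code: it takes constructed audit records in an assumed (timestamp, user, client, status, SQL) shape, buckets each into one of the five categories, and raises alerts for sensitive reads by accounts other than an assumed application service account and for every security exception. The sensitive-table list stands in for the output of a prior discovery and classification run.

```python
import re
from collections import Counter

# Constructed sample audit records in the shape (timestamp, db user, client, status, SQL).
# The status values are assumptions for this example, not any vendor's log format.
SAMPLE_EVENTS = [
    ("2015-11-03T10:02:11", "app_svc", "10.0.1.20", "OK", "SELECT name FROM customers WHERE id = 42"),
    ("2015-11-03T10:02:15", "jsmith", "10.0.9.7", "OK", "SELECT card_number FROM customers"),
    ("2015-11-03T10:03:01", "jsmith", "10.0.9.7", "DENIED", "SELECT * FROM payroll"),
    ("2015-11-03T10:04:30", "dba1", "10.0.1.5", "OK", "ALTER TABLE customers ADD COLUMN ssn TEXT"),
    ("2015-11-03T10:05:00", "app_svc", "10.0.1.20", "OK", "UPDATE customers SET name = 'x' WHERE id = 42"),
    ("2015-11-03T10:05:10", "dba1", "10.0.1.5", "OK", "GRANT SELECT ON customers TO jsmith"),
    ("2015-11-03T10:06:00", "unknown", "10.0.9.7", "LOGIN_FAILED", ""),
    ("2015-11-03T10:06:05", "app_svc", "10.0.1.20", "SQL_ERROR", "SELECT * FROM nosuchtable"),
]

# Assumed result of an earlier discovery/classification run: tables holding sensitive data.
SENSITIVE_TABLES = {"customers", "payroll"}
# Assumed application service accounts whose reads of sensitive tables are expected.
APP_ACCOUNTS = {"app_svc"}

DDL = {"CREATE", "DROP", "ALTER", "TRUNCATE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DCL = {"GRANT", "REVOKE"}

# Crude object extraction: the identifier following FROM/INTO/UPDATE/TABLE/ON/JOIN.
OBJECT_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|ON|JOIN)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def referenced_tables(sql):
    """Return the lower-cased table names a statement appears to touch."""
    return {m.group(1).lower() for m in OBJECT_RE.finditer(sql)}


def classify_event(status, sql):
    """Map one audit record to one of the slide's five monitoring categories."""
    if status in ("LOGIN_FAILED", "SQL_ERROR"):
        return "security_exception"          # category 4: failed logins, SQL errors
    words = sql.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in DCL:
        return "dcl_permissions"             # category 5: GRANT / REVOKE
    if verb in DDL:
        return "ddl_schema_change"           # category 2: schema changes
    if verb in DML:
        return "dml_data_change"             # category 3: data value changes
    if verb == "SELECT":
        if referenced_tables(sql) & SENSITIVE_TABLES:
            return "sensitive_data_access"   # category 1: successful or denied reads
        return "other_read"
    return "other"


def summarize(events):
    """Count events per category and raise alerts that answer who/what/when/how."""
    counts = Counter()
    alerts = []
    for ts, user, client, status, sql in events:
        category = classify_event(status, sql)
        counts[category] += 1
        unexpected_reader = category == "sensitive_data_access" and user not in APP_ACCOUNTS
        if unexpected_reader or category == "security_exception":
            alerts.append({"when": ts, "who": user, "how": client,
                           "what": category, "status": status, "sql": sql})
    return counts, alerts


if __name__ == "__main__":
    totals, findings = summarize(SAMPLE_EVENTS)
    for category, n in sorted(totals.items()):
        print(f"{category:24s} {n}")
    for a in findings:
        print("ALERT", a["when"], a["who"], a["how"], a["what"], a["status"], a["sql"])
```

Two design points carry over to a real deployment: the DENIED read of the payroll table is still reported under category 1 rather than being hidden among errors, and the categories are keyed on the statement verb plus the referenced objects, so a policy can be written per category without parsing full SQL.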
Guardium uses intelligence and automation to safeguard data
PROTECT: Complete protection for sensitive data, including compliance automation
ADAPT: Seamlessly handle changes within your IT environment
ANALYZE: Automatically discover critical data and uncover risk
ANALYZE. PROTECT. ADAPT.
Data sources: Databases and Data Warehouses, File Systems, Applications, Big Data Platforms, Cloud Environments
Capabilities, underpinned by ANALYTICS:
• Discovery, classification, vulnerability assessment, entitlement reporting
• Encryption, masking, and redaction
• Data and file activity monitoring
• Dynamic blocking and masking, alerts, and quarantine
• Compliance automation and auditing
Discover and Classify Sensitive Data in Databases and Files
• Discover database instances on the network
• Catalog Search: Search the database catalog for table or column name
  – Example: Search for tables where column name is like “%card%”
• Search by Permission: Search for the types of access that have been granted to users or roles
• Search for Data: Match specific values or patterns in the data
  – Example: Search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card patterns)
• Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
• Classify Data: put data in actionable groups, automatically or manually
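The catalog search and the data search above find different things, and the classification step is where they are reconciled. The following is an added example written for this page, not Guardium's discovery engine or its guardium://CREDIT_CARD pattern: it builds a constructed SQLite database with well-known test card numbers, searches the catalog for column names containing "card", scans every text value for a 13-19 digit candidate that also passes the Luhn check, and groups the results into actionable sets. The regex and the masking format are assumptions of the example.

```python
import re
import sqlite3

# Candidate primary account number: 13-19 digits, optionally separated by single
# spaces or dashes. The regex only shortlists; the Luhn check confirms plausibility.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_sample_db():
    """Constructed schema and rows for the demo (public test card numbers, no real data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, card_number TEXT);
        CREATE TABLE orders (id INTEGER, order_ref TEXT, notes TEXT);
        CREATE TABLE audit_log (id INTEGER, message TEXT);
        INSERT INTO customers VALUES (1, 'Alice', '4111 1111 1111 1111');
        INSERT INTO customers VALUES (2, 'Bob', '4111111111111112');
        INSERT INTO orders VALUES (10, 'ORD-2015-0001', 'paid with 5555-5555-5555-4444 at checkout');
        INSERT INTO audit_log VALUES (1, 'ticket 1234567890123 closed');
    """)
    return con


def list_tables(con):
    return [row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]


def list_columns(con, table):
    return [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]


def catalog_search(con, fragment="card"):
    """Catalog search: columns whose name is like %card% (name match only, no data read)."""
    return [(t, c) for t in list_tables(con) for c in list_columns(con, t)
            if fragment.lower() in c.lower()]


def data_search(con):
    """Data search: scan every text value for the card pattern and keep Luhn-valid hits.
    Returns (table, column, masked value) so the report itself carries no full number."""
    findings = []
    for t in list_tables(con):
        for c in list_columns(con, t):
            for (value,) in con.execute(f'SELECT "{c}" FROM "{t}"'):
                if not isinstance(value, str):
                    continue
                for m in CARD_CANDIDATE.finditer(value):
                    digits = re.sub(r"[ -]", "", m.group())
                    if luhn_ok(digits):
                        findings.append((t, c, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def classify(con):
    """Put results into actionable groups: everything to protect, and what a name search alone misses."""
    by_name = set(catalog_search(con))
    by_data = {(t, c) for t, c, _ in data_search(con)}
    return {
        "cardholder_data_columns": sorted(by_name | by_data),
        "found_by_data_only": sorted(by_data - by_name),
    }


if __name__ == "__main__":
    db = build_sample_db()
    print("catalog hits:", catalog_search(db))
    print("data hits:   ", data_search(db))
    print("groups:      ", classify(db))
```

On the constructed data the name search finds only customers.card_number, while the data search also finds a card number pasted into orders.notes and correctly rejects the 13-digit ticket number and the mistyped card in Bob's row, which is the practical reason both search modes are needed before classification.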
Managing vulnerabilities in data repositories is the first step to compliance
Common vulnerabilities in data repositories:
• Default username and password
• Excessive privilege
• Default settings and misconfigurations
• Un-patched databases
• Non-supported product versions
• Unknown sensitive data
Implications:
• Non-compliance
• Audit failure
• Insider theft
• Data breach
IBM Security Guardium Vulnerability Assessment: Analyze risk, automate compliance and harden your data environment
Sensitive Data Discovery
• Identifies sensitive data (credit cards, transactions or PII)
• Reporting on sensitive objects
• Discover database instances
• Entitlement reporting
Comprehensive testing and reporting
• Using industry best practices and primary research
• 2000+ predefined tests to uncover database and OS vulnerabilities
• Recommendations for remediation
• Vulnerability Assessment scorecard
• Configuration audit system (CAS) monitors configuration changes
• View graphical representation of trends
• Includes quarterly DPS updates
Extensible design
• Enables custom-defined tests
• Tuning existing tests to match needs
• Report builder for custom reports
Collaborate to protect
• Compliance workflow
• Exception management
• Export to other security tools
Collaborate to protect
Key best practices to consider when assessing vulnerabilities
• Identify gaps: Using privilege, configuration, patch, password policy, and OS-level file permission tests
• Enforce best practices: Such as DoD STIG, CIS, CVE, PCI DSS
• Create a baseline: With custom or out-of-the-box tests for your organization, industry or application
• Be analytical: And apply advanced forensics & analytics to understand sensitive data risk and exposure
• Perform: Using a solution that has zero performance impact
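The vulnerability list, the test/scorecard model and the baseline advice above fit together as one small assessment loop. The code below is an added example for this page, not Guardium VA or any of its 2000+ tests: it runs six checks (default credentials, excessive privilege, supported version, patch currency, hardening settings, data file permissions) over a constructed configuration snapshot with assumed field names, produces a weighted scorecard, and compares a later scan against the first one so that fixed and regressed tests are reported separately. The assessment date is fixed so the result is reproducible.

```python
import copy
from datetime import date

# Constructed snapshot of one database instance (assumed field names; not any vendor's format).
SNAPSHOT = {
    "version": "9.4",
    "supported_versions": {"9.4", "9.5"},
    "last_patch": date(2014, 6, 1),
    "accounts": [
        {"user": "admin", "default_password": True, "roles": {"DBA"}},
        {"user": "app_svc", "default_password": False, "roles": {"DBA"}},
        {"user": "report_ro", "default_password": False, "roles": {"READ"}},
    ],
    "settings": {"remote_os_authent": "on", "ssl": "off", "log_connections": "off"},
    "data_file_mode": 0o600,
}
ASSESSMENT_DATE = date(2015, 11, 3)   # fixed so the example is deterministic
ADMIN_ACCOUNTS = {"admin"}            # assumed: the only accounts allowed to hold DBA
HARDENED_SETTINGS = {"remote_os_authent": "off", "ssl": "on", "log_connections": "on"}


# Each test returns (passed, detail). Weights below feed the scorecard.
def default_credentials(s):
    bad = [a["user"] for a in s["accounts"] if a["default_password"]]
    return not bad, f"default password still set for: {bad}" if bad else "none"

def excessive_privilege(s):
    bad = [a["user"] for a in s["accounts"]
           if "DBA" in a["roles"] and a["user"] not in ADMIN_ACCOUNTS]
    return not bad, f"DBA role on non-admin accounts: {bad}" if bad else "none"

def supported_version(s):
    ok = s["version"] in s["supported_versions"]
    return ok, f"version {s['version']} supported={ok}"

def patch_currency(s, max_age_days=180):
    age = (ASSESSMENT_DATE - s["last_patch"]).days
    return age <= max_age_days, f"last patch {age} days ago"

def hardening_settings(s):
    wrong = {k: s["settings"].get(k) for k, v in HARDENED_SETTINGS.items()
             if s["settings"].get(k) != v}
    return not wrong, f"settings differ from baseline: {wrong}" if wrong else "all match"

def file_permissions(s):
    loose = s["data_file_mode"] & 0o077          # any group/other bits set
    return loose == 0, f"data files mode {oct(s['data_file_mode'])}"

TESTS = [  # (name, weight, function)
    ("default_credentials", 3, default_credentials),
    ("excessive_privilege", 3, excessive_privilege),
    ("supported_version", 2, supported_version),
    ("patch_currency", 2, patch_currency),
    ("hardening_settings", 2, hardening_settings),
    ("file_permissions", 2, file_permissions),
]


def run_assessment(snapshot):
    """Run every test and return one result record per test."""
    return [{"test": n, "weight": w, "passed": p, "detail": d}
            for n, w, fn in TESTS for p, d in [fn(snapshot)]]


def scorecard(results):
    """Weighted score in [0, 1] plus pass/fail counts."""
    total = sum(r["weight"] for r in results)
    earned = sum(r["weight"] for r in results if r["passed"])
    return {"passed": sum(r["passed"] for r in results),
            "failed": sum(not r["passed"] for r in results),
            "score": earned / total}


def compare_to_baseline(baseline, current):
    """Tests that went from fail to pass (fixed) and from pass to fail (regressed)."""
    before = {r["test"]: r["passed"] for r in baseline}
    after = {r["test"]: r["passed"] for r in current}
    return {"fixed": sorted(t for t in after if after[t] and not before[t]),
            "regressed": sorted(t for t in after if before[t] and not after[t])}


def remediated_copy(snapshot):
    """Constructed 'after' snapshot: password changed and patched, but data files loosened."""
    s = copy.deepcopy(snapshot)
    s["accounts"][0]["default_password"] = False
    s["last_patch"] = date(2015, 10, 1)
    s["data_file_mode"] = 0o644
    return s


if __name__ == "__main__":
    baseline = run_assessment(SNAPSHOT)
    for r in baseline:
        print("PASS" if r["passed"] else "FAIL", r["test"], r["detail"])
    print("scorecard:", scorecard(baseline))
    print("vs baseline:", compare_to_baseline(baseline, run_assessment(remediated_copy(SNAPSHOT))))
```

The baseline comparison is the part that earns its keep in practice: a raised overall score can hide a regression, and in the constructed data the second scan improves from 4/14 to 7/14 while the data files have become group- and world-readable.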
Transparent, non-invasive, real-time Data Activity Monitoring
[Figure: Guardium Collector Appliance fed by Guardium host-based probes on Application Servers and Data Servers (DB, Warehouses, Files, Big Data): DISCOVER, MONITOR, PROTECT, AUTOMATE]
• 100% visibility including local privileged access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers or rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision
• Single integrated appliance
• Non-invasive, non-disruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for privileged access
• Auto-discover sensitive resources and data
• Detect or block unauthorized & suspicious activity
• Granular, real-time policies and normalized audit: who, what, when, how
Scalable, multi-tier architecture
[Figure: Guardium Collectors in Americas, Europe and Asia Pacific data centers, covering LOB, Marketing and Big Data Analytics systems, Cloud Environments and the IBM z/OS Mainframe, reporting to a Guardium Central Manager and Aggregator]
• Central management: Policies pushed to collectors from central manager
• Central aggregation: Collectors aggregate data to central audit repository
• Unified solution for both distributed and IBM System z: Enterprise-wide compliance reporting, analytics and forensics
• Enforcement (S-GATE): Prevents privileged users from accessing sensitive information
• Heterogeneous data source support: Databases, Data Warehouses, Files, Big Data
• Integration with LDAP/AD, IAM, change management, SIEM, Archiving, etc.
Guardium makes the compliance burden manageable, less painful, and less costly through:
• Automation for change management
• Pre-packaged knowledge
• Integration
• Performance and scalability
• Centralization
Guardium helps support the most complex of IT environments – examples of supported databases, Big Data environments, file shares, etc.
• Databases: DB2, Informix, IMS
• Data Warehouses: Netezza, PureData for Analytics, DB2 BLU
• Applications: CICS, WebSphere, Siebel, PeopleSoft, E-Business
• Database Tools
• Enterprise Content Managers
• Big Data Environments
• Files: VSAM, z/OS Datasets, FTP
• Cloud Environments
• Operating systems: Windows, Linux, Unix
Recommendations
1. Understand where your crown jewels are located and calculate the risk
– Discovery, Classification and Vulnerability Assessment
2. Look for suspicious activity (DAM)
– Hackers are inside networks long before organizations understand what’s going on with their data
3. Have a plan for when data is exfiltrated
4. Encryption covers a multitude of sins
Greater than 200 days! (2015 Ponemon Study)
Guardium supports the whole data protection journey
Acute compliance need: Database monitoring focused on changed data, automated reporting
Sensitive data discovery: Perform vulnerability assessment, discovery and classification
Address data privacy: Find and address PII, determine who is reading data, leverage masking
Expand platform coverage: Big data platforms, file systems or other platforms also require monitoring, blocking, reporting
Comprehensive data protection: Dynamic blocking, alerting, quarantine, encryption and integration with security intelligence
133 countries where IBM delivers managed security services
20 industry analyst reports rank IBM Security as a LEADER
TOP 3 enterprise security software vendor in total revenue
10K clients protected including…
24 of the top 33 banks in Japan, North America, and Australia
Learn more about IBM Security
Visit our website: ibm.com/guardium
Watch our videos: https://ibm.biz/youtubeguardium
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Legal notices and disclaimers
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security