Information Management White Paper

Understanding holistic database security: 8 steps to successfully securing enterprise data sources

News headlines about the increasing frequency of stolen information and identity theft have focused awareness on data security breaches—and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, loss of customer loyalty and even criminal prosecution.

In addition to the growing number of compliance mandates, organizations are under pressure to embrace the new era of computing, which brings with it new security challenges and a complex security landscape. Hackers are becoming more skilled; they are building sophisticated networks and in some cases are state sponsored. The rise of social media, cloud computing, mobility and big data is making threats harder to identify, and unscrupulous insiders are finding more ways to pass protected information to outsiders with less chance of detection. Organizations need to adopt a more proactive and systematic approach to securing sensitive data and addressing compliance requirements amid the digital information explosion. This approach must span complex, geographically dispersed systems. A paradox exists: organizations are able to process more information than at any other point in history, yet they are unable to understand what data exists and how to protect it from both internal and external attacks.

Sensitive data is found in commercial database systems, such as Oracle, Microsoft SQL Server, IBM DB2 and Sybase, in warehouses like Teradata and Netezza, and also in Hadoop-based systems. This paper discusses the eight essential best practices that provide a holistic approach to safeguarding data sources and achieving compliance with key regulations, such as SOX, PCI DSS, GLBA and data protection laws.

Safeguard and achieve compliance

Most of the world’s sensitive data is stored in commercial database systems, such as Oracle, Microsoft SQL Server, IBM DB2 and Sybase, increasingly making databases a favorite target for criminals. This may explain why SQL injection attacks are increasing. The number of SQL injection attacks has jumped by more than two thirds: from 277,770 in Q1 2012 to 469,983 in Q2 2012 [1]. Ponemon reports that SQL injection accounts for 28% of all breaches (see Figure 1). SQL injection attacks have been around for a long time, but, according to the 2012 IBM Security Systems X-Force Report, they are still the most common type of attack on the Internet.

Figure 1: Analysis of malicious or criminal attacks experienced, according to the 2011 Cost of Data Breach Study, Ponemon Institute, published March 2012

“It’s really not surprising that servers seem to have a lock on first place when it comes to the types of assets impacted by data breaches. They store and process data, and that fact isn’t lost on data thieves.”
— Verizon Data Breach Investigations Report, 2012

[1] http://www.zdnet.com/sql-injection-attacks-up-69-7000001742

Previously, most of the attention has been focused on securing network perimeters and client systems (firewalls, IDS/IPS, anti-virus, and so on). However, with the new era of computing, professionals are being tasked with ensuring that corporate databases, data warehouses, file repositories and Hadoop-based environments are secure from breaches and unauthorized changes. This paper discusses the eight essential best practices that provide a holistic approach to safeguarding databases as well as the array of enterprise data sources across the organization, while achieving compliance with key regulations such as SOX, PCI DSS, GLBA, HIPAA and data protection laws.

“Start with discovery, classification, and [...] building policies and implementing data security controls.”
— Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc.

Step 1. Discovery

Ignorance is not an excuse. Organizations are held accountable to protect all data even if the data isn’t obvious or is revealed only through understanding relationships between databases. Start with a good mapping of sensitive assets, both of database instances and of the sensitive data inside the databases (see Figure 2). Discovery works by examining data values across multiple sources to determine the complex rules and transformations that may hide sensitive content. Automating the discovery process ensures greater data accuracy and reliability than manual analysis.

Mature discovery solutions also find malware placed in databases as a result of SQL injection attacks. In addition to exposing confidential information, SQL injection vulnerabilities allow attackers to embed other attacks inside the database that can then be used against visitors to the website.
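As an added illustration of discovery by data values (example code written for this page, not IBM's or Guardium's), the scanner below classifies columns from two constructed sources by the shape and checksum of their values rather than by column name; the source names, columns, thresholds and patterns are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample sources: column names that do not reveal what they hold,
# which is exactly the case that discovery by data values is meant to catch.
SAMPLE_SOURCES: Dict[str, Dict[str, List[str]]] = {
    "crm.customer_ext": {
        "c_ref": ["4111 1111 1111 1111", "5500000000000004", "6011111111111117"],
        "ord": ["10001", "10002", "4111111111111112"],   # last value fails Luhn
        "note": ["renewal pending", "called back", "vip"],
    },
    "hr.staff_misc": {
        "f2": ["123-45-6789", "987-65-4321", "111-22-3333"],
        "f3": ["2021-01-04", "2021-03-09", "2021-06-30"],
    },
}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the usual first filter for payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value: str) -> Optional[str]:
    """Label one value as PAN, SSN or None from its shape and checksum."""
    v = value.replace(" ", "")
    if v.isdigit() and 13 <= len(v) <= 19 and luhn_ok(v):
        return "PAN"
    if SSN_RE.match(v):
        return "SSN"
    return None

def discover(sources: Dict[str, Dict[str, List[str]]],
             threshold: float = 0.8) -> Dict[str, Dict[str, str]]:
    """Return {source: {column: label}} for every column whose sampled values
    match one sensitive-data pattern at least `threshold` of the time, so a
    column with an occasional checksum-passing number is not flagged."""
    findings: Dict[str, Dict[str, str]] = {}
    for source, columns in sources.items():
        for column, values in columns.items():
            if not values:
                continue
            labels = [classify_value(v) for v in values]
            for label in ("PAN", "SSN"):
                if labels.count(label) / len(values) >= threshold:
                    findings.setdefault(source, {})[column] = label
    return findings
```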

Figure 2: Use discovery solutions as a foundation for all security activities. Map database instances as well as where sensitive data is located.

Step 2. Vulnerability and configuration assessment

Organizations need to assess the configuration of databases, warehouses and Hadoop-based systems to ensure they don’t have security holes (see Figure 3). This includes verifying both the way the database is installed on the operating system (for example, checking file privileges for database configuration files and executables) and configuration options within the database itself (such as how many failed logins will result in a locked account, or which privileges have been assigned to critical tables). Plus, organizations need to verify that they are not running database versions with known vulnerabilities. Don’t build your own checklists. There are several benchmarks from organizations such as DISA, STIG, CIS and CVE that provide tests to check for common vulnerabilities including missing patches, weak passwords, and misconfigured privileges and default accounts, as well as unique vulnerabilities for each DBMS platform.

Traditional network vulnerability scanners weren’t designed for this because they don’t have embedded knowledge about database structures and expected behavior, nor can they issue SQL queries (via credentialed access to the database) in order to reveal database configuration information. Automating the scanning of your database infrastructure to find vulnerabilities provides an ongoing evaluation of your security posture and combines historical and real-time analysis.

Step 3. Hardening

The result of a vulnerability assessment is often a set of specific recommendations to eliminate as many security risks as possible. Implementing these recommendations, such as setting a baseline for system configuration settings and locking user access to data, is the first step to hardening the database, warehouse or Hadoop-based system. Other elements of hardening involve removing all functions and options not in use.

IT security professionals must be vigilant in establishing security policies, access controls and data usage policies to ensure that both the security and business requirements of the organization are being met.

Figure 3: Vulnerability assessment and change tracking use case

Step 4. Change auditing

After discovering data sources, classifying the sensitive data types and hardening configurations, organizations must continually track data sources to ensure they don’t deviate from the “gold” (secure) configuration. Change auditing tools that compare snapshots of the configurations (at both the operating system level and the database level) and immediately send an alert whenever a change is made will improve the security of enterprise data sources and maintain continuous compliance.

Change auditing is required by many legal mandates such as the Sarbanes–Oxley Act (SOX). You must audit changes to data and to the database executables. A database installation has numerous executables, and each one can be used by an attacker to compromise an environment. An attacker can replace one executable with a version that, in addition to doing the regular work, also stores user names and passwords in a readable file. Change auditing would detect changes to the executable file and any other file created by the attacker.

Step 5. Activity monitoring

Real-time monitoring of database, data warehouse or Hadoop-based system activity is key to limiting security risks. Activity monitoring across systems collects information from different sources for advanced analytics. Organizations can then create policies based on this security intelligence, such as alerting, masking or even halting malicious activity. Purpose-built activity monitoring solutions offer a level of granular inspection of databases and repositories not found in any other tool. Use activity monitoring to provide immediate detection of intrusions, misuse and unusual access patterns (which are characteristic of SQL injection attacks), unauthorized changes to financial data, elevation of account privileges, configuration changes executed via SQL commands, and other malicious events. In addition to sending alerts, mature activity monitoring solutions can help prevent a disaster by taking corrective actions in real time, such as transaction blocking, user quarantine or data masking on the fly (see Figure 4).
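An added example of the change-auditing comparison described in Step 4, combined with the file-privilege check from Step 2 (written for this page, not IBM's or Guardium's code): it takes a gold snapshot of a constructed install tree, simulates a replaced executable and a dropped file, and reports the drift. The directory layout, file names and permission policy are assumptions.

```python
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[str, int]]   # relative path -> (sha256, permission bits)

def snapshot(root: Path) -> Snapshot:
    """Record content hash and permission bits for every file under root."""
    snap: Snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (digest, stat.S_IMODE(path.stat().st_mode))
    return snap

def compare(gold: Snapshot, current: Snapshot) -> List[str]:
    """Alerts for drift from the gold snapshot (added, removed, modified files,
    changed permissions) plus the Step 2 privilege check: nothing in the
    install tree should be writable by group or others."""
    alerts: List[str] = []
    for rel in sorted(set(gold) | set(current)):
        if rel not in gold:
            alerts.append(f"ADDED {rel}")
        elif rel not in current:
            alerts.append(f"REMOVED {rel}")
        elif gold[rel][0] != current[rel][0]:
            alerts.append(f"MODIFIED {rel}")
        elif gold[rel][1] != current[rel][1]:
            alerts.append(f"MODE_CHANGED {rel}")
        if rel in current and current[rel][1] & (stat.S_IWGRP | stat.S_IWOTH):
            alerts.append(f"WRITABLE_BY_OTHERS {rel}")
    return alerts

def demo(root: Optional[Path] = None) -> List[str]:
    """Build a constructed install tree, take the gold snapshot, then simulate
    the tampering the text describes and return what change auditing reports."""
    root = root or Path(tempfile.mkdtemp(prefix="dbinstall_"))
    (root / "bin").mkdir(parents=True, exist_ok=True)
    exe, cfg = root / "bin" / "dbserver", root / "server.conf"
    exe.write_bytes(b"#!/bin/sh\necho original server binary\n")
    exe.chmod(0o755)
    cfg.write_text("max_failed_logins = 5\n")
    cfg.chmod(0o640)
    gold = snapshot(root)
    # Simulated tampering: same path and permissions, different content,
    # plus a new world-writable file the gold baseline never contained.
    exe.write_bytes(b"#!/bin/sh\necho tampered server binary\n")
    dropped = root / "bin" / "creds.txt"
    dropped.write_text("")
    dropped.chmod(0o666)
    return compare(gold, snapshot(root))
```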

Figure 4: Use case for database activity monitoring and auditing

Monitoring privileged users or implementing controls for separation of duties is a requirement for data governance regulations such as SOX and data privacy regulations such as PCI DSS. It is important to detect intrusions because attacks are frequently the result of gaining privileged user access (such as via credentials owned by your business applications). Activity monitoring also helps with vulnerability assessment because it goes beyond traditional static assessments to include dynamic assessments of “behavioral vulnerabilities,” such as multiple users sharing privileged credentials or an excessive number of failed database logins.

Comprehensive activity monitoring technologies also offer application-layer monitoring, allowing organizations to detect fraud conducted via multi-tier applications such as PeopleSoft, SAP and Oracle e-Business Suite, rather than via direct connections to the database.

“Not all data and not all users are created equally. You must authenticate users, ensure full accountability per user, and manage privileges to limit access to data.”

Step 6. Auditing and compliance reporting

Secure, non-repudiable audit trails must be generated and maintained for any data source activity that impacts security posture or data integrity, or that involves viewing sensitive data. In addition to being a key compliance requirement, having granular audit trails is also important for forensic investigations.
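An added example (not IBM's or Guardium's code) of the Step 5 monitoring policies and the behavioral vulnerabilities described above, run over constructed audit events: a failed-login burst, a privileged account appearing from two client hosts, GRANT and ALTER SYSTEM statements, and a write to a financial table by an unapproved user. The policy sets, thresholds and event format are assumptions.

```python
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed audit events: (time, db_user, client_host, status, statement).
EVENTS = [
    ("09:00:01", "app_svc", "10.0.0.21", "OK", "SELECT * FROM gl_ledger WHERE period = '2012Q2'"),
    ("09:00:05", "jsmith", "10.0.0.55", "FAIL", "LOGIN"),
    ("09:00:06", "jsmith", "10.0.0.55", "FAIL", "LOGIN"),
    ("09:00:07", "jsmith", "10.0.0.55", "FAIL", "LOGIN"),
    ("09:00:08", "jsmith", "10.0.0.55", "FAIL", "LOGIN"),
    ("09:00:09", "jsmith", "10.0.0.55", "FAIL", "LOGIN"),
    ("09:01:00", "dba_admin", "10.0.0.7", "OK", "GRANT DBA TO jsmith"),
    ("09:02:00", "dba_admin", "10.0.0.99", "OK", "ALTER SYSTEM SET audit_trail = NONE"),
    ("09:03:00", "jsmith", "10.0.0.55", "OK", "UPDATE gl_ledger SET amount = 0 WHERE id = 17"),
]

# Policy (assumed values): privileged accounts, tables holding financial data,
# accounts allowed to write to them, and the failed-login threshold.
PRIVILEGED_USERS = {"dba_admin"}
FINANCIAL_TABLES = {"gl_ledger"}
APPROVED_WRITERS = {"app_svc"}
FAILED_LOGIN_LIMIT = 5

STATEMENT_RULES = [
    ("PRIVILEGE_ELEVATION", re.compile(r"^\s*GRANT\b", re.I)),
    ("CONFIG_CHANGE_VIA_SQL", re.compile(r"^\s*ALTER\s+(SYSTEM|DATABASE)\b", re.I)),
]
WRITE_RE = re.compile(r"^\s*(?:UPDATE|DELETE\s+FROM|INSERT\s+INTO)\s+(\w+)", re.I)

Finding = Tuple[str, str, str, str]   # (time, user, rule, action)

def evaluate(events) -> List[Finding]:
    findings: List[Finding] = []
    failures = defaultdict(int)
    hosts_by_privileged_user = defaultdict(set)
    for ts, user, host, status, stmt in events:
        if status == "FAIL":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_LIMIT:   # alert once, at the threshold
                findings.append((ts, user, "EXCESSIVE_FAILED_LOGINS", "alert"))
            continue
        if user in PRIVILEGED_USERS:
            hosts_by_privileged_user[user].add(host)
            if len(hosts_by_privileged_user[user]) == 2:   # heuristic for a shared credential
                findings.append((ts, user, "SHARED_PRIVILEGED_CREDENTIAL", "alert"))
        for rule, pattern in STATEMENT_RULES:
            if pattern.search(stmt):
                findings.append((ts, user, rule, "alert"))
        m = WRITE_RE.match(stmt)
        if m and m.group(1).lower() in FINANCIAL_TABLES and user not in APPROVED_WRITERS:
            findings.append((ts, user, "UNAUTHORIZED_FINANCIAL_CHANGE", "block"))
    return findings
```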

Figure 5: Manage the entire compliance lifecycle

Most organizations currently employ some form of manual auditing utilizing traditional native database logging capabilities. However, these approaches are often found to be lacking because of their complexity and high operational costs due to manual efforts. Other disadvantages include high performance overhead, lack of separation of duties (DBAs can easily tamper with the contents of database logs, thereby affecting non-repudiation) and the need to purchase and manage large amounts of storage capacity to handle massive amounts of unfiltered transaction information.

Fortunately, next-generation activity monitoring solutions are available to provide granular, DBMS-independent auditing with minimal impact on performance, while reducing operational costs via automation, centralized cross-DBMS policies and audit repositories, filtering, and compression.

Without the ability to quickly provide independent security reporting, organizations will face significant costs and possible audit failure even with the best security controls. A data security solution should centralize reporting across databases, data warehouses, file shares and Hadoop-based systems with a customizable workflow automation solution to generate compliance reports on a scheduled basis. The ability to distribute compliance reports to oversight teams for electronic sign-offs and escalation, and to store the results of remediation activities, promotes automation and reduces the cost of compliance (see Figure 5).

Step 7. Authentication, access control and entitlement management

Not all data and not all users are created equally. Regulatory mandates and security requirements are requiring organizations to adopt strong, multifactor authentication methods to protect against unauthorized and unidentified access. Organizations must authenticate users, ensure full accountability per user and manage privileges to limit access to data. Organizations should enforce these privileges, even for the most privileged database users. Periodic review of entitlement reports (also called User Right Attestation reports) as part of a formal audit process will result in better enterprise data security. A holistic database security solution should include reporting capabilities that automatically aggregate user entitlement information across the entire heterogeneous database infrastructure and identify which users have particular special privileges, what new rights have been granted by whom and what entitlements particular users have.

Step 8. Data transformation

A key component of an information governance strategy, data transformation helps organizations address the challenges of information volume and variety with solutions for data protection and privacy—regardless of the type of data, the location or the usage. Use encryption, masking or redaction to render sensitive data unusable, so that an attacker cannot gain unauthorized access to data from outside the data repository or inadvertently reveal sensitive data.

Data transformation techniques should protect data in transit, so that an attacker cannot eavesdrop at the networking layer (and gain access to the data when it is sent to the database client), as well as data at rest, so that an attacker cannot extract the data (even with access to the media files). Employing the correct data transformation technique will ensure that both structured and unstructured data is protected, while still allowing the needed business data to be shared. Organizations must validate the flow of trusted information by applying the appropriate business rules and privacy procedures to manage data, and continue to demonstrate and prove compliance to third-party auditors on an ongoing basis.
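An added example (not IBM's or Guardium's code) of the Step 7 entitlement report: constructed grant extracts from two DBMS products are normalized, special privileges are resolved through nested roles, and a previous attestation is diffed to show what new rights were granted by whom. The grant records, role names and the SPECIAL set are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple
Grant = Tuple[str, str, str, str]   # (dbms, grantee, granted privilege or role, grantor)

# Constructed extracts from two DBMS products: a previous and a current attestation.
PREVIOUS: List[Grant] = [
    ("oracle", "APP_SVC", "SELECT ON GL_LEDGER", "SYS"),
    ("oracle", "DBA_ADMIN", "DBA", "SYS"),
    ("oracle", "APP_ADMIN", "SELECT ON GL_LEDGER", "SYS"),
    ("mssql", "app_svc", "db_datareader", "sa"),
]
CURRENT: List[Grant] = PREVIOUS + [
    ("oracle", "JSMITH", "APP_ADMIN", "DBA_ADMIN"),   # user granted a role
    ("oracle", "APP_ADMIN", "DBA", "DBA_ADMIN"),      # that role now carries DBA
    ("mssql", "jsmith", "sysadmin", "sa"),
]
# Privileges and roles treated as "special" (assumed list).
SPECIAL = {"DBA", "SYSDBA", "sysadmin", "db_owner", "securityadmin"}

def normalize(records: List[Grant]) -> Set[Grant]:
    """Case-fold grantee and grantor names so records from different DBMS compare."""
    return {(d, g.lower(), p, r.lower()) for d, g, p, r in records}

def effective(records: List[Grant], dbms: str, user: str) -> Set[str]:
    """Everything a grantee holds on one DBMS, directly or through nested roles."""
    direct: Dict[str, Set[str]] = defaultdict(set)
    for d, g, p, _ in normalize(records):
        if d == dbms:
            direct[g].add(p)
    seen: Set[str] = set()
    todo, result = [user.lower()], set()
    while todo:
        g = todo.pop()
        if g in seen:            # guards against role cycles
            continue
        seen.add(g)
        for p in direct.get(g, set()):
            result.add(p)
            if p.lower() in direct:   # the granted name is itself a role
                todo.append(p.lower())
    return result

def special_holders(records: List[Grant]) -> Dict[str, Set[str]]:
    """Which grantees (users or roles) end up with a special privilege, and where."""
    holders: Dict[str, Set[str]] = defaultdict(set)
    for d, g, _, _ in normalize(records):
        for p in effective(records, d, g):
            if p in SPECIAL:
                holders[g].add(f"{d}:{p}")
    return dict(holders)

def new_grants(previous: List[Grant], current: List[Grant]) -> List[Grant]:
    """Rights present now but absent from the previous attestation, with grantor."""
    return sorted(normalize(current) - normalize(previous))
```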
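An added example (not IBM's or Guardium's code) of the Step 8 transformations applied to data before it leaves the repository: masking a PAN, redacting SSNs from free text, and keyed tokenization that keeps joins working; encryption in transit and at rest is outside this snippet. The key, field names and sample records are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed key; in practice it comes from a key manager, never from source code.
TOKEN_KEY = b"constructed-demo-key-rotate-me"

def mask_pan(pan: str) -> str:
    """Masking: keep only the last four digits so a card can be confirmed
    without ever exposing the full PAN."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(text: str) -> str:
    """Redaction: remove SSN-shaped values from free text entirely."""
    return re.sub(r"\b\d{3}-\d{2}-\d{4}\b", "[REDACTED]", text)

def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed tokenization (HMAC-SHA256): deterministic, so the token still joins
    across tables, but not reversible and not guessable without the key."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:20]

def transform(row: Dict[str, str]) -> Dict[str, str]:
    """Apply the per-field policy to one record."""
    out = dict(row)
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    if "ssn" in out:
        out["ssn"] = tokenize(out["ssn"])
    if "notes" in out:
        out["notes"] = redact(out["notes"])
    return out

def join_survives(customers: List[Dict[str, str]], claims: List[Dict[str, str]]) -> int:
    """Count claims that still match a customer after both sides are transformed,
    showing that tokenization preserves referential integrity where masking would not."""
    keys = {transform(c)["ssn"] for c in customers}
    return sum(1 for c in claims if transform(c)["ssn"] in keys)

# Constructed records.
CUSTOMERS = [{"name": "A. Example", "ssn": "123-45-6789", "pan": "4111 1111 1111 1111"}]
CLAIMS = [{"ssn": "123-45-6789", "notes": "caller gave SSN 123-45-6789 by phone"},
          {"ssn": "987-65-4321", "notes": "no id given"}]
```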
About IBM InfoSphere Guardium

IBM InfoSphere Guardium has the ability to identify and protect against internal and external threats through a distinctive combination of robust monitoring and auditing, vulnerability management, data transformation, real-time security policies, and intelligent reporting. IBM InfoSphere Guardium helps protect valuable data assets such as PII, customer data, business data, corporate secrets and more, foster secure and efficient collaboration, and effectively integrate security into existing business processes.

InfoSphere Guardium is the most widely-used solution for preventing information leaks from the data center and ensuring the integrity of enterprise data. It is installed in more than 400 customers worldwide, including five of the top five global banks; four of the top six insurers; top government agencies; two of the top three retailers; 20 of the world’s top telcos; two of the world’s favorite beverage brands; the most recognized name in PCs; a top three auto maker; a top three aerospace company; and a leading supplier of business intelligence software. InfoSphere Guardium was the first solution to address the core data security gap by providing a scalable, cross-DBMS enterprise platform that both protects databases in real-time and automates the entire compliance auditing process.

© Copyright IBM Corporation 2012. IBM Corporation, Software Group, Route 100, Somers, NY 10589. Produced in the United States of America, October 2012.

IBM, the IBM logo, ibm.com, DB2, Guardium and InfoSphere are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

IBM InfoSphere provides an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The InfoSphere Platform provides all the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The InfoSphere Platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

InfoSphere® software IMW14277-USEN-02