European Data Compliance Needs of 2016

Date post: 16-Apr-2017
Upload: ibm-security

Transcript
Page 1: European Data Compliance Needs of 2016

© 2015 IBM Corporation

Vikalp Paliwal, Product Manager, Guardium

Michel Bouma, Data Governance & Security Solutions Sales Leader Europe

European Data Compliance Needs of 2016

Page 2

Data is challenging to secure

DYNAMIC: data multiplies continuously and moves quickly

DISTRIBUTED: data is everywhere, across applications and infrastructure

IN DEMAND: users need to constantly access and share data to do their jobs

Page 3

4 main areas in EU GDPR

Easier access to your own data: individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way.

A right to data portability: it will be easier to transfer your personal data between service providers.

A clarified "right to be forgotten": when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.

The right to know when your data has been hacked: companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible, so that users can take appropriate measures.

Page 4

EU General Data Protection Regulation - for organisations

• Only one set of rules across all 28 member states

• Organisations ('controllers') will only have to work with one lead supervisory authority instead of 28

• Organisations whose core activities involve large-scale processing of "sensitive" records must appoint a Data Protection Officer (DPO). This post can be shared with other organisations and can be outsourced

• Non-EU companies that offer goods or services to, or monitor the behaviour of, people in the EU will also have to comply.

• Every organisation will have to design in data protection ('data protection by design and by default') during roll-out of new services and technology

• Fines have been set at up to 4 percent of annual worldwide turnover or €20 million, whichever is higher. A lower tier of 2 percent (or €10 million) applies to less serious infringements.

• Requirement to notify the supervisory authority of data breaches within 72 hours of becoming aware of them, and to notify the affected individuals when the breach is likely to put them at high risk.

• Encryption may remove the duty to notify the affected individuals, but only if it has been competently implemented so that the data is unintelligible to whoever obtained it; notification of the supervisory authority is still required.

• Data processors (not only data controllers) will be held directly responsible for data protection

Page 5

Managing compliance for sensitive data is stressful

Activities: Monitoring, Auditing, Classification, Discovery, Assessment, File Analysis, Configuration, Entitlement, Compliance

Mandates and benchmarks: PCI DSS, SOX, HIPAA, CIS, CVE, STIG, NIST

Page 6

92% of breaches are discovered by an external party (Verizon 2012 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038)

Figure: Guardium Discovery, Guardium DAM, Guardium VA, Guardium Encryption

Page 7

IBM Security Guardium value

Protect all data against unauthorized access and enable organizations to comply with government regulations and industry standards

1. Identify risk: discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities

2. Prevent data breaches: prevent disclosure or leakage of sensitive data

3. Ensure data privacy: prevent unauthorized changes to data

4. Reduce the cost of compliance: automate and centralize controls across diverse regulations and heterogeneous environments

Coverage: on premise and on cloud; data at rest and data in motion; data repositories, sensitive documents and OS files

Page 8

The Compliance Mandate – What do you need to monitor?

Audit requirements (columns of the original matrix): PCI DSS, COBIT (SOX), ISO 27002, NIST SP 800-53 (FISMA), Data Privacy & Protection Laws

What to monitor (rows):

1. Access to sensitive data (successful/failed SELECTs)

2. Schema changes, DDL (CREATE/DROP/ALTER TABLE, etc.)

3. Data changes, DML (INSERT, UPDATE, DELETE)

4. Security exceptions (failed logins, SQL errors, etc.)

5. Accounts, roles and permissions, DCL (GRANT, REVOKE)

DDL = Data Definition Language (aka schema changes); DML = Data Manipulation Language (data value changes); DCL = Data Control Language (privilege changes)
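The five rows above are the buckets a data activity monitoring policy has to sort every captured event into. The Python below is an added illustration for this page, not code from the deck or from Guardium: it parses a handful of constructed audit events in an assumed line format, counts events per category, and raises the two alerts most teams start with, repeated failed logins from one client and a privileged account reading an object that discovery has marked sensitive. The event format, the sensitive-object list and the privileged-account list are all assumptions made for the example.

```python
"""Sort database audit events into the five monitoring categories and raise basic alerts."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (illustrative only). Assumed line format:
#   <ISO timestamp> user=<db account> client=<ip> status=<OK|FAIL> stmt=<SQL text or LOGIN>
SAMPLE_EVENTS = """\
2015-11-03T09:12:01Z user=app_svc client=10.1.4.20 status=OK stmt=SELECT id, email FROM customers WHERE id = 42
2015-11-03T09:12:05Z user=dba_jane client=10.1.9.7 status=OK stmt=ALTER TABLE customers ADD COLUMN card_pan VARCHAR(19)
2015-11-03T09:13:10Z user=dba_jane client=10.1.9.7 status=OK stmt=GRANT SELECT ON customers TO reporting_ro
2015-11-03T09:14:22Z user=batch client=10.1.4.21 status=OK stmt=UPDATE orders SET status = 'SHIPPED' WHERE id = 1001
2015-11-03T09:15:00Z user=unknown client=203.0.113.5 status=FAIL stmt=LOGIN
2015-11-03T09:15:01Z user=unknown client=203.0.113.5 status=FAIL stmt=LOGIN
2015-11-03T09:15:03Z user=sa client=203.0.113.5 status=FAIL stmt=LOGIN
2015-11-03T09:16:40Z user=app_svc client=10.1.4.20 status=FAIL stmt=SELECT * FROM customers WHERE id = '1 OR 1=1
2015-11-03T09:17:12Z user=dba_jane client=10.1.9.7 status=OK stmt=SELECT card_pan FROM customers
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) "
    r"status=(?P<status>OK|FAIL) stmt=(?P<stmt>.*)$"
)
# Object names follow these keywords; good enough for the statement shapes used here.
OBJECT_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|ON|JOIN)\s+([A-Za-z_][\w.]*)", re.I)

DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DML_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DCL_VERBS = {"GRANT", "REVOKE"}

# Assumed inputs from earlier steps: discovery marked `customers` as sensitive,
# and the entitlement review listed these accounts as privileged.
SENSITIVE_OBJECTS = {"customers"}
PRIVILEGED_ACCOUNTS = {"dba_jane", "sa"}


def parse_events(text):
    """Parse audit lines; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["objects"] = {o.lower() for o in OBJECT_RE.findall(ev["stmt"])}
        events.append(ev)
    return events


def categorize(ev):
    """Return the set of monitoring categories an event falls into (one event may hit several)."""
    tags = set()
    words = ev["stmt"].split(None, 1)
    verb = words[0].upper() if words else ""
    if ev["status"] == "FAIL":
        tags.add("security_exception")          # failed login or SQL error
    if verb == "SELECT" and ev["objects"] & SENSITIVE_OBJECTS:
        tags.add("sensitive_access")            # successful and failed reads both count
    if verb in DDL_VERBS:
        tags.add("ddl")
    elif verb in DML_VERBS:
        tags.add("dml")
    elif verb in DCL_VERBS:
        tags.add("dcl")
    return tags


def summarize(events):
    """Event count per category: the numbers a compliance report is built from."""
    counts = Counter()
    for ev in events:
        counts.update(categorize(ev))
    return counts


def alerts(events, window=timedelta(seconds=60), threshold=3):
    """Two starter detections: login brute force per client, and privileged reads of sensitive data."""
    found = []
    failed_logins = defaultdict(list)
    for ev in events:
        if ev["status"] == "FAIL" and ev["stmt"].strip().upper() == "LOGIN":
            failed_logins[ev["client"]].append(ev["ts"])
        if (ev["status"] == "OK" and ev["user"] in PRIVILEGED_ACCOUNTS
                and "sensitive_access" in categorize(ev)):
            found.append(f"privileged read of sensitive data: {ev['user']} ran {ev['stmt']!r}")
    for client, stamps in failed_logins.items():
        stamps.sort()
        # Sliding window: `threshold` failures whose first and last lie within `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                found.append(f"{threshold} failed logins within {int(window.total_seconds())}s from {client}")
                break
    return found


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for tag, n in sorted(summarize(evs).items()):
        print(f"{tag:20s} {n}")
    for line in alerts(evs):
        print("ALERT:", line)
```

The failed SELECT with `'1 OR 1=1` lands in two buckets at once (security exception and sensitive access), which is why the categories are returned as a set rather than a single label; real policies then decide per bucket whether to log, alert or block.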

Page 9

Guardium uses intelligence and automation to safeguard data

ANALYZE: automatically discover critical data and uncover risk

PROTECT: complete protection for sensitive data, including compliance automation

ADAPT: seamlessly handle changes within your IT environment

Page 10

ANALYZE. PROTECT. ADAPT.

Data sources: Databases and Data Warehouses, File Systems, Applications, Big Data Platforms, Cloud Environments

Capabilities:

• Discovery, classification, vulnerability assessment, entitlement reporting

• Encryption, masking, and redaction

• Data and file activity monitoring

• Dynamic blocking and masking, alerts, and quarantine

• Compliance automation and auditing

• Analytics across all of the above

Page 11

Discover and Classify Sensitive Data in Databases and Files

• Discover database instances on the network

• Catalog search: search the database catalog for table or column names
– Example: search for tables where the column name is like "%card%"

• Search by permission: search for the types of access that have been granted to users or roles

• Search for data: match specific values or patterns in the data
– Example: search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card number formats)

• Search for unstructured data: match specific values or patterns in an unstructured data file (CSV, text, HTTP, HTTPS, Samba)

• Classify data: put data in actionable groups, automatically or manually
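The catalog search, the data search and the unstructured-file search above are three different ways of finding the same thing, and they disagree in useful ways. The Python below is an added example for this page, not Guardium code and not the guardium://CREDIT_CARD pattern itself: it runs all three against a constructed in-memory SQLite database and a constructed CSV export, validates card-number candidates with the Luhn checksum so that ticket numbers and other digit runs drop out, masks every hit before reporting it, and then classifies columns by whether the name-based and content-based evidence agree. The schema, rows and file contents are made up for the example.

```python
"""Find sensitive data by column name, by content, and in flat files, then classify the hits."""
import re
import sqlite3

# Constructed sample database (illustrative): an in-memory SQLite stand-in for a real instance.
SAMPLE_SCHEMA = """
CREATE TABLE customers (id INTEGER, cardholder_name TEXT, email TEXT, card_number TEXT);
CREATE TABLE orders (id INTEGER, customer_id INTEGER, note TEXT);
CREATE TABLE audit_log (id INTEGER, message TEXT);
INSERT INTO customers VALUES (1, 'Ann Example', 'ann@example.com', '4111111111111111');
INSERT INTO customers VALUES (2, 'Bob Example', 'bob@example.com', 'n/a');
INSERT INTO orders VALUES (10, 1, 'gift wrap');
INSERT INTO orders VALUES (11, 2, 'paid by phone with 5500000000000004');
INSERT INTO audit_log VALUES (1, 'ticket 1234567890123456 closed');
"""
# Constructed CSV export (illustrative) for the unstructured-file search.
SAMPLE_CSV = """name,pan,notes
Ann,4111 1111 1111 1111,vip
Bob,4242-4242-4242-4242,renewal
Cy,1234567890123456,looks like a PAN but is not
"""
# 13 to 19 digits with optional single spaces or dashes between them (card-number shapes).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Candidate card numbers in `text` that pass the Luhn check, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Never copy a full PAN into a findings report; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def table_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()]


def search_catalog(conn, column_pattern):
    """Catalog search: (table, column) pairs whose column name matches a SQL LIKE pattern."""
    hits = []
    for table in table_names(conn):
        quoted = table.replace('"', '""')
        for row in conn.execute(f'PRAGMA table_info("{quoted}")').fetchall():
            column = row[1]
            if conn.execute("SELECT ? LIKE ?", (column, column_pattern)).fetchone()[0]:
                hits.append((table, column))
    return sorted(hits)


def search_data(conn):
    """Data search: scan every text value for Luhn-valid card numbers, whatever the column is called."""
    hits = []
    for table in table_names(conn):
        quoted = table.replace('"', '""')
        cur = conn.execute(f'SELECT rowid, * FROM "{quoted}"')
        columns = [d[0] for d in cur.description][1:]
        for row in cur.fetchall():
            for column, value in zip(columns, row[1:]):
                if isinstance(value, str):
                    for pan in find_pans(value):
                        hits.append((table, column, row[0], mask(pan)))
    return hits


def search_file(name, text):
    """Unstructured search over a CSV/text export: (file, line number, masked PAN)."""
    return [(name, lineno, mask(pan))
            for lineno, line in enumerate(text.splitlines(), start=1)
            for pan in find_pans(line)]


def classify(catalog_hits, data_hits):
    """Put columns into actionable groups by combining name-based and content-based evidence."""
    by_name = {f"{t}.{c}" for t, c in catalog_hits}
    by_content = {f"{t}.{c}" for t, c, _, _ in data_hits}
    return {
        "confirmed": sorted(by_name & by_content),      # name and content agree
        "content_only": sorted(by_content - by_name),   # sensitive data where nobody expected it
        "name_only": sorted(by_name - by_content),      # suspicious name, no live card data found
    }


if __name__ == "__main__":
    db = open_sample_db()
    catalog, data = search_catalog(db, "%card%"), search_data(db)
    print("catalog:", catalog)
    print("data:", data)
    print("file:", search_file("export.csv", SAMPLE_CSV))
    print("groups:", classify(catalog, data))
```

The "content_only" group is the one the deck calls unknown sensitive data: a free-text column (orders.note) holding a card number that no catalog search would ever surface. The "name_only" group (cardholder_name) is where a name-only classifier would have produced a false positive.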

Page 12

Managing vulnerabilities in data repositories is the first step to compliance

Typical findings: default username and password; excessive privilege; default settings and misconfigurations; un-patched databases; non-supported product versions; unknown sensitive data

Implications: non-compliance, audit failure, insider theft, data breach

Page 13

IBM Security Guardium Vulnerability Assessment: Analyze risk, automate compliance and harden your data environment

Sensitive data discovery
• Identifies sensitive data (credit cards, transactions or PII)
• Reporting on sensitive objects
• Discover database instances
• Entitlement reporting

Comprehensive testing and reporting
• Using industry best practices and primary research
• 2000+ predefined tests to uncover database and OS vulnerabilities
• Recommendations for remediation
• Vulnerability Assessment scorecard
• Configuration audit system (CAS) monitors configuration changes
• View graphical representation of trends
• Includes quarterly DPS updates

Extensible design
• Enables custom-designed tests
• Tuning existing tests to match needs
• Report builder for custom reports

Collaborate to protect
• Compliance workflow
• Exception management
• Export to other security tools

Page 14

Key best practices to consider when assessing vulnerabilities

• Identify gaps: using privilege, configuration, patch, password policy, and OS-level file permission tests

• Enforce best practices: benchmarks such as DoD STIG, CIS and PCI DSS, plus known vulnerabilities catalogued as CVEs

• Create a baseline: with custom or out-of-the-box tests for your organization, industry or application

• Be analytical: apply advanced forensics and analytics to understand sensitive data risk and exposure

• Perform: use a solution that has zero performance impact on the assessed systems
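The tests the two slides above describe (default credentials, excessive privilege, missing patches, entitlement reporting) are rules evaluated over a snapshot of accounts, roles, grants and configuration. The Python below is an added illustration for this page, not Guardium code or Guardium output: it takes a constructed snapshot in an assumed shape, resolves nested role membership so that effective privileges are computed rather than read off the direct grants, compares the result with an assumed baseline, and produces findings plus the per-severity scorecard a trend is tracked on. Snapshot fields, baseline values and severities are all assumptions made for the example.

```python
"""Entitlement and configuration review over a constructed snapshot of one database."""

# Constructed snapshot (illustrative; field names are assumed, not a real scanner's output).
SNAPSHOT = {
    "version": "9.6.2",
    "accounts": {
        "sa":       {"default_password": True,  "locked": False, "roles": ["db_owner"]},
        "guest":    {"default_password": True,  "locked": True,  "roles": []},
        "app_svc":  {"default_password": False, "locked": False, "roles": ["app_rw"]},
        "report":   {"default_password": False, "locked": False, "roles": ["reporting_ro"]},
        "dba_jane": {"default_password": False, "locked": False, "roles": ["dba"]},
    },
    # role -> roles it is itself a member of (nesting can be several levels deep)
    "role_members": {"dba": ["db_owner"], "db_owner": ["app_rw", "reporting_ro"]},
    # (grantee, privilege, object); "*" means every object, "ALL" every privilege
    "grants": [
        ("db_owner", "ALL", "*"),
        ("app_rw", "SELECT", "customers"),
        ("app_rw", "UPDATE", "customers"),
        ("app_rw", "INSERT", "orders"),
        ("reporting_ro", "SELECT", "orders"),
        ("PUBLIC", "SELECT", "customers"),   # every account can read cardholder data
    ],
}

# Assumed baseline: what this organisation has decided is acceptable.
BASELINE = {
    "min_version": "9.6.5",
    "sensitive_objects": {"customers"},
    "allowed_admins": {"dba_jane"},
}


def expand_roles(account, snapshot):
    """Transitive closure of role membership. PUBLIC is implicit for every account."""
    seen = set()
    stack = list(snapshot["accounts"][account]["roles"]) + ["PUBLIC"]
    while stack:
        role = stack.pop()
        if role in seen:
            continue            # also guards against cyclic role grants
        seen.add(role)
        stack.extend(snapshot["role_members"].get(role, []))
    return seen


def effective_privileges(account, snapshot):
    """(privilege, object) pairs the account really holds, direct or inherited."""
    roles = expand_roles(account, snapshot)
    return {(priv, obj) for grantee, priv, obj in snapshot["grants"] if grantee in roles}


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def assess(snapshot, baseline):
    """Run the checks and return (severity, test, detail) findings."""
    findings = []
    if version_tuple(snapshot["version"]) < version_tuple(baseline["min_version"]):
        findings.append(("MEDIUM", "unpatched",
                         f"version {snapshot['version']} is below baseline {baseline['min_version']}"))
    for grantee, priv, obj in snapshot["grants"]:
        if grantee == "PUBLIC" and (obj == "*" or obj in baseline["sensitive_objects"]):
            findings.append(("HIGH", "public_grant", f"PUBLIC holds {priv} on {obj}"))
    for name, acct in snapshot["accounts"].items():
        # A default password on a locked account is a clean-up item, not an exposure.
        if acct["default_password"] and not acct["locked"]:
            findings.append(("HIGH", "default_credentials", f"{name} still has the vendor default password"))
        if ("ALL", "*") in effective_privileges(name, snapshot) and name not in baseline["allowed_admins"]:
            path = sorted(expand_roles(name, snapshot) - {"PUBLIC"})
            findings.append(("HIGH", "excessive_privilege", f"{name} effectively holds ALL on * via roles {path}"))
    return findings


def scorecard(findings):
    """Findings per severity: the number the assessment trend is tracked on."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, test, detail in assess(SNAPSHOT, BASELINE):
        print(f"[{severity}] {test}: {detail}")
    print("scorecard:", scorecard(assess(SNAPSHOT, BASELINE)))
```

Resolving the role closure is what makes the privilege test meaningful: `sa` has no direct grant on anything, and only becomes a superuser through `db_owner`, so a report that lists direct grants would show it as harmless.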

Page 15

Transparent, non-invasive, real-time Data Activity Monitoring

Figure: application servers and data servers (DB, warehouses, files, big data) carry Guardium host-based probes that report to a Guardium Collector appliance. DISCOVER • MONITOR • PROTECT • AUTOMATE

• 100% visibility, including local privileged access
• Minimal performance impact
• Does not rely on resident logs, which can easily be erased by attackers or rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with the broader security and compliance management vision
• Single integrated appliance
• Non-invasive, non-disruptive, cross-platform architecture
• Dynamically scalable
• Separation-of-duties (SoD) enforcement for privileged access
• Auto-discover sensitive resources and data
• Detect or block unauthorized and suspicious activity
• Granular, real-time policies and normalized audit: who, what, when, how

Page 16

Scalable, multi-tier architecture

Figure: Guardium Collectors in the Americas, Europe and Asia Pacific data centers and in cloud environments (LOB, marketing, big data analytics), plus the IBM z/OS mainframe, all reporting to a Guardium Central Manager and Aggregator; integration with LDAP/AD, IAM, change management, SIEM, archiving, etc.

• Central management: policies pushed to collectors from the central manager
• Central aggregation: collectors aggregate data to a central audit repository
• Unified solution for both distributed systems and IBM System z: enterprise-wide compliance reporting, analytics and forensics
• Enforcement (S-GATE): prevents privileged users from accessing sensitive information
• Heterogeneous data source support: databases, data warehouses, files, big data

Page 17

Guardium makes the compliance burden manageable, less painful, and less costly through:

• Automation for change management
• Pre-packaged knowledge
• Integration
• Performance and scalability
• Centralization

Page 18

Guardium helps support the most complex of IT environments. Examples of supported databases, big data environments, file shares, etc.:

• Databases: DB2, Informix, IMS
• Data warehouses: Netezza, PureData for Analytics, DB2 BLU
• Applications: CICS, WebSphere, Siebel, PeopleSoft, E-Business
• Files: VSAM, z/OS datasets, FTP
• Also: database tools, enterprise content managers, big data environments, cloud environments, Windows, Linux, Unix

Page 19

Recommendations

1. Understand where your crown jewels are located and calculate the risk
– Discovery, classification and vulnerability assessment

2. Look for suspicious activity (DAM)
– Attackers are inside networks long before organizations understand what is going on with their data: greater than 200 days (2015 Ponemon study)

3. Have a plan for when data is exfiltrated

4. Encryption covers a multitude of sins

Page 20

Guardium supports the whole data protection journey

• Acute compliance need: database monitoring focused on changed data, automated reporting
• Sensitive data discovery: perform vulnerability assessment, discovery and classification
• Address data privacy: find and address PII, determine who is reading data, leverage masking
• Expand platform coverage: big data platforms, file systems or other platforms also require monitoring, blocking, reporting
• Comprehensive data protection: dynamic blocking, alerting, quarantine, encryption and integration with security intelligence

Page 21

133 countries where IBM delivers managed security services

20 industry analyst reports rank IBM Security as a LEADER

TOP 3 enterprise security software vendor in total revenue

10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia

Learn more about IBM Security: visit our website ibm.com/guardium; watch our videos at https://ibm.biz/youtubeguardium; read new blog posts at SecurityIntelligence.com; follow us on Twitter @ibmsecurity

Page 22

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Legal notices and disclaimers

Page 23

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security

