© 2016 IBM Corporation
DB2 for i data security and compliance
Scott Forstie, IBM
DB2 for i Business Architect
Kathy Zeidenstein
Guardium Evangelist and Community Advocate
IBM Security Guardium Tech Talk
Upcoming Tech Talk
Next tech talk: Guarding against insider threats to Hadoop: What’s new in Guardium
Speaker: Sundari Voruganti, Big Data QA Lead and Solutions Architect
Date and time: Thursday, April 7th, 08:00 AM PDT, 11:00 AM EDT
Register here: http://ibm.biz/GTechHadoop
Agenda
The problem of insider threats (one attack vector)
Guardium & DB2 for i – overview
Classifier & DB2 for i
Vulnerability Assessment (VA) & IBM i
Database Activity Monitor (DAM) & DB2 for i
Demo
What’s on the inside counts
Damaging security incidents involve loss or illicit modification or destruction of sensitive data
Many security programs only focus on what’s happening beyond the perimeter
55% of all attacks are caused by insider threats**
**Source: 2Q15 X-Force Report
Not all insider threats are created equal
Who represents an insider threat?
An employee that clicks on the ‘dancing bear’ (OOPS!)
A disgruntled employee
A malicious employee
A 3rd party/partner that has access to your sensitive data
(And falls into one of the categories above)
Employees with privileged access to sensitive data carry
the greatest risks!
How are most companies combating insider threats today?
62% of organizations do not monitor and audit the actions of users with privileges more closely than non-privileged users*
*According to a 2015 UBM study of more than 200 organizations
What can you do?
57% of organizations do not have a data security solution that supports entitlement reporting
Intelligent data security safeguards sensitive data – wherever it resides
Discovery, classification, vulnerability assessment, entitlement reporting
Encryption, masking, and redaction
Data and file activity monitoring
Dynamic blocking and masking, alerts, and quarantine
Compliance automation and auditing
ANALYTICS
Guardium & DB2 for i Product Enhancement Timeline
Enhancements in 2014:
• Reduced CPU overhead for aggressive monitoring of SQL
• Multiple User Name SQL Filtering
• Guardium on i Technical article
• Other High Priority feature requests
IBM i 7.1 TR9, 7.2 TR1
IBM i TR8
Enhancements delivered in 2015:
• Guardium Vulnerability Assessment support for IBM i
• Guardium Classifier support for IBM i
• High availability / failover / session load balancing
• Encrypted communication between iS-TAP & collector
• Add micro-seconds to exception entity reports
• Improved “out of the box” IBM i Activity & Exception reports
• Improved detail for CP audit journal entries
IBM i 7.1 TR10, 7.2 TR2
IBM i 7.1 TR11, 7.2 TR3
https://ibm.biz/GuardiumDAMonIBMi
Guardium on i - education resources
https://ibm.biz/GuardiumONi_Education
Managed by Kathy
Guardium on i – Client resources
https://ibm.biz/GuardiumDAMonIBMi
IBM i - Service Level Requirements
Guardium on i – Serviceability Document
Links to education videos
Links to articles
Managed by Scott
Audit journal & SQL activity is recognized and sent to the off-board Guardium collector
Guardium Database Activity Monitor (DAM)
Comprehensive SQL capture
SQL Statement Text with Bind Variables
Data-centric solution, integrated into DB2 for i
Extensive filtering capability
Safe to run in production environments
One software product to handle all databases vs IBM i specific solution
Audit Journal (real-time) and Data Journal coverage (scheduled upload)
Supported with:
Guardium V9.x & V10
IBM i 6.1, 7.1 and 7.2 releases
Guardium DAM & DB2 for i S-TAP
Guardium V10 - Architecture
What's new in IBM Security Guardium V10
www.ibm.com/developerworks/library/se-guardium-v10/index.html
Guardium V10 & IBM i
Appliance – New look, great usability features
Guardium Classifier & DB2 for i
Classifier & DB2 for i
Match found on SSN rule (regular expression)
Guardium Vulnerability Assessment & IBM i
Vulnerability Assessment (VA) & IBM i
Automate IBM i vulnerability, configuration and behavioral assessment
Grade, report and enable action
Over 130+ IBM i specific vulnerability tests
Entitlement reports
Supported with:
Guardium V10
IBM i 6.1, 7.1 and 7.2 partitions
Harden, Discover, Repeat
VA – IBM i reporting
130 tests for IBM i
Choose some or all IBM i specific assessments
Choose the Datasources (IBM i partitions)
Execute VA assessment
Track progress of reports on the Guardium Job Queue
Guardium Job Queue
Review results…
VA reports are extensive, consumable & interactive
Assessments are explained and include remediation details
IBM i specific security remediation detail
Assessments include configuration options
Exclude uninteresting DB2 for i objects
Anatomy of a VA report
Result History Shows Trends
Detailed Remediation Suggestions
Detailed Test Results
Overall Score
Detailed Scoring Matrix
Filter/Sort controls for easy use
Summary Test Results
Guardium Database Activity Monitor & DB2 for i
Use Guardium DAM to discover when/where tables are duplicated
To secure data, you also need to identify when data is copied
Guardium DAM & DB2 for i
Guardium V10 dashboards enable efficient customization
Guardium V10 – IBM i Dashboard (i dash)
A custom dashboard provides an overview
Organize your favorite reports
Database Activity (SQL & Audit Journal entries)
Use the built-in DB2 for i SQL activity
Privilege User Activity (SQL & Audit Journal entries)
Verbs reflect action area, for a summary level view
Easily track privileged users in different ways
Exception report covers failures
SQL or Audit Journal
IBM i Security configuration options
Exception reports capture SQL and Audit journal failures
Sensitive data report
Useful for discovering users who should be tracked
Sensitive data reports allow you to focus on tables
User sessions by server IP
Session counts, activity and duration
Observe user connectivity and SQL activity
Demo
DB2 for i & Guardium
Q&A
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
133 countries where IBM delivers
managed security services
20 industry analyst reports rank
IBM Security as a LEADER
TOP 3 enterprise security software vendor in total revenue
10K clients protected including…
24 of the top 33 banks in Japan,
North America, and Australia
Learn more about IBM Security
Visit our web page
IBM.com/Security
Watch our videos
IBM Security YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
Contrasting DB2 for i – Data Governance

| Use case \ Technology | SQL Activity | Audit Journal | Data Journal |
|---|---|---|---|
| IBM i releases | 6.1, 7.1, 7.2 | 6.1, 7.1, 7.2 | 6.1, 7.1, 7.2 |
| Analysis & Reporting | InfoSphere Guardium DAM; PowerSC Tools for IBM i; IBM i Security ISVs | InfoSphere Guardium DAM; PowerSC Tools for IBM i; IBM i Security ISVs | InfoSphere Guardium DAM; PowerSC Tools for IBM i |
| Solution infrastructure beyond IBM i | Yes | No | No |
| Capture SQL statements | Yes | No | No |
| Capture SQL host variable values and environment | Yes | No | No |
| Capture database specific Audit Journal details | Yes | Yes | No |
| Capture before and after images of data | No | No | Yes |
| Able to track which rows are seen by users | No | No | No |
Contrasting DB2 for i – Data Security

| Use case \ Technology | Field Procedures | Column Masks | Row Permissions | Views & Logical Files |
|---|---|---|---|---|
| IBM i releases | 7.1, 7.2 | 7.2 | 7.2 | 6.1, 7.1, 7.2 |
| Limit access to some/all data within a column | Yes | Yes | No | Yes |
| Limit access to rows | No | No | Yes | Yes |
| Security logic payload (customer experience) | External program (complex) | SQL rule (simple) | SQL rule (simple) | DDS or SQL (varies) |
| Software Vendor component | Townsend Security; Linoma; Enforcive; IBM Lab Services DB2 CoE | SkyView Risk Assessor for IBM i; IBM Lab Services DB2 CoE | SkyView Risk Assessor for IBM i; IBM Lab Services DB2 CoE | N/A |
| Data encrypted at rest | Yes | No | No | No |
| Data encrypted in journal | Yes | No | No | No |
| Masked values apply to selection criteria | Yes | No | N/A | N/A |
| Data-Centric Solution | Yes | Yes | Yes | No |