
Slide 1

© 2015 IBM Corporation

What's new in Guardium DAM V10: A technical overview

David Rozenblat, Director, Guardium Development, IBM Security

Kathy Zeidenstein, Guardium Evangelist and Community Advocate, IBM Security

September 17, 2015

IBM Security Guardium Tech Talk

This call is being recorded.

Please leave the web conference if you object.

Slide 2

Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.

We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o

You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.

We’ll try to answer questions in the chat or address them at the speaker’s discretion. If we cannot answer your question, please include your email so we can get back to you.

When the speaker pauses for questions, we’ll go through the existing questions in the chat.

Slide 3

Guardium community on developerWorks: bit.ly/guardwiki (right nav)

This is probably the best place to find content. It attempts to provide links to all available resources. Also, by signing up, you can get emails for new tech talks or other critical events.


Slide 4

Reminder: Next Guardium Tech Talk

A link to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on that page with ideas for tech talk topics.

Next tech talk: A Technical Overview of IBM Security Activity Monitor for Files

Speakers: Daniel Stanca, Product Manager; Sagi Shechter, Guardium Development Manager

Date and time: Thursday, October 15th, 11:30 AM US Eastern (60 minutes)

Register here: https://ibm.biz/BdX5cZ

Slide 5

Agenda

Business overview

Enhancements that support analysis

Enhancements that support adaptability

Enhancements that support protection

Platform changes and upgrade roadmap - Important survey question

As you’ll see in this presentation, IBM has simplified the messaging around data protection to three key themes: analyze, adapt, and protect. That is also how we’ve grouped the related V10 enhancements. We’ll also give a quick overview of the appliance platform changes because they have implications for upgrade. We have an important survey question at the end about migration and upgrade, so please try to stay through to the end. If you cannot, please post in the chat that you would be interested in migration services.

Slide 6

Data is challenging to secure

DYNAMIC: Data multiplies continuously and moves quickly

DISTRIBUTED: Data is everywhere, across applications and infrastructure

IN DEMAND: Users need to constantly access and share data to do their jobs

Dynamic nature of the data: data is multiplying and it is dynamic, moving around all over the place, in and out of your infrastructure.

Disparate and distributed data: disparate data platforms and formats; small security teams and lots of applications; developers lack secure coding skills.

Demand for the data is increasing: there is a bottleneck in trying to control the usage; data is everywhere and needs to be accessed.


Slide 7

Guardium uses intelligence and automation to safeguard data

PROTECT: Complete protection for sensitive data, including compliance automation

ADAPT: Seamlessly handle changes within your IT environment

ANALYZE: Automatically discover critical data and uncover risk

IBM CONFIDENTIAL: NDA until August 25, 2015

At the highest level, Guardium offers complete data protection, using analytics to help automate risk identification and by providing broad coverage and ability to dynamically adapt and scale to a wide variety of IT environments.

Slide 8

ANALYZE. PROTECT. ADAPT.

Discovery, classification, vulnerability assessment, entitlement management

Encryption, masking, and redaction

Data and file activity monitoring

Dynamic blocking and masking, alerts, and quarantine

Compliance automation and auditing

ANALYTICS

The analyze, protect, and adapt themes are manifested through a broad set of data security capabilities, which are all under one umbrella and integrated with each other to help you implement a complete solution. Analytics makes it possible to deal with the quantity of data you have, the quantity and velocity of data access to track, and the difficulty of uncovering patterns and detecting and pinpointing suspicious activities. Centralization is the glue that makes the data security functions manageable across the whole array of heterogeneous data sources required to run the IT environment. This is the beauty of this approach: you get a central place to ask the common data security questions (for security, privacy, or compliance) across all the enterprise data resources in a normalized way. And you can start at any point according to your needs, maybe with simple compliance reporting, and grow from there.


Slide 9


Analyze

So let’s look at the set of new DAM capabilities that fall under the theme of analysis.

Slide 10


Analyze

New navigation and user experience

Quick Search for Enterprise and Investigation Dashboard

Classifier enhancements (backup)

David will be doing a demo of some of the new capabilities in the user interface and also the enterprise quick search and investigation dashboard. There are additional enhancements that are included in backup slides.

Slide 11

UI simplification and modernization

Assignable tasks with SOD

Customizable reports

Guided processes

At-a-glance operational dashboards

Enterprise-wide Quick Search

Drill-down analytics

Before I turn it over to David, I just want to give a brief overview. The new UI has evolved and will continue to evolve along the lines of simplicity and modernization. The design is more task-oriented and provides guided processes such as the end-to-end discovery scenario that David will demonstrate. It’s also much easier to customize the UI, as David will demonstrate; for example, creating a view-only user with limited access is very easy to do.


Slide 12


Demo

Slide 13

Banner

Use to navigate through the UI or to search data or files (Quick Search)

To-do list

Notifications

The banner is a powerful control center with alerts, to-dos, and an enhanced search bar. The UI search bar will be your best friend in helping you find a tool or report quickly by name. Notifications are covered in more detail in a backup slide.

Slide 14

Customizable navigation

Common navigation

Tools and reports related to the task

The left hand navigation is now simplified and normalized across both administrator and user roles.


Slide 15

Report dashboard example

Callouts on the slide: see tabular report; mark as favorite; customize display; configure runtime parameters; same chart, customized.

Guardium includes hundreds of built-in reports as well as a flexible reporting capability that lets you create as many custom reports as you need. The sheer number of reports can make finding your own important reports a bit more challenging. Version 10 introduces the concept of “My Dashboards”. A dashboard is a user-personalized space in which you can drop and organize reports for easy access. Each user can name their dashboards and create as many as they need. Using favorites lets you filter reports in audit processes or when creating new dashboards, so you don’t need to scroll through hundreds of reports or devise your own naming scheme to ensure that your reports filter to the top of the list. When adding a report to a dashboard, you can find it easily by name by typing the first few characters in any field that requires selection from a list.

Slide 16

Report dashboard creation

Type-ahead filter to quickly find reports / charts

Additional filters:
– Favorites
– Charts
– User-defined (not pre-defined) reports

Select a report / chart to add it to the dashboard


Slide 17


Dashboard layout

Customize layout into 1, 2, or 3 columns

Drag and drop to move reports / charts

Slide 18

Services Status: before and after

Setup > Tools and Views > Services Status

V9 vs. V10: centralized view of services, with direct access to enable or disable each service

Administrators will love this new central location to see the status of Guardium services. And it provides one-stop launchpad to get to where you need to go to configure the service.

Slide 19

Accelerators now included in the base

Screenshots on the slide: Access Manager, user with SOX and PCI roles; Accelerators navigation menu; adding roles to a user.

Prior to V10, the compliance accelerators (PCI, SOX, Basel II, and Data Privacy) had to be installed using separate patches. Now they are part of the base product offering and can be added to user interface simply by configuring users with any of the corresponding roles (pci, sox, etc). The first screenshot above shows that the Guardium Access Manager is giving a user the PCI and SOX roles. When that user next logs into Guardium, she sees the Accelerators navigation menu and can see the content for both accelerators.


Slide 20


Managing permissions has never been easier!

The process to customize the user interface and manage permissions for different roles has been dramatically simplified in Version 10. Everything is in one central location and uses a simple "slushbucket" approach. For example, if you want to create a very simple interface with only a few read only reports for a particular auditor, it can be done quickly and easily. The Guardium access manager creates a new role called "Myfavoriteauditor". For the role, she goes to Manage Permissions and gives very limited permissions to the user as shown below, which includes report builder, results viewing and audit to-do lists.

Slide 21

Customizing navigation is a snap

Specify what will show up in navigation

Then, the access manager goes to Customize Navigation Menu for that role and specifies which specific reports that Myfavoriteauditor can see.

Slide 22

Customized navigation

Default navigation vs. customized navigation: a simplified, targeted layout for specific roles.

The resulting navigation is simple and targeted for that role.


Slide 23

Lifecycle workflow: Discover, review, schedule, protect

Creates a classification process and policy

Creates a security policy

Creates an audit process with receivers and a schedule.

An example of the direction that the Guardium UI is taking can be seen in a new task flow that takes you end to end through a guided workflow that goes from sensitive data discovery, to data protection (defining security policies), to compliance (defining audit process), without requiring users to jump from place to place in the user interface. If you go through the entire workflow, relevant artifacts are created such as a classification policy, an audit process to schedule the classification and even a security policy with the relevant access rules to protect discovered sensitive data.

Slide 24

Investigation Dashboard

• Color depth represents intensity of usage
• Hover over cells for details
• Click a cell or title for interactive filtering
• Click to view details in Quick Search without losing context.

We leverage the analytic tools to provide better ways to understand activity flows, even in a multi-dimensional environment. This allows for drill downs on specific areas of activity and to see how they affect other attributes in the environment. You will see in the demo how a set of two dimensional heat maps can give you a glimpse of where most activity happens, and then filter from there into how other relationships are affected.

Slide 25

Animation chart

Size of bubble reflects amount of data. Hover over a circle to see details. Activity over the last 48 hours is replayed.

Adds a time dimension to the investigation dashboard.

New animation chart: The animation chart adds an important dimension, time, to the Investigation Dashboard. This helps analysts visualize activity behavior over time using data in motion. The chart uses animated bubbles to represent activity over the last 48 hours (at most). The data is “auto-played”, where each frame is an hour in time, and can be paused, much as you would when watching any video. All 4 dimensions used in the chart are configurable: the bubbles, their sizes, and the X and Y axes. For example, a bubble can be defined as a DB user, its area as the number of client IPs, its horizontal position as ACCESS activity, and its vertical position as the number of ERRORS, as shown in the following image. This view supports drill-down: clicking on a bubble adds the selected data elements to the filters, and all charts are filtered accordingly.

Slide 26


Adapt

A key focus this release has been in making Guardium more adaptable and easier to administer.

Slide 27


Adapt

Enterprise load balancing

GIM improvements for deployment and security

Enhanced instance discovery

S-TAP enhancements for performance and capability

Auto-run dependent jobs for scheduled processes (backup)

Database platform enhancements (backup)

MongoDB as an audit repository (backup)

Softlayer backup (backup)

Troubleshooting enhancements (backup)

Some of the capabilities are covered in the backup slides.


Slide 28

Enterprise load balancing

Removes the headache of manually managing collector allocation for new S-TAPs
– Configure S-TAP to connect to a Load Balancer on the CM and let the load balancer find an appropriate Managed Unit

Dynamically rebalances workloads based on relatively current load data (such as sniffer queues)

Complete redesign of the 9.5 deliverable

Dynamic load balancing is available in centrally managed environments and reduces the workload on Guardium administrators by automating several tasks that previously required manual tracking and intervention. Dynamic load balancing:

– Eliminates the need to manually evaluate the load of managed units before assigning those managed units to an S-TAP agent.
– Eliminates the need to define fail-over managed units as part of post-installation S-TAP configuration, because the load balancer dynamically manages fail-over scenarios.
– Eliminates the need to manually relocate S-TAP agents from loaded managed units to less loaded managed units.

Restrictions: Dynamic load balancing is not supported for z/OS and IBM i S-TAPs.

Slide 29

Enterprise load balancer keeps track of how busy the collectors are

Diagram: the Central Manager runs the Load Balancer, which keeps a Load Map (for example MU 1 = loaded, MU n = vacant); each managed unit (MU 1 … MU n) runs a change tracker next to the MU database.

Two types of collection:
• Full load collection
• Single MU load collection

Full load collection happens dynamically (recommended) or statically.

Single MU collection happens when load characteristics change (such as the number of S-TAPs).

Rebalancing occurs only after a full load collection.

The load balancer is a servlet running on the Central Manager. Change trackers run on the managed units (MUs). The load balancer dynamically reallocates MUs based on current load; it collects a variety of statistics from each MU to make a determination of ‘loaded’ vs. ‘vacant’.

The dynamic load balancer is an application that runs only on the Central Manager. It requires no special configuration to run. The load balancer application is enabled on the Central Manager by setting LOAD_BALANCER_ENABLED=1. It affects the behavior only of those S-TAPs that are installed with the load_balancer_IP (the Central Manager IP) specified.

The dynamic load balancer performs “load collection” periodically, which entails getting a snapshot of the current activity load for all active managed units and storing it in a load map. This load collection does not affect other activity on the Central Manager. You can specify that load collection happen at a fixed interval or dynamically. Dynamic collection is the default and recommended setting. With dynamic collection, the interval is determined by the number of managed units (1 additional hour for every 10 managed units). Dynamic intervals give a more accurate load map without the overhead of loading the CM with unnecessary load collections.

When is single load collection triggered? It is used when load patterns have changed on the MU (for example, if the number of S-TAPs connected to a specific MU has changed). Load change tracker agents on each MU track changes in load-contributing factors. A tracker agent is a load balancer instance (servlet) running on each MU. This (mostly dormant) agent tracks specific ‘load change tracker’ factor changes (for example, the SOFTWARE_TAP_PROPERTY table).

The load balancer transparently supports two types of collection:
• Full load collection: load information collected from all the managed units in the site.
• Single MU load collection: load information collected from a single MU, caused by ‘load-contributing’ factor changes.

If something changes for a particular managed unit that affects its load, such as a reduction or increase in the number of S-TAPs connected to it, the load balancer is notified through the change tracker on the MU and updated information is sent to the load balancer. Once the load balancer has the load map, it can make informed decisions about which collectors are best suited for failover, new allocations, or rebalancing of S-TAPs. (Note that rebalancing can only happen after a full load collection and is controllable via a load balancer configuration parameter.)


Slide 30

Using groups to create load balancing zones

Diagram: the Central Manager’s Load Balancer holds the Load Map (MU 1 = loaded, MU n = vacant). Zone 1 pairs S-TAP Group 1 (STAP 1, STAP 2, STAP 3) with MU_Group1; Zone 2 pairs S-TAP Group 2 (STAP A, STAP B, STAP F … STAP n) with MU_Group2.

It’s likely that you have different ‘zones’ for different groupings of database servers/S-TAPs and managed units. You can use the following two types of groups to set up your environment for load balancing:
– S-TAP groups
– MU groups

You can create and associate these groups ahead of time in the Central Manager interface. The group names are case-sensitive. For the S-TAP groups, you must specify exactly what you will use to install the S-TAP itself (either the host name or IP). You can use wildcards in your IP addresses, such as 192.168.1.*. You can also specify these groups during S-TAP installation. (The MU group must already exist. For S-TAP groups, if the group doesn’t already exist, Guardium will create it for you.)
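As an added illustration (example code, not Guardium’s load balancer and not taken from the slides), the following Python model plays through the behaviour described on slides 28 to 30: allocation of a new S-TAP to the least-loaded vacant managed unit in its zone, single-MU collection when an S-TAP count changes, full load collection, rebalancing that is refused until a full collection has run, failover away from a lost MU, and zones built from S-TAP groups with wildcard IP patterns and MU groups. The MU and host names, the single “sniffer queue” load metric, the threshold that separates “loaded” from “vacant”, the base collection interval, the rule that an S-TAP matching no group may land on any MU, and the one-move-per-loaded-MU rebalancing pass are all assumptions made for the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed threshold: the real load balancer collects a variety of statistics;
# here a single "sniffer queue" depth stands in for them (assumption).
LOADED_THRESHOLD = 1000


@dataclass
class ManagedUnit:
    name: str
    group: str                 # MU group name; group names are case-sensitive
    sniffer_queue: int = 0     # constructed load metric
    stap_count: int = 0


@dataclass
class STap:
    host: str                  # exactly the host name or IP used at S-TAP install time
    assigned_mu: Optional[str] = None


def dynamic_interval_hours(mu_count: int, base_hours: int = 1) -> int:
    """Dynamic full-collection interval: one extra hour per 10 MUs (base interval assumed)."""
    return base_hours + mu_count // 10


class LoadBalancer:
    def __init__(self, mus: List[ManagedUnit], stap_groups: Dict[str, List[str]],
                 zones: Dict[str, str]):
        self.mus = {mu.name: mu for mu in mus}
        self.stap_groups = stap_groups          # {S-TAP group: [host/IP patterns, e.g. "192.168.1.*"]}
        self.zones = zones                      # {S-TAP group: MU group}
        self.load_map: Dict[str, str] = {}      # {MU name: "loaded" | "vacant"}
        self.full_collection_done = False

    def _classify(self, mu: ManagedUnit) -> str:
        return "loaded" if mu.sniffer_queue > LOADED_THRESHOLD else "vacant"

    def full_load_collection(self) -> Dict[str, str]:
        """Snapshot of every active MU; the only collection after which rebalancing may run."""
        self.load_map = {name: self._classify(mu) for name, mu in self.mus.items()}
        self.full_collection_done = True
        return dict(self.load_map)

    def single_mu_collection(self, mu_name: str) -> None:
        """Refresh one MU after its change tracker reports a load-contributing change."""
        self.load_map[mu_name] = self._classify(self.mus[mu_name])

    def _stap_group_for(self, host: str) -> Optional[str]:
        for group, patterns in self.stap_groups.items():
            if any(fnmatchcase(host, p) for p in patterns):
                return group
        return None

    def candidate_mus(self, stap: STap) -> List[ManagedUnit]:
        mu_group = self.zones.get(self._stap_group_for(stap.host))
        # Assumption: an S-TAP that matches no group may be placed on any MU.
        return [mu for mu in self.mus.values() if mu_group is None or mu.group == mu_group]

    @staticmethod
    def _least_loaded(mus: List[ManagedUnit]) -> ManagedUnit:
        return min(mus, key=lambda mu: (mu.sniffer_queue, mu.stap_count))

    def _attach(self, stap: STap, mu: ManagedUnit) -> None:
        # A changed S-TAP count is exactly what triggers a single-MU collection.
        if stap.assigned_mu is not None:
            old = self.mus[stap.assigned_mu]
            old.stap_count -= 1
            self.single_mu_collection(old.name)
        stap.assigned_mu = mu.name
        mu.stap_count += 1
        self.single_mu_collection(mu.name)

    def allocate(self, stap: STap, exclude: Optional[str] = None) -> str:
        """New allocation, or failover when `exclude` names the MU that became unavailable."""
        candidates = [mu for mu in self.candidate_mus(stap) if mu.name != exclude]
        vacant = [mu for mu in candidates if self.load_map.get(mu.name) == "vacant"]
        target = self._least_loaded(vacant or candidates)
        self._attach(stap, target)
        return target.name

    def rebalance(self, staps: List[STap]) -> List[Tuple[str, str, str]]:
        """Move one S-TAP off each loaded MU to the least-loaded vacant MU in its zone."""
        if not self.full_collection_done:       # slide 29: only after a full load collection
            return []
        moves, relieved = [], set()
        for stap in staps:
            current = stap.assigned_mu
            if self.load_map.get(current) != "loaded" or current in relieved:
                continue
            vacant = [mu for mu in self.candidate_mus(stap)
                      if mu.name != current and self.load_map.get(mu.name) == "vacant"]
            if not vacant:
                continue
            target = self._least_loaded(vacant)
            self._attach(stap, target)
            moves.append((stap.host, current, target.name))
            relieved.add(current)               # simplification: one move per loaded MU per pass
        return moves


def run_demo() -> dict:
    """Constructed site: MU1 is saturated, MU2 and MU3 are idle, two zones."""
    lb = LoadBalancer(
        mus=[ManagedUnit("MU1", "MU_Group1", sniffer_queue=5000, stap_count=3),
             ManagedUnit("MU2", "MU_Group1", sniffer_queue=100),
             ManagedUnit("MU3", "MU_Group2", sniffer_queue=50)],
        stap_groups={"S-TAP Group 1": ["192.168.1.*"], "S-TAP Group 2": ["dbhost-a", "dbhost-b"]},
        zones={"S-TAP Group 1": "MU_Group1", "S-TAP Group 2": "MU_Group2"})
    staps = [STap(f"192.168.1.{i}", assigned_mu="MU1") for i in (1, 2, 3)]
    staps.append(STap("192.168.1.10"))
    results = {"first_allocation": lb.allocate(staps[-1])}          # zone 1 -> least loaded MU2
    results["rebalance_before_full"] = lb.rebalance(staps)            # nothing: no full collection yet
    results["load_map"] = lb.full_load_collection()
    results["moves"] = lb.rebalance(staps)                            # one S-TAP leaves loaded MU1
    results["zone2_allocation"] = lb.allocate(STap("dbhost-b"))       # zone 2 -> MU3
    results["ungrouped_allocation"] = lb.allocate(STap("10.9.9.9"))   # any zone -> least loaded
    results["failover"] = lb.allocate(staps[0], exclude="MU2")        # MU2 lost -> only MU1 left in zone 1
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two things worth noticing when running it are that `rebalance` returns nothing until `full_load_collection` has run, and that the ungrouped S-TAP crosses zones: if that is not wanted in a real deployment, every S-TAP host or IP pattern needs to be in a group, spelled exactly as at install time, since group names are case-sensitive.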

Slide 31

Guardium installation manager (GIM) enhancements

Easier deployment of GIM clients
– From the GIM server, remotely activate GIM clients that were installed in “listener” mode
– Use GIM listener ‘auto discovery’ to find any servers that have GIM clients and activate them (next slide)
– Guardium admins don’t need access to the database server

Improved security using a remote certificate authority
– Install the GIM client with the relevant certificate information or update it using the GIM GUI or API.

Installer enhancement to specify a failover GIM server when installing the GIM client for the first time
– --failover_sqlguardip <ip or hostname>

What is GIM? GIM eases the burden of maintaining modules that reside on the database server such as CAS, S-TAP, and Discovery. GIM consists of the GIM Server (on the Guardium appliance) and the GIM Client, a set of Perl scripts that run on each managed server. GIM checks for updates to installed software, transfers and installs new software, uninstalls software, updates software parameters, and monitors and stops processes running on the database server.

Easier deployment of GIM clients: Before V10, whenever a new database server was configured with the GIM client on it, it was necessary to know the IP address of the Guardium appliance it was connecting to. For organizations that stand up new database servers, this required additional communication between the DBA and the Guardium administrator, slowing down the deployment of the database server with Guardium monitoring. Now, using remote activation, a database server can be installed without specifying a Guardium IP address, which puts the GIM client in “listener” mode. Any GIM client in listener mode can be remotely activated from a collector without requiring additional configuration changes on the database server. You can also auto-discover any servers that have GIM clients in listener mode and then remotely activate any or all of those discovered clients. In sum, this enhancement enables IT organizations to roll out Guardium on all new servers without requiring further interactions with the Guardium team, which can activate Guardium on the database server on its own.

Prior to V10, GIM connections between the database server and the GIM server used Guardium self-signed certificates. With V10, you can now use an external certificate authority to authenticate these connections. It is fully backward compatible with older GIM clients. GIM client bundles are pre-installed with Guardium self-signed certificates. By default, new installations of GIM clients will attempt to establish secure and authenticated connections with the GIM server over port 8446. You can use your own keys and certificates either by installing the GIM client with the relevant certificate information or by updating it using the GIM GUI or API. Updating keys/certificates throughout a large site can be a long process. During that time there might be a mismatch between the GIM server's and a GIM client's certificates/keys. When a GIM client fails to connect to a GIM server (appliance) over port 8446 (secured and authenticated), it switches to the traditional secured port 8444 and writes an event in the GIM Events report.
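The fallback just described is convenient during a certificate rollout, but it also means a client whose certificate does not match silently drops from the authenticated port to the self-signed one. The Python below is an added model of that exchange (example code, not the GIM client or server, and not from the slides): it tries port 8446 first, falls back to 8444 while recording an event, and then answers the question a practitioner wants after a rollout, namely which hosts are still on the legacy port. The TLS handshake is replaced by a stand-in that accepts an authenticated session only when the client presents material from the issuer the server trusts; the host names, issuer labels and event wording are constructed for the example, and the real GIM Events report has its own format.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

AUTHENTICATED_PORT = 8446   # notes above: secured and authenticated (CA-issued certificates)
LEGACY_SECURE_PORT = 8444   # notes above: traditional secured port (Guardium self-signed certs)


@dataclass
class GimClient:
    host: str
    cert_issuer: str          # "corp-ca" once the rollout reached this host, else "guardium-self-signed"


@dataclass
class GimEvent:
    client: str
    port_used: Optional[int]
    message: str


def make_gim_server(trusted_issuer: str) -> Callable[[int, GimClient], bool]:
    """Stand-in for the server side of the TLS handshake (assumption): an authenticated
    8446 session completes only when the client's certificate issuer is the trusted one;
    the legacy 8444 port still accepts any client, as the notes say it must."""
    def accepts(port: int, client: GimClient) -> bool:
        if port == AUTHENTICATED_PORT:
            return client.cert_issuer == trusted_issuer
        return port == LEGACY_SECURE_PORT
    return accepts


def connect_with_fallback(client: GimClient, server_accepts: Callable[[int, GimClient], bool],
                          events: List[GimEvent]) -> Optional[int]:
    """Try 8446 first; on failure fall back to 8444 and record a GIM event, as the notes describe."""
    if server_accepts(AUTHENTICATED_PORT, client):
        return AUTHENTICATED_PORT
    events.append(GimEvent(client.host, LEGACY_SECURE_PORT,
                           f"authenticated connection on port {AUTHENTICATED_PORT} failed; "
                           f"switched to port {LEGACY_SECURE_PORT}"))
    if server_accepts(LEGACY_SECURE_PORT, client):
        return LEGACY_SECURE_PORT
    events.append(GimEvent(client.host, None, "no GIM server connection on either port"))
    return None


def clients_on_legacy_port(events: List[GimEvent]) -> List[str]:
    """The post-rollout check: every host that fell back to the self-signed port."""
    return sorted({e.client for e in events if e.port_used == LEGACY_SECURE_PORT})


def simulate_rollout(clients: List[GimClient], trusted_issuer: str) -> Dict[str, object]:
    server = make_gim_server(trusted_issuer)
    events: List[GimEvent] = []
    ports = {c.host: connect_with_fallback(c, server, events) for c in clients}
    return {"ports": ports, "events": events, "fallen_back": clients_on_legacy_port(events)}


# Constructed fleet mid-rollout: the GIM server already trusts the corporate CA, but only
# some database servers have received the new client certificate.
FLEET = [
    GimClient("db-prod-01", "corp-ca"),
    GimClient("db-prod-02", "guardium-self-signed"),
    GimClient("db-prod-03", "corp-ca"),
    GimClient("db-legacy-09", "guardium-self-signed"),
]

if __name__ == "__main__":
    result = simulate_rollout(FLEET, "corp-ca")
    print(result["ports"])
    print("still on 8444:", result["fallen_back"])
```

Running `simulate_rollout(FLEET, "guardium-self-signed")` shows the mirror-image mismatch (clients updated before the server) produces the same downgrade, so the list of hosts on 8444 should be empty, not merely shrinking, before the rollout is declared finished.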


Slide 32

GIM auto-discovery process results in support of listener

Callouts on the slide: the original scanned IP range/port; the specific IP where the GIM listener is running; the host name where the listener is running; “Check” to activate; auto-populated collector (default: localhost); make the association.

This shows the output of a GIM auto discovery process.

Slide 33

Enhanced instance discovery using S-TAP

Removed dependency on Java and external libraries

Enable on S-TAP installation:
– Noninteractive install flag --use-discovery
– GIM install – set STAP_USE_DISCOVERY to 1

When S-TAP is installed, inspection engines will be configured for discovered instances

After install, invoke the process from S-TAP Control

Can also invoke inspection engine creation via API from the Discovered Instances report

With auto-discovery enabled, Guardium lets you use the power of S-TAP to discover running instances on that server, including the information you need to automatically populate the inspection engine definitions. V10 makes this much easier by not requiring Java or any external libraries to accomplish the task. To enable instance discovery, use the following flags during S-TAP installation: the noninteractive install flag --use-discovery, or for a GIM install, set STAP_USE_DISCOVERY to 1. When installation is completed, S-TAP will be configured with inspection engines for all running databases.

To invoke instance discovery after installation, go to Manage > Activity Monitoring > S-TAP Control and select the Send Command icon as shown in the screenshot below. Notice that you can optionally replace all inspection engines in that S-TAP with the newly discovered configurations. The other option is to review the results in the Discovered Instances report and invoke the create_stap_inspection_engine API for one or more discovered instances.


Slide 34

S-TAP enhancements

S-TAP multithreading for intensive workloads such as warehouses
– Preserves ‘threadedness’ from the point of interception through to the collector
– Configure using participate_in_load_balancing = 4 and specify up to 5 sqlguard sections; this determines the number of main threads
– No failover support in this release.

64-bit UNIX/Linux binaries, which increase the amount of data that can be buffered (approx. 2GB per collector IP)

Recommended performance parameters turned on by default
– ktap_fast_tcp_verdict: Port information loaded into K-TAP on startup
– ktap_fast_shmem_verdict: Used for DB2 shared memory improvements

New platforms
– RHEL 7 x86_64
– SUSE 12 x86_64
– Ubuntu 14 x86_64
– Debian (supported via Ubuntu installer)
– Dropped support for AIX 5.3, SLES 9, Solaris 9

S-TAP multithreading: S-TAP multithreading can be used in certain workloads to prevent overrunning buffers in the S-TAP and associated K-TAP. It works by preserving multiple threads from the point of traffic interception through to the point at which traffic is sent to the appliance. To enable S-TAP multithreading, configure the guard_tap.ini file with participate_in_load_balancing=4 and specify multiple sqlguard sections. The number of sqlguard sections determines the number of main threads, up to a maximum of 5. When used with pooled connections, the total number of threads to handle data can be up to 50 (10 * 5).

Considerations for use: In this configuration, no one Guardium system receives all the data from the S-TAP. The distribution is similar to that used when participate_in_load_balancing is set to 1. However, when a Guardium system becomes unavailable, no failover is provided in this release. Data will be queued until the reconnection occurs or the buffer is full. Important: Although participate_in_load_balancing 1 and 4 are similar, they do not send the same sessions to the same place, so if you are using 1 and switch to 4, your sessions will move machines and you'll lose the access information for those sessions. Also, as when participate_in_load_balancing is set to 1, encrypted and unencrypted A-TAP traffic may not be sent to the same Guardium system. Make sure to use the same policy on all the connected Guardium systems. If the policies are different, there's no guarantee which policy is in effect on a given session.

64-bit session keys reduce the likelihood of collisions causing dropped traffic. This is part of the S-TAP multithreading improvements and the change to 64-bit: multithreading preserves some of the threadedness from the kernel side through to the collector to reduce lock contention and improve the amount of traffic we're able to collect. Multithreading helps primarily when there are large numbers of sessions, but a 32-bit session key has an increased likelihood of colliding with an existing session and causing a loss of interception in this environment; switching to a 64-bit session key reduces the chance of a collision affecting the collected traffic.

ktap_fast_tcp_verdict: This is an existing parameter that is now on by default. When set to 1, the TCP port information is loaded into K-TAP when S-TAP starts up. The result is that K-TAP is no longer dependent on S-TAP to determine which TCP connections should be monitored, which reduces the likelihood of database performance degradation if S-TAP becomes slow. For more information about this parameter, see the IBM Redbook, Deployment Guide for InfoSphere Guardium.

ktap_fast_shmem_verdict: Similar to the behavior already supported for Informix, this is a new parameter that pushes the recommended information for DB2 shared memory configurations to the K-TAP. This means that K-TAP is not dependent on S-TAP to determine which shared memory connections should be monitored. In general, don't turn this off.
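As an added check (example code, not part of the slides and not Guardium’s own tooling), the Python below parses a constructed guard_tap.ini fragment and reports what the multithreading settings described above imply: how many main threads the sqlguard sections give, the pooled-connection thread ceiling, the missing failover, the need for identical policies on every listed collector, and whether either recommended K-TAP verdict parameter has been switched off. The section layout ([TAP] plus one [SQLGuard_n] section per collector carrying a sqlguard_ip key) follows a typical installed file but is an assumption here; confirm the key names against your own guard_tap.ini before relying on the check.

```python
import configparser
import re

# Constructed guard_tap.ini fragment (assumption: [TAP] plus one [SQLGuard_n] section per
# collector, as in a typical installation; confirm key names against your installed file).
SAMPLE_INI = """\
[TAP]
tap_ip=192.168.1.10
participate_in_load_balancing=4
ktap_fast_tcp_verdict=1
ktap_fast_shmem_verdict=0

[SQLGuard_0]
sqlguard_ip=10.10.9.1
primary=1

[SQLGuard_1]
sqlguard_ip=10.10.9.2
primary=0

[SQLGuard_2]
sqlguard_ip=10.10.9.3
primary=0
"""

MAX_MAIN_THREADS = 5           # slide 34: at most 5 sqlguard sections become main threads
POOLED_THREADS_PER_MAIN = 10   # slide 34: up to 50 (10 * 5) threads with pooled connections
RECOMMENDED_ON = ("ktap_fast_tcp_verdict", "ktap_fast_shmem_verdict")
SQLGUARD_SECTION = re.compile(r"^sqlguard_\d+$", re.IGNORECASE)


def analyse_guard_tap(ini_text: str) -> dict:
    """Summarise the multithreading and K-TAP verdict settings of a guard_tap.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    tap = cp["TAP"]
    collectors = [cp[s]["sqlguard_ip"] for s in cp.sections() if SQLGUARD_SECTION.match(s)]
    mode = tap.getint("participate_in_load_balancing", fallback=0)
    warnings = []

    if mode == 4:
        main_threads = min(len(collectors), MAX_MAIN_THREADS)
        if len(collectors) > MAX_MAIN_THREADS:
            warnings.append(f"{len(collectors)} sqlguard sections listed; only "
                            f"{MAX_MAIN_THREADS} become main threads")
        if len(collectors) < 2:
            warnings.append("participate_in_load_balancing=4 with one collector gives one main thread")
        warnings.append("mode 4: no failover in this release; data queues until the collector "
                        "returns or the buffer fills")
        warnings.append("mode 4: sessions are spread across collectors; install the same policy on "
                        + ", ".join(collectors))
        max_data_threads = main_threads * POOLED_THREADS_PER_MAIN
    else:
        main_threads, max_data_threads = 1, None   # assumption: other modes use one main thread

    for key in RECOMMENDED_ON:
        if tap.get(key, "1").strip() == "0":   # absent means the V10 default (on)
            warnings.append(f"{key}=0 turns off a recommended default; K-TAP will depend on "
                            "S-TAP for that verdict")

    return {"mode": mode, "collectors": collectors, "main_threads": main_threads,
            "max_data_threads": max_data_threads, "warnings": warnings}


if __name__ == "__main__":
    for key, value in analyse_guard_tap(SAMPLE_INI).items():
        print(f"{key}: {value}")
```

On the sample file the check reports three main threads, a ceiling of 30 data threads with pooled connections, and flags ktap_fast_shmem_verdict=0 together with the two standing caveats for mode 4.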

Slide 35

Guardium supports complex IT environments … examples of supported databases, Big Data environments, file shares, etc.

Examples shown on the slide: Applications (CICS, WebSphere, Siebel, PeopleSoft, E-Business); Databases (DB2, Informix, IMS); Data Warehouses (Netezza, PureData for Analytics, DB2 BLU); Database Tools; Enterprise Content Managers; Big Data Environments; Files (VSAM, z/OS Datasets, FTP); Cloud Environments; Windows, Linux, Unix.

In V10, Guardium has expanded its DAM capabilities to keep current with new releases. In addition, there are sometimes significant enhancements in our support, such as improved support for Teradata encryption and improved capabilities for parsing and logging Hadoop activity. Please read the release notes or the what’s new article for more details. And of course, the biggest enhancement was adding support for files beyond what we already had on z/OS. This is a whole new offering, and our next tech talk will cover it in much more detail.


Slide 36


Protect

Now we’ll look at the capabilities that fall under the category of data protection and which are available with advanced versions of DAM.

Slide 37

Protect (Advanced)

Fine-grained access control

Blocking and redaction for Hadoop queries from Hive and Impala (backup)

The biggest enhancement in this space is called fine-grained access control, which is a dynamic, policy-based method to change queries on the way to the database. You may hear this called ‘query rewrite’, since that is what we call the tooling inside Guardium. We’ve also added blocking and redaction for Hive and Impala queries in Hadoop. We already support both for Big SQL, so now they are included also for Hive queries and for Impala, Cloudera’s SQL query engine. That is covered in the backup.

Slide 38

Fine-grained access control: Protect sensitive data without impacting your business

Row-Level Masking (only dept #20)

Column-Level Masking (only dept#)

Use cases:

• Outsource production DB access

• Protect PII from privileged users

• Testing on production data

• Honey pot

Supported databases: DB2 (LUW), Oracle, SQL Server

With Guardium’s implementation of fine-grained access control, administrators have the ability to protect sensitive data without making database changes. Basically, it provides the ability to modify the SQL statement that gets sent to the database, based on the current runtime user and the other policy conditions you specify, such as client IP, database object, time of day, etc.


For a classic dynamic data masking scenario, you can mask which columns are returned, so you can make sure that salary and commission data are not returned to unauthorized users. Or you can hide the rows that are returned by adding a WHERE clause, for example. In this case you could evaluate the dbuser and ensure that the managers of the relevant departments see only data from their departments. In both cases shown here, you can see that the statement entered by the user is the same. All the magic happens behind the scenes. This is extremely powerful. You can even use this capability to RESTRICT activity. For example, to prevent deletions from a database, you could always change a delete statement to be a noop.

Use cases could be:

• Need to open up production DB, perhaps to an outsourced DBA, without affecting DB access controls or compromising private information

• Need to enforce access to PII to comply with PCI, HIPAA. Keep track of who requested masked data

• Need to transform data (anonymization) without affecting application logic, but protecting original data privacy

• Provide fictitious data to possible attackers to allow time for investigation

Slide 39

Fine-grained access control architecture

Figure: user DB2INST issues `Select * from Employee`. Guardium checks the policy (When DBuser=DB2INST and Object=Employee, apply query rewrite definition); the rewritten SQL `Select EMPNO, FRSTNAME, LASTNAME From EMPLOYEE` is what reaches the database, and the results of the rewritten SQL go back to the user.

1. User issues SQL.

2. S-TAP holds SQL and checks policy rules for conditions.

3. If conditions are met, Guardium rewrites query and sends to S-TAP.

4. S-TAP releases rewritten query to database server.

5. Results are sent back to user.

S-TAP

qrw_installed=1

qrw_default_state=0

qrw_force_watch=NULL

qrw_force_unwatch=NULL

Firewall_timeout=10

Rule actions: query rewrite attach, query rewrite apply definition, query rewrite detach

FGAC and firewall cannot be used on same session.

Here’s the runtime architecture for the solution. For those of you familiar with S-GATE terminate, it’s much the same. You need to set up the S-TAP ahead of time to enable query rewrite. The flow is: the user enters a SQL statement for one of the supported databases. We can assume in this case that this particular user session has had a query rewrite “watch” put on it.

When this user enters a SQL statement in a watched session, the S-TAP holds the statement and checks it against the policy rules.

If the conditions are met (maybe in this case the object is EMPLOYEE and the user is DB2INST), Guardium rewrites the query and sends it back to the S-TAP. It rewrites the query based on query rewrite definitions that the administrator has already defined; the query rewrite policy rule points to that definition.

The S-TAP releases it to the database server.

The results from the rewritten query are sent back to the user.

Output: a modified SQL statement based on the user-specified QRW definitions. The user gets the query results produced by the modified SQL. New rule actions in v10: Query Rewrite Attach, Query Rewrite Detach, Query Rewrite: Apply Definition. Triggered by installed access policy rules.

Page 21: Slide 1 Slide 2 Slide 3

Slide 40

Workflow through runtime

Figure: Joe queries the Customer table; the rewritten query does not return rows of Government customers.

1. Create query rewrite definition…

2. Create security policy… When database type = Oracle and User = Joe and Object = Customer….then

3. Rewritten query

This just shows the overall workflow and an example of the UI in which you create the query rewrite definitions. The UI provides an interface in which you can enter a model query and modify it by adding a WHERE clause, adding a UDF, or basically changing it any way you like. In this case, any select on Customer is rewritten to add a WHERE clause that does not return customers of type government (hiding rows). That query rewrite definition is applied, by name, in the query rewrite apply definition policy action. So the query rewrite rule is applied on Customer queries only when the specific conditions are met: only when Joe is the user and the database type is Oracle.
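The rewrite flow of slides 38 to 40, as an added Python example that is not Guardium's code: rule conditions (database type, DB user, client IP, object, command) are matched against the session, the matching query rewrite definitions (restrict columns, add a WHERE clause, turn a DELETE into a no-op) are applied, and the rewritten SQL is run against a constructed EMPLOYEE table so the user's statement stays the same while the results change. Table contents, user names and the policy are constructed, and SQLite stands in for the supported databases.

```python
import re
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# Constructed rows for the EMPLOYEE table shown on the slides (not real data).
EMPLOYEES = [
    (10, "ALICE", "SMITH", 20, 90000),
    (20, "BOB", "JONES", 20, 85000),
    (30, "CAROL", "WHITE", 30, 99000),
]

Rewrite = Callable[[str], str]
SELECT_LIST_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+", re.IGNORECASE | re.DOTALL)
OBJECT_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b(.*)$", re.IGNORECASE | re.DOTALL)


# --- Query rewrite definitions, as the Query Rewrite Builder would produce them ---
def restrict_columns(allowed: List[str]) -> Rewrite:
    """Column-level masking: whatever select list the user typed, only `allowed` reaches the DB."""
    def rewrite(sql: str) -> str:
        return SELECT_LIST_RE.sub("SELECT " + ", ".join(allowed) + " FROM ", sql, count=1)
    return rewrite


def add_where(predicate: str) -> Rewrite:
    """Row-level masking: AND the predicate into an existing WHERE, or add a WHERE clause."""
    def rewrite(sql: str) -> str:
        body = sql.strip().rstrip(";")
        m = WHERE_RE.search(body)
        if m:  # parenthesise the user's condition so an OR in it cannot bypass the predicate
            return body[:m.start()] + "WHERE (" + m.group(1).strip() + ") AND (" + predicate + ")"
        return body + " WHERE (" + predicate + ")"
    return rewrite


def to_noop(sql: str) -> str:
    """Restrict activity: the statement is replaced by a query that touches no rows."""
    return "SELECT 'suppressed by policy' WHERE 1 = 0"


class Rule:
    """One access-policy rule: every condition that is set must match the session facts."""
    def __init__(self, name: str, definition: Rewrite, db_type: Optional[str] = None,
                 db_user: Optional[str] = None, client_ip: Optional[str] = None,
                 obj: Optional[str] = None, command: Optional[str] = None):
        self.name, self.definition = name, definition
        self.conditions = {"db_type": db_type, "db_user": db_user, "client_ip": client_ip,
                           "obj": obj, "command": command}

    def matches(self, facts: Dict[str, Optional[str]]) -> bool:
        return all(want is None or facts.get(key) == want for key, want in self.conditions.items())


class QueryRewriteEngine:
    """Stands in for the collector: evaluates the rules and returns the SQL the DB will see."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.report: List[Dict[str, str]] = []  # the "query rewrite report": input and output SQL

    def rewrite(self, session: Dict[str, str], sql: str) -> str:
        facts: Dict[str, Optional[str]] = dict(session)
        obj = OBJECT_RE.search(sql)
        facts["obj"] = obj.group(1).upper() if obj else None
        facts["command"] = sql.strip().split()[0].upper()
        out, applied = sql, []
        for rule in self.rules:  # simplification: every matching definition is applied in order
            if rule.matches(facts):
                out, applied = rule.definition(out), applied + [rule.name]
        self.report.append({"db_user": session["db_user"], "input": sql, "output": out,
                            "rules": "; ".join(applied)})
        return out


def run_session(engine: QueryRewriteEngine, session: Dict[str, str],
                sql: str) -> Tuple[str, list, int]:
    """Steps 1-5 of the slide: user SQL -> held by S-TAP -> policy check -> rewritten SQL -> DB.
    Returns (SQL actually executed, rows returned to the user, rows still in EMPLOYEE)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (EMPNO INTEGER, FIRSTNAME TEXT, LASTNAME TEXT, "
                 "DEPT INTEGER, SALARY INTEGER)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    executed = engine.rewrite(session, sql)
    rows = conn.execute(executed).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM EMPLOYEE").fetchone()[0]
    conn.close()
    return executed, rows, remaining


# Hypothetical policy; user names, IPs and conditions are constructed for this example.
POLICY = QueryRewriteEngine([
    Rule("hide pay from outsourced DBA", restrict_columns(["EMPNO", "FIRSTNAME", "LASTNAME"]),
         db_type="DB2", db_user="CONTRACTOR", obj="EMPLOYEE"),
    Rule("dept 20 manager sees dept 20 only", add_where("DEPT = 20"),
         db_type="DB2", db_user="MGR20", obj="EMPLOYEE"),
    Rule("no deletes from EMPLOYEE", to_noop, obj="EMPLOYEE", command="DELETE"),
])

if __name__ == "__main__":
    for user in ("CONTRACTOR", "MGR20", "DBADMIN"):
        session = {"db_type": "DB2", "db_user": user, "client_ip": "10.0.0.5"}
        print(user, run_session(POLICY, session, "SELECT * FROM EMPLOYEE"))
    session = {"db_type": "DB2", "db_user": "DBADMIN", "client_ip": "10.0.0.5"}
    print(run_session(POLICY, session, "DELETE FROM EMPLOYEE WHERE EMPNO = 10"))
    for entry in POLICY.report:
        print(entry)
```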

Page 22: Slide 1 Slide 2 Slide 3

Slide 41

Use case: Production database for testing

Exposing a database to a production environment for testing purposes without exposing private data

Before – Displaying all values in the database

After – Guardium uses fine grained access control to change columns / mask data

Query rewrite report shows actual runtime queries.

You can see here that Guardium records both the input and the output SQL when a query rewrite definition has been applied at runtime. In this example, we want to mask data for testing purposes, so you can call a UDF to change the results.

Slide 42

Use case: Multi-tenancy scenario

Enhance access controls in which multiple users and applications share a single database.

• Display data based on run time parameters (eg USER)

• Enhance existing access controls

Rows and columns returned for non-government customers

User TSHIRAI cannot see name or birth date

User ADMIN cannot see name

This slide shows enforcing security in multi-tenancy scenarios where multiple users and applications share a single database, but where not all users and applications should have access to all data. In this case, we’ve restricted the rows that are returned to show only non-government customers for all users. Also, in this case user TSHIRAI is not allowed to see complete values for name or birth date, but ADMIN is restricted only from name.

Slide 43

Benefits of fine-grained access control

IBM Confidential

Dynamic data masking at database layer

May reduce dependence on test data systems

Support multi-tenancy environments

Does not require the involvement of the DBA

Centralized policy for supported database types (MS SQL, Oracle, and DB2)

So, Guardium has had dynamic data masking that allowed you to apply regular expressions to result sets. The capability provided by query rewrite is much more powerful and flexible. We’ve demonstrated a few possible use cases. If you have SQL skills, you do not necessarily need to involve the DBA in this. And you can use the centralized policy management capabilities provided by Guardium across all supported platforms.

Page 23: Slide 1 Slide 2 Slide 3

Slide 44

Upgrade/migration roadmap

We don’t have much time to spend on this and we’ll have a separate tech talk on this subject. But I wanted to make sure we give you a brief overview of the new appliance specs, and please do stick around for the survey question.

Slide 45

Appliance technical specs

Underlying appliance OS upgraded to RHEL v6.5 64-bit version (v9.5 RHEL 5.11)

MySQL DB version upgraded to v5.6.24

RAM – Minimum 24GB

CPU/vCPU – Minimum 4 cores

HD – Minimum 300 GB

– Upgraded system: hard drive range 300 GB to < 2 TB

– Newly built system: 300 GB to > 2 TB (MUCH GREATER)

Original v9.5 OS: RHEL 5.11. Original v9.5 MySQL: upgraded to v5.6.24. We’re enforcing the 24GB minimums. Hard drive support is vastly extended for those of you who do new installations on V10. GPT (GUID Partition Tables) allocates 64 bits for logical block addresses, therefore allowing a maximum disk size of 2^64 logical blocks = 9.4 Zettabytes.

Slide 46

Upgrade limitations

Upgrade procedure limitations

– V10 upgrade patch available only for 64-bit version appliances at GPU level v9.0p200 or higher

– Upgrade procedure is not available for customers with customized partitions

– Upgrade procedure does not support resizing or realignment of the partitions.

Restore from system backup stored in previous version

– V10 supports restoring a system backup file from any v9.x version.

Upgrade is a major procedure in V10 because of the new operating system and other reasons. Thus, there are some restrictions listed here.

Page 24: Slide 1 Slide 2 Slide 3

Slide 47

Upgrade roadmap

Transition path to V10 appliance:

Source appliance               Rebuild/Restore backup   Upgrade
64-bit v9.0p200 or later       yes                      yes
32-bit v9.0p200 or later       yes                      no
v9.0 - v9.0p100                yes                      no
v8.2 or earlier                no                       no

See the V10 Knowledge Center upgrade topic for more details.

For a limited time: Customers on 64-bit 9.5 environments may be eligible for a controlled upgrade program for a limited number of appliances. Send a note to Carrie Rogers ([email protected]) to see if you are eligible.

This is a high level roadmap. Basically it says what I said before in terms of when you HAVE to use rebuild/restore from backup vs. an upgrade path. For those of you who are already on a 64-bit 9.5 environment, you may wish to get some added assistance from the lab to try the upgrade out on a limited number of appliances.

Slide 48

Important survey question: If you are currently running 32-bit Guardium, would you be interested in having IBM services contact you about a migration to Version 10?

1. Yes

2. No

3. N/A (We have 64-bit Guardium)

4. N/A (I am an IBMer or BP)

Slide 49

Guardium supports the whole data protection journey

Figure (stages of the journey, from immediate need to comprehensive protection):

Acute compliance need – Database monitoring focused on changed data, automated reporting

Sensitive data discovery – Perform vulnerability assessment, discovery and classification

Address data privacy – Find and address PII, determine who is reading data, leverage masking

Expand platform coverage – Big data platforms, file systems or other platforms also require monitoring, blocking, reporting

Comprehensive data protection – Dynamic blocking, alerting, quarantine, encryption and integration with security intelligence

Today we’ve talked about one slice of the Guardium data protection suite and even with that we could have talked for hours. Guardium includes so much more to support your data protection roadmap, no matter where you are starting from, such as those who have an immediate compliance need through to those who grow to comprehensive data protection that includes full use of our analytics capabilities and integration with IBM Security intelligence capabilities.

Page 25: Slide 1 Slide 2 Slide 3

Slide 50

Resources

V10 Overview webcast (includes activity monitoring for files)

Overview Solution Brief

DAM solution brief

Announcement letter

Detailed Release notes

System requirements

DeveloperWorks article – coming soon!

UI demo on YouTube (more coming)

High level Upgrade Roadmap

Activity Monitoring for Files resources:

Activity Monitoring for Files Demo on YouTube

Supported files for FAM

Slide 51

Information, training, and community cheat sheet

Guardium Tech Talks – at least one per month. Suggestions welcome!

Guardium YouTube Channel – includes overviews, technical demos, tech talk replays

developerWorks forum (very active)

Guardium DAM User Group on LinkedIn (very active)

Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)

Guardium on IBM Knowledge Center (was Info Center)

Deployment Guide for InfoSphere Guardium Red Book

Technical training courses (classroom and self-paced)

IBM Security Guardium Virtual User Group. Open, technical discussions with other users. Not recorded! Send a note to [email protected] if interested.

There are currently two Guardium certification tests. If you are looking into taking an IBM professional product certification exam, you may look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml). Upon completion of the 000-463 certification, you will become an IBM Certified Guardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml).

The certification requires deep knowledge of the IBM InfoSphere Guardium product. It is recommended that the individual have experience implementing the product before taking the exam. You can view the detailed topics here: http://www-03.ibm.com/certify/tests/obj463.shtml

Details of each topic are covered in the product manuals. You will also find the Guardium Information Center a useful resource when you prepare for the exam: http://www-01.ibm.com/support/knowledgecenter/SSMPHH/SSMPHH_welcome.html

Page 26: Slide 1 Slide 2 Slide 3

Slide 52

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU www.ibm.com/security

Mandatory closing slide with copyright and legal disclaimers

Slide 53

Classifier enhancements

Classifier has seen an upsurge of interest from the user community

Improvements in user experience, performance, and management of false positives

Easy to set up exclusion groups

One match per column: Classifier will record the first hit for any given column and ignore it thereafter for subsequent rules.

In addition to the incorporation of classification into an overall workflow as described above, the following enhancements are also included: better control of false positives by using “excluded groups” for schema, table, and table/column. Previously, it could be a complex process to set up Guardium to ignore false positive results in future classification scans. Now, when you review classifier results, you can easily add false positive results to an exclusion group as shown below, and add that group to the classification policy to ensure those results are ignored in future scans.

Slide 54

Database platform support highlights

Database – Enhancement

DB2 LUW: UID chain captured through DB2_Exit

DB2 for i: TLS encryption to collector and S-TAP-based load balancing

z/OS platforms: Multi-stream load balancing. Quarantine for DB2 users. (many more to be covered in a separate talk)

Hadoop: Improved collection/parsing (targeted inspection engines). Blocking and redaction for Hive and Impala. (will be covered in detail in a separate talk)

Informix: New exit (ifxguard) for Informix shared memory processing (replaces A-TAP). Supports firewall (blocking) and UID chaining. Informix 12.10xC5W1 and later.

Oracle: Added SSL for 12c. Added ASO for Windows 12c

Sybase: Added support for 16

Sybase IQ: Added shared memory support via A-TAP

Teradata: Added support for 15.10 including A-TAP for encrypted user names and traffic

NOT a complete list.

Current Informix interception via standard IEs on UNIX and A-TAP on Linux has a number of limitations (a limit of 50 or fewer shared memory connections per poll thread, occasional blank DB_USER and SOURCE_PROGRAM). The new exit relieves those. K-TAP and A-TAP interception have been improved to significantly reduce the blank DB_USER and SOURCE_PROGRAM issues and other traffic loss issues:

– Improved Informix A-TAP applicable only to Informix 11.50+

– Informix EXIT library developed in conjunction with the Informix team for the most reliable interception; similar to the DB2 exit; supports firewall and UID chain; applicable to Informix 12.10xC5W1 and above

Sybase ASE A-TAP supports IPs and ports:

– Previously, IP and ports would not be populated in the decrypted session. ANALYZE_CLIENT_IP, unlike Oracle, would not get populated by the collector.

– When ports are configured during A-TAP configuration, real IPs and ports will be captured along with the decrypted traffic and sent to the collector for population in the tables.

– Classic Sybase ASE A-TAP without IPs and ports is still usable by not specifying the ports during configuration.

Oracle 12 SSL A-TAP (not just Linux):

– Version 9 supports Oracle 12 with A-TAP for ASO but not SSL.

– SSL requires instrumentation on all platforms (unlike previous Oracle versions, which only required instrumentation on AIX).

Slide 55

MongoDB as audit repository

For use cases such as:

– Post processing audit data

– Longer online retention requirements

Audit data is written simultaneously to the Guardium repo and to JSON files on the collector

Use grdapi to send JSON data to a MongoDB database

Some organizations would like to write audit data outside of the Guardium collector for reasons such as:

– To “post-process” the audit information for fraud and other analytic analysis

– To store information in another data store that can scale larger than our current collector capacity, for longer on-line retention requirements.

In Version 10, it’s possible to concurrently write audit data to both the collector database and JSON-formatted files that can be transferred to a MongoDB document database. Important: Unlike the Guardium collector, the MongoDB database is not a hardened repository. Access to the audit data should be carefully restricted and monitored using Guardium.

How it works: when properly configured, the parsed audit data is sent simultaneously to the Guardium collector repository and written in JSON format to a file in the following directory: /var/IBM/Guardium/data/auditlog. When a file is ready to be loaded into MongoDB, it is marked with the suffix .ready. Use the Guardium API command grdapi mongodb_load to send all ready files to MongoDB.
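To make the file hand-off concrete, here is an added Python example (not IBM's code and not the grdapi mongodb_load implementation): a writer that marks a file .ready only once it is complete, and a loader that takes only .ready files, checks each record, hands the batch to a pluggable sink (in production a pymongo insert), and renames the file so it is never loaded twice. The record field names and the temporary directory standing in for the auditlog directory are assumptions.

```python
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Assumed record shape; the real JSON field names are not given on the slide.
REQUIRED_FIELDS = ("timestamp", "db_user", "client_ip", "sql")

# Constructed audit records, one of them incomplete so the loader's check is exercised.
SAMPLE_RECORDS = [
    {"timestamp": "2015-09-17T10:00:00Z", "db_user": "DB2INST", "client_ip": "10.0.0.5",
     "sql": "SELECT * FROM EMPLOYEE"},
    {"timestamp": "2015-09-17T10:00:01Z", "db_user": "CONTRACTOR", "client_ip": "10.0.0.9",
     "sql": "SELECT SALARY FROM EMPLOYEE"},
    {"timestamp": "2015-09-17T10:00:02Z", "db_user": "MGR20"},   # missing client_ip and sql
]

Sink = Callable[[List[Dict]], None]   # in production: pymongo Collection.insert_many


def write_audit_file(directory: str, records: List[Dict], name: str) -> Path:
    """Mimic the collector side: write JSON lines, then mark the file .ready only when it is
    complete, so a loader never picks up a half-written file."""
    partial = Path(directory) / f"{name}.json"
    with partial.open("w") as fh:
        for record in records:
            fh.write(json.dumps(record) + "\n")
    ready = partial.with_name(partial.name + ".ready")
    partial.rename(ready)            # atomic on the same file system
    return ready


def load_ready_files(directory: str, sink: Sink) -> Dict[str, Dict[str, int]]:
    """Stand-in for `grdapi mongodb_load`: send every .ready file to the sink, then rename it
    so a second run does not load it twice. Returns per-file loaded/rejected counts, because
    silently dropped audit records are themselves a finding worth alerting on."""
    summary: Dict[str, Dict[str, int]] = {}
    for path in sorted(Path(directory).glob("*.ready")):
        docs: List[Dict] = []
        rejected = 0
        with path.open() as fh:
            for line in fh:
                try:
                    doc = json.loads(line)
                except json.JSONDecodeError:
                    rejected += 1            # a corrupt line must not abort the whole file
                    continue
                if all(field in doc for field in REQUIRED_FIELDS):
                    docs.append(doc)
                else:
                    rejected += 1
        sink(docs)
        path.rename(path.with_name(path.name[:-len(".ready")] + ".loaded"))
        summary[path.name] = {"loaded": len(docs), "rejected": rejected}
    return summary


def demo() -> Dict[str, object]:
    """End-to-end run in a temporary directory standing in for /var/IBM/Guardium/data/auditlog."""
    received: List[Dict] = []
    with tempfile.TemporaryDirectory() as auditlog:
        write_audit_file(auditlog, SAMPLE_RECORDS, "audit-0001")
        # a file still being written has no .ready suffix and must be left alone
        (Path(auditlog) / "audit-0002.json").write_text('{"sql": "still being written"}\n')
        first = load_ready_files(auditlog, received.extend)
        second = load_ready_files(auditlog, received.extend)   # nothing new to load
        names = sorted(p.name for p in Path(auditlog).iterdir())
    return {"first": first, "second": second, "received": received, "files": names}


if __name__ == "__main__":
    print(demo())
```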


Slide 56

Job scheduling dependency management

Helps ensure accurate data before running a job (eg groups populated from classifier)

Applies to all ‘schedulable’ jobs (audit processes, policy installations, group population from query…)

Scheduler will automatically find all the subordinate jobs and run them in order

– For example, group population for groups in the policy should run first

There is a retry sequence in case of a failure (default is 3 tries)

APIs to list job dependency tree, scheduled jobs, job dependencies….

Job Dependency Scheduler: The Guardium collector has many tasks, such as policy installation, audit processes, group updates, etc., that are scheduled to run periodically. The job dependencies feature finds all jobs that have a direct relationship with, and impact on, the success of the task you are trying to schedule. Unless you find the jobs that are defined as prerequisites for the job you are trying to schedule, there is a chance the task will rely on inaccurate data, which might lead to false or inaccurate results.

Feature highlights: The user marks a scheduled job to find and run dependencies at run time. When the scheduler runs the job, it automatically finds all the subordinate jobs and runs them in order. There is a retry sequence in case of a failure.

Find dependencies: Identify scenarios that require dependencies. Identify runnable vs. non-runnable jobs. Calculate pre-defined job dependencies.
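The dependency resolution and retry behaviour described above, as an added Python example (not Guardium's scheduler; the job names, the dependency chain and the handling of non-runnable jobs are assumptions): subordinate jobs are ordered so prerequisites run first, each job gets three tries, and a job whose prerequisite failed is skipped instead of running on inaccurate data.

```python
from typing import Callable, Dict, List, Sequence


class Job:
    """A schedulable task (policy installation, audit process, group population, ...)
    together with the jobs whose output it depends on. Names here are constructed."""
    def __init__(self, name: str, action: Callable[[], bool],
                 depends_on: Sequence[str] = (), runnable: bool = True):
        self.name, self.action = name, action
        self.depends_on, self.runnable = list(depends_on), runnable


class JobScheduler:
    def __init__(self, jobs: List[Job], max_tries: int = 3):  # 3 tries, as on the slide
        self.jobs = {job.name: job for job in jobs}
        self.max_tries = max_tries
        self.log: List[str] = []

    def dependency_tree(self, name: str) -> List[str]:
        """The job's subordinate jobs in execution order (prerequisites first, the job last).
        A dependency cycle or an unknown job name is a configuration error."""
        order: List[str] = []
        visiting: set = set()

        def visit(job_name: str) -> None:
            if job_name in order:
                return
            if job_name in visiting:
                raise ValueError(f"dependency cycle at {job_name}")
            if job_name not in self.jobs:
                raise KeyError(f"unknown job {job_name}")
            visiting.add(job_name)
            for dep in self.jobs[job_name].depends_on:
                visit(dep)
            visiting.discard(job_name)
            order.append(job_name)

        visit(name)
        return order

    def _run_with_retry(self, job: Job) -> str:
        for attempt in range(1, self.max_tries + 1):
            if job.action():
                self.log.append(f"{job.name}: ok (attempt {attempt})")
                return "ok"
            self.log.append(f"{job.name}: failed (attempt {attempt})")
        return "failed"

    def run(self, name: str) -> Dict[str, str]:
        """Run the whole tree in order. A job whose prerequisite did not complete is skipped
        rather than run on stale data. Assumption: a non-runnable job (e.g. manual-only) is
        reported but does not block its dependents."""
        status: Dict[str, str] = {}
        for job_name in self.dependency_tree(name):
            job = self.jobs[job_name]
            blocked = [d for d in job.depends_on if status[d] not in ("ok", "not runnable")]
            if blocked:
                status[job_name] = "skipped: prerequisite " + ", ".join(blocked) + " did not complete"
            elif not job.runnable:
                status[job_name] = "not runnable"
            else:
                status[job_name] = self._run_with_retry(job)
        return status


def flaky(failures: int) -> Callable[[], bool]:
    """Constructed action that fails `failures` times and then succeeds, to exercise the retry."""
    calls = {"n": 0}

    def action() -> bool:
        calls["n"] += 1
        return calls["n"] > failures
    return action


def build_demo_scheduler() -> JobScheduler:
    """Constructed chain: an audit process that needs an installed policy, which needs a group
    populated from the classifier's findings (the slide's own example of a prerequisite)."""
    return JobScheduler([
        Job("classifier scan", flaky(2)),
        Job("populate sensitive-objects group", lambda: True, depends_on=["classifier scan"]),
        Job("load client-IP group (manual)", lambda: True, runnable=False),
        Job("install access policy", lambda: True,
            depends_on=["populate sensitive-objects group", "load client-IP group (manual)"]),
        Job("daily audit process", lambda: True, depends_on=["install access policy"]),
    ])


if __name__ == "__main__":
    scheduler = build_demo_scheduler()
    print(scheduler.dependency_tree("daily audit process"))
    print(scheduler.run("daily audit process"))
    print("\n".join(scheduler.log))
```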


Slide 57

SoftLayer as a backup store

Figure: two Guardium Systems perform Backup and Archive to, and Restore from, IBM SoftLayer Object Storage (an Object Storage Account holding Container Clusters and Containers).

Long term storage is a critical consideration for satisfying audit requirements that may require storage of audit data for up to 7 years. The ability to archive and back up to the cloud gives you another option for storage off premises. In addition, backing up the configuration of Guardium appliances to the cloud is useful for maintaining a disaster recovery environment, so that if a local data center has a failure, you can restore the configuration of the appliance from the image that is stored in the cloud. Guardium now supports SoftLayer Object Storage as a repository for both audit data and configurations, whether your Guardium system is in a local data center or in the cloud. SoftLayer object storage provides self-healing storage for massive amounts of data. There are object storage centers around the world, so you can avoid issues of moving sensitive data across country boundaries.

Slide 58

Supportability enhancements

Banner notifications

– Low system memory (RAM)

– Quick Search memory + CPU cores minimum requirement

– Certificate expiration (mysql, GUI, GIM, etc.)

– Central Management failure

– SSLv3 enabled

– No License

Improved user-friendly license acceptance process through UI

Centralized supportability and troubleshooting tools in Manage>Maintenance

See tech talk “Best kept secrets of Guardium supportability” for other items you may not be aware of. Contact Kathy Zeidenstein for replay links and slides.

Screenshots: Banner notification; License acceptance status; Troubleshooting tools

Update notifications are filtered based on relevancy to the specific customer’s appliance:

– Filtering based on the Guardium appliance major version (only v10 or later)

– Filtering based on the GPU level of the appliance: ad hoc patches dependent on the same GPU level; universal sniffer updates (no dependency); security updates (no dependency); more recent GPU patches


Slide 59

Hadoop blocking (Hive/Impala) (S-GATE TERMINATE)

1. Policy: Block privileged user access to customer data through Hive

2. Privileged user attempts to read customer data and is blocked

3. Access attempt is reported as a policy violation

Important: Because of the way Hive and Impala traffic is processed in Hadoop, you must do the following in the blocking policy rules:

• Specify the DBTYPE in the blocking (S-GATE ATTACH and S-GATE TERMINATE) policy rules; that is, either Impala or Hive.

• Ensure that ATTACH happens on a combination of user and object/command.

Slide 60

Hadoop Redaction (Hive / Impala)

Masked Hive data in Hue/Beeswax

Important: Specify Hive or Impala in DBTYPE for Redact rules

Masked Hive data command line

Redaction is configured by using extrusion rules in Guardium policies. Again, be sure to specify Hive or Impala in the DBTYPE for these rules. Here is an example of a Hive query in which social security and credit card numbers have been redacted.

Slide 61

Query rewrite workflow

1. Query Rewrite Builder: Create query definitions based on what you want to control

• Restrict columns

• Restrict rows

• Limit what users can do

• Restrict what user can access

• Completely replace part or all of a query

2. Policy Builder: Determine the conditions in which to rewrite the query

• specific users, client IPs, objects, commands?

3. Query Rewrite Builder: Test the query rewrite definitions with real test queries. (Note, you will likely need to use policies to fine tune the behavior)

4. Query rewrite report: Validate runtime effect in a QA environment


Slide 62

Legal notices and disclaimers

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Mandatory legal notices and disclaimers slide for external presentations

