Don't Risk It! Data Security and Risk Governance

DESCRIPTION
IBM's Chris Mallon explores DataSec best practices for the public and private sectors. Presented at the Smarter Enterprise Summit in Ottawa, October 9, 2014.

TRANSCRIPT
26 #SmarterEnterprise
Ottawa, October 9, 2014
Big Data Security: Don't Risk It: Gain Trustworthy Insights with Enterprise Risk Governance
Chris Mallon, Software Business Executive, IBM Canada Middleware Group
A new security reality is here
• 61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
• $3.5M average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
• 70% of security executives have cloud and mobile security concerns (2013 IBM CISO Survey)
• 614% mobile malware growth in just one year (2012–2013 Juniper Mobile Threat Report)
• 85 security tools from 45 vendors (IBM client example)
• 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)
We are in an era of continuous breaches: near daily leaks of sensitive data
• 40% increase in reported data breaches and incidents
• Relentless use of multiple methods
• 500,000,000+ records were leaked, while the future shows no sign of change
[Chart: incidents from 2011 to 2013 by attack type. Note: size of circle estimates relative impact of incident in terms of cost to business. Attack types shown: SQL injection, spear phishing, DDoS, third-party software, physical access, malware, XSS, watering hole, undisclosed.]
Security is a board room discussion, and security leaders are more accountable than ever before
Security challenges are a complex, four-dimensional puzzle… a holistic approach is needed
• People: employees, attackers, outsourcers, suppliers, consultants, partners, consumers
• Data: structured, unstructured, at rest, in motion
• Applications: systems applications, web applications, Web 2.0, mobile applications
• Infrastructure: datacenters, PCs, laptops, cloud, mobile, non-traditional
Ensuring data is secure and sensitive data is kept private
Security and privacy are related; both are needed to protect data across the enterprise.
• Security: the infrastructure-level lockdown, preventing or granting access to certain areas or data based on authorization.
• Privacy: the functionality that controls access for users who are authorized to access that data, but only have privileges to see and use a subset of the data for legitimate business purposes.
[Diagram labels: Allow for Authorized Use Only; Access to Authorized Users Only; Mask/Redact/Monitor/Audit; Mask/Redact/Encrypt/Monitor/Audit]
IBM Security strategy
• Delivering intelligence, integration and expertise across a comprehensive framework
• Security mega trends: advanced threats, cloud, mobile, compliance, skills shortage
• CISO's changing role
• The IBM Security Framework
Security and Compliance Concerns in Big Data Environments
[Diagram: structured, unstructured and streaming sources feeding a Big Data Platform / Hadoop Cluster, accessed by clients]
• Massive volume of structured data movement: 2.38 TB/hour load to data warehouse; high-volume load to Hadoop file system
• Ingest unstructured data
• Integrate streaming data sources
Questions to ask:
• Who is running big data requests?
• How is privacy protected?
• Is there an exceptional number of file permission exceptions?
• Are these jobs part of an authorized program list accessing the data?
• Has some new query application been developed that you were previously unaware existed?
IBM's Approach to Hadoop (BigInsights) and Data Warehouse Appliances (PDA/Netezza): InfoSphere Data Privacy and Security Solutions
• InfoSphere Data Privacy and Security for Hadoop
• InfoSphere Data Privacy and Security for Data Warehousing (Exadata)
• Purpose-built capabilities: Define and Share; Discover and Classify; Mask and Redact; Monitor Data Activity
Data Security
• Discover and harden your most valuable assets while enabling access
• Capabilities: Identify and Classify Data; Record Events; Assess Vulnerabilities; Protect Sensitive Data; Monitor Privileged Users
• Protect data at rest, in motion, and in use
CLIENT SUCCESS: A global financial services company secured 2,000 critical databases and saved $21M in compliance costs.
IBM Security Solutions
• Guardium Database Activity Monitoring
• Guardium Encryption Expert
• Guardium / Optim Data Masking
• Key Lifecycle Manager
IBM's Approach to Data Privacy and Security
[Diagram: sources, systems, silos and data marts feeding a Big Data Platform, with user access requests passing through the controls below]
• Identification of Sensitive Data (Discovery/Classification): InfoSphere Discovery, InfoSphere Information Governance Catalogue
• Masking Structured and Unstructured Data: InfoSphere Optim Data Privacy, InfoSphere Guardium Data Redaction
• Access Monitoring and Auditing: InfoSphere Guardium Data Activity Monitor
• Encrypting Databases and Files: InfoSphere Guardium Data Encryption
• Testing for Infrastructure Vulnerabilities: InfoSphere Guardium Vulnerability Assessment
Secure and Protect Enterprise Data with the InfoSphere Platform
• InfoSphere Guardium
• InfoSphere Optim
• InfoSphere Identity Insight
• InfoSphere Business Glossary
• InfoSphere Discovery
Holistic, scalable, integrated: reduce the cost of compliance, prevent data breaches, ensure data integrity.
The Difference
• Completely protects across diverse data environments and types, including big data
• Scales across small and large heterogeneous enterprises
• Delivers both processes and technologies
Client results
• Customer streamlines testing and protects test data, saving $240K/year in administrative costs
• Monitoring database activity protects data and provides 239% ROI
• Customer saves $1M per month by preventing fraud
Safeguarding Customer Information for Washington Metropolitan Area Transit Authority (Metro)
• Who: Operates the 2nd largest U.S. rail transit system and transports more than a third of the federal government to work
• Need: Metro needed to safeguard sensitive customer data and simplify compliance with PCI-DSS without impacting performance or changing database configurations
– Protecting customer data
– Passing audits more quickly and easily
– Monitoring for potential fraud in PeopleSoft system
• Environment
– More than 9 million transactions per year (Level 1 merchant)
– Complex, multi-tier heterogeneous environment
• Alternatives considered: Native logging and auditing impractical
• Customer Impact: "Our customers trust us to transport them safely and safeguard their personal information."
– "We looked at native DBMS logging and auditing, but it's impractical because of its high overhead, especially when you're capturing every SELECT in a high-volume environment like ours. In addition, native auditing doesn't enforce separation of duties or prevent unauthorized access by privileged insiders."
Examples of IBM Internal Use of the IBM Security portfolio
• IBM InfoSphere Guardium: Guardium presently monitors a subset of IBM's internal applications. The focus of our Guardium deployments is on Sarbanes-Oxley regulatory controlled data, and the primary benefit being derived is privileged user activity monitoring. Internal use of Guardium is set to expand in 2013/2014.
• IBM Key Lifecycle Manager: IBM HR has been using the Key Lifecycle Manager product for 6 years to manage the keys for tape encryption. They are a public reference for this product.
IBM Security market-changing milestones
[Timeline, 1976 to 2013: mainframe and server security; identity management; directory integration; SOA management and security; enterprise single sign-on; network intrusion prevention; database monitoring and protection; access management; application security; risk management; data management; endpoint management and security; information and analytics management; security intelligence; secure mobile management; advanced fraud protection; IBM Security is created]
• 6,000+ IBM Security experts worldwide
• 3,000+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide
IBM Security
• Integrated capabilities delivered across a comprehensive security framework
The IBM Security Framework
• QRadar: detect, analyze, and prioritize threats
• Trusteer: reduce fraud and malware
• Identity and Access Management: manage users and their access
• InfoSphere Guardium: discover and harden valuable assets
• AppScan: secure critical business applications
• Network and Endpoint Protection: protect infrastructure against attacks
• IBM X-Force: monitor and evaluate today's threats
IBM Security latest industry rankings
At IBM, the world is our security lab
IBM X-Force® Research and Development: expert analysis and data sharing on the global threat landscape
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow's security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
Coverage areas: vulnerability protection, IP reputation, anti-spam, malware analysis, web application control, URL / web filtering, zero-day research
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
• Intelligence
• Integration
• Expertise
Join us at IBM Insight 2014, the largest big data conference in the world
• Sessions and innovative streams on Business Analytics, Enterprise Content Management and Information Management
• Invaluable networking opportunities
• Business- and industry-focused sessions featuring top experts from around the world
• Technical sessions, hands-on labs and developer activities that include cloud, mobile, security, social, Watson and more
• Exhibitors at the EXPO, including showcases from 250+ Business Partners
• Training, certification, hands-on labs, networking, executive one-on-one meetings, expert talks and food and entertainment
• Client and Business Partner speakers from across all industries
IBM, the IBM logo, and ibm.com are trademarks of IBM Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.© Copyright IBM Corporation 2014.
• Attendees at the one-day Business Partner Summit
Attend IBM Insight to learn how big data and analytics can help you outperform your peers. With IBM business and technical solutions for big data and analytics, you can turn cloud, mobile and social into competitive advantage.
Potential next steps
Schedule a Client Value Engagement (CVE) at no cost to you
• Business and IT: narrow the communication gap
• Easy-to-follow programmatic client-centric approach: determine possible benefits from the solution
• Fast time to completion: less than 2 weeks, with deliverables that are easy to follow and understand
Visit a lab for a deeper dive with our Product Managers and R&D teams
• In-depth technical discussions and product demonstrations
• Product roadmap discussions; get the latest on innovations and research
• Collaborate with our best experts on your problems and potential solutions
Visit the web for more about InfoSphere solutions
• Understanding and selecting data masking solutions
• Understanding encryption requirements of PCI DSS
• Managing compliance to protect enterprise data
• Top tips for securing big data environments
• Three guiding principles to improve data security
• Gartner Magic Quadrant: Data Masking Technology