IBM Data Governance Overview

© 2008 IBM Corporation ® IBM Data Governance

Upload: vuongtram

Post on 03-Apr-2018

TRANSCRIPT

Page 1

IBM Data Governance

© 2008 IBM Corporation

Page 2

IBM Software Group | Information Management software

Agenda

IBM Data Governance Overview

Question & Answer

Page 3

IBM Data Governance

Page 4

The Guardian, Online Edition, Nov 20 2007

http://politics.guardian.co.uk/economics/story/0,,2214109,00.html

Page 5

The Evolution of Security

Perimeter Security (late 1990s)
– Firewalls
– Intrusion Detection Systems (IDS)

Systems Security (early 2002)
– Anti-virus
– Patch Management
– Host intrusion prevention
– Network Access Control (integrated with the above)

Data Security (2006)

Page 6

Some Major Regulations

Regulation (regulator): who it applies to; what it requires

– Gramm-Leach-Bliley (SEC, FTC, FDIC…): all financial services; protection of consumer information
– PCI (Visa, MC, Discover, AMEX; enforced by the credit card issuers): major retailers and processors; protection of credit card data
– NERC/FERC (NERC): power companies; protection of US power systems
– FISMA (OMB): federal agencies; complete security program based on NIST (National Institute of Standards and Technology) guidelines
– Data Breach Disclosure (20+ states): organizations that collect information about US residents; notifications and investigations of security breaches of Personally Identifiable Information
– HIPAA (CMS): organizations that handle patient health information; confidentiality, integrity and availability of patient health information
– Sarbanes-Oxley (SEC): publicly traded companies; integrity of financial data, confidentiality of forward-looking financial data, protection of valuable assets

Page 7

IBM Data Governance Software

Data Governance rests on four pillars:

Secure
• Prevent Access
• Restrict Access
• Monitor Access

Protect Privacy
• Mask Data
• Encrypt Data

Audit
• Audit Access
• Audit Privileges
• Audit Users

Lifecycle Mgmt
• Data Retention
• Data Retirement

Page 8

IBM Data Governance Software: products by pillar

Secure (Prevent Access, Restrict Access, Monitor Access)
• DB2 9.5
• IDS 11

Protect Privacy (Mask Data, Encrypt Data)
• IBM Optim Data Privacy
• IBM Database Encryption Expert

Audit (Audit Access, Audit Privileges, Audit Users)
• DB2 Audit Management Expert
• Tivoli CIM

Lifecycle Mgmt (Data Retention, Data Retirement)
• IBM Optim Archive
• IBM Optim Test Data Management

Page 9

DB2 9.5 & IDS 11 Security

Page 10

DB2 9.5 & IDS 11 Security

Authentication

Authorization

Database Roles

Label-Based Access Control

Trusted Contexts

Auditing

Page 11

Authentication

Authentication types:
– SERVER: user ID and password are validated at the server; they cross the network without encryption, so this setting suits only a trusted network
– SERVER_ENCRYPT: user ID and password encrypted
– DATA_ENCRYPT: data and user ID and password encrypted
– CLIENT: authentication is performed on the client machine, so the server trusts the identity the client asserts
– KERBEROS
– GSSPLUGIN (vendor security solution)
– LDAP

Page 12

Authorization

The process of checking whether an authorization ID is allowed to execute a database operation:
– an SQL statement
– a command (or API)

The check is made against the full set of permissions available to the authorization ID, which is the union of:
– permissions held by the authorization ID itself
– permissions held by the authorization ID's groups and roles
– permissions held by PUBLIC

Page 13

Database Roles

What is a database role? A database object that may group together one or more privileges, authorities, security labels or exemptions, and may be granted to users, groups, PUBLIC or other roles.

What is the advantage of database roles? They simplify the administration and management of privileges in a database rather than via the operating system.

SECADMs can control access to their databases at a level of abstraction that is close to the structure of their organizations (e.g., they can create roles in the database that map directly to those in their organizations).

Page 14

LBAC

A flexible implementation of Mandatory Access Control (MAC)
A security label is associated with both users and data objects
Access control is governed by the predefined LBAC security rules

Example: ARTIFACT table (protected table)

SERIAL_NUMBER  TITLE          SECLABEL
SN0000001      PO-HARRY-1     Unclassified
SN0000002      PO-TONY-1      Unclassified
SN0000003      Instructions   Confidential
SN0000004      Release Notes  Secret
SN0000005      PO-BRIAN-1     Unclassified
SN0000006      MARS-35        Top Secret

Both users issue the same query:

select serial_number, title from artifact

Jane (Secret) results:

SERIAL_NUMBER  TITLE
SN0000001      PO-HARRY-1
SN0000002      PO-TONY-1
SN0000003      Instructions
SN0000004      Release Notes
SN0000005      PO-BRIAN-1

Bob (Unclassified) results:

SERIAL_NUMBER  TITLE
SN0000001      PO-HARRY-1
SN0000002      PO-TONY-1
SN0000005      PO-BRIAN-1
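The following Python model is added here as an illustration and is not DB2 code: it reproduces the DB2LBACREADARRAY read rule (the user's label must dominate the row's label) and the DB2LBACWRITEARRAY write rule (a user may write only at their own level unless SECADM has granted a WRITEDOWN or WRITEUP exemption) for a single ARRAY-type label component, and replays the slide's two queries. The rule names are DB2's; the level ordering, table contents and function names are assumptions of this example.

```python
"""Model of DB2 LBAC read/write rules for one ARRAY-type security label component.

Added example: not DB2 code. It reproduces the rule semantics so the two
result sets on the slide can be checked. Level order, table contents and
function names are this example's assumptions.
"""
from typing import Iterable, List, Tuple

# A DB2 security label component of type ARRAY is an ordered list, highest last.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed copy of the slide's protected ARTIFACT table:
# (SERIAL_NUMBER, TITLE, SECLABEL)
ARTIFACT: List[Tuple[str, str, str]] = [
    ("SN0000001", "PO-HARRY-1", "Unclassified"),
    ("SN0000002", "PO-TONY-1", "Unclassified"),
    ("SN0000003", "Instructions", "Confidential"),
    ("SN0000004", "Release Notes", "Secret"),
    ("SN0000005", "PO-BRIAN-1", "Unclassified"),
    ("SN0000006", "MARS-35", "Top Secret"),
]


def can_read(user_label: str, row_label: str) -> bool:
    """DB2LBACREADARRAY: the user's element must be >= the row's element."""
    return RANK[user_label] >= RANK[row_label]


def can_write(user_label: str, row_label: str, exemptions: Iterable[str] = ()) -> bool:
    """DB2LBACWRITEARRAY: by default the user may write only rows at exactly
    their own level. Writing lower needs a WRITEDOWN exemption, writing
    higher needs a WRITEUP exemption (both granted by SECADM)."""
    exempt = set(exemptions)
    if RANK[user_label] == RANK[row_label]:
        return True
    if RANK[user_label] > RANK[row_label]:
        return "WRITEDOWN" in exempt
    return "WRITEUP" in exempt


def select_serial_title(user_label: str) -> List[Tuple[str, str]]:
    """SELECT serial_number, title FROM artifact, as seen by a holder of user_label.

    LBAC filters rows the user cannot read; they are omitted silently rather
    than raising an error, which is why both users run the same SQL and get
    different row counts.
    """
    return [(sn, title) for sn, title, label in ARTIFACT if can_read(user_label, label)]


def row_count(user_label: str) -> int:
    """SELECT COUNT(*) FROM artifact, which is therefore label-dependent too."""
    return len(select_serial_title(user_label))


if __name__ == "__main__":
    for user, label in (("Bob", "Unclassified"), ("Jane", "Secret")):
        print(f"{user} ({label}) sees {row_count(label)} rows:")
        for sn, title in select_serial_title(label):
            print(f"  {sn}  {title}")
```

The silent filtering is the part practitioners trip over: a batch job running under Bob's label that totals ARTIFACT gets a smaller answer, not an error, so aggregate reports must run under a label that dominates every row they are meant to include. LBAC is also applied in addition to ordinary privileges, not instead of them: the user still needs SELECT on the table before the label check is even reached.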

Page 15

Trusted Contexts

Security challenges: application servers that connect with a single user ID cause the following:
– loss of end-user identity within the database server
– diminished user accountability
– over-granting of privileges to a single authorization ID

The lack of control over when privileges are applied to a user can weaken overall security.

Page 16

Trusted Contexts (Cont.)

What is a trusted context? A trust relationship between the database and an external entity such as an application server.

– Stored in the database
– The trust relationship is based on the following trust attributes:
  • Authorization ID
  • IP address (or domain name)
  • Data stream encryption

A connection that matches all of these attributes becomes a trusted connection. Within it the application server can switch the connection's authorization ID to the end user, so the single shared ID no longer has to hold everyone's privileges, and privileges granted through a role can be made available only inside the trusted context. That is what restores end-user identity and accountability in the database server and avoids the over-granting described on the previous slide.

Page 17

Auditing

Audit Policy: a database object that specifies what categories of events are to be audited

An audit policy can be applied to:
– A database
– A table
– A trusted context
– An authorization ID (user, role, group)
– An authority (SYSADM, SYSMAINT, SYSCTRL, SYSMON, DBADM, SECADM)

Page 18

DB2 Audit Management Expert

Page 19

DB2 Audit Management Expert Overview

Provides centralized auditing tools to bring together information from many different sources into a correlated, coherent view

Enables auditors to collect, view, analyze and report on existing audit logs and save them into an audit repository

Allows auditors to automatically generate their own reports and export the data into other applications such as Excel spreadsheets

Page 20

DB2 Audit Management Expert (Cont.)

A powerful tool targeted at auditors, not database administrators.

With DB2 Audit Management Expert, auditors have a centralized set of tools that allow them to:

Selectively audit inserts, updates, deletes and reads in DB2 systems using automatic processes.

View all reported activity on specific DB2 objects (such as read, change and utility access).

Generate meaningful reports on the data collected in the audit repository.

Perform log analysis of collected data.

Page 21

IBM Database Encryption Expert

Page 22

IBM Database Encryption Expert

Offline data protection
– Encryption and/or compression of database backups
– Integrated into the backup and restore process
– Ensure privacy and compliance

Online data protection
– Flexible encryption of online database files
  • Control files
  • Log files
  • Database tablespaces/containers (tables, indexes, LOBs, XML, etc.)
– Privileged OS user access control to database files
– Ensure privacy and compliance

Page 23

IBM Database Encryption Expert: centrally managed security for DB2 data files

Covers the DB2 tables, views and indexes as stored in:
• Database backup files
• On-line database files: tablespace, log, configuration
• Data import/extract

Database backup files
• Encrypts DB2 backups
• Audit and prevent unauthorized restores

On-line database files
• Selectively encrypt DB2 files
• Control decryption by user, process
• Audit unauthorized access attempts
• Control privileged OS users

Across both
• Automatic key management
• Transparent to existing applications

Page 24

IBM Optim solutions

Page 25

Enterprise Data Management (EDM)

Enabling High Availability and Integrity across all Enterprise Application Data

Page 26

Enterprise Data Challenges

Challenges
– Test data creation
– Data theft in non-production
– Data retention regulations

Impact
– Quality and time of application testing
– Time to market
– Loss of brand equity, fines
– Costs of compliance/storing
– Costs of audit

Page 27

Optim Solution - Solves Business challenges

Data Growth & Archiving
– Improve performance
– Control data growth, save storage
– Support retention compliance
– Enable application retirement
– Streamline upgrades

Test Data Management
– Create targeted, right-sized test environments
– Improve application quality
– Speed iterative testing processes

Data Privacy
– Mask confidential data
– Comply with privacy policies

Page 28

DB2 Information Management

Power of the Optim Solution

The Optim Relationship Engine underpins Data Growth (archiving of production and history data), Data Privacy, Test Data Management / Subsetting, and Governance, Risk, Compliance across:
– Applications: JD Edwards, Oracle Apps, Siebel, PeopleSoft, custom in-house and other applications
– Databases: Oracle, SQL Server, Sybase, Informix, DB2 LUW, DB2 z/OS and more
– Platforms: Windows, Solaris, HP/UX, AIX, Linux, OS/390, z/OS

Page 29

IBM Optim Data Growth solutions

Page 30

Optim™ Data Growth Solution: Archiving

Current production data is archived into historical archives (reporting data, historical data, reference data); archived data can be retrieved back when needed.

● Complete Business Object provides historical reference snapshot of business activity
● Storage device independence enables ILM
● Immutable file format enables data retention compliance

Universal Access to Application Data: application, XML, ODBC / JDBC

Page 31

Universal Access to Data

Tiered retention:
– Production database: current data (1-2 years) and active historical data (3-4 years)
– Archive database: online archive (5-6 years)
– Offline retention platform (CD, tape, optical): offline archive (7+ years), restored on demand
– Non-DBMS retention platform: ATA file server, IBM RS550, EMC Centera, HDS

Universal Access to Application Data / Application Independent Access: report writer, XML, ODBC / JDBC, native application

Page 32

IBM Optim Data Privacy solutions

Page 33

Optim™ Data Privacy Solution (Protect Privacy)

Production (EBS / Oracle, Custom / Sybase, Siebel / DB2) → contextual, application-aware, persistent data masking → Test (EBS / Oracle, Custom / Sybase, Siebel / DB2)

● Substitute confidential information with fictionalized data
● Deploy multiple masking algorithms
● Provide consistency across environments and iterations
● Enable off-shore testing
● Protect private data in non-production environments

Page 34

Optim Test Data Solution

● Create targeted, "right-sized" subsets faster and more efficiently than cloning
● Easily refresh, reset and maintain test environments
● Compare data to pinpoint and resolve application defects faster
● Accelerate release schedule

Flow: Production (or a production clone) → Extract → Extract Files → Load (Insert / Update) → Dev, QA, Test → Compare

Page 35

OPTIM Data Privacy - De-identifying test data

Transform or mask sensitive data using:
– Standard rules: literals, special registers, expressions, default values, look-up tables
– Intelligent transformation rules: PCI, addresses, etc.
– Custom mapping rules: user exits

Flow: Production Data → Extract and Mask → Masked Test Data

Page 36

First Names and Last Names Data Sets

1) Client is a university that wishes to mask the first and last name fields in its admissions database
2) Optim now has a first name lookup table with over 5,000 male/female names and a last name lookup table with over 80,000 names
3) Use lookup tables to randomly replace first and last names

First Name Lookup Table: Stacey, Dave, Danielle, Bob, John
Last Name Lookup Table: Reese, Howell, Kline, Nelson, Newton

Production Database
First Name  Last Name  GPA  High School  Advisor  State
Paul        Smith      3.2  Princeton    Johnson  NJ
Kate        Jones      2.7  Albany       Kline    NY

Test Database
First Name  Last Name  GPA  High School  Advisor  State
Stacey      Nelson     3.2  Princeton    Johnson  NJ
Dave        Reese      2.7  Albany       Kline    NY

Page 37

Intelligent Masking Capability

Production Database: data before masking
F. Name  L. Name  Credit Card#      SSN#
Vanessa  Jones    4324115574123654  154-74-7788
John     Denver   5298774132478855  254-77-6644

Test Database: data after masking, with valid CC# and SS#
F. Name  L. Name  Credit Card#      SSN#
Vanessa  Jones    4972584612457744  154-74-7788
John     Denver   5326458711224956  854-77-6644

How are these numbers valid?

For Credit Card Numbers: most credit card numbers are encoded with a "check digit". A check digit is a digit added to a number (either at the end or the beginning) that validates the authenticity of the number. A simple algorithm is applied to the other digits of the number, which yields the check digit.

For Social Security Numbers: a Social Security Number (SSN) consists of nine digits. The first three digits are called the "area number". The central, two-digit field is called the "group number". The final four-digit field is called the "serial number". All numbers must fit the latest available criteria for each section.
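How a masking tool produces numbers that still pass validation, as an added Python example (not Optim code, and not a reconstruction of its rules): card numbers are regenerated with a fresh Luhn check digit, and SSNs are regenerated inside the area/group/serial ranges the SSA actually issues. Keeping only the leading card digit, the function names and the seeded generator are this example's assumptions; the sample records are modelled on the slide.

```python
"""Format-preserving masking of card numbers and SSNs.

Added example, not Optim code: it shows why masked values can still pass the
checks an application applies. Card numbers get a fresh Luhn check digit;
SSNs are regenerated inside the ranges the SSA actually issues. Keeping only
the leading card digit is this example's choice.
"""
import random
import re
from typing import Optional


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for `payload` (all digits except the last).

    Walking from the right, every other digit is doubled (minus 9 when the
    result exceeds 9); the check digit brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are the doubled ones once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the number (spaces/dashes allowed) carries a correct Luhn check digit."""
    digits = re.sub(r"[\s-]", "", number)
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def _rng(seed: Optional[int]) -> random.Random:
    # A fixed seed makes a test refresh reproducible; None uses the OS CSPRNG.
    return random.Random(seed) if seed is not None else random.SystemRandom()


def mask_card_number(number: str, seed: Optional[int] = None) -> str:
    """Replace a card number with a random one of the same length that passes Luhn.

    Only the leading digit is kept so the brand stays plausible (assumption of
    this example); the rest of the PAN is discarded. Input is not required to
    be Luhn-valid, because production data can hold bad legacy values that
    still need masking.
    """
    digits = re.sub(r"[\s-]", "", number)
    if not digits.isdigit() or len(digits) < 13:
        raise ValueError("not a card number")
    rng = _rng(seed)
    payload = digits[0] + "".join(str(rng.randrange(10)) for _ in range(len(digits) - 2))
    return payload + str(luhn_check_digit(payload))


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_structurally_valid(ssn: str) -> bool:
    """Area/group/serial check. The SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000; those are the structural rejects a consumer of
    the data can apply."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def mask_ssn(ssn: str, seed: Optional[int] = None) -> str:
    """Generate a different SSN of the same aaa-gg-ssss shape that passes
    ssn_structurally_valid(), so downstream validation keeps working."""
    if not SSN_RE.match(ssn):
        raise ValueError("not an SSN in aaa-gg-ssss form")
    rng = _rng(seed)
    while True:
        candidate = "%03d-%02d-%04d" % (rng.randrange(1, 900), rng.randrange(1, 100), rng.randrange(1, 10000))
        if candidate != ssn and ssn_structurally_valid(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample records modelled on the slide's production table.
    for name, card, ssn in (("Vanessa Jones", "4324115574123654", "154-74-7788"),
                            ("John Denver", "5298774132478855", "254-77-6644")):
        print(name, mask_card_number(card), mask_ssn(ssn))
```

Two caveats a practitioner should keep in mind: a random but structurally valid SSN lives in a space of under a billion values that is heavily used, so it may coincide with a real person's number, and a masked extract is therefore still not public data; and a masked card number that passes Luhn will also pass any front-end validation, so test environments must never be wired to a live payment gateway.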

Page 38

Propagating Masked Data

● Key propagation: propagate values in the primary key to all related tables; necessary to maintain referential integrity

Customers Table
Cust ID  Name           Street
08054    Alice Bennett  2 Park Blvd
19101    Carl Davis     258 Main
27645    Elliot Flynn   96 Avenue

Orders Table
Cust ID  Item #   Order Date
27645    80-2382  20 June 2004
27645    86-4538  10 October 2005
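The lookup-table replacement of the admissions example and the key propagation shown here come together in the following Python example, added as an illustration and not Optim code. Each masked value is a keyed PRF (HMAC-SHA256) of the original, so the same Cust ID maps to the same masked ID in Customers and in Orders, and again on the next refresh, which is the "consistency across environments and iterations" the Data Privacy slide promises. The masking key, the lookup tables and the sample rows are constructed; the slide's Customers and Orders rows are used as sample data.

```python
"""Consistent lookup-table masking with primary-key propagation.

Added example, not Optim code. It covers two slides at once: replacing names
from lookup tables, and propagating a masked Cust ID into every child table
so referential integrity survives. Masking is a keyed PRF of the original
value, so the same input always maps to the same output across tables,
environments and refresh iterations. Key, lookup tables and rows are constructed.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# The slide's small lookup tables (real ones hold thousands of names).
FIRST_NAMES = ["Stacey", "Dave", "Danielle", "Bob", "John"]
LAST_NAMES = ["Reese", "Howell", "Kline", "Nelson", "Newton"]

# Constructed rows modelled on the slide's Customers and Orders tables.
Row = Dict[str, str]
CUSTOMERS: List[Row] = [
    {"cust_id": "08054", "first": "Alice", "last": "Bennett", "street": "2 Park Blvd"},
    {"cust_id": "19101", "first": "Carl", "last": "Davis", "street": "258 Main"},
    {"cust_id": "27645", "first": "Elliot", "last": "Flynn", "street": "96 Avenue"},
]
ORDERS: List[Row] = [
    {"cust_id": "27645", "item": "80-2382", "order_date": "20 June 2004"},
    {"cust_id": "27645", "item": "86-4538", "order_date": "10 October 2005"},
]


def _prf(key: bytes, column: str, value: str, counter: int = 0) -> int:
    """HMAC-SHA256 as a keyed PRF: same key, column and value -> same integer."""
    msg = f"{column}\x00{value}\x00{counter}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")


def mask_lookup(key: bytes, column: str, value: str, table: List[str]) -> str:
    """Pick a replacement from a lookup table; deterministic per (key, column, value)."""
    return table[_prf(key, column, value) % len(table)]


def build_key_map(key: bytes, column: str, values: Iterable[str], width: int) -> Dict[str, str]:
    """Map each distinct original key to a masked key of the same digit width.

    A primary key must stay unique, so a collision between two masked values
    is resolved by bumping the PRF counter for the later value.
    """
    mapping: Dict[str, str] = {}
    used = set()
    for original in sorted(set(values)):
        counter = 0
        while True:
            candidate = str(_prf(key, column, original, counter) % 10 ** width).zfill(width)
            if candidate not in used:
                break
            counter += 1
        mapping[original] = candidate
        used.add(candidate)
    return mapping


def mask_dataset(key: bytes, customers: List[Row], orders: List[Row]) -> Tuple[List[Row], List[Row], Dict[str, str]]:
    """Mask the parent table, then propagate the new Cust ID into Orders."""
    id_map = build_key_map(key, "cust_id", (c["cust_id"] for c in customers), width=5)
    masked_customers = [
        {
            "cust_id": id_map[c["cust_id"]],
            "first": mask_lookup(key, "first", c["first"], FIRST_NAMES),
            "last": mask_lookup(key, "last", c["last"], LAST_NAMES),
            "street": c["street"],  # an address rule would mask this too; out of scope here
        }
        for c in customers
    ]
    masked_orders: List[Row] = []
    for o in orders:
        if o["cust_id"] not in id_map:
            # Propagation cannot invent a parent: an orphan FK means the subset is broken.
            raise ValueError(f"order references unknown customer {o['cust_id']}")
        masked_orders.append({**o, "cust_id": id_map[o["cust_id"]]})
    return masked_customers, masked_orders, id_map


if __name__ == "__main__":
    key = b"per-refresh masking key; protect it like the production data"
    cust, ords, _ = mask_dataset(key, CUSTOMERS, ORDERS)
    for row in cust + ords:
        print(row)
```

Because the mask is a deterministic function of the original, anyone holding the key can confirm a guess (a 5-digit Cust ID space has only 100,000 values), so the key is as sensitive as the data and the result is pseudonymised, not anonymised. Note also that the street column is left untouched here, as is the Advisor column in the admissions example; every identifying column needs its own rule, or the masking is incomplete.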