IBM Security Systems

Encryption is Fundamental: A Technical Overview of

Guardium Data Encryption

2013 IBM Corporation

Introducing IBM InfoSphere Guardium Data Encryption

EnsureEnsure compliance
compliance with
and protect
Requirements
enterprise data
datawith encryption
encryption Protect sensitive enterprise
information and avoid data
breaches
Data Encryption
Minimize impact to production
Enforce separation of duties by
keeping security and data
administration separate
Meet government and industry
regulations (eg. PCI-DSS)

Benefits
Protect data from misuse
Satisfy compliance
requirements including
proactive separation of duties
Scale to protect structured and
unstructured data across
heterogeneous environments
without enterprise changes

7 2014 IBM Corporation

InfoSphere Guardium Data Encryption Value Proposition:
Continuously restrict access to sensitive data including databases, data
warehouses, big data environments and file shares to.
1 Prevent data breaches
Prevent disclosure or leakages of sensitive data
2 Ensure the integrity of sensitive data
Prevent unauthorized changes to data, database
structures, configuration files and logs
3 Reduce cost of compliance
Automate and centralize controls
o Across diverse regulations, such as PCI DSS, data privacy
regulations, HIPAA/HITECH etc.
o Across heterogeneous environments such as databases,
applications, data warehouses and Big Data platforms like Hadoop
4 Protect data in an efficient, scalable, and cost effective
way
Increase operational efficiency
No degradation of infrastructure or business processes

8 2014 IBM Corporation

Guardium Data Encryption Use Cases Big Picture
Data Files
Usage: Sensitive data used
by systems and end users
touched by privileged users
(DBAs), Activity Monitoring
requirement for separation of
duties and consistent audit
policy. Also: Encrypt
Tablespace, Log, and other
Data files at File System to
protect against System OS
privileged user cred
Common Databases: DB2,
Informix, Oracle, MSSQL,
Sybase, MySQL
11
Unstructured Data Cloud
Usage: Monitor and know
Usage: Monitor WHO is
WHO is touching your data
touching the files and for
stored in the cloud and for
WHAT purpose.
WHAT purpose
Usage: Encrypt and Control
access to any type of data
Usage: Encrypt and Control
used by LUW server
Access to data used by Cloud
Common Data Types: Instances
Logs, Reports, Images, ETL,
Audio/Video Recordings, Common Cloud Providers:
Documents, Big Data IBM, Amazon EC2,
Examples: FileNet, Rackspace, MS Azure
Documentum, Nice, Hadoop,
Home Grown, etc
2014 IBM Corporation
GDE File/Table/Volume based Encryption

Authentication/ Authorization Data Security Manager

Authentication/ Authorization
Centralized Key Management
Policy Decision Point
Applications Highly Available
Applications
Rules-Policy Engine
Detailed Auditing
Databases/Applications
Databases/Applications

File Level

LAN/
WAN
File System Security Manager
File System

Implements Encryption, Access Control,

Device Level Auditing on Host
Support for file systems and raw
partitions

Volume Manager
Volume Manager

SAN / NAS / DAS / VM / Cloud Protect ALL sensitive data

SAN / NAS / DAS / VM / Cloud
wherever/however its stored

12 2014 IBM Corporation

 Enterprise/HA Architecture

Remote

Web Server

Primary
Application
Application Servers
Servers

DSM
Secondary

Encrypted Folder/Guardpoint
Web Server Application
Servers GDE File System Agent

Data Security Manager/DSM

DSM
Secure High Availability Connection

13 2014 IBM Corporation

InfoSphere Guardium Data Encryption (GDE) - Addresses
compliance requirements and protects data at the File System Level
File And Volume Encryption
High Performance / Low overhead Intel/AMD X86 processor
AES-NI hardware encryption available
Transparent No changes to application or management required
Broad OS, file system and volume support

Data File & Distributed File System Encryption

Heterogeneous, transparent and high performance
Encrypts the tablespace at the file and volume level
Broad support for multiple database and big data vendors

Policy Based Access Control to Encrypted Data

Policy-based - Transparent
Linked to LDAP and system level accounts
By process, user, time and more
Prevents Privileged User access to protected data while allowing
normal application and systems management use

Key Management
Securely stores and manages keys used in the implementation

14 2014 IBM Corporation

 File Encryption Management
Data
Clear Text Encryption

Name: Jsmith.doc Name: Jsmith.doc

File System
Created: 6/4/99 Created: 6/4/99
Metadata
Modified: 8/15/02 Modified: 8/15/02

Name: J Smith
dfjdNk%(Amg
Credit Card #:
8nGmwlNskd 9f
6011579389213 Block-Writes
Sk9ineo93o2n*&*^
File Data
Bal: $5,145,789
xIu2Ks0BKsjd
Social Sec No: Block-Reads Nac0&6mKcoS
514-73-8970
File File qCio9M*sdopF
File
Data Data Data

File systems always read and write in fixed block sizes

Encryption takes place on the block IOs to a protected file
GDE simply encrypts or decrypts the block reads and writes

15 2014 IBM Corporation

Policy Rules

WHO is attempting to access protected data?

Configure one or more users, groups, or applications users may invoke who can access protected
data
WHAT data is being accessed?
Configure a mix of files and directories
WHEN is the data being accessed?
Configure a range of hours and days of the week for authorized access
HOW is the data being accessed?
Configure allowable file system operations allowed to access the data
e.g. read, write, delete, rename, etc.
EFFECT: Permit; Deny; Apply Key; Audit

16 2014 IBM Corporation