Best Practices for Protecting Enterprise Information in Big Data


Best practices for protecting Enterprise Information in Big Data & Data Warehouse
Anwar Ali, Senior Solution Consultant, Information Management

Big data: a growing phenomenon
- 12 TBs of tweet data every day
- 25 TBs of log data every day
- 20 petabytes of data every day
- 30 billion RFID tags today (1.3B in 2005)
- 6 billion mobile phones worldwide
- 100s of millions of GPS-enabled devices sold annually
- 76 million smart meters in 2009, 200M by 2014
- 2 billion people on the Web by end 2011

Analytically sophisticated organizations outperform others
Organizations achieving a competitive advantage with analytics are 2.2x more likely to substantially outperform their industry peers. (Chart: respondents who say analytics creates a competitive advantage.)
Source: The New Intelligent Enterprise, a joint MIT Sloan Management Review and IBM Institute for Business Value analytics research partnership. Copyright Massachusetts Institute of Technology 2011

Four dimensions of big data
- Volume (data at rest): terabytes to exabytes of existing data to process
- Velocity (data in motion): streaming data, milliseconds to seconds to respond
- Variety (data in many forms): structured, unstructured, text, multimedia
- Veracity* (data in doubt): uncertainty due to data inconsistency and incompleteness, ambiguities, latency, deception, model approximations
* Truthfulness, accuracy or precision, correctness

The IBM Big Data Platform: enterprise big data landscape
- Hadoop: InfoSphere BigInsights, Hadoop-based low-latency analytics for variety and volume
- Stream computing: InfoSphere Streams, low-latency analytics for streaming data
- Information integration: InfoSphere Information Server, high-volume data integration and transformation
- MPP data warehouse: IBM InfoSphere Warehouse, large-volume structured data analytics
- Queryable archive for structured data: IBM Netezza High Capacity Appliance
- BI and ad hoc analytics on structured data: IBM Netezza 1000
- Operational analytics on structured data: IBM Smart Analytics System
- Time-structured analytics: IBM Informix TimeSeries

Security and compliance concerns in big data environments
Questions a security team needs answered about a big data platform (structured, unstructured and streaming sources feeding a Hadoop cluster):
- Who is running specific big data requests?
- What MapReduce jobs are they running?
- Are they trying to download all of the sensitive data for non-authorized purposes?
- Is there an exceptional number of file permission exceptions?
- Are these jobs part of an authorized program list accessing the data?
- Has some new query application been developed that you were previously unaware existed?
Data movement at the scale involved:
- Massive volume of structured data movement: 2.38 TB/hour load to the data warehouse
- High-volume load to the Hadoop file system
- Ingest of unstructured data into the Hadoop file system
- Integration of streaming data sources

Regulations require data protection, no matter where data resides!
- Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
- Korea: 3 Acts for Financial Data Privacy
- Japan: Guidelines for the Protection of Computer Processed Personal Data
- United Kingdom: Data Protection Act
- Germany: Federal Data Protection Act & State Laws
- Switzerland: Federal Law on Data Protection
- Taiwan: Computer-Processed Personal Data Protection Law
- Singapore: Monetary Authority of Singapore Act
- Vietnam: Banking Law
- Hong Kong: Privacy Ordinance
- New Zealand: Privacy Act
- Philippines: Secrecy of Bank Deposit Act
- Australia: Federal Privacy Amendment Bill
- China: Commercial Banking Law
- Pakistan: Banking Companies Ordinance
- Israel: Protection of Privacy Law
- India: SEC Board of India Act
- South Africa: Promotion of Access to Information Act
- Indonesia: Bank Secrecy Regulation 8
- Canada: Personal Information Protection and Electronic Documents Act
- USA: Federal, Financial & Healthcare Industry Regulations & State Laws
- Mexico: E-Commerce Law
- Argentina: Habeas Data Act
- Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
- Chile: Protection of Personal Data Act
- Colombia: Political Constitution, Article 15

Traditional approaches miss the mark
- 855 security incidents in 2011, compromising 174M records
- $5.5M average cost per breach
- $3M cost of losing customer loyalty (lost business) following a data breach
- 556M consumer cybercrime victims in 2011, or 18 adults became a victim every second
- $3.5M yearly average cost of compliance

More frequent and damaging data breaches
- Attacks impact 650 Israeli government websites, wipe databases, leak emails and passwords (November 2012): thousands of email addresses/passwords, hundreds of Web sites, government and privately owned
- SQL injection infects millions of Web pages; attacks up 69% (September 2012): attacker takes full control of OS, DB and application
- Rogue employee steals over 9,000 driver's license records (February 2013): employee had no "business need" to access the data
- Medical records exposed for nearly 300,000 clients; FTC sues (February 2013): FTC demands accountability for privacy practices

Database servers are a primary source
Real-time security is needed: 66% of breaches remain undiscovered for months or more (2013 Data Breach Investigations Report, Verizon Business RISK Team).
Why? Database servers contain your clients' most valuable information:
- Financial records
- Customer information
- Credit card and other account records
- Personally identifiable information
- Patient records
They hold high volumes of structured data and are easy to access. "Go where the money is and go there often." (Willie Sutton)

InfoSphere provides a complete data protection approach
Discover & classify sensitive data (InfoSphere Discovery & InfoSphere Guardium):
- Automate detection of sensitive data
- Classify sensitive data types
- Discover hidden data relationships
Mask structured data (InfoSphere Optim Data Masking):
- De-identify sensitive data
- Mask with prebuilt functions or customize
- Mask consistently across systems
Monitor database activity & assess vulnerabilities (InfoSphere Guardium DAM & VA solution):
- Deploy centralized controls for real-time database monitoring
- Policy-based controls to detect unauthorized activity
- Vulnerability assessment & change auditing
Encrypt structured and unstructured data (InfoSphere Guardium Data Encryption):
- Encrypt data with negligible performance impact
- Encrypt files and structured data
- Unify policy and key management for central administration
Together these satisfy compliance and regulatory mandates.

Database Activity Monitoring& Vulnerability Assessment

Addressing the full lifecycle of database security & compliance (around the critical data infrastructure)
Find & classify:
- Find & classify sensitive data
- Continuously update security policies
- Discover embedded malware & logic bombs
Assess & harden:
- Assess static and behavioral database vulnerabilities
- Configuration auditing
- Preconfigured tests based on best practices standards (STIG, CIS, CVE)
Monitor & enforce (real-time database security & monitoring):
- Automated & centralized controls
- Prevent cyberattacks
- Monitor & block privileged users
- Detect application-layer fraud
- Enforce change controls
- Real-time alerts
- Control firecall IDs
- SIEM integration
Audit & report:
- Cross-DBMS audit repository
- Preconfigured policies/reports
- Sign-off management
- Entitlement reporting
- No database changes
- Minimal performance impact

The compliance mandate: what do you need to monitor?
Audit requirements (called for by COBIT (SOX), PCI-DSS, ISO 27002, data privacy & protection laws, and NIST SP 800-53 (FISMA)):
1. Access to sensitive data (successful/failed SELECTs)
2. Schema changes (DDL) (CREATE/DROP/ALTER TABLE, etc.)
3. Data changes (DML) (INSERT, UPDATE, DELETE)
4. Security exceptions (failed logins, SQL errors, etc.)
5. Accounts, roles & permissions (DCL) (GRANT, REVOKE)
DDL: Data Definition Language (schema changes). DML: Data Manipulation Language (data value changes). DCL: Data Control Language.
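As an added example (not from the deck and not Guardium's code), the following Python sorts database audit events into the five categories above and raises the kinds of alerts the earlier "concerns" slide asks about: bulk reads of sensitive tables, privilege grants outside an approved process, failed SELECTs against sensitive data, and repeated failed logins. The log format, the list of tables treated as sensitive and the approved-grantor list are assumptions constructed for the example; in practice they come from the discover/classify step and from the collector's own record format.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the deck). One event per line:
#   <timestamp> user=<db user> ip=<client> status=<OK|ERROR|LOGIN_FAILED> sql="<statement>"
SAMPLE_LOG = """\
2013-02-11T09:14:02 user=appsvc ip=10.10.9.56 status=OK sql="SELECT name, ssn FROM customers WHERE id = 42"
2013-02-11T09:14:05 user=appsvc ip=10.10.9.56 status=OK sql="UPDATE orders SET status = 'shipped' WHERE id = 7"
2013-02-11T09:15:31 user=dba_ext ip=192.168.7.21 status=OK sql="SELECT * FROM cardholder"
2013-02-11T09:15:40 user=dba_ext ip=192.168.7.21 status=OK sql="GRANT SELECT ON cardholder TO reporting"
2013-02-11T09:16:02 user=dba_ext ip=192.168.7.21 status=OK sql="ALTER TABLE patients ADD COLUMN note VARCHAR(200)"
2013-02-11T09:17:11 user=unknown ip=172.16.0.9 status=LOGIN_FAILED sql=""
2013-02-11T09:17:12 user=unknown ip=172.16.0.9 status=LOGIN_FAILED sql=""
2013-02-11T09:18:00 user=appsvc ip=10.10.9.56 status=ERROR sql="SELECT ssn FROM customers WHERE name = ''' OR 1=1 --"
2013-02-11T09:19:45 user=batch ip=10.10.9.57 status=OK sql="INSERT INTO orders (id, total) VALUES (8, 19.99)"
2013-02-11T09:20:10 user=dba_ext ip=192.168.7.21 status=OK sql="DROP TABLE audit_tmp"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) status=(?P<status>\S+) sql="(?P<sql>.*)"$')

# Assumed output of the discover/classify step: tables that hold sensitive data.
SENSITIVE_TABLES = {"customers", "cardholder", "patients"}
DDL = {"CREATE", "DROP", "ALTER", "TRUNCATE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DCL = {"GRANT", "REVOKE"}
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_]\w*)", re.I)


def parse(log_text):
    return [LINE_RE.match(line).groupdict() for line in log_text.splitlines() if line.strip()]


def classify(event):
    """Return the set of audit categories (items 1-5 above) an event falls under."""
    sql = event["sql"].strip()
    verb = sql.split(None, 1)[0].upper() if sql else ""
    cats = set()
    if event["status"] in ("LOGIN_FAILED", "ERROR"):
        cats.add("security_exception")                 # 4: failed logins, SQL errors
    tables = {t.lower() for t in TABLE_RE.findall(sql)}
    if verb == "SELECT" and tables & SENSITIVE_TABLES:
        cats.add("sensitive_access")                   # 1: successful or failed SELECT
    if verb in DDL:
        cats.add("schema_change")                      # 2: DDL
    if verb in DML:
        cats.add("data_change")                        # 3: DML
    if verb in DCL:
        cats.add("entitlement_change")                 # 5: DCL
    return cats


def audit(log_text, approved_grantors=frozenset({"secadmin"})):
    """Count events per category and flag the patterns the deck asks about."""
    counts, failed_logins, alerts = Counter(), Counter(), []
    for ev in parse(log_text):
        cats = classify(ev)
        counts.update(cats)
        who = f"{ev['user']}@{ev['ip']}"
        if "sensitive_access" in cats and re.match(r"SELECT\s+\*", ev["sql"], re.I):
            alerts.append(f"bulk read of a sensitive table by {who}: {ev['sql']}")
        if "sensitive_access" in cats and "security_exception" in cats:
            alerts.append(f"failed SELECT against sensitive data by {who}: {ev['sql']}")
        if "entitlement_change" in cats and ev["user"] not in approved_grantors:
            alerts.append(f"privilege change outside the approved process by {who}: {ev['sql']}")
        if ev["status"] == "LOGIN_FAILED":
            failed_logins[ev["ip"]] += 1
    alerts += [f"{n} failed logins from {ip}" for ip, n in failed_logins.items() if n >= 2]
    return {"counts": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(result["counts"])
    for a in result["alerts"]:
        print("ALERT:", a)
```

Note that a failed SELECT against a sensitive table lands in two categories at once (items 1 and 4); keeping both is what lets the last alert rule distinguish a probing query from an ordinary typo. Verb-based classification is deliberately simple: statements wrapped in stored procedures or dynamic SQL will not be caught by looking at the first keyword, which is one reason the deck argues for capturing activity at the database rather than parsing application logs.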

What database audit tools are enterprises using? (Chart; categories include manual review and tracking.)

Non-invasive, real-time database security & monitoring
- Continuously monitors all database activities (including local access by superusers)
- Heterogeneous, cross-DBMS solution; does not rely on native DBMS logs
- Minimal performance impact (2-3%)
- No DBMS or application changes
- Supports separation of duties: activity logs can't be erased by attackers or DBAs
- Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
- Granular, real-time policies & auditing: who, what, when, where, how

Guardium monitors data activities on BigInsights
An InfoSphere Guardium S-TAP on the cluster sees Hive queries, MapReduce jobs, and HDFS and HBase commands; relevant messages are copied and sent to the InfoSphere Guardium collector, which provides reporting and alerting (for example a "sensitive data" alert).
- Minimal impact to big data server resources or network
- Separation of duties: audited data is held on a secure appliance
- Heterogeneous support (IBM, Cloudera)

Highest overall score for Current Offering, Strategy, & Market Presence
- "Guardium continues to demonstrate its leadership in supporting very large heterogeneous environments, delivering high performance and scalability, simplifying administration, and performing real-time database protection."
- "IBM continues to focus on innovation and extending the Guardium product to integrate with other IBM products."
- #1 score in all 3 top categories and all 17 subcategories, along with perfect scores for Audit Policies; Auditing Repository; Corporate Strategy; Installed Base; Services; and International Presence.
- "Guardium offers support for almost any of the features that one might find in an auditing and real-time protection solution."
- "Guardium offers strong support for database-access auditing, application auditing, policy management, auditing repository, and real-time protection."
- "Guardium has been deployed across many large enterprises and hundreds of mission-critical databases."
- "IBM offers comprehensive professional services to help customers with complex environments as well as those who need assistance implementing database security across their enterprise."
The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Source: "The Forrester Wave: Database Auditing And Real-Time Protection"

Validated by industry experts
- "Dominance in this space"
- #1 scores for Current Offering, Architecture & Product Strategy
- "Most Powerful Compliance Regulations Tools. Ever"
- "Top of DBEP Class"
- "Guardium is ahead of the pack and gaining speed."
- "Practically every feature you'll need to lock down sensitive data."
- 2007 Editor's Choice Award in "Auditing and Compliance"
- "Enterprise-class data security product that should be on every organization's radar."
- "5-Star Ratings: Easy installation, sophisticated reporting, strong policy-based security."

Solution Illustration

Granular Policies with Detective & [remainder of title not transcribed] (screenshot of a policy rule; the legible detail is a database server at 10.10.9.56)

Cross-DBMS, data-level access control (S-GATE)
Flow: application servers or an outsourced DBA issue SQL; S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated.
- Cross-DBMS policies
- Block privileged user actions
- No database changes
- No application changes
- Without the risk of inline appliances that can interfere with application traffic

Data Encryption

What is driving data encryption technology?
Businesses or organizations that retain sensitive data and/or must meet data governance compliance:
- Credit card data: PCI DSS (Payment Card Industry Data Security Standard), applies to all that process credit card transactions
- Health data: HIPAA (Health Insurance Portability and Accountability Act), applies to health care providers and organizations that retain and/or transmit health-related information, including financial transactions
- Financial data: Sarbanes-Oxley Act, applies to public companies, public accounting firms, and firms providing auditing services
- Breach notification laws in most states
The goal: minimal disruption while meeting data security needs and compliance.

Why encrypt data? Industry regulations
Payment Card Industry (PCI) requirements:
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords; develop configuration standards
3. Protect stored data (encrypt cardholder number)
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Systems should be tested to ensure security is maintained over time and through changes
12. Maintain an information security policy
IBM Database Encryption Expert can help with several of these requirements.

The data threats: data at rest & data in transit
Online (internal threats):
- Attackers breaking through perimeter security
- Privileged user abuse
- Data replicates to many locations
Offline (theft and loss):
- Backups typically written to portable media
- Often stored offsite for long periods
On the wire (internal and external threats):
- Hackers and sniffers picking data off the network

What is IBM Database Encryption Expert?
Data protection for your database environments:
- High-performance encryption, access control and auditing
- Data privacy for both online and backup environments
- Unified policy and key management for centralized administration across multiple data servers
Transparency to users, databases, applications, storage:
- No coding or changes to existing IT infrastructure
- Protect data in any storage environment
- User access to data same as before
Centralized administration:
- Policy and key management
- Audit logs
- High availability

Encryption Expert architecture
Components: EE Security Server, EE Secure Offline Agent, EE Secure File System Online Agent.
Diagram: applications and authenticated users reach the DBMS server (DB2); the Online Agent sits in the file system path in front of the online files, and the Offline Agent protects backup files; both agents communicate with the IBM EE Server over SSL using x.509 certificates; the EE Server holds the key, policy and audit log store and is managed through Web administration over HTTPS.
Encryption Expert Security Server:
- Policy and key management
- Centralized administration
- Separation of duties
- Failover

Policy rules
- WHO is attempting to access protected data? Configure one or more users, groups, or applications users may invoke who can access protected data
- WHAT data is being accessed? Configure a mix of files and directories
- WHEN is the data being accessed? Configure a range of hours and days of the week for authorized access
- HOW is the data being accessed? Configure the file system operations allowed to access the data, e.g. read, write, delete, rename, etc.
- EFFECT: Permit; Deny; Apply Key; Audit
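An added example, in Python and not Encryption Expert's own code or policy format, of how WHO/WHAT/WHEN/HOW rules with these four effects can be evaluated. The rule set, user names, process names and paths are assumptions made up for the illustration; what it shows is the pattern the deck implies: the DBMS engine gets the key applied, a backup operator may read during a maintenance window but receives ciphertext, and root may rename or delete files it can never read.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch

ALL_HOURS = range(24)
ALL_DAYS = frozenset(range(7))      # datetime.weekday(): 0 = Monday ... 6 = Sunday
WEEKDAYS = frozenset(range(5))


@dataclass(frozen=True)
class Rule:
    name: str
    who: frozenset      # subjects: "<user>", "group:<name>" or "proc:<binary>"; empty = anyone
    what: tuple         # path globs for files or directories
    when_hours: range   # hours of the day the rule applies
    when_days: frozenset
    how: frozenset      # file system operations: read, write, delete, rename, ...
    effect: frozenset   # subset of {"permit", "deny", "apply_key", "audit"}


def request(user, groups, process, path, op, when):
    """An access attempt as the agent would see it (assumed shape for this example)."""
    return {"user": user, "groups": set(groups), "process": process,
            "path": path, "op": op, "when": when}


def rule_matches(rule, req):
    subjects = {req["user"], f"proc:{req['process']}"} | {f"group:{g}" for g in req["groups"]}
    return bool((not rule.who or rule.who & subjects)                 # WHO
                and any(fnmatch(req["path"], g) for g in rule.what)   # WHAT
                and req["when"].hour in rule.when_hours               # WHEN
                and req["when"].weekday() in rule.when_days
                and req["op"] in rule.how)                            # HOW


def evaluate(rules, req):
    """First matching rule decides; anything unmatched is denied and audited."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.name, set(rule.effect)                        # EFFECT
    return "implicit-default", {"deny", "audit"}


# Assumed rule set for a DB2 data directory; names are illustrative only.
RULES = [
    # The DBMS engine process gets cleartext (key applied) for its own files at any time.
    Rule("db2-online", frozenset({"proc:db2sysc"}), ("/db2/data/*",),
         ALL_HOURS, ALL_DAYS, frozenset({"read", "write"}), frozenset({"permit", "apply_key"})),
    # Backup operators may read during the 01:00-04:59 window, but without apply_key they
    # receive ciphertext, so the copy that leaves on portable media stays encrypted.
    Rule("backup-window", frozenset({"group:backup"}), ("/db2/data/*",),
         range(1, 5), ALL_DAYS, frozenset({"read"}), frozenset({"permit", "audit"})),
    # root may do housekeeping on the files on weekdays but never read or write contents.
    Rule("root-housekeeping", frozenset({"root"}), ("/db2/data/*",),
         ALL_HOURS, WEEKDAYS, frozenset({"rename", "delete"}), frozenset({"permit", "audit"})),
]


def demo():
    tue_10 = datetime(2013, 2, 12, 10, 0)   # a Tuesday
    sun_02 = datetime(2013, 2, 10, 2, 30)   # a Sunday
    return [
        evaluate(RULES, request("db2inst1", ["db2iadm"], "db2sysc", "/db2/data/table1.dat", "read", tue_10)),
        evaluate(RULES, request("bkpop", ["backup"], "tar", "/db2/data/table1.dat", "read", sun_02)),
        evaluate(RULES, request("bkpop", ["backup"], "tar", "/db2/data/table1.dat", "read", tue_10)),
        evaluate(RULES, request("root", ["wheel"], "cat", "/db2/data/table1.dat", "read", tue_10)),
        evaluate(RULES, request("root", ["wheel"], "rm", "/db2/data/old.dat", "delete", tue_10)),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two points a practitioner would check in such a policy: rule order matters (first match wins, so a broad permit placed early silently overrides a later deny), and identifying the WHO by process name alone is weak, since any user can name a binary `db2sysc`; a production agent must also verify the binary's identity, not just its name. `fnmatch`'s `*` also matches `/`, so `/db2/data/*` covers subdirectories here.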

Data Masking

Vulnerable non-production environments at risk
(Information Governance Core Disciplines: Security and Privacy; Understand & Define, Secure & Protect, Monitor & Audit)
Most ignore security in non-production environments:
- 70% of organizations surveyed use live customer data in non-production environments (testing, QA, development) (Database Trends and Applications, Ensuring Protection for Sensitive Test Data)
- $194 per record cost of a data breach (The Ponemon Institute, 2012 Cost of Data Breach Study)
- 50% of organizations surveyed have no way of knowing if data used in test was compromised (The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis)
- 52% of surveyed organizations outsource development (The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis)

What is data masking?
- Definition: a method for creating a structurally similar but inauthentic version of an organization's data. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required.
- Requirement: effective data masking requires data to be altered in a way that the actual values cannot be determined or reverse-engineered, while functional appearance is maintained.
- Other terms used: obfuscation, scrambling, data de-identification
- Commonly masked data types: name, address, telephone, SSN/national identity number, credit card number
- Methods:
  - Static masking: extracts rows from production databases, obfuscating data values that ultimately get stored in the columns of the test databases
  - Dynamic masking: masks specific data elements on the fly without touching applications or the physical production data store

IBM InfoSphere Optim Data Masking Solution
Requirements:
- De-identify sensitive information with realistic but fictional data (e.g. JASON MICHAELS becomes ROBERT SMITH)
- Protect confidential data used in test, training & development systems
- Mask data on screen in applications
- Implement proven data masking techniques
- Support compliance with privacy regulations
- Solution supports custom & packaged ERP applications
Benefits:
- Personally identifiable information is masked with realistic but fictional data
- Protect sensitive information from misuse and fraud
- Prevent data breaches and associated fines
- Achieve better information governance

Contextually accurate masked data facilitates business processes
Satisfy privacy regulations, reduce the risk of data breaches, maintain the value of test data. Masking techniques:
- String literal values
- Character substrings & concatenation
- Random or sequential numbers
- Arithmetic expressions
- Lookup values
- Business data types (CCN, NID)
- Generic mask
- Dates
- User defined
Example (Patient Information table before masking):

Patient No. | Name           | SSN         | Address             | City   | Zip
123456      | Amanda Winters | 123-45-6789 | 4012 Bayberry Drive | Elgin  | 60123
112233      | Erica Schafer  | 333-22-4444 | Murray Court        | Austin | 78704

After masking, the names become Pablo Picasso and Elliot Flynn: data is masked with contextually correct values to preserve the integrity of the data. Referential integrity is maintained with key propagation: the related Event table's LstN and EvtOwn columns, which previously held Winters and Schafer, now hold Picasso and Flynn.
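As an added example, and not Optim's code or algorithm, the Python below implements the behaviour the table illustrates: lookup-value masking for names, format-preserving masking for SSNs and credit card numbers (the "business data types" technique), and key propagation so a child Event table still joins to the masked parent. It uses a keyed HMAC so the same real value always maps to the same masked value while the original cannot be recovered from the output without the key. The key, the name lists, the card numbers and the Event rows are constructed for the example; the two patient rows are the ones from the slide.

```python
import hashlib
import hmac
import re

# Constructed data for the example: the two patients from the slide, with
# credit card numbers taken from the well-known Luhn-valid test ranges.
PATIENTS = [
    {"patient_no": "123456", "first": "Amanda", "last": "Winters",
     "ssn": "123-45-6789", "ccn": "4539 1488 0343 6467", "zip": "60123"},
    {"patient_no": "112233", "first": "Erica", "last": "Schafer",
     "ssn": "333-22-4444", "ccn": "6011 0009 9013 9424", "zip": "78704"},
]
# Child table that joins to the parent on last name, like the slide's Event table.
EVENTS = [
    {"event_id": 1, "last": "Winters", "type": "admit"},
    {"event_id": 2, "last": "Schafer", "type": "admit"},
    {"event_id": 3, "last": "Winters", "type": "discharge"},
]
# Lookup tables (the slide's "lookup values" method); constructed lists.
FIRST_NAMES = ["Pablo", "Elliot", "Maria", "Chen", "Amara", "Yusuf", "Ingrid", "Tomas"]
LAST_NAMES = ["Picasso", "Flynn", "Okafor", "Lindqvist", "Nakamura", "Haddad", "Moreau", "Silva"]


def _prf(key: bytes, domain: str, value: str) -> int:
    """Keyed pseudo-random function: same key, domain and value always give the same
    number, and the original cannot be recovered from the output without the key."""
    mac = hmac.new(key, f"{domain}\x00{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def mask_lookup(key, domain, value, table):
    """Consistent substitution from a lookup table (same input -> same output)."""
    return table[_prf(key, domain, value) % len(table)]


def mask_ssn(key, ssn):
    """Format-preserving SSN. Area numbers 900-999 are never issued, so the masked
    value keeps the AAA-GG-SSSS shape but cannot belong to a real person."""
    n = _prf(key, "ssn", ssn)
    area = 900 + n % 100
    group = 1 + (n // 100) % 99
    serial = 1 + (n // 9900) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def luhn_check_digit(body):
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # digits at even offsets from the check digit are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_ccn(key, ccn):
    """Keep the 6-digit issuer prefix (BIN) so routing logic in test code still works,
    replace the account digits deterministically, and recompute the Luhn digit."""
    digits = re.sub(r"\D", "", ccn)
    k = len(digits) - 7
    body = digits[:6] + f"{_prf(key, 'ccn', digits) % 10**k:0{k}d}"
    return body + luhn_check_digit(body)


def mask_patient_rows(key, patients, events):
    """Static masking of the parent table with key propagation into the child table."""
    masked_patients = [{
        "patient_no": p["patient_no"],                  # surrogate key kept as-is
        "first": mask_lookup(key, "first", p["first"], FIRST_NAMES),
        "last": mask_lookup(key, "last", p["last"], LAST_NAMES),
        "ssn": mask_ssn(key, p["ssn"]),
        "ccn": mask_ccn(key, p["ccn"]),
        "zip": p["zip"],                                # left in clear: a quasi-identifier, see note
    } for p in patients]
    # Same key and same domain as the parent column, so the join survives masking.
    masked_events = [dict(e, last=mask_lookup(key, "last", e["last"], LAST_NAMES)) for e in events]
    return masked_patients, masked_events


if __name__ == "__main__":
    key = b"example-key-kept-out-of-the-test-environment"
    for row in mask_patient_rows(key, PATIENTS, EVENTS)[0]:
        print(row)
```

Three caveats worth carrying into a real masking job: the key must never reach the non-production environment, because with it the mapping is reversible by replay; a small lookup table will eventually map two distinct originals to the same masked value, which is harmless for a display name but merges records when the column is a join key (use a larger table or a sequence for keys); and fields left in the clear, such as the zip code here, remain quasi-identifiers that can re-identify people when combined with other columns.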

Gartner Magic Quadrant: Data Masking
IBM is positioned as a Leader in the Gartner Magic Quadrant for Data Masking Technology.
The Magic Quadrant is copyrighted 2012 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Are there ways around your security policies? (Requirements for data security and compliance)

The Choice of Market Leaders

The Choice of Government

