1 / 15

Expert de la sécurité des SI

Expert de la sécurité des SI. Guardium Data Encryption La protection des données. Juillet 2014. What is IBM Infosphere Guardium Data Encryption?. Security for your structured and unstructured data High performance encryption , access control and auditing

blade
Télécharger la présentation

Expert de la sécurité des SI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Expert de la sécurité des SI Guardium Data Encryption La protection des données Juillet 2014

  2. What is IBM Infosphere Guardium Data Encryption? • Security for your structured and unstructured data • High performance encryption, access control and auditing • Data privacy for both online and backup environments • Unified policy and key management for centralized administration across multiple data servers • Transparency to users, databases, applications, storage • No coding or changes to existing IT infrastructure • Protect data in any storage environment • User access to data same as before • Centralized administration • Policy and Key management • Audit logs • High Availability 2

  3. Relationship to IBM Data Protection suite • Data Encryption is complimentary to other security products • Data Encryption Strength • Transparent Data Encryption • Key management • File Access Control GDE Server

  4. Guardium Data Encryption Guardium Data Encryption Requirements Ensure compliance with data encryption Ensure compliance and protect enterprise data with encryption • Protect sensitive enterprise information and avoid data breaches • Minimize impact to production • Enforce separation of duties by keeping security and data administration separate • Meet government and industry regulations (eg. PCI-DSS) Benefits • Protect data from misuse • Satisfy compliance requirements including proactive separation of duties • Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes 4

  5. GDE Use Cases Database Encryption Unstructured Data Encryption Cloud Encryption • Usage: Encrypt Tablespace, Log, and other Database files • Common Databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL… • Usage: Encrypt and Control access to any type of data used by LUW server • Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data… • Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc… • Usage: Encrypt and Control Access to data used by Cloud Instances • Common Cloud Providers: Amazon EC2, Rackspace, MS Azure 5

  6. GDE Design Concept Typical Approaches InfoSphere Guardium Data Encryption centralizes encryption Full disk encryption on the endpoint systems Database Exports Databases Application Logs File/Print Servers Document Ingest Spreadsheets, PDFs, Scanned Images Staging areas FTP Servers

  7. GDE Architecture Components: • GDE Security Server • GDE Secure File System Agent Users Application Web Administration Databases, Files OS FS Agent File System SAN, NAS, DAS Storage Policy is used to restrict access tosensitive data by user and processinformation provided by the OS. https GDE Security Server Failover SSL/TLS Key, Policy, Audit Log Store GDE Security Server • Policy and Key Management • Centralized administration • Separation of duties 7

  8. Web Administration Data Encryption Architecture Authenticated Users Applications DBMS Server / File server ftp server DBMS Server / File server ftp server DBMS server / file server ftp server DBMS Server / File server ftp server DBMS Server / File server ftp server SSL x.509 Certificates DEAgent File System File System File System https IBM DE Server Active /Active Key, Policy, Audit Log Store Data Encryption Security Server • Policy and Key Management • Centralized administration • Separation of duties Online Files 8

  9. GDE: How It Works Data Encryption Clear Text File Data File Data File Data File Management DE Agent Policy File SystemMetadata Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02 Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02 Writes Name: J Smith Credit Card #: 6011579389213 Exp Date: 04/04 Bal: $5,145,789 Social Sec No: 514-73-8970 File Data dfjdNk%(Amg 8nGmwlNskd 9f Nd&9Dm*Ndd xIu2Ks0BKsjd Nac0&6mKcoS qCio9M*sdopF Reads • Protects Sensitive Information Without Disrupting Data Management • High-Performance Encryption • Data Access as an Intended Privilege 9

  10. GDE Policies Authentication Authorization Audit Context-Aware Access Control • Filters Users or Groups Who May Access Protected Data • Filters the Applications Users May Invoke to Access Protected Data Who? • Identifies the File System Operations Available to the User/ Application Combination What? Where? • Identifies Protected Data (e.g., File, Directory, Wildcard) • Verifies Authorized Time Window Available for Access by Window-Sensitive Tasks (e.g., Backup, Contract Employees) When? How? • Separates the Ability to Access Data From the Ability to View Data

  11. GDE Segregation of Duties Key Administrator Server Administrator Policy Administrator Audit Administrator Administrator Roles • Roles provide separation of duties for Data Encryption Administrators • Server Administrator Role - Provides administration/configuration capabilities relevant to the security server • Domain Administrator: Assigns accounts their security roles • Key Administrator Role – Allows administrator to generate/manage keys • Policy Administrator Role – Allows administrator to create/manage policies • Host Administrator Role – Applies Policies to hosts • Audit Administrator Role – This role is required to purge audit logs 11

  12. LAN/WAN SAN NAS DAS Distributed Enforcement - Centralized Management Production DEV QA Centralized Security Servers • Centralized Security Server: • Multiple database instances • Online and Offline • Heterogeneous databases 12

  13. 13

  14. Merci de votre attention

  15. 15

More Related