Information protection, Part 2: Audit and compliance

"SAFER" information protection capabilities

Information protection is one of the common entry points for organizations getting started with information governance. Protecting sensitive data serves a clear business need, and protecting data is the goal of many current regulations. In 2008, the average cost of a data breach to an organization was $6.5M - and these only represent the ones that were found. Most of these breaches were internal.

In part 1 of this two part series we looked at the information security and privacy aspects of protection your data. Now, in part 2 we turn our attention to audit and compliance.


Mark Simmonds (, Senior Product Marketing Manager, Information Management division, System z, IBM

Mark Simmonds is a senior product marketing manager within the IBM Software Group Information Management division focused on Data Governance, Master Data Management and SOA for the System z® portfolio. He has 15 years IBM service. He previously spent 10 years in WebSphere® Product Marketing. He has his feet firmly on the ground having spent three years as an IBM systems architect responsible for infrastructure design and corporate technical architecture with large financial institutions. He has a number of author recognition awards, having written articles for technical journals and business magazines.

Ernie Mancill (, Executive IT Specialist System z, IBM

Ernie is an Executive IT Specialist and is a founding member of IBM’s z/Series Database Tools team, a team which assists customers in evaluating and implementing IBM's database tools for DB2. Ernie specializes in Data Governance and Security on DB2 and IMS on System z. He has a specific focus on Auditing, Data Privacy, and Data Encryption technology. Prior to joining IBM in 1999, Ernie worked as a DB2 and CICS Systems Programmer and has over 35 years of IT experience in many different capacities and in a variety of different industries.

Ernie is a Certified DB2 for z/OS V9 Database Administrator, and has presented at IDUG, the DB2 Information-On-Demand Conference, SHARE, and at local DB2 user groups throughout the Americas. Ernie has co-authored three IBM Redbooks, "A Deep Blue View of DB2 Performance – IBM Tivoli OMEGAMON for DB2 Performance Expert on z/OS", "Keeping Your Data in its Place with DB2 Data Archive Expert", and "Securing and Auditing Data on DB2 for z/OS". In his spare time, Ernie is an avid saltwater fly fisherman.

02 August 2010

Also available in Russian


Let's just recap : IBM provides a comprehensive set of information protection capabilities for IBM hardware platforms that help organizations discover which data needs to be protected, secure access to it, provide encryption of the data, and ensure that privacy controls are in place throughout the information life cycle. In addition, IBM provides organizations with powerful and flexible analysis, real-time auditing, and reporting tools.

Figure 1. IBM provides organizations with a comprehensive set of information protection capabilities
IBM provides organizations with a comprehensive set of information protection capabilities.

Information protection for IBM System z

It's estimated that 95 percent of Fortune 1000 companies store business data on IBM System z®. Its business-focused capabilities—advanced business continuity features, security, transaction integrity, scalability, dynamic workload balancing capabilities, and powerful tools for access control and protection—make the System z platform an excellent choice for storing and processing business-critical information.

However, organizations must demonstrate accountability by complying with industry, financial and regulatory guidelines and be able to answer the who, what, when, where and how questions when it comes to data access. Regulations exist at the worldwide level, in addition to the country- and state-specific laws and regulations that must be followed. The Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Basel II and U.S. Senate Bill 1396 are just a few examples of the regulations with which organizations must comply. Research shows that the perceived quality of a company's corporate governance can influence its share price, as well as the cost of raising capital.

Let's take a closer look at information protection on the System z platform, focusing this time on Audit and compliance on z/OS.

Auditing and IBM data servers on z/OS

RACF is the industry-leading security product for z/OS and does an excellent job in protecting access to secured assets on data servers for z/OS. However, it does little in the way of access and activity reporting. Audit mechanisms need to collect and report on activity performed in data servers for z/OS with relatively low overhead. Auditing does not enforce security policies. Therefore, a robust security implementation requires both RACF-based protections and auditing support. The purpose of auditing is to ensure that the appropriate controls are in place to identify inappropriate access and use of production data. Although auditing does not enforce access patterns or implement security, it provides the forensic information used to analyze the activities of users after access occurs. The key point to remember is that auditing solutions do nothing to protect access to data or other database resources.

The privileged user conundrum

To ensure the continued health and well-being of any database management system (DBMS), including DB2 and IMS on z/OS, many activities must be performed on a regular basis by system and database administrators. While these activities can be well controlled by external security processes such as RACF, they are pervasive in effect and can be used in ways that are contrary to security policies. To cite one possible scenario, there is sensitive data residing on a DB2 table, and the applications that access this table - such as IMS or IBM CICS® - are well protected by RACF. The database administrator does not have RACF authority to execute the CICS application, but has database administration authority (DBADM) to administer the table. The database administrator runs an UNLOAD utility against the table, extracting all of the data contained in the table. He or she can then transfer that data through any number of mechanisms to an outside entity (FTP, Flash/USB, CSV to spreadsheet, etc.).Since the user has special privileges against the table, there will be no evidence of a security violation that would be reported by RACF.

If, on the other hand, the environment were protected by an auditing solution, there could be mechanisms that would report on this authorized, but questionable, use of special privileges. One recommendation for audit collection is to monitor any SQL or utility access for privileged users. Conversely, one might elect to monitor each utility event or combine looking for one or both classes of events within a time interval. So, while it might be acceptable for the database administrator to access the audited tables during normal business hours, auditing parameters might be set up to look for unusual access patterns outside of normal business hours. The conundrum in all of this is that the nature of these authorities gives the privileged user capabilities to access DB2 and IMS resources and data by means outside the use of the well-protected application environment. This has the effect of providing unlimited access to the data, and circumventing normal transaction-level RACF protection. In a DBMS environment where privileged user authorities have been granted, there must be some mechanism to track and record activities that are performed under the control of these privileged user identifiers.

Figure 2. Guardium provides scalable auditing, access control, and monitoring capabilities across heterogeneous environments
Guardium provides scalable auditing, access control, and monitoring capabilities across heterogeneous environments

Separation of roles

Any mechanism used to audit activities of trusted users must be implemented in such a way as to prevent the privileged user from interfering with the collection of, or contaminating the source of, the audit data. Audit mechanisms against data servers for z/OS must maintain the necessary separation of duties, resulting in assurance of audit data integrity and more accurate reports. This allows database administrators to perform their own job duties and allows auditors to run audit reports independently of the database administrators, which results in easier and more accurate audits. Auditors need to have the ability to adhere to published industry standards and external auditing without relying on the assistance of the personnel being monitored.

Guardium for z

Auditors using Guardium for z do not need to go to a large number of sources to access data, nor do they need user IDs for DB2 or the operating system. They simply log in to Guardium to gain complete visibility of all auditable objects.An auditor can display collected data for all DB2 instances, or just the DB2 instances of interest, all from the central repository. A centralized repository creates a single source for reporting, institutional controls, and summarizing of data, including high-level trending of audit anomalies and drill-down capability (one layer at a time), as well as a robust level of reporting events controlled by the auditor without database administrator involvement. Secure audit data is in a locked-down, tamper-proof audit repository that cannot be modified by anyone, including database administrators and other privileged users, thereby supporting separation of duties and addressing a key audit requirement. When audit data resides in a hardened environment like Guardium for z, organizations can better control access and protect audit data.

For many organizations, a comprehensive auditing environment requires much more than just collecting, storing, and providing reporting mechanisms. Most customers today require support for heterogeneous DBMS environments,spread across different hardware, operating system and database managers. Effective auditing calls for data from these disparate environments to be combined on a single-pane view. Guardium, as part of a larger heterogeneous implementation,provides additional support, which satisfies many of the common auditing and reporting requirements as well as providing significantly more robust functionality. Guardium helps to satisfy a wide range of requirements for monitoring and alerting - without impacting SLAs and performance, and without requiring changes to databases or applications:

  • Streamline compliance processes with workflow automation that automatically distributes compliance reports to oversight teams for electronic sign-offs, escalations andcomments.
  • Provide a scalable, multi-tier architecture that easily grows to handle increased workloads and additional applications and data center locations.
  • Prevent unauthorized changes to database schemas and data.
  • Allow for implementation of automated change control reconciliation by comparing approved change tickets with actual changes implemented by database administrators.
  • Provide a best-practices library of hundreds of preconfigured reports and policies for regulations and standards such as SOX, PCI and HIPAA, as well as an easy-to-use, drag-and-drop "builder"- for creating custom reports and policies.

Being alerted in near real time to potential threats enables an organization to stay one step ahead. Why be reactive when you can be proactive with Guardium for z?


IBM Information Management information protection solutions for z/OS offer comprehensive end-to-end capabilities to help manage business risk and reduce the threat of data breaches and security exposures- wherever your data is, whoever is using it, whenever it is being used. IBM can help you find ways to take back control and be S.A.F.E.R.



Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.


  • Get involved in the My developerWorks community. Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.


developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Information management on developerWorks

Zone=Information Management, SOA and web services
ArticleTitle=Information protection, Part 2: Audit and compliance