How IBM's new database security and monitoring software helps protect sensitive information and reduce compliance costs
Despite the noise you hear about data leakage through lost laptops, backup tapes, and unstructured data, databases are the primary target for external hackers and insider attacks. According to the 2009 Verizon Business Data Breach Investigations Report, 75 percent of breached records originated in database servers; backup tapes, laptops, and workstations accounted for less than 1 percent of records breached.
It's easy to understand why: databases contain an organization's most valuable information, including customer records, payment card data, and financial results. Statistics show that hackers are skilled at using techniques such as cross-site scripting to penetrate perimeter defenses and reach the database. Existing security solutions, such as intrusion detection systems (IDSes), lack the knowledge of database protocols and structures required to detect inappropriate activities. Other solutions that rely on native DBMS logs, such as security information and event management (SIEM) systems, do not operate in real time, can be evaded by users with elevated privileges (which hackers often acquire), and introduce problematic overhead.
A growing number of mandates encompass this type of sensitive information as well, including various financial regulations (such as the Sarbanes-Oxley Act), industry-specific mandates (the Payment Card Industry Data Security Standard [PCI DSS]), and local data privacy laws. Each mandate has unique aspects, but they generally require organizations to detect, record, and remediate unauthorized access or changes to sensitive data, including those by privileged users, while providing a secure audit trail to validate compliance. Information security and database managers struggle to implement these types of controls, especially with respect to monitoring privileged users. Heightened focus on business-reputation risk and sensitive data protection is also driving closer internal scrutiny of controls. The result of all this is clear: providing effective database security and compliance has become anything but easy.
The DIY approach
To date, meeting these needs typically involved developing custom solutions. The most common approach has been to enable the DBMS's audit facility to record transactions, then use UNIX scripts, Perl scripts, or C++ code to scrape and parse the logs and create a separate audit database or file. At regular intervals, individuals in the database administration organization must painstakingly review the data, identify policy violations, notify the parties responsible for investigating the violations, and record the investigation results.
This approach creates a variety of problems. First, developing, maintaining, and managing custom solutions often requires the equivalent of several highly skilled, full-time employees—the same personnel required for strategic business initiatives. Second, from a system-resource perspective, enabling the audit facility incurs overhead that is often unacceptable. And finally, auditors have begun to challenge the security of custom solutions: log files can be changed or deleted by hackers or insiders seeking to cover their tracks, and with a custom solution, security duties cannot be separated from administrative functions.
Creating and managing granular policies
With the acquisition of Guardium, a leading supplier of database activity monitoring (DAM) and database protection solutions, IBM now offers an automated, effective, and efficient way to directly address growing database security and compliance challenges.
The IBM InfoSphere Guardium solution continuously monitors database transactions through lightweight software probes (see Figure 1) installed on the database servers. The probes monitor all database transactions, including those of privileged users, at the operating system kernel level without relying on database audit logs. The probes forward transactions to a hardened Collector appliance on the network, where they are compared to previously defined policies to detect violations. The system can respond with a variety of policy-based actions, including generating an alert and blocking the transaction in real time.
Figure 1. InfoSphere Guardium's scalable multi-tier architecture protects sensitive data through centralized aggregation of audit data and centralized, enterprise-wide management of security policies.
With InfoSphere Guardium, developing a policy to protect sensitive data is straightforward. For an example, consider the process of building a policy for payment card data; such data is frequently targeted by hackers, and it is subject to the very comprehensive and global PCI DSS standard.
Figure 2 illustrates a simple rule (see the sections outlined in red) specifying that any database transaction not from an "Authorized Client IP" address that attempts to access objects specified in our "Cardholder Objects" group will trigger an action to terminate the session. The Authorized Client IP group is created by entering the IP addresses of personnel with the business need to access cardholder data in a separate screen.
Figure 2. InfoSphere Guardium enables the development of granular policies to detect and block unauthorized database access or changes.
Rules can be made as detailed as necessary and can include a wide range of parameters—from user names and database type to command, time period, and counts. InfoSphere Guardium also provides integration with typical Lightweight Directory Access Protocol (LDAP) and directory services within your environment to automatically populate the groups in the security policy. As a result, you can enforce the access control portion of user management. InfoSphere Guardium allows you to develop the type of proactive controls specified by PCI DSS Requirements 10 (track and monitor access to cardholder data), 7 (restrict access to cardholder data), and 3 (protect stored cardholder data).
Note that in this example, the policy is database agnostic and can be applied uniformly across all databases supported, including IBM DB2, IBM Informix, Oracle, Microsoft SQL Server, Sybase, MySQL, and Teradata.
InfoSphere Guardium also supports IBM System z, a common platform in large enterprise environments. While IBM Resource Access Control Facility (RACF) is sometimes perceived as a sufficient control for mainframes, it does not capture a granular audit trail of what users did while accessing DB2 on z/OS, nor does it identify administrative users who abuse their privileges to view or change sensitive tables without a legitimate business need. IBM DB2 Audit Management Expert technology is used to capture mainframe database transactions and integrate them into a unified, enterprise-wide view via Collector appliances.
How is it done?
Behind the scenes, the InfoSphere Guardium solution uses a series of technology strategies to support high levels of security while minimizing the impact on enterprise systems.
On the DBMS server, the solution must ensure that all traffic is captured—including direct connections to the DBMS server, such as SSH—and that the solution cannot be disabled without authorization. To meet this requirement, InfoSphere Guardium software probes are installed as a system account (root) and run as a single process on the operating system. The probes are installed on Microsoft Windows servers as a Windows service, and on UNIX servers as a daemon that, if killed, is restarted by the operating system. Also, because the probes are installed at the system software level, no changes to the database or applications are required, and the solution supports all major DBMS platforms.
Because databases are user-level programs that get services from the operating system, the probes can monitor all database transactions, whether they originate locally or remotely, by viewing these service requests. They can also support as many database instances as are installed on the server via a single probe process. This approach provides the separation of duties required by auditors, because only the security administrator will have the authority to disable the probe. As an additional security measure, there is a heartbeat between the appliance and the probe that will alert the administrator if the probe is disabled for any reason.
As the data is captured, it must be analyzed in real time to quickly identify policy violations. The probes transmit the data to the Collector appliances, which strip the data headers and analyze the content to determine how it relates to parameters specified by the policy. For example, the network layer will provide information on the client IP address, the OS user name will be extracted from the OS layer, the database user name will be extracted from the database layer, and lastly, the payload will provide the actual SQL content. Relevant information is stored in a secure internal database so it can easily be used for enterprise-wide analytics, compliance reporting, and forensics.
Because transaction analysis is performed by the Collector and the server is only tasked with forwarding transactions, the performance impact on the server is very low—typically less than 5 percent.
Data can be aggregated across Collectors, enabling centralized policy management, reporting, and compliance workflow management—even across enterprises that have thousands of geographically dispersed databases. Clustering and high-availability architectures are often found in these types of large enterprise environments. To accommodate these architectures, probes can be configured to automatically fail over to other Collectors on the network, providing both high availability and load balancing. In clustered environments, probes are installed on all nodes, and each probe is configured as though that node is the primary node. All probes will be active, but only the primary node will forward monitored transactions.
Beyond rules and policies
InfoSphere Guardium supports many other database security and compliance needs. Capabilities include discovering databases that may have been added outside normal processes by crawling the network; enforcing change control by matching actual database changes detected by the probes to authorized changes imported from a corporate change ticketing application; and detecting fraud by identifying actual end-user identities in transactions executed from enterprise applications such as SAP, Oracle E-Business Suite, and PeopleSoft that utilize pooled database connections.
The solution also provides vulnerability assessment and configuration-auditing capabilities that enable DBAs to directly evaluate the security of their databases. The former allows administrators to schedule tests—specific to their installed databases (see Figure 3)—to detect and prioritize (through a risk score) issues such as missing patches, weak passwords, misconfigured privileges, and inappropriate behavioral activity like credential sharing. The latter detects changes in critical system files and configuration objects. These are important capabilities called out in PCI DSS Requirements 2 (don't use vendor default passwords), 6 (maintain secure systems), and 11 (regularly test system security).
InfoSphere Guardium provides powerful monitoring, detection, and protection capabilities—but companies also need proof that all policy violations have been investigated and remediated. The Compliance Workflow Automation module satisfies that need, managing the regular distribution of compliance reports to oversight teams, tracking the results of electronic sign-offs, and storing the results of this oversight process in the secure repository for review by auditors.
Figure 3. The InfoSphere Guardium Vulnerability Assessment module scans the database infrastructure for missing patches, default passwords, misconfigured privileges, and other vulnerabilities.
Improve security, free up resources
Groups responsible for database administration should partner with other stakeholders—like the security team—to plan the InfoSphere Guardium implementation so they can help identify sensitive data, define appropriate protective policies, and design automated workflow to ensure incidents are investigated and closed in a manner that satisfies compliance requirements. Resources previously dedicated to the maintenance of custom solutions and the review of audit data can be redeployed to support the organization's strategic initiatives.
IBM has historically delivered strong security controls in its database solutions, including core authentication and authorization functionality, as well as advanced features such as Trusted Contexts. InfoSphere Guardium adds controls that will enable organizations using IBM database servers to significantly improve their security and compliance posture, while freeing up scarce technical resources.
- Learn more about InfoSphere Guardium.