Guardium Data Security Center license guide

This document provides information about licensing and entitlements for IBM Guardium® Data Security Center Software ("Guardium Package").

Note: This license guide is intended to provide only supplementary information to assist you in deploying one or more Programs you licensed from IBM within your purchased entitlement. Your license agreement, such as the IBM International Program License Agreement (IPLA) or equivalent, and its transaction documents, including the license information for Guardium Package, is the sole and complete agreement between you and IBM regarding use of the Program.

License options

There are multiple license options for Guardium Data Security Center. The following table shows current and legacy bundle offerings and the applications and product components that are included in each.
Table 1. Bundles and Entitlements

Bundle: IBM Guardium Data Security Center Software
Entitlement:
  • IBM Guardium DDR
  • IBM Guardium Quantum Safe
  • IBM Guardium Data Protection
  • IBM Guardium Vulnerability Assessment
License: https://www.ibm.com/terms/?id=L-QABB-9QRLFB

Bundle: IBM Guardium Package (software)
Entitlement:
  • IBM QRadar SOAR
  • IBM QRadar SOAR Breach Response Add-On
  • IBM Guardium Data Protection
  • IBM Guardium Vulnerability Assessment
  • IBM Guardium Data Security Center
  • Risk Manager
License: https://www.ibm.com/terms/?id=L-YCUQ-REB48T

Bundle: IBM Cloud Pak for Security 1.10.0 (Gen 3)
Entitlement:
  • QRadar XDR Connect - Data Explorer, Threat Intelligence Insights, Threat Investigator
  • IBM QRadar SOAR
  • IBM QRadar SOAR Breach Response Add-On
  • QRadar Event Analytics
  • QRadar Flow Analytics
  • QRadar Data Lake
  • IBM Guardium Data Protection
  • IBM Guardium Vulnerability Assessment
  • IBM Guardium Data Security Center
  • Risk Manager
License: https://www.ibm.com/support/customer/csol/terms/?id=L-GBLK-CEYGU9&lc=en

License type

The following table lists the license and associated environment types for the Guardium Package program.

License | Environment Type | Description
Latest License File; for example, L-GBLK-CDVHGZ | Production or Nonproduction | IBM Guardium Data Security Center Software
These licenses include Red Hat® OpenShift® Container Platform support entitlements. These licenses can be deployed in the Production or Nonproduction environment. For more information, see Programs that can be deployed on Red Hat OpenShift.

Specific to the Red Hat OpenShift Kubernetes environment, the license is used when creating instances of Package components in the spec.license.license field of each custom resource, with spec.license.use based on applicable environment type.

What do you get with your purchase of the Guardium Package, and what is your entitlement?

IBM Guardium helps your organization protect data across the hybrid cloud. The following bundled programs are included in the Guardium Package.

Bundled programs:
  • IBM Guardium Data Protection for Big Data
  • IBM Guardium Data Protection for Databases
  • IBM Guardium Data Protection for Database Services
  • IBM Guardium Data Protection for Data Warehouses
  • IBM Guardium Data Protection for Files
  • IBM Guardium Data Protection for z/OS®
  • IBM Guardium Data Protection for SAP HANA
Related entitlement: Guardium Data Protection

Bundled program: IBM Guardium Vulnerability Assessment for Databases
Related entitlement: Guardium Vulnerability Assessment

When you deploy any of the bundled programs under the Guardium Package, the licensee must not exceed the maximum entitlement at any time. See License ratios for details. Deployments can include a mix of different deployed bundled programs. Licensee can change the deployed programs at any time if the maximum entitlement is not exceeded.

Select programs run on Guardium Data Security Center, an enterprise-ready, containerized software solution environment that runs on Red Hat OpenShift. The Guardium Data Security Center is supported on Linux® 64-bit (X86_64) only today. See Programs that can be deployed on Red Hat OpenShift to learn more about which deployments require the Red Hat OpenShift Container Platform and how those entitlements need to be handled.

Differences in license terms

The license terms for the Guardium Package supersede the license terms of the bundled programs and related programs. However, this policy applies only when there is a conflict of terms. Terms that apply to the bundled programs and related programs still apply, if not superseded.

License options and pricing models for the Guardium Package

The Guardium Package is available as either a perpetual or subscription license.

For more information about IBM perpetual and subscription licenses, see Passport Advantage® Licensing Overview.

Licensee can purchase Resource Units and apply them to the programs of their choice.

Asset metric

The unit of measure is Asset, which counts the number of assets that are accessed, scanned, or managed by the software program.

  • For Guardium Data Protection and Guardium DDR, the number of data sources that the Guardium programs protect is counted.
  • For Guardium Vulnerability Assessment, the number of data sources that the Guardium program scans is counted.
  • For Guardium Quantum Safe, the number of objects that the Guardium program scans is counted.

A list of supported assets with definitions can be found in Guardium Data Security Center asset guidance.

License ratios

Entitlements for deployed instances of programs in the Guardium Package are calculated based on Resource Unit (RU) ratios to Assets. The following table shows the ratios:

Conversion Entitlement Ratios | RU Ratio
Guardium Data Protection | 1 Asset: 300 RU
Guardium Vulnerability Assessment | 1 Asset: 40 RU
Guardium DDR | 1 Asset: 100 RU
Guardium Quantum Safe | 5 Asset: 1 RU

The Conversion Entitlement Ratio “n:m” means that a Licensee can convert some number (‘n’) entitlements of the indicated metric for the listed program for every specified number of (‘m’) entitlements of the specific metric for the Program. Once converted, the Licensee may use only such converted entitlements for the listed program. The specified conversion does not apply to any entitlements for the Program that are not of the required metric type.

As an example, if 5,000 Guardium Package RU entitlements are converted by an organization for Guardium Data Compliance (based on 100 Asset to protect 50 data sources), those RU entitlements are then used for Guardium Data Compliance, not other programs. If the RU entitlements that are deployed to Guardium Data Compliance are no longer needed, they can be redeployed to another program in Guardium Package, by using the applicable RU ratio for that program.

If Licensee is using the Program to manage IBM Guardium S-TAP on z/OS, then entitlements will be calculated by converting managed IBM Guardium S-TAP Value Units (VU) of Million Server Units (MSU) to Assets at a ratio of 1 Asset for every 5 VU.

RU program entitlements of Guardium Package that are deployed can be redeployed to other bundled programs under the Guardium Package, if the total entitlement is not exceeded, using the ratios by program to calculate your total entitlements. The program entitlements can be used in different combinations any number of times.

Programs that can be deployed on Red Hat OpenShift

The following programs are containerized and require the deployment of Red Hat OpenShift Container Platform.

  • Guardium Data Compliance (entitled through Guardium Data Protection)
  • Guardium DDR
  • Guardium Quantum Safe
For Red Hat related details and restrictions, see the Guardium Package Latest License File.
Note: All deployments of Guardium Data Compliance, Guardium DDR, and Guardium Quantum Safe through the Guardium Package will be run on Red Hat OpenShift Container Platform and must have sufficient support entitlement for the Red Hat OpenShift Container Platform cores that are used.

Red Hat OpenShift Container Platform entitlements

In the Red Hat OpenShift Container Platform entitlements section, “entitlement” to the Red Hat OpenShift Container Platform refers to the software subscription and support for the Red Hat OpenShift Container Platform. “Restricted license entitlement” means that software subscription and support for the Red Hat OpenShift Container Platform acquired pursuant to your Guardium Package License is only provided for use of the Red Hat OpenShift Container Platform, specifically for Guardium Package and not non-Guardium Package workloads.

When bundled offerings such as Guardium Data Compliance are deployed as part of a Guardium deployment, deployment of Red Hat OpenShift is required. The following list shows the restricted license entitlement for Red Hat OpenShift.

  • 136 Cores of Red Hat OpenShift Container Platform if Licensee obtains 0-25,000 RU entitlements of the Program
  • 208 Cores of Red Hat OpenShift Container Platform if Licensee obtains 25,001-100,000 RU entitlements of the Program
  • 532 Cores of Red Hat OpenShift Container Platform if Licensee obtains 100,001 or more RU entitlements of the Program

The entitlements for Red Hat OpenShift that are included in the Guardium Package entitlement are restricted license entitlements. These entitlements can be used only for deployments of Guardium Package instances, not for other third-party deployments or custom code. If you deploy other code or components such as agents used for monitoring Guardium Package capabilities, you must purchase separate Red Hat OpenShift entitlements to make available to the cluster. Otherwise, the deployment of the non-Guardium Package workload on those Red Hat OpenShift licenses will result in those Red Hat OpenShift cores, and potentially the workload itself, being unsupported. These additional Red Hat OpenShift entitlements for running non-Guardium Package workload must be procured separately from the Red Hat OpenShift entitlements that are granted through Guardium Package. The workload that you run on separately purchased Red Hat OpenShift entitlement doesn’t need to be deployed separately from Guardium Package workload that is running on Guardium Package-procured Red Hat OpenShift cores. But the number of separately purchased Red Hat OpenShift cores must be equal to or greater than the number of cores of non-Guardium Package workloads that are deployed on them to receive support for the complete deployment of non-Guardium Package workloads.

The number of cores of Red Hat OpenShift entitled with Guardium Package doesn’t vary by the ratio of the bundled offerings, which are deployed under Guardium Package entitlement. Therefore, the number of cores that are necessary for deployment of bundled offerings in Guardium Package can, in some scenarios, exceed the number of Red Hat OpenShift cores that are available as part of the entitlement for Guardium Package. In such cases, the customer must acquire additional entitlement for Red Hat OpenShift to make sure that they are always correctly licensed. Only Red Hat OpenShift cores that are deployed as worker nodes count against the Red Hat OpenShift entitlement.

Guardium Package includes foundational services and bundled programs. These foundational services, when deployed, will also consume the Red Hat OpenShift entitlements.

Note: Organizations deploying Guardium Package on managed Red Hat OpenShift environments in public clouds such as AWS ROSA, IBM ROKS, or Azure ARO may get discounts on the cost of Red Hat OpenShift on worker nodes, if this Guardium Package is deployed based on the Red Hat OpenShift entitlements that are included in Guardium Package entitlements. Customers must verify with their public cloud service provider to establish if a discount is available.

IBM Guardium Data Protection

Guardium Data Protection is available as a virtual appliance only. It is not available on the Guardium Data Security Center and hence does not require deployment of the Red Hat OpenShift Container Platform. A license key is necessary to access Guardium Data Protection capabilities and is provided in the software download. For more information, see https://www.ibm.com/docs/en/guardium/12.0?topic=system-license-keys.

Licensees who want to allocate RUs to the Guardium Data Protection capabilities can use any of the following bundled programs.
  • IBM Guardium Data Protection for Big Data
  • IBM Guardium Data Protection for Databases
  • IBM Guardium Data Protection for Database Services
  • IBM Guardium Data Protection for Data Warehouses
  • IBM Guardium Data Protection for Files
  • IBM Guardium Data Protection for z/OS®
  • IBM Guardium Data Protection for SAP HANA

The licensee must obtain a sufficient quantity of Assets to protect their data.

Customers may use the embedded Guardium Data Security Center Data Compliance module up to the same number of Assets concurrently that a customer is entitled to for Guardium Data Protection. Guardium Data Protection includes Data Compliance, which is a containerized program and hence requires deployment of the Red Hat OpenShift Container Platform.

The licensee is not required to obtain entitlements to the following supporting programs:

  • IBM Guardium Aggregator Software Appliance
  • IBM Guardium Collector Software Appliance

Nonproduction activities for IBM Guardium Data Protection are defined as anything other than actively monitoring or protecting data. For clarity, monitoring or protecting data in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.

For details on how to report on Guardium Data Protection license usage, see the Guardium Data Protection Usage Reporting Guide.

Data sources | Assets | Ratio | # of RU
100 on-premises database servers | 100 databases | 1 Asset: 300 RU | 30,000 RU
12 Azure data sets totaling 96 vCPUs | 12 data sets | 1 Asset: 300 RU | 3,600 RU
Total RUs: 33,600 RU
Result: 336 license entitlements needed (packs of 100 RUs)

IBM Guardium Vulnerability Assessment

Guardium Vulnerability Assessment is available as a virtual appliance only. It is not available on the Guardium Data Security Center and hence does not require deployment of the Red Hat OpenShift Container Platform.

An Append license key is required to access Guardium Vulnerability Assessment capabilities and is provided in the software download. For more information, see https://www.ibm.com/docs/en/guardium/12.0?topic=system-license-keys.

The licensee must obtain a sufficient quantity of Assets to protect their data.

Nonproduction activities for Guardium Vulnerability Assessment are defined as anything other than running scans to harden the environment. For clarity, scanning data in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.

For details on how to report on Guardium Vulnerability Assessment license usage, see the Guardium Data Protection Usage Reporting Guide.

For example, consider the following scenario for Guardium Vulnerability Assessment:

Data sources | Assets | Ratio | # of RU
100 on-premises database servers | 100 databases | 1 Asset: 40 RU | 4,000 RU
15 Cloud DbaaS instances/nodes | 15 instances | 1 Asset: 40 RU | 600 RU
Total RUs: 4,600 RU
Result: 46 license entitlements needed (packs of 100 RUs)

IBM Guardium DDR

Guardium DDR is a containerized program and hence requires deployment of the Red Hat OpenShift Container Platform. Guardium DDR does not use license keys. Licensee must obtain sufficient Resource Unit (RU) allocation that is needed to protect the data sources in their deployed environments. The licensee is not required to obtain entitlements to the following supporting programs:
  • IBM Guardium Aggregator Software Appliance
  • IBM Guardium Collector Software Appliance
  • IBM Guardium Data Protection for Databases

These supporting programs may be deployed and configured only as collectors and central managers and solely to collect and send data activity information to Guardium Data Security Center.

Guardium DDR software includes an asset library that can be used to help you track the number of data sources protected. To get started, an organization needs to count the number of data sources (Assets) to ensure sufficient entitlements, and then map them to Resource Units. For more information, see License ratios.

Data sources | Assets | Ratio | # of RU
100 on-premises database servers | 100 databases | 1 Asset: 100 RU | 10,000 RU
12 Cloud DBaaS data sets across 50 vCPUs | 12 data sets | 1 Asset: 100 RU | 1,200 RU
Total RUs: 11,200 RU
Result: 112 license entitlements needed (packs of 100 RUs)

Nonproduction activities for Guardium DDR are defined as anything other than actively monitoring or protecting data. For clarity, monitoring or protecting data in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.

IBM Guardium Quantum Safe

Guardium Quantum Safe is a containerized program and hence requires deployment of the Red Hat OpenShift Container Platform. Guardium Quantum Safe does not use license keys. Licensee must obtain sufficient Resource Unit (RU) allocation that is needed to protect the data sources in their deployed environments.

Guardium Quantum Safe software includes an asset library that can be used to help you track the number of data sources protected. To get started, an organization needs to count the number of scanned objects (Assets) to ensure sufficient entitlements, and then map them to Resource Units. For more information, see License ratios.

For example, applied to Guardium Vulnerability Assessment, consider the following scenario:

Data sources | Assets | Ratio | # of RU
10,000 network endpoints | 10,000 unique IP+port | 5 Asset: 300 RU | 2,000 RU
50,000 Quantum Safe Explorer files | 50,000 files in findings.JSON | 5 Asset: 300 RU | 10,000 RU
Total RUs: 12,000 RU
Result: 120 license entitlements needed (packs of 100 RUs)

Nonproduction activities for Guardium Quantum Safe are defined as anything other than actively scanning objects. For clarity, scanning objects in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.

Other Resource Unit Entitlements

Customers may have existing RU entitlements through other Guardium license part numbers, for example, IBM Guardium Package (Software), referenced in the license options in the Guardium Package Software License Guide. RU entitlements from other licenses cannot be applied to this Guardium Package License entitlement.

Obtaining Red Hat OpenShift Container Platform

You can use your entitlement for Guardium Data Security Center to install Red Hat OpenShift Container Platform on the environment of your choice. You can download Red Hat OpenShift either from IBM Passport Advantage or directly from https://access.redhat.com/.