3 guiding priciples to improve data security

Thought Leadership White PaperIBM Software October 2012

Three guiding principles to improve data security and complianceA holistic approach to data protection for a complex threat landscape

2 Three Guiding Principles to Improve Your Data Security and Compliance Strategy

Executive summaryNews headlines about the increasing frequency of information and identity theft have focused awareness on data security and privacy breaches — and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, criminal prosecution and loss of customer loyalty.

In addition, the information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business and big data have created new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach.

Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information:

• Understand where the data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.

• Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive informa­tion while still allowing needed business data to be shared.

• Protect non-production environments: Data in non­production, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes.

• Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoop­based systems require real­time monitoring to ensure data access is protected and audited. Policy­based controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be

protected against new threats or other malicious activity and continually monitored for weaknesses.

• Demonstratecompliancetopassaudits: It’s not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to third­party auditors.

IBM® solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining already­tight budgets.

Making sense of the buzz: Why the growing focus on data protection?Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increase, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1).

According to the October 2011 report “Databases are More at Risk Than Ever,” which surveyed 355 data security professionals, one­fourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis.

Prevention strategies are almost non­existent at most companies. Only one­fourth of respondents say they are able

IBM Software 3

to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in non­production environments that is accessible to developers, testing and even third parties.

Changes in IT environments and evolving business initiativesSecurity policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more.

Smarter, more sophisticated hackersMany organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denial­of­service attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase pre­packaged “hacking” applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps and process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization’s reputation.

According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent

of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point­of­sale servers, web and app servers, and database servers.

Regulatory compliance mandatesThe number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the Sarbanes­Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI­DSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.

Information explosionThe explosion in digital information is mind­boggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as large­scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high­volume data aggregation.

Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.

4 Three Guiding Principles to Improve Your Data Security and Compliance Strategy

Insider threatsA high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides — be it with business partners, consultants, contractors, vendors or other third parties.

In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing.

Security versus privacy

Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both.

Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears’ medical records. The hospital’s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose.

The stakes are high: Risks associated with insufficient data security and privacyCorporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, “2011: Cost of Data Breach Study” (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349.

The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from 2009. The least expensive data breach was USD780,000, up USD30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.

Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.

Five common sources of risk include:

• Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.

• Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low­level access privileges to high­level access privileges.

• SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front­end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.

IBM Software 5

• Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.

• Exposure of backup data. Some recent high­profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.

few organizations have the funding or resources to implement another process­heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don’t protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with time­sensitive components adds more operational stress, rather than clarifying priorities.

Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.

Leveraging a holistic data security and privacy approachOrganizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and non­production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.

To get started, organizations should consider six key questions. These questions are designed to help focus attention to the most critical data vulnerabilities:

1. Where does sensitive data reside across the enterprise? 2. How can access to your enterprise databases be protected,

monitored and audited?

Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012)

Barriers to implementation: Challenges associated with protecting dataSo with the market focused on security and the risks clearly documented, why haven’t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?

The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next,

6 Three Guiding Principles to Improve Your Data Security and Compliance Strategy

3. How can data be protected from both authorized and unauthorized access?

4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?

5. Can data in non­production environments be protected, yet still be usable for training, application development and testing?

6. What types of data encryption are appropriate?

The answers to these questions provide the foundation for a holistic approach to data protection and scales as organizations embrace the new era of computing. The answers also help organizations focus in on key areas they may be neglecting with current approaches.

1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non­production environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).

2. Activity monitoring provides privileged and non­privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation­of­duties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access.

3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise

data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or third­party vendors.

4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “need­to­know” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.

5. De­identifying data in non­production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de­identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non­production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone.

6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a file­level approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify data security management.

IBM Software 7

Meeting data security and compliance challenges What makes IBM’s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM’s clients the opportunity to embrace innovation with confidence.

To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with confidence.

Understand and defineOrganizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes.

Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.

IBM InfoSphere® Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments.

Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis — with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.

Security Intelligence,Analytics and GRC

Software andApplicances

Clo

ud a

nd M

anag

edS

ervi

ces

Pro

fess

iona

lS

ervi

ces

Figure 2: IBM is the only vendor providing a sophisticated security framework with security intelligence across people, data, applications and infrastructure.

8 Three Guiding Principles to Improve Your Data Security and Compliance Strategy

In summary, IBM InfoSphere Discovery helps organizations:

• Locate and inventory the data sources across the enterprise • Identify and classify sensitive data • Understand data relationships • Define and document privacy rules • Document and manage ongoing requirements and threats

Secure and protectData security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and non­production environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoop­based systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprise­wide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide built­in security models that leverage data sources such as DB2 for z/OS, IMS,

and VSAM. A holistic data protection approach ensures a 360­degree lockdown of all organizational data.

For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non­production environments.

Structured data: This data is based on a data model, and is available in structured formats like databases or XML.

Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, email messages, pictures, digital audio, video, GPS data and more.

Online data: This is data used daily to support the business, including metadata, configuration data or log files.

Offline data: This is data in backup tapes or on storage devices.

Data in heterogeneous databases(Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata)

• Activity Monitoring• Vulnerability Assessment• Data Masking• Data Encryption

Data not in databases(Hadoop, File Shares, ex. SharePoint,.TIF, .PDF, .doc, scanned documents)

• Data Redaction• Activity Monitoring

• Data Masking

StructuredData

UnstructuredData

OfflineData

OnlineData

Data in daily use

• Activity Monitoring• Vulnerability Assessment

• Data Masking • Data Encryption

Data extracted from databases

• Data Encryption

Prod

uct

ion

& Non-Production System

s

Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments

IBM Software 9

Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis.

IBM InfoSphere Guardium® Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, back­end data store and workflow automation system, enabling you to:

• Assess database and data repository vulnerabilities and configuration flaws

• Ensure configurations are locked down after recommended changes are implemented

• Provide 100­percent visibility and granularity into all data source transactions — across all platforms and protocols — with a secure, tamper­proof audit trail that supports separation of duties

• Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins

• Automate the entire compliance auditing process — including report distribution to oversight teams, sign­offs and escalations — with preconfigured reports for SOX, PCI DSS and data privacy

• Create a single, centralized audit repository for enterprise­wide compliance reporting, performance optimization, investigations and forensics

• Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoop­based systems in distributed data centers around the world

Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization’s risk of exposure.

IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry­leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.

IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including:

• Application­aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information. (see Figure 4)

• Context­aware, prepackaged data masking routines make it easy to de­identify elements such as payment card numbers, Social Security numbers, street addresses and email addresses.

• Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms.

• Static or dynamic data masking supports both production and non­production environments.

With InfoSphere Optim, organizations can de­identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.

Mask

Figure 4: Personal identifiable information is masked with realistic but fictional data

10 Three Guiding Principles to Improve Your Data Security and Compliance Strategy

IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. Unlike invasive approaches such as column­ level database encryption, PKI­based file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy­based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption­based control over reads, writes, and access to encrypted contents. This high­performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non­invasive data­centric security for virtually any file, database or application — anywhere it resides.

In summary, InfoSphere Guardium Data Encryption provides:

• A single, consistent, transparent encryption method across complex enterprises

• An auditable, enterprise­executable, policy­based approach • Among the fastest implementation processes achievable,

requiring no application, database or system changes • Simplified, secure and centralized key management across

distributed environments • Intelligent, easy­to­customize data security policies for

strong, persistent data security • Strong separation of duties• Top­notch performance with proven ability to meet SLAs

for mission­critical systems

IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self­encrypting storage

devices as well as non­IBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits:

• Centralize and automate the encryption key management process

• Enhance data security while dramatically reducing the number of encryption keys to be managed

• Simplify encryption key management with an intuitive user interface for configuration and management

• Minimize the risk of loss or breach of sensitive information • Facilitate compliance management of regulatory standards

such as SOX and HIPAA • Extend key management capabilities to both IBM and

non­IBM products • Leverage open standards to help enable flexibility and

facilitate vendor interoperability

Monitor and auditAfter data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements help IT professionals and auditors trace users between applications and databases. These teams can set fine­grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign­offs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine­grained audit trails of all database activities, including the “who, what, when, where and how” of each transaction.

IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS) — independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross­DBMS policies and audit repositories, and filtering and compression.

IBM Software 11

Conclusion: Better Data Security and Compliance Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM provides an integrated data security and privacy approach delivered through these three guiding principles.

1. Understand and Define2. Secure and Protect3. Monitor and Audit

Protecting data requires a 360­degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.

IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semi­structured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications — Oracle E­Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoop­based systems such as Cloudera and InfoSphere BigInsights.

About IBM InfoSphereIBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors,

or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise­class foundation for information­intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM SecurityIBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world’s broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.

For more informationFor more information on IBM security, please visit: ibm.com/security.

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit: ibm.com/guardium.

To learn more about the new IBM DB2 for z/OS security features, download the Redbook at www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247959.html

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy­efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing.

Please Recycle

© Copyright IBM Corporation 2012 IBM Corporation Software Group Route 100 Somers, NY 10589

Produced in the United States of America October 2012

IBM, the IBM logo, ibm.com, DB2, Guardium, IMS, Informix, InfoSphere, Optim, Tivoli, and z/OS are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.

Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.

Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company.

UNIX is a registered trademark of The Open Group in the United States and other countries.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR MPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON­INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

IMW14568­USEN­05