IBM Security Guardium


Guardium and IGI Integration for Fine grained access control of DB Users

By Sudhagar Tiroucamou posted Mon May 11, 2020 06:46 AM

  

Guardium.jpg
Introduction

 

IBM Security IGI is a comprehensive Identity and Governance solution. With its unique capabilities on mapping user roles to business activities and providing a risk-based access recertification, the solution stands tall in the Identity Governance space.

Guardium is a Data Security offering that protects data at its source. Everything revolves around the data: monitoring database traffic, logging, alerting, masking, blocking and so on.

In this paper, we would like to highlight some of the benefits of integrating these two products. 

Context Setting

 

IGI manages the enterprise users, which in many cases include database users too. The role-based access controls applied to functional users do not necessarily fit DB users; those controls have to be implemented at the DB level. Also, the fine-grained permissions of a DB user, which are based on SQL DDL or DML GRANTs, are not visible to IGI and hence cannot be managed by it.

On the other side, Guardium, being a Database Activity Monitoring product, can surface the DB user permissions in real time in the form of DB Entitlement reports.

The two products, IGI and Guardium, can now co-exist and speak to each other. The integration takes identity management to the next level by managing fine-grained access controls, especially from the DB users' perspective.

Use Case

  • John is the Chief Compliance Officer of a financial institution and is in charge of implementing Sensitive Compliance Data measures for the organization, wherein IBM Security Guardium plays an important role in the solution.
  • The project is stepping into sustainable mode and John's team has started automating some low-hanging tasks. One such task is DB entitlement management via Guardium reports, with which John can regularly analyze the system user credentials that have access to Sensitive Compliance Data. However, any modification or clean-up of the permissions still requires manual intervention.
  • Dave, the IT head, manages the user identities for the enterprise, and his team uses IBM Security IGI as their Enterprise IAM program.
  • John thinks that the system user accounts are also valid identities and should undergo the regular user management lifecycle. That way these accounts could be managed automatically by IT and would also be compliant from the Sensitive Compliance Data perspective.
  • John approaches Dave and conveys the importance of managing the system user accounts through IGI, and Dave agrees to expand the IGI scope.
  • Dave utilizes the integration capability between IGI and Guardium and pulls the entitlement details of the system accounts from Guardium reports into the IGI system.
  • Dave then extends the Sensitive Compliance Data compliance measures, especially the Secure Access (SA) risk definitions, to the DB permissions, thereby bringing the associated user accounts under the regular re-certification campaigns.

How Dave achieved the integration is explained in the topics below.

Architecture

 

The architecture includes three major components, viz. IBM IGI, IBM Guardium and IBM Security Directory Integrator (SDI). Guardium is used to discover the data and generate the entitlement report of the associated database; IGI consumes the report entries as permissions and defines risk and mitigation plans around the associated business activities; and SDI works as the communication channel between the two.

Implementation Steps

 

The above diagram represents the flow of the execution of the use-case. The steps involved are explained below.

  1. A data discovery exercise is done through Guardium discovery to identify the sensitive data. In our context this is Sensitive Compliance Data across all the database instances.
  2. Two entitlement reports are created in Guardium: a User to Permission mapping and a Permission to Attribute/Taxonomy mapping.
  3. A Client ID and Client Secret are created in Guardium for the IGI environment to enable the REST API calls.
  4. In IGI, the Guardium Adapter profile is imported (it is not available by default), and an Enterprise Connector is created using the profile.
  5. The configuration parameters of the Connector include the communication URL for Guardium (which carries the Client ID and the Client Secret), the RMI URL of the SDI, the two report names from Guardium, and the name and location of the taxonomy mapping file placed in the SDI environment.
  6. The taxonomy mapping file contains the mapping of the sensitive elements discovered in Guardium to the corresponding elements created in IGI.
  7. These elements are the business activities to which the necessary risk definitions (in our case, SA risks) are mapped.
  8. Once the configuration is done, the connector is executed to import the data from Guardium.
  9. The entitlement report entries are reflected as permissions against the users and, via the taxonomy mapping file, are associated with the business activities.
  10. When the risk-violation analysis is run, the risky users are identified.
  11. These risks are remediated either by using a DB-specific adapter or by using a certification campaign.
  12. As an advanced move, if this IGI instance is integrated with Cloud Identity Analyze (CIA), the identity risk analysis can be run through it and remediation activities can be invoked from CIA itself.
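The following script is an added illustration of steps 2, 6, 9 and 10 above; it is not the Guardium adapter's or IGI's own code. It models the two Guardium entitlement reports and the taxonomy mapping file as small CSV tables, resolves each DB user's privileges to IGI business activities, and flags users who hold every activity named in an SA-style risk definition. The column names, the mapping-file layout, the business-activity and risk names and all sample users and objects are constructed assumptions; the real adapter's report schema is documented in the Knowledge Center link under Resources.

```python
"""Resolve Guardium-style entitlement report rows to IGI-style business
activities and flag SA-style risk violations.  Constructed example: the
column names, mapping-file layout and risk names are assumptions, not the
Guardium adapter's real schema."""
from collections import defaultdict
import csv
import io

# Constructed "User to Permission" report (assumed columns).
USER_TO_PERMISSION = """\
db_user,object,privilege
app_batch,CUSTOMER.SSN,SELECT
app_batch,CUSTOMER.SSN,UPDATE
reporting,CUSTOMER.SSN,SELECT
reporting,SALES.REGION,SELECT
dba_joe,CUSTOMER.SSN,SELECT
dba_joe,AUDIT.TRAIL,DELETE
"""

# Constructed "Permission to Attribute/Taxonomy" report (assumed columns).
# SALES.REGION is deliberately absent: it was discovered but never classified.
PERMISSION_TO_TAXONOMY = """\
object,classification
CUSTOMER.SSN,PII
AUDIT.TRAIL,AUDIT_LOG
"""

# Constructed taxonomy mapping file: Guardium classification -> IGI business activity.
TAXONOMY_MAP = """\
guardium_classification,igi_business_activity
PII,BA_READ_SENSITIVE_DATA
AUDIT_LOG,BA_MANAGE_AUDIT_TRAIL
"""

# Hypothetical SA risk: a user holding ALL listed activities violates the risk.
SA_RISKS = {
    "SA_SENSITIVE_DATA_AND_AUDIT_TAMPER": {"BA_READ_SENSITIVE_DATA", "BA_MANAGE_AUDIT_TRAIL"},
}


def parse_csv(text):
    """Turn an embedded CSV table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_permissions(user_rows):
    """{db_user: {(object, privilege), ...}} -- the raw permissions IGI imports."""
    perms = defaultdict(set)
    for r in user_rows:
        perms[r["db_user"]].add((r["object"], r["privilege"]))
    return dict(perms)


def build_activities(user_rows, taxonomy_rows, mapping_rows):
    """Map each user's permissions to business activities through the two lookups.

    Returns ({db_user: {activity, ...}}, {objects with no taxonomy entry}).
    Unmapped objects are reported rather than silently dropped, since a gap in
    the mapping file means a permission escapes the risk definitions."""
    object_class = {r["object"]: r["classification"] for r in taxonomy_rows}
    class_to_ba = {r["guardium_classification"]: r["igi_business_activity"]
                   for r in mapping_rows}
    activities = defaultdict(set)
    unmapped = set()
    for r in user_rows:
        cls = object_class.get(r["object"])
        ba = class_to_ba.get(cls) if cls is not None else None
        if ba is None:
            unmapped.add(r["object"])
            continue
        activities[r["db_user"]].add(ba)
    return dict(activities), unmapped


def find_risky_users(activities, risks=SA_RISKS):
    """{db_user: [violated risk names]} for users whose activities cover a risk."""
    hits = {}
    for user, bas in activities.items():
        violated = sorted(name for name, needed in risks.items() if needed <= bas)
        if violated:
            hits[user] = violated
    return hits


def run():
    """Execute the whole pipeline on the constructed sample data."""
    users = parse_csv(USER_TO_PERMISSION)
    acts, unmapped = build_activities(users, parse_csv(PERMISSION_TO_TAXONOMY),
                                      parse_csv(TAXONOMY_MAP))
    return build_permissions(users), acts, unmapped, find_risky_users(acts)


if __name__ == "__main__":
    perms, acts, unmapped, risky = run()
    for user in sorted(acts):
        print(user, sorted(acts[user]))
    print("unmapped objects:", sorted(unmapped))
    print("risky users:", risky)
```

In this sample, dba_joe is the only user flagged, because only that account combines read access to PII with the ability to alter the audit trail. The unmapped-object set is worth surfacing in a real run: an object that Guardium discovered but that has no entry in the taxonomy mapping file never reaches a business activity, so no SA risk can fire on it.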

Conclusion

With this integration in place, we were able to achieve fine-grained access control for the database system users. All of these control measures can be automated and will aid the overall compliance monitoring activities.

 
Demo Video

IGI_Guardium_Integration_V_mp4.zip

Resources

Knowledge Center URL for the Guardium Adapter:

https://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/igi/Guardium/install_config/guardium_html_mstr.htm

 

Box link for the Demo video:

https://ibm.box.com/s/fjrq87fx4mq8fy5o31ujbx4jlwsl4hph

PoC Implemented by: Sudhagar Tiroucamou, IBM Security Solution Architect and Vandana Verma, IBM Security Solution Architect.
Content Reviewed by: Pradeep Kumar, Executive Architect, IBM and Leanne Chen, Offering Manager - IAM, IBM


Comments

Fri May 15, 2020 08:48 AM

Great example, thank you for sharing!