Authors: Walid Rjaibi, Mohammed Alhamid and Mokhtar Kandil
IBM Security – Data Security
As organizations modernize their IT and expand into hybrid multi-cloud environments, data security and compliance become increasingly challenging. Fragmented and disconnected security tools do not provide a complete view of the data security and compliance landscape. This creates blind spots for an organization and diminishes its ability to assess, prioritize and respond effectively to data security threats and compliance mandates. Current data security and compliance solutions must therefore evolve to meet the challenges of hybrid multi-cloud environments. To be effective, a modern data security and compliance solution must address three key challenges: centralized control, data risk visibility, and response orchestration. This paper introduces IBM Security Guardium Insights as the next generation of the Guardium data security and compliance solution and shows how it addresses these challenges.
1. Introducing IBM Security Guardium Insights
IBM Security Guardium Insights is an evolution of the industry-leading Guardium solution, specifically designed to help organizations meet their data security and compliance needs as they modernize their IT and expand into hybrid multi-cloud environments. Figure 1 depicts the key capabilities of IBM Security Guardium Insights version 2.5. It is a modern microservices-based architecture running on IBM Cloud Pak for Security (CP4S), giving organizations the flexibility to deploy and run the solution on premises or anywhere in the cloud.
Figure 1: IBM Security Guardium Insights 2.5.
For existing Guardium Data Protection environments, Guardium Insights helps simplify the environment by removing the need for aggregator appliances. Guardium collector appliances can be configured to push data directly to Guardium Insights, where it can be used for analytics and reporting purposes. Besides eliminating the need for aggregator appliances, Guardium Insights also improves reporting performance. This improvement is partly due to the fact that the required data is now available in a single store (as opposed to being scattered across multiple aggregator appliances), and partly due to the columnar nature of the data store, which boosts query performance. For cloud databases, Guardium Insights offers an agentless activity monitoring option by integrating directly with the appropriate cloud services, such as Amazon Kinesis and Azure Event Hub.
2. Centralized Control
IBM Security Guardium Insights is designed to be a single control point for data security and compliance across hybrid multi-cloud environments. It supports connecting existing data security and compliance solutions such as Guardium Data Protection, as well as cloud data sources such as those available on the AWS and Azure clouds, as shown in Figure 2. This ensures full visibility into user activities and risks across the entire hybrid multi-cloud environment in one place. Protection measures, such as blocking a user's access to any database across the entire environment, can also be triggered from this single control point, saving time and cost.
Figure 2: High-level architecture of IBM Security Guardium Insights.
Guardium Insights also brings an effective data management strategy for reporting and analytics. The strategy consists of an intelligent combination of hot and cold storage. Users decide the retention period after which data in hot storage is automatically and transparently moved to cold storage. In this way, users can optimize overall storage cost while also choosing which cold storage they would like to use. As of the Guardium Insights 2.5 release, S3 and Hadoop are fully supported cold storage options. Data in hot storage is encrypted to meet the most stringent privacy requirements. The data is also compressed and column-organized to boost the performance of reporting and analytics.
3. Data Risk Visibility
IBM Security Guardium Insights employs advanced analytics to uncover data risks and alerts the administrator to such risks so that appropriate action can be taken. The analytics are organized as a pipeline in which each station is a different type of analytic examining the input data through a different lens. One example of such an analytic is a Long Short-Term Memory (LSTM) network, a type of recurrent neural network that is capable of learning the logical operations that make up an application. The model can then detect any breaches of those logical operations. For example, consider a money transfer operation in a hypothetical banking application. Typically, such a money transfer operation consists of a sequence of five database operations:
- Looking up the sender's account
- Verifying the sender's transfer limit
- Looking up the receiver's account
- Debiting the sender's account
- Crediting the receiver's account
A malicious entity might skip the fourth operation in the sequence above to avoid debiting the sender's account while still crediting the receiver's account. Such a breach would be detected by the LSTM deep learning model in IBM Security Guardium Insights and flagged as a business logic violation. Figure 3 illustrates this scenario. The five operations above are represented by SQL statements S1, S2, S3, S4, and S5.
Figure 3: Business logic violation illustration.
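As an added illustration of the business logic violation described above (not Guardium's code, and using a plain statement-transition model in place of the LSTM the paper describes), the following Python sketch learns the ordering of the five statements S1..S5 from observed transfers and then flags a transfer in which the debit (S4) was skipped. The training sequences are constructed for the example.

```python
from collections import defaultdict

START, END = "<start>", "<end>"

# Constructed training data: each inner list is one observed, legitimate
# money-transfer operation, recorded as the labels of the SQL statements
# the application issued in order (S1 lookup sender, S2 verify limit,
# S3 lookup receiver, S4 debit sender, S5 credit receiver).
TRAINING_SEQUENCES = [["S1", "S2", "S3", "S4", "S5"]] * 20


def learn_transitions(sequences):
    """Learn which statement may follow which: a first-order transition model.

    Returns a dict mapping each label (or START) to the set of labels (or END)
    observed to follow it in the training sequences.
    """
    model = defaultdict(set)
    for seq in sequences:
        labelled = [START] + list(seq) + [END]
        for prev, nxt in zip(labelled, labelled[1:]):
            model[prev].add(nxt)
    return dict(model)


def detect_violations(model, sequence):
    """Return every transition in `sequence` never observed during training.

    Each violation is (position, previous_label, next_label); an empty list
    means the sequence is consistent with the learned business logic.
    A skipped step, a repeated step, and a truncated sequence all surface here.
    """
    labelled = [START] + list(sequence) + [END]
    return [
        (i, prev, nxt)
        for i, (prev, nxt) in enumerate(zip(labelled, labelled[1:]))
        if nxt not in model.get(prev, set())
    ]


if __name__ == "__main__":
    model = learn_transitions(TRAINING_SEQUENCES)
    # The scenario from the text: debit (S4) skipped, credit (S5) still issued.
    skipped_debit = ["S1", "S2", "S3", "S5"]
    for name, seq in [("legitimate", TRAINING_SEQUENCES[0]), ("skipped debit", skipped_debit)]:
        print(name, "->", detect_violations(model, seq) or "no violation")
```

Only the single unseen transition (S3 followed by S5) is reported for the skipped-debit sequence, which is the signal an analyst would want to see rather than a generic "sequence differs" alert.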
Another example of analytics in the IBM Security Guardium Insights analytics pipeline is a statistical model that learns the profiles of users, databases, and objects across multiple dimensions and then detects a wide range of outliers, including excessive data extraction or excessive data modification. Combining multiple analytics, each examining the same input data through a different lens, helps uncover a broad range of threats that may not be detectable with a single analytic, enabling IBM Security Guardium Insights to deliver greater visibility into data risk. Last but not least, IBM Security Guardium Insights uses an advanced risk scoring engine to rank and prioritize all data risks found, so administrators know exactly which risk to focus on first.
4. Response Orchestration
While analytics are critical for providing visibility into data risk, response orchestration is essential for mitigating that risk. To this end, IBM Security Guardium Insights integrates with Security Orchestration, Automation and Response (SOAR) capabilities such as those on IBM Cloud Pak for Security (CP4S), so that "cases" for data risk findings can be seamlessly created for SOAR teams to investigate further and drive appropriate mitigation procedures. Figure 4 shows the key capabilities of CP4S, including SOAR and Data Security (Guardium Insights).
Figure 4: IBM Cloud Pak for Security (CP4S).
5. Summary and Next Steps
Fragmented and disconnected security tools do not provide a complete view of the data security and compliance landscape. This creates blind spots for an organization and diminishes its ability to assess, prioritize and respond effectively to data security threats and compliance mandates. IBM Security Guardium Insights addresses the challenges of hybrid multi-cloud environments more effectively. It is a single control point, providing a full view of the data security and compliance landscape. Its deep analytics, risk scoring engine and SOAR integration give organizations a clear view of data risks so they can assess and respond to them more effectively. Ready to take a closer look at IBM Security Guardium Insights? Check out this video for more details: https://www.ibm.com/security/digital-assets/guardium/insights-demo/