This document discusses the need for organizations to adopt a holistic approach to data security and compliance. It outlines three guiding principles: 1) Understand and define where sensitive data resides across the enterprise. 2) Secure and protect enterprise databases and monitor and audit data access. 3) Continuously monitor systems to demonstrate compliance to auditors. The document argues that a systematic, proactive approach is needed to address the growing threats to data security from sophisticated hackers, increased regulations, and the explosion of data sources and types in today's complex IT environments.
IBM Software, October 2012
Thought Leadership White Paper

Three guiding principles to improve data security and compliance
A holistic approach to data protection for a complex threat landscape
Executive summary

News headlines about the increasing frequency of information and identity theft have focused awareness on data security and privacy breaches — and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, criminal prosecution and loss of customer loyalty.

In addition, the information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business and big data have created new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach.

Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information:

• Understand where the data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.
• Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.
• Protect non-production environments: Data in non-production, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes.
• Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoop-based systems require real-time monitoring to ensure data access is protected and audited. Policy-based controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be protected against new threats or other malicious activity and continually monitored for weaknesses.
• Demonstrate compliance to pass audits: It’s not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to third-party auditors.

IBM® solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining already-tight budgets.

Making sense of the buzz: Why the growing focus on data protection?

Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increases, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1).

According to the October 2011 report “Databases are More at Risk Than Ever,” which surveyed 355 data security professionals, one-fourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis.

Prevention strategies are almost non-existent at most companies. Only one-fourth of respondents say they are able
to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in non-production environments that is accessible to developers, testing and even third parties.

Changes in IT environments and evolving business initiatives

Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more.

Smarter, more sophisticated hackers

Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase pre-packaged “hacking” applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps and process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization’s reputation.

According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point-of-sale servers, web and app servers, and database servers.

Regulatory compliance mandates

The number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.

Information explosion

The explosion in digital information is mind-boggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume data aggregation.

Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.
Insider threats

A high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides — be it with business partners, consultants, contractors, vendors or other third parties.

In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing.

Security versus privacy

Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both.

Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears’ medical records. The hospital’s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose.

The stakes are high: Risks associated with insufficient data security and privacy

Corporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, “2011: Cost of Data Breach Study” (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349.

The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from 2009. The least expensive data breach was USD780,000, up USD30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.

Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.

Five common sources of risk include:

• Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.
• Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges.
• SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.
• Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.
• Exposure of backup data. Some recent high-profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.

Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012)

Barriers to implementation: Challenges associated with protecting data

So with the market focused on security and the risks clearly documented, why haven’t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?

The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next, few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don’t protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with time-sensitive components adds more operational stress, rather than clarifying priorities.

Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.

Leveraging a holistic data security and privacy approach

Organizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and non-production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.

To get started, organizations should consider six key questions. These questions are designed to help focus attention on the most critical data vulnerabilities:

1. Where does sensitive data reside across the enterprise?
2. How can access to your enterprise databases be protected, monitored and audited?
3. How can data be protected from both authorized and unauthorized access?
4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?
5. Can data in non-production environments be protected, yet still be usable for training, application development and testing?
6. What types of data encryption are appropriate?

The answers to these questions provide the foundation for a holistic approach to data protection that scales as organizations embrace the new era of computing. The answers also help organizations focus on key areas they may be neglecting with current approaches.

1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).
2. Activity monitoring provides privileged and non-privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access.
3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or third-party vendors.
4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “need-to-know” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.
5. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone.
6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a file-level approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify data security management.
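Answer 2 above describes activity monitoring as policy-based detection of unusual or unapproved access, independent of native database auditing, covering privileged users, application accounts and failed logins. The Python program below is an added example, not code from this white paper or from any IBM product: it runs a constructed feed of normalised database access events through a small constructed policy (the sensitive columns, the one program each application service account may connect from, the failed-login threshold and the DDL verb list are all assumptions) and emits the alerts such a monitor would raise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised database access events (not real product output):
# timestamp, database account, client program, client host and either the statement
# or a login status. The failed-login lines come from one host within a few seconds.
EVENTS = [
    "2012-10-03T09:14:02 user=app_svc prog=webapp host=10.0.1.20 sql=SELECT name FROM customers WHERE id=42",
    "2012-10-03T09:15:11 user=app_svc prog=webapp host=10.0.1.20 sql=UPDATE orders SET status='shipped' WHERE id=7",
    "2012-10-03T02:07:45 user=dba_jsmith prog=sqlplus host=10.0.5.9 sql=SELECT ssn, card_number FROM customers",
    "2012-10-03T10:02:00 user=dba_jsmith prog=sqlplus host=10.0.5.9 sql=ALTER TABLE customers ADD COLUMN notes VARCHAR(200)",
    "2012-10-03T11:30:00 user=app_svc prog=sqlplus host=10.0.7.3 sql=SELECT * FROM customers",
    "2012-10-03T11:31:00 user=report prog=bi_tool host=10.0.2.2 sql=SELECT count(*) FROM orders",
] + [
    f"2012-10-03T12:00:{s:02d} user=app_svc prog=unknown host=203.0.113.5 status=LOGIN_FAILED"
    for s in range(1, 7)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) prog=(?P<prog>\S+) host=(?P<host>\S+) "
    r"(?:sql=(?P<sql>.*)|status=(?P<status>\S+))$"
)

# Constructed policy (all names are assumptions): sensitive columns per table, the only
# program each application service account may connect from, and alert thresholds.
SENSITIVE_COLUMNS = {"customers": {"ssn", "card_number"}}
SERVICE_ACCOUNTS = {"app_svc": "webapp"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
DDL_VERBS = {"ALTER", "DROP", "CREATE", "GRANT", "REVOKE"}


def parse_event(line):
    """Turn one feed line into a dict; None when the line does not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def touches_sensitive_data(sql):
    """True when the statement names a sensitive table together with one of its
    sensitive columns or a wildcard select, which would return those columns too."""
    upper = sql.upper()
    for table, cols in SENSITIVE_COLUMNS.items():
        if re.search(rf"\b{table.upper()}\b", upper):
            if "SELECT *" in upper or any(re.search(rf"\b{c.upper()}\b", upper) for c in cols):
                return True
    return False


def evaluate(lines):
    """Run every event through the policy; return (rule, account, detail) alerts in order."""
    alerts = []
    failed_by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            alerts.append(("UNPARSED_EVENT", None, line))
            continue
        user, prog, sql = ev["user"], ev["prog"], ev["sql"]
        if ev["status"] == "LOGIN_FAILED":
            recent = failed_by_host[ev["host"]]
            recent.append(ev["ts"])
            recent[:] = [t for t in recent if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append(("FAILED_LOGIN_BURST", user, ev["host"]))
            continue
        if sql is None:
            continue
        via_approved_app = SERVICE_ACCOUNTS.get(user) == prog
        if user in SERVICE_ACCOUNTS and not via_approved_app:
            # Application credentials used from an interactive tool: the stolen-credential pattern.
            alerts.append(("SERVICE_ACCOUNT_OUTSIDE_APP", user, prog))
        if not via_approved_app and touches_sensitive_data(sql):
            # Reads of sensitive columns that bypass the application's own access controls.
            alerts.append(("SENSITIVE_DATA_ACCESS", user, sql))
        if sql.split(None, 1)[0].upper() in DDL_VERBS:
            alerts.append(("SCHEMA_CHANGE", user, sql))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert)
```

The rules deliberately key on who connects from where rather than on the statement text alone: the same SELECT is unremarkable from the application and an alert from a command-line client, which is the separation-of-duties point the passage makes about monitoring administrator activity.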
Meeting data security and compliance challenges

What makes IBM’s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM’s clients the opportunity to embrace innovation with confidence.

Figure 2: IBM is the only vendor providing a sophisticated security framework with security intelligence across people, data, applications and infrastructure. (Layers shown in the figure: Security Intelligence, Analytics and GRC; Professional Services; Cloud and Managed Services; Software and Appliances.)

To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with confidence.

Understand and define

Organizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes. Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.

IBM InfoSphere® Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments.

Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis — with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.
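The data discovery process described in answer 1 and in the Understand and Define section above analyzes data values and patterns to classify columns and to find the relationships that tie records into business objects. The Python program below is an added example and is not IBM InfoSphere Discovery or any of its code; it runs over two constructed sample tables with uninformative column names (the table and column names, the patterns and the thresholds are all assumptions) and shows both steps: value-pattern classification, with a Luhn check so that an arbitrary 16-digit number is not mistaken for a card number, and inference of a foreign-key style relationship from value overlap.

```python
import re
from collections import defaultdict

# Constructed sample tables standing in for two undocumented systems; the column
# names deliberately say nothing about their contents, as in many legacy schemas.
CRM_RECORDS = [
    {"c1": "10001", "c2": "ana.lima@example.com", "c3": "4111 1111 1111 1111", "c4": "123-45-6789"},
    {"c1": "10002", "c2": "b.okafor@example.com", "c3": "5500 0000 0000 0004", "c4": "987-65-4321"},
    {"c1": "10003", "c2": "c.wang@example.com", "c3": "4012 8888 8888 1881", "c4": "111-22-3333"},
]
BILLING_RECORDS = [
    {"k": "INV-1", "cust": "10001", "amt": "19.99"},
    {"k": "INV-2", "cust": "10003", "amt": "5.00"},
    {"k": "INV-3", "cust": "10001", "amt": "42.50"},
]

# Value patterns for the sensitive classes this example looks for (an assumption; a real
# discovery tool ships many more and also uses dictionaries, metadata and sampling).
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "pan": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


def luhn_ok(digits):
    """Luhn check so that an order number that merely looks like a card is not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the sensitive class a single value belongs to, or None."""
    for label, pattern in PATTERNS.items():
        if pattern.match(value):
            if label == "pan" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            return label
    return None


def classify_columns(records, threshold=0.8):
    """Label a column with a class when at least `threshold` of its values match it."""
    labels = {}
    for col in records[0]:
        values = [r[col] for r in records if r[col]]
        hits = defaultdict(int)
        for v in values:
            label = classify_value(v)
            if label:
                hits[label] += 1
        for label, n in hits.items():
            if n / len(values) >= threshold:
                labels[col] = label
    return labels


def find_relationships(tables, min_overlap=0.9):
    """Infer foreign-key style links: a column whose values are nearly all present in a
    column that is unique within another table (that table's candidate key)."""
    links = []
    for src_name, src in tables.items():
        for src_col in src[0]:
            src_vals = {r[src_col] for r in src}
            for dst_name, dst in tables.items():
                if dst_name == src_name:
                    continue
                for dst_col in dst[0]:
                    dst_vals = {r[dst_col] for r in dst}
                    unique = len(dst_vals) == len(dst)
                    if unique and len(src_vals & dst_vals) / len(src_vals) >= min_overlap:
                        links.append((src_name, src_col, dst_name, dst_col))
    return links


def discover(tables):
    """Inventory: sensitive columns per table plus the links that join tables into business objects."""
    return {
        "sensitive": {name: classify_columns(recs) for name, recs in tables.items()},
        "links": find_relationships(tables),
    }


if __name__ == "__main__":
    print(discover({"crm": CRM_RECORDS, "billing": BILLING_RECORDS}))
```

Run on the sample, the inventory reports that the CRM table holds e-mail addresses, card numbers and national identifiers in columns c2, c3 and c4, and that billing.cust references crm.c1; together those form the “customer” business object the passage mentions, and the link is what tells a masking or redaction policy that the invoice rows are just as sensitive as the customer rows they point to.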
In summary, IBM InfoSphere Discovery helps organizations:

• Locate and inventory the data sources across the enterprise
• Identify and classify sensitive data
• Understand data relationships
• Define and document privacy rules
• Document and manage ongoing requirements and threats

Secure and protect

Data security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and non-production environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoop-based systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprise-wide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide built-in security models that leverage data sources such as DB2 for z/OS, IMS, and VSAM. A holistic data protection approach ensures a 360-degree lockdown of all organizational data.

For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments.

Structured data: This data is based on a data model, and is available in structured formats like databases or XML.

Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, email messages, pictures, digital audio, video, GPS data and more.

Online data: This is data used daily to support the business, including metadata, configuration data or log files.

Offline data: This is data in backup tapes or on storage devices.

Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments. The figure maps recommended technologies to each data type; every quadrant spans both production and non-production systems:
• Structured data (data in heterogeneous databases: Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata): Activity Monitoring, Vulnerability Assessment, Data Masking, Data Encryption
• Unstructured data (data not in databases: Hadoop, file shares such as SharePoint, .TIF, .PDF, .doc and scanned documents): Data Redaction, Activity Monitoring, Data Masking
• Offline data (data extracted from databases): Activity Monitoring, Vulnerability Assessment, Data Encryption
• Online data (data in daily use): Data Masking, Data Encryption
Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis.

IBM InfoSphere Guardium® Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to:

• Assess database and data repository vulnerabilities and configuration flaws
• Ensure configurations are locked down after recommended changes are implemented
• Provide 100-percent visibility and granularity into all data source transactions — across all platforms and protocols — with a secure, tamper-proof audit trail that supports separation of duties
• Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins
• Automate the entire compliance auditing process — including report distribution to oversight teams, sign-offs and escalations — with preconfigured reports for SOX, PCI DSS and data privacy
• Create a single, centralized audit repository for enterprise-wide compliance reporting, performance optimization, investigations and forensics
• Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoop-based systems in distributed data centers around the world

Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization’s risk of exposure.

IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.

IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including:

• Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information (see Figure 4).
• Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and email addresses.
• Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms.
• Static or dynamic data masking supports both production and non-production environments.

With InfoSphere Optim, organizations can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.

Figure 4: Personally identifiable information is masked with realistic but fictional data
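Answers 3, 4 and 5 and the InfoSphere Optim description above cover three transformations: masking that keeps the look and feel of the original (a masked card number still has the issuer prefix and a valid check digit), persistent masking that maps the same input to the same replacement in every system, and role-based redaction on a need-to-know basis (the physician versus billing clerk case). The Python code below is an added example, not IBM code or the product’s algorithm; the HMAC-keyed deterministic mapping, the role policy table, the field names and the sample record are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed masking key; in a real deployment it lives with the masking service and
# never with the developers or testers who receive the masked copy.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"

FAKE_NAMES = ["Alex Morgan", "Sam Rivera", "Jordan Lee", "Taylor Chen", "Casey Patel"]
REDACTED = "[REDACTED]"

# Constructed need-to-know policy per job role: show, mask (realistic substitute) or redact.
# Fields a role's policy does not mention are redacted, so a new column is hidden by default.
ROLE_POLICY = {
    "physician": {"name": "show", "diagnosis": "show", "email": "show", "ssn": "redact", "card_number": "redact"},
    "billing_clerk": {"name": "show", "email": "show", "card_number": "show", "ssn": "mask", "diagnosis": "redact"},
    "developer": {"name": "mask", "email": "mask", "ssn": "mask", "card_number": "mask", "diagnosis": "redact"},
}


def _prf(value, nbits=64):
    """Keyed pseudo-random function: the same input always yields the same number, so a
    masked value stays consistent across every table and system it appears in."""
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_pan(pan):
    """Keep the 6-digit issuer prefix so the value looks like a card of the same brand,
    replace the account digits with keyed pseudo-random ones, recompute the check digit."""
    digits = re.sub(r"\D", "", pan)
    body_len = len(digits) - 7
    body = str(_prf(digits) % 10 ** body_len).zfill(body_len)
    payload = digits[:6] + body
    return payload + luhn_check_digit(payload)


def mask_ssn(ssn):
    digits = re.sub(r"\D", "", ssn)
    fake = str(_prf(digits) % 10 ** 9).zfill(9)
    return f"{fake[:3]}-{fake[3:5]}-{fake[5:]}"


def mask_email(email):
    local, _, _domain = email.partition("@")
    # Reserved documentation domain, so a masked address can never route to a real mailbox.
    return f"user{_prf(local) % 10 ** 6:06d}@example.com"


def mask_name(name):
    return FAKE_NAMES[_prf(name) % len(FAKE_NAMES)]


MASKERS = {"name": mask_name, "email": mask_email, "ssn": mask_ssn, "card_number": mask_pan}


def apply_policy(record, role):
    """Return the view of `record` that `role` is allowed to see."""
    policy = ROLE_POLICY[role]
    out = {}
    for field, value in record.items():
        action = policy.get(field, "redact")
        if action == "show":
            out[field] = value
        elif action == "mask":
            out[field] = MASKERS[field](value)
        else:
            out[field] = REDACTED
    return out


# Constructed sample record (not real personal data).
PATIENT = {
    "name": "Ana Lima",
    "email": "ana.lima@example.com",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "diagnosis": "seasonal allergies",
    "notes": "internal free text",
}

if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(role, apply_policy(PATIENT, role))
```

Because the substitutes are derived from a keyed function rather than a random draw, a card number masked in the CRM copy equals the same card masked in the billing copy, so joins in a test environment still work; anyone holding the masked data but not the key cannot run the mapping backwards, which is the property the non-production passage asks for.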
10. 10 Three Guiding Principles to Improve Your Data Security and Compliance Strategy
IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data. Unlike invasive approaches such as column-level database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This approach provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates every information request against easily customizable policies and applies decryption-based control over reads, writes and access to encrypted contents, so whether a request is served decrypted data is decided by policy rather than by changes to the application. This high-performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive data-centric security for virtually any file, database or application — anywhere it resides.

In summary, InfoSphere Guardium Data Encryption provides:
• A single, consistent, transparent encryption method across complex enterprises
• An auditable, enterprise-executable, policy-based approach
• Among the fastest implementation processes achievable, requiring no application, database or system changes
• Simplified, secure and centralized key management across distributed environments
• Intelligent, easy-to-customize data security policies for strong, persistent data security
• Strong separation of duties, so that, for instance, the administrator who operates a server need not be able to read the data stored on it
• Top-notch performance with proven ability to meet SLAs for mission-critical systems

IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-IBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits:
• Centralize and automate the encryption key management process
• Enhance data security while dramatically reducing the number of encryption keys to be managed
• Simplify encryption key management with an intuitive user interface for configuration and management
• Minimize the risk of loss or breach of sensitive information
• Facilitate compliance management of regulatory standards such as SOX and HIPAA
• Extend key management capabilities to both IBM and non-IBM products
• Leverage open standards to help enable flexibility and facilitate vendor interoperability

Monitor and audit
After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements helps IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts when those policies are violated. Organizations need to show compliance quickly and give auditors the means to verify compliance status. Audit reporting and sign-offs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the "who, what, when, where and how" of each transaction. For such a trail to serve as evidence, it must be captured and stored where the privileged users it records cannot alter it or switch it off; native database logging that is administered by the same DBAs it is meant to watch does not meet that bar.

IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS)-independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-DBMS policies and audit repositories, and filtering and compression.
Conclusion: Better Data Security and Compliance
Protecting data security and privacy is a detailed, continuous responsibility and should be part of every organization's best practices. IBM provides an integrated data security and privacy approach delivered through these three guiding principles:
1. Understand and Define
2. Secure and Protect
3. Monitor and Audit

Protecting data requires a 360-degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.

IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications — Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoop-based systems such as Cloudera and InfoSphere BigInsights.

About IBM InfoSphere
IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM Security
IBM's security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world's broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an IBM Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.

For more information
For more information on IBM security, please visit: ibm.com/security.

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit: ibm.com/guardium.

To learn more about the new IBM DB2 for z/OS security features, download the Redbook at www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247959.html

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing.