2/16/2019 Managing Business Risks Protecting Critical Data with IBM Data Risk Manager.


1 2/16/2019 Managing Business Risks Protecting Critical Data with IBM Data Risk Manager

2 There is explosive data growth across multiple platforms
- Structured data: 22.4% annual increase (2)
- Cloud documents: 60% growth (1)
- Big data: 26% annual increase (2)
- Unstructured data: 42.5% annual increase (2)
This slide shows our point of view around data growth. The volume of data is increasing, as are the platforms where the data is located. The data is also dynamic: moving between these platforms is common. This slide also presents a data-centric view of data security. No longer can you just consider a platform and protect it. There is no one technology that protects ALL platforms. The solution requires a combination of experienced consultants, a proven methodology and best-of-breed technology. IBM can provide great tools. Where we have a gap in our coverage, we have built IBM Business Partner relationships.
Sources: (1) Elastica Shadow Data Report Q2 2015; (2) IDC

3 The per-record cost of a data breach varies widely by industry
Healthcare is number 1! Average cost per record breached; currencies converted to US dollars. Source: Cost of Data Breach Study: Global Analysis, by Ponemon Institute.

4 Attackers break through everyday to get at sensitive data
- 2013: 800+ million records breached
- 2014: 1+ billion records breached
- 2015: unprecedented high-value targets breached

5 Evolving threats can make data security and protection challenging
These are six common concerns in sensitive data protection:
1. Where is your sensitive data? Technology is only as good as the platforms and repositories it protects.
2. Who can access your data? Understand how partners and suppliers can access your data.
3. Data security is an ongoing process. Setting and forgetting is not enough.
4. What to lock down? You cannot protect everything. Focus your investments where they are needed most.
5. Compliance-driven strategy. It takes more than passing an audit to assure the security of critical data.
6. Where do I start? With the exponential growth of mobile, cloud and data volumes, simply getting started may seem overwhelming.

6 Business Risk – Critical data are the “Crown Jewels”
- 44% increase in data breaches in 2017 over 2016
- 88% increase in the actual number of records breached containing credit and debit card numbers in 2017 over 2016
Source: 2017 Annual Data Breach Year-End Review
Crown Jewels: an organization's most sensitive or business-critical information.
Today, many organizations are not aware of what their Crown Jewel information is, where it resides, who has access to it, or how it is protected. Possessing information about Crown Jewels is necessary in order to determine whether adequate controls are in place. Crown Jewel protection is dependent upon having access to vital information in order to apply proper controls.
Crown Jewel examples:
- Enterprise: intellectual property; top-secret plans and formulas
- Executive: acquisition and divestiture plans; executive and board deliberations

7 Identify the value of different categories of data to the enterprise
Rank and relative sensitivity (as shown on the slide):
- 2: Acquisition plans (x)
- 3: Divestiture plans (y)
- 5: Secret formulas / trade secrets (z)
- 89: Market intelligence (1)
- 100: Delivery plans
- 104: Market growth projections
Approach:
- Start with the data elements and map them to categories
- Priority-rank the categories
- Map categories to their classification schemes

8 Business Risk – Identify critical data that is of high value to the organization
Data value / data type / examples:
- Enterprise Critical: certain intellectual property; top-secret plans & formulas
- Executive: acquisition / divestiture plans; executive / board deliberations
- Regulated: SPI & PII; Sarbanes-Oxley; HIPAA; ITAR; quarterly results
- Business Strategic: external audit results; alliance, joint venture & partner data; business strategic plans
- Business Unit Critical: design documents; R&D results; customer records; pricing data; security data
- Operational: project plans; contracts; salaries & benefits data; accounts receivable
- Near-Public: list of partners; revenue growth by segments; market intelligence; pay comparison data
Abbreviations: personally identifiable information (PII); sensitive personal information (SPI); Health Insurance Portability and Accountability Act (HIPAA); International Traffic in Arms Regulations (ITAR).

9 IBM Method – Approach to Critical Data Management
Key questions:
- What are the "crown jewels"? Where are they? How are they used?
- What is required to protect critical data?
- How to plan, design, and implement?
- What to consider operationally?
Supported by: Robust Consulting Method | Industry-specific Data Models | Global Consulting Expertise | IBM Data Security Research; IBM Data Risk Manager with IBM Guardium, IBM IGC, StoredIQ, DLP, and other leading data protection technologies.
NEW: Accelerate the discovery and classification process, enable continuous discovery, establish visibility and protection of high-value assets, and manage information asset risks with IBM Data Risk Manager and IBM Guardium.
Method activities:
- Understand overall data security strategy
- Determine data protection objectives
- Develop organizational data model / taxonomy
- Understand data environment, infrastructure and lifecycle
- Perform iterative discovery, analysis and classification
- Establish baseline security requirements for crown jewels
- Assess current data security processes and controls
- Determine gaps and identify solutions
- Plan and prioritize technical and business process transformations
- Design and implement solutions that protect critical data, enable access and align to business growth objectives
- Develop governance framework, risk metrics and monitoring processes
- Periodically validate data protection strategy and methodology

10 IBM Data Risk Manager (IDRM) – know all there is to know about your data
Information Security Management and Governance with IDRM:
- What? Sensitive and valuable data
- Where? Location
- Who? Key stakeholders
- Why? Purpose and usage
- How? Controls and protection measures
- Security? Maturity of security controls
- Governance? Risks and mitigation

11 Continuous Data Risk Management Program – Data Classification and Controls Integration Workflow with IDRM
Workflow diagram (recovered labels), with Process Activity or Task boxes and Result (work product or deliverable) boxes:
- Integrate: CMDB; Policy Definition; Business Context; Organization Data Infrastructure; SIEM; IBM Guardium
- Discover: Native IDRM Discovery and Guardium-based Discovery feeding the IDRM Server; Native Metadata Discovery; Filtering and Analysis; Classifier process: Catalog Search, Exact Data Search, Information Assets, Policy Violations and Vulnerabilities, Security Classification
- Classify: Taxonomy Mapping and Assignment; Information Asset Definition (logical grouping of discovered data); Risk Modeling and Configuration; Business Information Asset Portfolio
- Results: Data Catalog; Information Asset Portfolio; Information Asset Portfolio with Business Risk

12 What you don't know can hurt you: the IDRM solution provides visibility to potential risks and enables proactive measures to be applied
The "Ah-ha" moment: when the Board of Directors and C-suite realize their business is at risk.
- Where does critical data reside? (data centers and geographies; data residency information)
- Which lines of business have the highest risk?
- Are the "Crown Jewels" classified and protected?
- What applications and processes access and use them? (controllers' and processors' applications and processes)
- Who are the owners of sensitive data? (roles and responsibilities such as the Data Protection Officer)
- What compliance issues do we have, and what are the remediation action items?

13 IBM Data Risk Manager (IDRM) – Functional Architecture
Architecture diagram (recovered labels):
- GOVERN: IDRM Dashboard – Information Assets; Risk Analytics; Action Management
- MODEL: Business Context Modeler (BCM) – Model and Map Data Context; Information Risk Modeling and Configuration; Data Flow Modeling
- MANAGE: Security Command and Control Center (C3) – Discovery and Classification; Controls Management; Information Policy Management; Risks and Issues Analysis; Posture Assessment; Action Center – Remediation Planning; Manage your area of work
- Enterprise Datasources and Assets Integration
- IDRM Server: Integration Exchange; Microservices; Diagnostic Tools; Industry Models; Solution Packages; Templates and Reusable Assets; Knowledge Base
- Next Gen: Cognitive; Cloud; IDRM SaaS

14 Demo – IDRM Dashboard

15 What you don’t know can hurt you: have visibility into critical data
- Information Asset Portfolio visualized across Organization Units, BUs or LoBs, and by Business Processes and Sensitivity categories
- Information Asset with risk score and data classification labels

16 Visibility into critical data, its residency, controls in place, business usage and potential risks
- Data Residency: data platforms, instance hostnames, and geographical locations where critical data is stored
- Controls Integration and Visibility: application of data-platform-specific controls such as Data Activity Monitoring and Vulnerability Assessment
- Business Usage and Impact: applications and business processes that access and/or use critical data for business operations and processing

17 … in addition to providing insight into roles and responsibilities across the data lifecycle and the ability to view data flows …
- Roles and Responsibilities: business and data owners across the data lifecycle, including resource names and contact information
- Data Flow Diagrams: visualize critical data as it flows across the enterprise, modeled based on business context data

18 … and “A-Ha” Driving visibility into business risks using Guardium
- Information Asset with risk score and data classification labels
- Risk and Remediation Management: understanding of the detailed risk profile and information asset valuation to determine remediation steps and prioritize action items

19 IBM Data Risk Manager (IDRM)
Client problem: what you don't know can hurt you. Master your risk with a command center that lets you see and address data-related business risk.
- Allows early visibility into potential risks to sensitive data
- Identifies specific, high-value business-sensitive data at risk from internal or external threats
- Provides a complete view (processes, procedure, compliance, ownership, etc.) of sensitive data
- Delivers value and meaning to business executives with a unique, easy-to-understand dashboard
- Enables the right conversations with IT, Security, and LOB teams to improve business processes and mitigate risks
Uncover – Analyze – Visualize – Act with IBM Data Risk Manager (IDRM).
Together, IBM Data Risk Manager, IBM Security Guardium, and IBM Security Services can identify and stop potential risks to sensitive business data that may impact business processes, operations and competitive position.

20 IDRM Server – Sizing and Configuration
The recommended hardware configuration for a standalone Server VM:
- Processor: Intel quad-core Xeon 2 GHz or above
- Number of processors: 2
- Memory (RAM): 16 GB
- Network: dual 1 Gbps
- Storage: 200 GB
- RAID level: RAID 5
The recommended software configuration (OVA virtual image):
- Virtualization software: virtual machine host – VMware ESXi / VMware Workstation
- Architecture: 64-bit OS/JVM
- Connectivity: supports Internet and Intranet
- Deployment & maintenance: Server VM should be accessible over the internet for installation

21 IDRM Server – Performance Considerations
Technical considerations, baseline and test results:
- Impact on network bandwidth during data scan: the IBM DRM product suite performs discovery by scanning the data on the target system and extracting only the metadata. The actual data is not scanned or extracted. The metadata file is small, and the impact on network throughput is insignificant. Assuming the target datasource has about 4000 tables, the following network performance metrics are provided as a baseline: data upload 500 KB; data download 9 MB; throughput 20 KB/sec across segmented networks (via VPN).
- Impact on performance and CPU resources on the database servers: as a baseline for metadata scans on user schema tables, the following CPU usage metrics were observed for a metadata scan of about 500 database tables: peak CPU usage 2%; average CPU usage 1.8%; total scan time approx. 4 minutes. Target datasource configuration: Oracle 12c database installed on CentOS 6.7 (Final) operating system; number of CPUs: 1; assigned memory: 8 GB RAM.

22 IDRM Server – Network Protocol Services
Port/Protocol | Service | Source | Destination
22/TCP | ssh: command line access to administer and manage IDRM server | Remote Desktop | IDRM Server
25/TCP | smtp (optional): connect to smtp, if integration is required | |
514/TCP or UDP | shell: to receive syslog notifications from the Guardium appliance | Guardium Appliance (if installed) |
8009, 8080/TCP | http: for server admin page connectivity | IDRM client applications / Remote Desktop |
8443/TCP | https: IDRM server connectivity to IDRM client applications, Guardium appliance(s) | IDRM client applications, IDRM Server | IDRM Server and Guardium Appliance
8762/TCP | Native DB Scanner | |
8763/TCP | Guardium Scanner | |
8764/TCP | Symantec Agent | IDRM Server and Symantec appliance |
8765/TCP | Identity Manager Agent | |
8767/TCP | DAM Listener Agent | |
10001/TCP | scp-config | |
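One way an operator can keep an IDRM server honest against the port table above is to compare the sockets actually listening with the documented ones. The script below is an added example, not IBM code or documentation; the `ss` listing it parses is constructed sample data in the layout of `ss -Hltnu`, and the "outbound only" treatment of 25/TCP follows the table's wording ("connect to smtp").

```python
"""Audit an IDRM server's listening sockets against the documented port table.
Added example, not part of the IDRM product; SAMPLE_SS_OUTPUT is constructed.
"""

# Port/protocol pairs the table documents for the IDRM server.
DOCUMENTED = {
    (22, "tcp"): "ssh: administer and manage IDRM server",
    (25, "tcp"): "smtp (optional, outbound): mail integration",
    (514, "tcp"): "syslog notifications from the Guardium appliance",
    (514, "udp"): "syslog notifications from the Guardium appliance",
    (8009, "tcp"): "http: server admin page",
    (8080, "tcp"): "http: server admin page",
    (8443, "tcp"): "https: IDRM clients and Guardium appliance(s)",
    (8762, "tcp"): "Native DB Scanner",
    (8763, "tcp"): "Guardium Scanner",
    (8764, "tcp"): "Symantec Agent",
    (8765, "tcp"): "Identity Manager Agent",
    (8767, "tcp"): "DAM Listener Agent",
    (10001, "tcp"): "scp-config",
}

# The table describes 25/TCP as the server connecting *to* SMTP, so it is
# not expected to be a local listener.
OUTBOUND_ONLY = {(25, "tcp")}

# Constructed sample in the column layout of `ss -Hltnu` (no header line).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      100    [::]:8443          [::]:*
tcp   LISTEN 0      100    127.0.0.1:8009     0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10001      0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Map (port, proto) -> set of local bind addresses from `ss -Hltnu` lines."""
    listeners = {}
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")  # handles "[::]:8443" and "*:22"
        listeners.setdefault((int(port), proto), set()).add(addr)
    return listeners


def audit(listeners, documented=DOCUMENTED):
    """Split open sockets into documented vs. undocumented, and list documented
    inbound services that are not currently listening."""
    open_ports = set(listeners)
    expected_inbound = set(documented) - OUTBOUND_ONLY
    return {
        "documented": sorted(open_ports & set(documented)),
        "undocumented": sorted(open_ports - set(documented)),
        "not_listening": sorted(expected_inbound - open_ports),
    }


def exposed_on_all_interfaces(listeners):
    """Documented ports bound to every interface (0.0.0.0, [::] or *), which is
    where an operator would review whether the bind should be narrowed."""
    wildcard = {"0.0.0.0", "[::]", "*"}
    return sorted(k for k, addrs in listeners.items()
                  if k in DOCUMENTED and addrs & wildcard)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    for category, ports in audit(found).items():
        print(f"{category}:")
        for port, proto in ports:
            print(f"  {port}/{proto}  {DOCUMENTED.get((port, proto), '')}")
    print("bound to all interfaces:", exposed_on_all_interfaces(found))
```

On a real server, feed the output of `ss -Hltnu` into `parse_listeners` instead of the constructed sample.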

23 IBM Data Risk Manager helping customers around the world uncover, analyze, visualize, and take action to protect their most critical data
- Mass Media Conglomerate: provided visibility into information asset risk posture by developing a sensitive data catalog and uncovering database vulnerabilities
- Global Manufacturer: discovered and classified customer data across 23 enterprise applications to enable a major business transformation initiative
- Education Ministry: developed a Ministry-wide portfolio of information assets and its lifecycle to address compliance and privacy regulations
- Major Insurance Company: established a sustainable discovery and classification process and accelerated data security solution deployment

24 Notices and disclaimers
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environment. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

25 Notices and disclaimers (continued)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:

27 IBM Data Risk Manager – Managing and protecting data Overview – Functional Architecture
Architecture diagram (recovered labels):
- GOVERN: IDRM Dashboard
- MODEL: Business Context Modeler (BCM) – Business Context and Data Flow Modeling; Remediation Management
- MANAGE: Security Command and Control Center (SC3) – Enterprise Integration Wizard; Policy Management – Central; Data Ingestion Wizard (DIW); Controls – DbAM and VA Integration
- IDRM Server: RESTful Data Services; REST API integration with IBM Guardium
- IBM Guardium: structured data discovery and database access monitoring across the organization data infrastructure

28 Chief Risk Officer (CRO)
Business Risk Management is now a collaborative effort between the different business units and areas managing business-valuable assets, and between business leaders and the IT teams that manage such assets. The aim is to bring in the broadest possible definition of risk with business outcomes in the forefront: mitigate any potential business disruptions occurring due to cyberattacks, and allow IT and Ops to focus on technical execution.
Enterprise risk, owned by the Chief Risk Officer (CRO): market risk; credit risk; business risk; compliance risk; operational / IT risk; information / data risk.
Ability to visualize business risks and affected sensitive information assets, with the ability to focus on the details of information and data risk: specific threats, incidents, and vulnerabilities.

29 Enterprise Risk
Stakeholders: Chief Risk Officer (CRO), Chief Information Security Officer (CISO), Chief Data Officer (CDO)
Requirements:
- Visibility into threats to high-value assets, and understanding of the types of sensitive assets that are at risk
- Understand the types and severity of risks, their associated impact, and remediation actions
- Prioritize security measures for implementation in alignment with the business value of information and data assets
- Recognize opportunities to extract value (insight and intelligence) from data
- Enable strategic decisions pertaining to data based on changing organizational, environmental, and operational factors
Solutions:
- Ability to view the most valuable information assets across business areas and functions, and understand their associated business value and potential risks
- Protect and secure such critical data from external threats, data breaches and data leaks
- Transparent, dynamic, real- or near-real-time security threats, incidents, and associated risk information
- Uncovered vulnerabilities and associated risks to sensitive information and data assets

30 Data Discovery and Classification Approach
Four steps, each with its key activities and outcomes:
1. Identify Scope
   - Identify the applications and the corresponding databases to be scanned
   - Prioritize the asset inventory by either current knowns and/or business criticality
   - Gather the contextual information for each of the assets in scope
   Outcome: prioritized list of assets
2. Define Data Elements
   - Gather information, validate and continue gathering contextual information
   - Create scan policies to identify sensitive data
   - Upload solution packages into the data discovery and classification technology
   Outcomes: metadata scan policies; technology solution packages
3. Conduct Discovery and Analyze Results
   - Conduct discovery scan
   - Populate contextual information into the data discovery and classification technology
   - Review and cleanse scan results
   - If necessary, update the Solution Package and re-run the metadata scan
   Outcome: information asset categories
4. Classify Data Elements & Assign Classification
   - Align Information Asset to Data Classification Levels
   - Determine the necessary cybersecurity controls needed to protect assets based on the assigned classification level
   - Update the Data Catalog to include new Information Assets and/or new data elements for existing Information Assets
   Outcomes: updated data catalog; data classification framework

31 Applying the Data Discovery and Classification Approach
Steps: Identify Scope; Define Data Elements; Conduct Discovery and Analyze Results; Classify Data Elements & Assign Classification.
Data Catalog (pilot):
Classification | Information Asset | Control(s)*
Public | – | None - Business Use Only
Internal Use Only | Employment Information; Employment Data: Positions | Access should be password controlled
Confidential | Names; Addresses; Personal Information; Date of Birth; Driver's License Numbers; Medical Information | Encryption is required for storage; Data on removable media must be encrypted
Restricted | Name; Address; Birthdate; National ID; Telephone Number; Payroll Earning; Account Information; Account Balance |
Example information asset: ACME Application on "ims0198" (ims0198.acmecorp.com), with discovered data elements Addresses; Personal Information; Date of Birth; Driver's License Numbers; Medical Information; Employment Information; Employment Data: Positions.
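The four-step approach on the previous slide and the pilot data catalog above come together in a roll-up: metadata scan policies match column names to data elements, each element carries a catalog classification, and an information asset takes the highest level of anything discovered in it. The script below is an added example, not IBM code or the DRM product's logic: the classification levels and controls are the pilot catalog's, while the regex scan policies, the column names and the rule that controls accumulate across levels are constructed assumptions.

```python
"""Metadata-only discovery and classification roll-up (added example, not IBM
code). Scan-policy patterns, column names and the cumulative-controls rule
are constructed assumptions; levels and controls follow the pilot catalog."""
import re

# Classification levels, least to most sensitive (pilot catalog).
LEVELS = ["Public", "Internal Use Only", "Confidential", "Restricted"]

# Data catalog: data element -> classification level (pilot catalog).
CATALOG = {
    "Employment Information": "Internal Use Only",
    "Employment Data: Positions": "Internal Use Only",
    "Names": "Confidential",
    "Addresses": "Confidential",
    "Date of Birth": "Confidential",
    "Driver's License Numbers": "Confidential",
    "Medical Information": "Confidential",
    "National ID": "Restricted",
    "Telephone Number": "Restricted",
    "Payroll Earning": "Restricted",
    "Account Balance": "Restricted",
}

# Controls per level from the pilot catalog (none are listed for Restricted).
CONTROLS = {
    "Public": ["None - Business Use Only"],
    "Internal Use Only": ["Access should be password controlled"],
    "Confidential": ["Encryption is required for storage",
                     "Data on removable media must be encrypted"],
    "Restricted": [],
}

# Metadata scan policies: regex over lower-cased "table.column" names.
# Only metadata is inspected, never row data. Patterns are constructed.
SCAN_POLICIES = [
    (r"(^|_)(ssn|national_id|nat_id)", "National ID"),
    (r"(dob|birth)", "Date of Birth"),
    (r"(driver|dl_num|license)", "Driver's License Numbers"),
    (r"(diagnosis|medical|icd)", "Medical Information"),
    (r"(^|_)(addr|address|street|zip)", "Addresses"),
    (r"(^|_)(first|last|full)?_?name", "Names"),
    (r"(position|job_title)", "Employment Data: Positions"),
    (r"(phone|telephone)", "Telephone Number"),
    (r"(payroll|salary|earning)", "Payroll Earning"),
    (r"(acct|account)_?bal", "Account Balance"),
]


def discover_elements(column_name):
    """Return the data elements whose scan policy matches a column name."""
    name = column_name.lower()
    return {elem for pattern, elem in SCAN_POLICIES if re.search(pattern, name)}


def classify_asset(asset, host, columns):
    """Roll an information asset (a logical grouping of discovered columns) up
    to one level: the highest level of any matched element. Required controls
    are that level's plus every lower non-Public level (constructed rule)."""
    elements = set()
    for column in columns:
        elements |= discover_elements(column)
    level = max((CATALOG[e] for e in elements), key=LEVELS.index, default="Public")
    controls = []
    for lvl in LEVELS[1:LEVELS.index(level) + 1] or ["Public"]:
        controls += CONTROLS[lvl]
    return {"asset": asset, "host": host, "level": level,
            "elements": sorted(elements), "controls": controls}


# Constructed column metadata, as a scan of ims0198.acmecorp.com might return.
ACME_COLUMNS = ["EMPLOYEE.FIRST_NAME", "EMPLOYEE.HOME_ADDRESS", "EMPLOYEE.BIRTH_DATE",
                "EMPLOYEE.DL_NUMBER", "EMPLOYEE.JOB_TITLE", "CLAIMS.DIAGNOSIS_CODE"]
PAYROLL_COLUMNS = ["PAY.EMP_SSN", "PAY.PAYROLL_EARNING", "PAY.FULL_NAME"]
INVENTORY_COLUMNS = ["INVENTORY.SKU", "INVENTORY.QTY_ON_HAND"]

if __name__ == "__main__":
    for name, cols in [("ACME Application", ACME_COLUMNS), ("Payroll", PAYROLL_COLUMNS),
                       ("Inventory", INVENTORY_COLUMNS)]:
        print(classify_asset(name, "ims0198.acmecorp.com", cols))
```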

32 DRM Application Packages
- DRM Dashboard: an interactive dashboard that enables information governance by providing visualization and management in a single, unifying console that depicts potential risks to sensitive business assets.
- Business Context Modeler (BCM): business context modeling software to represent the flow of data elements across the organization by collating entities and actors, including business processes, applications, infrastructure nodes and control specifications. BCM is used to define policies for data discovery and classification.
- Command and Control Center (C3) - Data Ingestion Wizard (DIW): a data discovery management solution that enables data discovery policy execution, analysis and cleansing of discovered data, and information asset categorization.
- DRM Application Server: the DRM Server is an information management and governance solution that provides visibility to sensitive data assets and the potential risks associated with those assets. The assets and risks are further associated with the applications and business processes that may potentially be impacted.

33 DRM – Service Offerings
Offerings: Proof-of-Concept | Quick Start | Pilot | Enterprise
- Duration of services: 1 week | 3 weeks | 6 weeks | Services engagement to be determined in consultation with the customer
- Scope: 1-2 data elements/discovery policies, ~100 database tables | ~5 data elements/discovery policies, ~400 database tables | ~8 to 10 data elements/discovery policies, ~4000 database tables | Scope to be determined based on services engagement
- Usage of tools: Yes | All the DRM products and IBM Guardium, if available
- Deliverables: Report in Word format | DRM Dashboard (for the project duration only) | All the DRM products are deployed
- Licensed software: No | Price to be determined
- Skills and knowledge transfer: No; however, the approach is documented in the deliverable
- Resources & cost: One resource, free, no tool charges | Local resource rates | Fixed-cost project, two resources | TBD
Scope items such as DB tables are for SoW baseline purposes only.
