8.0 - IBM - Security - Data - Encryption


IBM Guardium Data Encryption

Different Enterprise Use Cases Require Different Approaches


Original Value: 4536 6382 9896 5200

Masking
 The ability to desensitize personal information and make it unreadable from its original form while preserving format and referential integrity
 It is a one-way algorithm, i.e. there is no unmasking of the data
 SDM – Static Data Masking
 DDM – Dynamic Data Masking
Masked Value: ABCD GDIC JIJG VXYZ

Redaction
 The process of obscuring part of a text for security purposes
 The ability to replace real data with substitute characters like (“*”)
Redacted Value: **** **** **** 5200

Tokenization
 The process of substituting a “token” which can be mapped to the original value
 A token is a non-personal data equivalent which has no extrinsic value
 Must maintain a mapping between the tokens and the original values
Token Value: 4212 5454 6565 7780

Encryption
 The process of encoding data in such a way that only authorized individuals can read it by decrypting the encoded data with a key
 Format Preserving Encryption (FPE) is a special form of encryption
Encrypted Value: 1@#43$%!xy1K2L4P

2 IBM Security IBM and Business Partner Confidential
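The slide contrasts the four techniques on one card number but does not show what distinguishes them in practice. The following is an added example, not code from the deck or from IBM Guardium: each technique is applied to the slide's sample value so the differences become visible, namely that redaction and masking are one-way, tokenization is reversible only through the vault mapping, and encryption is reversible only with the key. The "encryption" here is HMAC-SHA256 run in counter mode with a separate authentication tag, a standard-library stand-in chosen so the file runs offline; a product would use AES-GCM or, for format preservation, an FPE mode. The salt, key and card number are constructed values.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample value (the slide's own example number, not a real card).
CARD = "4536 6382 9896 5200"


def redact(value: str, keep_last: int = 4) -> str:
    """Redaction: overwrite every digit except the last `keep_last` with '*'.
    Layout (spaces) is kept; the original cannot be recovered from the output."""
    digits = sum(c.isdigit() for c in value)
    cutoff = digits - keep_last
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= cutoff else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask(value: str, salt: bytes) -> str:
    """Static masking: a one-way, format-preserving substitute derived from a
    keyed hash. Equal inputs with the same salt give equal outputs, which keeps
    referential integrity across tables; there is no inverse, so no unmasking."""
    digest = hmac.new(salt, value.encode(), hashlib.sha256).digest()
    letters = string.ascii_uppercase
    out, i = [], 0
    for c in value:
        if c.isdigit():
            out.append(letters[digest[i % len(digest)] % 26])
            i += 1
        else:
            out.append(c)
    return "".join(out)


class TokenVault:
    """Tokenization: swap the value for a random token of the same format and
    keep the token <-> value mapping in a vault. The token has no intrinsic
    value; only a lookup in the vault can reverse it."""

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:          # same value -> same token
            return self._token_by_value[value]
        while True:
            token = "".join(secrets.choice(string.digits) if c.isdigit() else c
                            for c in value)
            if token != value and token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]           # KeyError for an unknown token


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: a stand-in for a block cipher so the
    example needs only the standard library. Use AES-GCM in production."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Encryption: reversible only with the key. Output = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    pt = plaintext.encode()
    ks = _keystream(_subkey(key, b"enc"), nonce, len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # reject tampered or wrong-key data
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


if __name__ == "__main__":
    vault, key = TokenVault(), secrets.token_bytes(32)   # constructed key
    print("redacted :", redact(CARD))
    print("masked   :", mask(CARD, b"constructed-salt"))
    print("token    :", vault.tokenize(CARD), "->", vault.detokenize(vault.tokenize(CARD)))
    print("encrypted:", encrypt(key, CARD).hex())
```

The vault is the part that turns tokenization into a security boundary: whoever can read the mapping can reverse every token, which is why the deck ships it as a separate tokenization server appliance rather than a library inside the application.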


Applying Encryption

• The process of encoding data so that only authorized users can read it by decrypting encrypted data with a key

EXAMPLE
Original Value: 4536 6382 9896 5200
Encrypted Value: 1@#43$%!xy1K2L4P

Database Encryption: Encrypt tablespace, log and other database files
Unstructured Data Encryption: Encrypt and control access to any type of data used by LUW server
Cloud Encryption: Encrypt and control access to data used by cloud instances

Regulatory non-compliance is becoming more painful!

Regulatory compliance is the #1 reason customers adopt encryption

COMPLIANCE, REQUIREMENTS and NON-COMPLIANCE PENALTIES
PCI: Safeguard cardholder data; penalty $5K - $500K per month
SOX: Protect financial data; penalty $1M - $5M with possible imprisonment
HIPAA: Ensure patient privacy; penalty up to $1.5M per year
GDPR: Protect personal privacy and data; penalty up to €20M or 4% annual WW turnover

How do you mitigate the RISK of data compromise and regulatory non-compliance?

And increasingly, demand for encryption is spurred by the need to protect data, regardless of its location

Cloud-based data (cloud platforms shown: Azure, Private, Google, Micro, AWS, IBM):
• Databases
• Data warehouses
• File systems
• Big data platforms

REMEMBER…
• You can’t always control what happens in cloud environments, but:
̶ You can control the DATA
̶ You must keep cloud service providers out of your sensitive data
• Compliance still applies - even in the cloud

2019 Data Security Encryption Portfolio

Guardium Data Encryption (GDE)
• On-Prem File Encryption
• Agent-Server Architecture
• OEM from Vormetric/Thales

Multi-Cloud Data Encryption (MDE)
• File, Volume, & S3 Encryption
• Agent-Server Architecture
• OEM from Security First Corp

Security Key Lifecycle Manager (SKLM)
• Enterprise Key Mgmt
• KMIP Certified
• Distributed and Z-versions available

Guardium Data Encryption for IMS and DB2 (GDE4Z)
• Protects Database Contents
• OEM from Rocket
• Z-platform only

IBM Guardium Data Encryption
Protect on-premises enterprise data while meeting compliance mandates

Guardium Data Encryption
• Protects on-premise data from misuse
• Supports separation of duties
• Meets government and industry compliance regulations e.g., PCI, GDPR, etc.
• Scales in heterogeneous environments
• Tokenization support
• Provides encryption for:
̶ Files and Databases
̶ Applications
̶ Teradata environments

(Figure: Guardium Data Encryption protects databases and Big Data apps, shown as Oracle, DB2, Hadoop, Teradata and NoSQL, and protects files.)

Imagine encryption… anywhere!

(Figure: Encryption Agents deployed in many locations, managed by an on-prem Data Security Manager (DSM) through a REST API.)

IBM Guardium Data Encryption helps provide distributed encryption and centralized management to protect sensitive data for traditional, on-prem environments

IBM Guardium Data Encryption
Guardium Data Encryption v3.0 Offers Different Components

Guardium for File and Database Encryption
• Encrypts Structured and Unstructured Data
• Agent-based solution with management server virtual appliance
• Next generation version of GDE v2.0 for files and database encryption
• GDE v2.0 customers can upgrade to Guardium for File and Database Encryption (v3.0) at no charge as long as their S&S is current

Guardium for Application Encryption
• Offers an SDK that allows customers to directly integrate their applications with the encryption agents
• Agent-based solution with management server virtual appliance

Guardium for Teradata Encryption
• Encrypts structured and unstructured data within a Teradata environment
• Agent-based solution with management server virtual appliance

Guardium for Tokenization
• Supports Database Tokenization through REST API calls
• Solution includes a tokenization server virtual appliance and a management server virtual appliance

IBM Multi-Cloud Data Encryption
Protect data in cloud and hybrid environments while meeting compliance mandates

IBM Multi-Cloud Data Encryption
• Protect data in single cloud, multiple clouds and hybrid environments from misuse
• Encrypts file, volume and object store data while controlling and logging data access
• Meets government and industry compliance regulations e.g., PCI, GDPR, etc.
• Central console and agent model with over 10 languages supported
• Provides full REST API support
• Integrates to IBM Security Key Lifecycle Manager (SKLM) for more control

(Figure: IBM Multi-Cloud Data Encryption protects cloud environments and on-prem data, with key management.)

MDE 2.3 - Protecting data-at-rest wherever it resides

(Figure: a Central Management Console, with Administration, Automation via REST API, a SIEM system and an External Key Manager, manages an NFS File Agent, a Server Volume Agent, a Server File Agent and an Object Store Agent that fronts S3 object storage over the S3 API.)

Provide access controls, encryption, monitoring and centralized management to protect sensitive data in a single cloud, multiple clouds and hybrid environments

MDE 2.3 – Agents protect data-at-rest however it is stored

File Agent
• Protect local files and folders with access controls and encryption
• File agent installed on the server with attached storage

Linux NFS Support (New in 2.3)
• Protect NFS mount with access controls and encryption
• File agent installed on the NFS client server

Volume Agent
• Protect complete volumes/partitions with access controls and encryption
• Volume agent installed on the server with attached storage

Object Store Agent
• Protect data with access controls and encryption via S3 API prior to transmit
• Object store agent appliance serves as proxy for S3 object store

MDE 2.3 – Agents and Operating Systems

(Table of supported operating systems per agent; only the row labels survive extraction.)
• File Agent (Performance: New in 2.3)
• Linux NFS Support (New in 2.3)
• Volume Agent
• Object Store Agent Appliance

IBM Data Protection Ecosystem

(Figure: Multi-Cloud Data Encryption at the centre, integrating with Security Key Lifecycle Manager, QRadar, Data Risk Manager, Cloud Object Storage, Guardium Data Protection and Spectrum Protect. MDE Agents cover File, Volume or NFS on Windows / Linux / AIX; the Object Store Agent covers Cloud Object Storage.)

How Can We Protect Against S3 Threats?

Researchers from Kromtech Alliance Corp., based in Dubai, found a Kubernetes console with no password protection that included data from dozens of Amazon S3 buckets, but, allegedly, no personal data was accessed in the Weight Watchers exposure.
https://searchcloudsecurity.techtarget.com/news/252442958/Weight-Watchers-exposure-due-to-unsecured-Kubernetes-console

Search tool accesses firms' documents in the cloud
http://www.bbc.com/news/technology-43057681

What is Object Store?

Comparison of Block, File and Object storage:
Interface: Block – Operating System; File – Operating System; Object – User Program (API)
Cost: Block – $$-$$$; File – $$-$$$$; Object – $
Performance: (graphical row, not recoverable)
Proximity: Block – Dedicated Network, Fiber Channel / 10Gb; File – LAN / 10Gb; Object – Internet
Use Case: Block – OS, Database; File – Sharing user data, web content; Object – Images, PDFs, Archives, Video
Scale: (graphical row, not recoverable)

Imagine a cloud … where you are in control!

(Figure legend: Encrypted Data Flow, Clear Data Flow, Key and Policy Flow. An on-prem Server with Object Store Encryption Agent receives MDE Policy and Keys from the Central Management Console and writes encrypted data over the S3 API to AWS S3, Private S3, IBM COS and a Local S3 Object Store.)

IBM Multi-Cloud Data Encryption – Object Store Encryption
Provide protection before it is sent to the cloud

One Product – Multiple Solutions!

(Figure legend: Encrypted Data Flow, Clear Data Flow, Encrypted Data Flow (split), Keys and Policies.)

• Servers protected by MDE File or Volume Agents, on-prem or in the cloud: an AWS EC2 Server with a Volume Policy Agent (On-Cloud) and an On-Prem File Policy Agent that encrypts files and folders
• High-Availability / Resiliency using Object Store Agent M-of-N splitting across AWS S3, Private S3 and IBM COS S3 Object Storage
• The Central Management Console distributes Keys and Policies; an On-Prem Server with Object Store Encryption Agent in a Private CoLo talks to the stores over the S3 API

IBM Multi-Cloud Data Encryption – Flexibility
Provide protection wherever your data resides
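The deck names "M-of-N splitting" as the resiliency mechanism for the Object Store Agent but gives no detail on how the split works. The following is an added example, not code from IBM or Security First Corp, and it assumes the split is a threshold secret-sharing scheme (Shamir's scheme over GF(2^8), applied byte by byte); the product's actual construction is not on the page. It shows the property the slide relies on: any M of the N pieces rebuild the data, while fewer than M reveal nothing, so losing one store does not lose the object and compromising one store does not expose it. The secret bytes are a constructed sample.

```python
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial 0x11B."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 in GF(2^8) (a != 0), by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split(secret: bytes, m: int, n: int) -> list[tuple[int, bytes]]:
    """Split `secret` into n shares such that any m of them rebuild it.
    Each byte becomes the constant term of a fresh random degree-(m-1)
    polynomial; share i holds that polynomial evaluated at x = i."""
    if not 1 < m <= n < 256:
        raise ValueError("need 1 < m <= n < 256")
    share_bufs = [bytearray() for _ in range(n)]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(m - 1)]
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):        # Horner evaluation of the polynomial at x
                y = gf_mul(y, x) ^ c
            share_bufs[x - 1].append(y)
    return [(x, bytes(buf)) for x, buf in enumerate(share_bufs, start=1)]


def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0, byte by byte. With fewer than m shares
    the result is uniformly random, never a partial secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for k, xk in enumerate(xs):
                if k != j:
                    num = gf_mul(num, xk)       # (0 - xk) equals xk in characteristic 2
                    den = gf_mul(den, xj ^ xk)  # (xj - xk)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))   # y_j * L_j(0)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 3-of-5 split, e.g. one share per object store.
    data = b"constructed object-store key material"
    shares = split(data, 3, 5)
    print("any 3 shares  :", combine(shares[1:4]) == data)
    print("only 2 shares :", combine(shares[:2]) == data)
```

In the deck's topology each share would be written to a different S3 endpoint (AWS S3, Private S3, IBM COS), so the agent can still serve reads when one store is unreachable, and an attacker who obtains one store's contents holds a share that is statistically independent of the data.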

SC Magazine Review of Multi-Cloud Data Encryption (MDE)

“5 Stars”

“Verdict: This is a great product for large environments, especially for those requiring GDPR support. It offers Windows and Linux support, giving it versatility. The customizability and security of the Multi-Cloud Data Encryption, and the unique raid like setup gives customers privacy assurance and flexibility.”
https://www.scmagazine.com/review/ibm-multi-cloud-data-encryption/

https://www.ibm.com/us-en/marketplace/cloud-data-encryption

https://securityintelligence.com/media/podcast-monitoring-national-cybersecurity-trends-with-former-nsa-deputy-director-bill-crowell/

THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
