A Proactive, Preventative Approach to Compliance and Security
Databases contain an organization’s most valuable assets. That’s where customer data, financial records, payment-card data and other sensitive information are stored. As a result, databases have become a primary target of attacks by hackers and insiders with malicious intent.
Investigations of data breaches over the past several years show that 75 to 92 percent of compromised records originated in database servers. The average cost of a data breach exceeded US$7 million in 2010, according to a Ponemon Institute report. In some countries the CEO is held personally responsible for a data breach.
Because of the explosion in data breaches, government and regulatory bodies worldwide have introduced mandates to encourage organizations to implement the controls needed to protect sensitive data. These include the Payment Card Industry Data Security Standard (PCI DSS), financial regulations such as the Sarbanes-Oxley Act (SOX), the Financial Instruments Exchange Law (FIEL) and the BDDK Information System Audit provisions, as well as numerous country-specific data privacy laws.
Failure to comply with such regulations can have serious consequences, including fines, legal implications and even incarceration in certain geographies. At the same time, audit exceptions may also result in unwanted visibility at the board level. So it’s not surprising that audit failure is cited as the biggest security concern in BeyeNetwork’s 2010 Information Governance market survey.
Although it is a top priority, implementing the controls to protect sensitive data and validating compliance across the range of mandates applicable to your enterprise can be challenging. Accordingly, many organizations are seeking a comprehensive enterprise-wide audit solution to proactively manage risk, which in turn can lower costs by avoiding fines due to noncompliance and by helping avoid costly data breaches.
Scope of the Problem
Many organizations have hundreds, thousands, even tens of thousands of databases that are geographically distributed, often around the globe. Compounding this complexity is the fact that sensitive data is most often stored in a variety of different databases as well as data warehouses. These are hosted not only on Linux, UNIX and Windows systems, but also on core mainframe environments. In fact, the IBM mainframe System z platform is so robust that 95 percent of Fortune 1,000 companies store information on it.
Organizations now recognize that to be effective, protective measures need to encompass all of these environments, since they all contain critical enterprise data. Auditors have also become more demanding, broadening the scope of audits to encompass all these databases and platforms in recognition of this reality.
A Comprehensive Solution
IBM InfoSphere Guardium is an integrated solution for automating all aspects of the security and compliance lifecycle, across all popular databases enterprise-wide—including those supporting OLTP and batch environments.
In order to secure sensitive data, you need to know where it is. InfoSphere Guardium can automatically crawl the network to discover uncatalogued database instances, examine the contents for sensitive data, and apply appropriate controls to these instances.
Databases are highly dynamic, with changes in accounts, configuration and structure occurring regularly. InfoSphere Guardium allows organizations to harden sensitive databases by scanning them on a regular basis to identify security gaps and suggest prioritized remedial actions.
To protect sensitive data, organizations need to monitor not only access, but also changes to the content and structure of databases. InfoSphere Guardium is able to continually monitor all database transactions, compare them to policies specified by the policymaker, and take action when a violation is detected, including, for most platforms, proactive policy enforcement by blocking the transaction in real time.
To streamline compliance validation, InfoSphere Guardium complements these capabilities with powerful enterprise-wide auditing, reporting and workflow automation.