Bringing data security to the enterprise
August 1st, 2008
Can you remember a time when you didn't read about some company's recent security breach resulting in the loss of private information and data? In many ways, data security is priceless. No one can erase your company's name from the front page of the newspapers and undo the damage of a data security breach. Once your data, or more importantly your customer's, data is on the loose, it can't be reined back in. In today's economy of the Information Age, the chance of loss or exposure is real. Since information is your enterprise's most important asset, many people want access to that information - whether they are entitled to it or not. Many data breaches are perpetrated by those with malicious intent, either inside or outside your organization.
We're all aware of high profile data breaches in the last 12 months. According to Christopher Hope (April 2008), Home Affairs Correspondent of the Daily Telegraph, five security breaches a week have been reported since the loss last year of the two government discs containing the details of 25 million families. Richard Thomas, the Information Commissioner since 2002, said that he had been notified of 94 data breaches over the past five months.
Challenges for Implementing Security
Like other complex, systemic problems in the real world, there is no such thing as a single "quick fix" for securing data. If things were that easy, the problems would have been solved by now and we would be living in a world full of secure data. There is no "silver bullet" to security. The best security IT professionals can attain is to make the process and cost of stealing data difficult and prohibitively expensive to would-be attackers. The challenge for companies to achieve and maintain compliance can be divided into three key areas:
- Increasing requirements with volumes of regulations. The requirements come through governmental pressures from financial regulations. Compliance can also be an internal pressure with internal regulations requiring systems compliance and process compliance.
- Complexity is growing exponentially and today's more complex applications that are moving towards service oriented architecture take operations management to new levels of complexity.
- Cost pressures continue to mount. Do more with less yet in the face of the growing complexity, requirements for change, and need for compliance operations labor budgets have had to grow at the expense of development budgets. Getting cost under control is paramount to moving forward.
DB2 for z/OS and Data Governance Solutions
The latest version of DB2, DB2 9, delivers increased security and regulatory compliance through the implementation of roles, network-trusted contexts and enhanced auditing capabilities. Improvements in trace filtering makes the job of auditing and performance management easier. Many more options let you minimize the amount of data collected, so computing overhead is reduced and extraneous data does not need to be processed. These capabilities, and many others, keep DB2 and System z far ahead of other product solutions.
IBM Optim software is a single, scalable, interoperable Information Lifecycle Management solution providing a central point to deploy policies to extract, store, port, and protect application data from creation through to deletion. IBM Optim can provide the following core functionality:
- Data Privacy: Protecting your sensitive data does not stop at your production system. This data is commonly replicated in multiple test environments across your organization, as well as in extract files and staging tables. IBM Optim provides automatic data transformation capabilities to mask personal information and de-identify confidential information to protect privacy. You can then use the transformed data safely for application testing, which helps your address compliance requirements and maintain customer loyalty.
- Archive: IBM Optim provides proven database archiving capabilities, empowering organizations to segregate historical from current data, and to store if securely and cost-effectively while maintaining universal access to the data, thus allowing your production databases to serve your business applications at higher performance levels. Given the current regulatory compliance landscape, many organizations are faced with having to retain data for longer periods of time, this can extend to data that resides in retired applications, with little current business value, but retention is dictated for future unanticipated audit or compliance requirements.
- Test Data Management: IBM Optim assists in application development by streamlining the way you create and manage test environments. You can subset and migrate data to build realistic and right-size databases. This eliminates the expense and effort of maintaining multiple database clones. Used in conjunction with Optim Data Privacy, cost effective and secure test and QA environments are created and managed with consistent and repeatable processes.
Threats to sensitive and confidential data are multi-faceted and constantly evolving. Protecting your data servers against these broad-based threats requires you to first itemize and understand the threats themselves, and then put in place effective countermeasures to address every threat that is relevant in your environment. This is no trivial task - but the central importance of data security to our society today makes it a job that cannot be ignored or taken lightly.
The most important of these countermeasures involves building security-oriented business practices, processes and controls into your environment. For example, the practice of separation of duties and the principle of least privilege are fundamental security practices that must be present in any security-conscious environment.
But it does not stop at these controls and practices. Utilizing the proper technology, in the proper way, is a critical part of the solution. This begins by first making sure you are using a secure enterprise data server, such as IBM DB2. DB2 for z/OS features extensive security and auditing capabilities to help protect sensitive data. Secondly, DB2 for z/OS can be enhanced by utilizing critical security-enhancing software, such as: IBM Data Encryption for IMS and DB2 Databases IBM Optim, DB2 Audit Management Expert, and z/OS RACF - providing important layers of security critical to hardening your environment.
Triton Consulting can help you to manage your data growth and the challenges of security, For more information on how we can work with you to implement a secuerity and data growth strategy contact us.