Deployment Guide for InfoSphere Guardium

Book Description

IBM® InfoSphere® Guardium® provides the simplest, most robust solution for data security and data privacy by assuring the integrity of trusted information in your data center. InfoSphere Guardium helps you reduce support costs by automating the entire compliance auditing process across heterogeneous environments. InfoSphere Guardium offers a flexible and scalable solution to support varying customer architecture requirements.

This IBM Redbooks® publication provides a guide for deploying the Guardium solutions.

This book also provides a roadmap process for implementing an InfoSphere Guardium solution that is based on years of experience and best practices collected from various Guardium experts. We describe planning, installation, configuration, monitoring, and administering an InfoSphere Guardium environment. We also describe use cases and how InfoSphere Guardium integrates with other IBM products.

The guidance can help you successfully deploy and manage an IBM InfoSphere Guardium system.

This book is intended for the system administrators and support staff who are responsible for deploying or supporting an InfoSphere Guardium environment.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. Solutions and architecture
    1. 1.1 Introduction to regulation compliance and auditing requirement
    2. 1.2 Database security and lifecycle
    3. 1.3 Architecture and functional characteristics
      1. 1.3.1 Product architecture components
      2. 1.3.2 Product functionality
      3. 1.3.3 Product architecture options
      4. 1.3.4 S-TAP architecture options
    4. 1.4 Integration with IT infrastructure
    5. 1.5 Supported platforms
  5. Chapter 2. Implementation planning
    1. 2.1 Knowing product deployment types
    2. 2.2 Sizing and topology considerations
      1. 2.2.1 Audit level
      2. 2.2.2 Database to collector sizing
      3. 2.2.3 Collector to aggregator ratio
      4. 2.2.4 Central Manager ratio
    3. 2.3 Contingency and design considerations
      1. 2.3.1 Appliance location
      2. 2.3.2 Appliance configuration options
      3. 2.3.3 S-TAP agent contingency and configuration
    4. 2.4 Implementation approach
    5. 2.5 Implementation schedule
    6. 2.6 Roles and responsibilities
    7. 2.7 Installation and configuration sessions
    8. 2.8 Future growth considerations
  6. Chapter 3. Installation and configuration
    1. 3.1 Schedule of Implementation activities
    2. 3.2 Installation and configuration planning
    3. 3.3 Guardium appliance overview
      1. 3.3.1 Hardware and software appliance modes
      2. 3.3.2 Appliance types
    4. 3.4 Database and appliance inventory
      1. 3.4.1 Database inventory
      2. 3.4.2 Collector sizing
      3. 3.4.3 Aggregator sizing
    5. 3.5 Appliance deployment considerations
      1. 3.5.1 Managed or stand-alone environment
      2. 3.5.2 Contingency
      3. 3.5.3 Networking
      4. 3.5.4 Other allocation factors
      5. 3.5.5 Start with a test environment
      6. 3.5.6 Licensing
    6. 3.6 Appliance installation and configuration
      1. 3.6.1 Rack or build appliance
      2. 3.6.2 Configuring the appliance
    7. 3.7 Agent deployment, installation, and configuration
      1. 3.7.1 Guardium installation manager
      2. 3.7.2 S-TAP
      3. 3.7.3 Command-line options
      4. 3.7.4 S-TAP and its inspection engine configuration
      5. 3.7.5 More information
    8. 3.8 Configure remaining appliances
      1. 3.8.1 Managed units grouping
      2. 3.8.2 Creating a group
    9. 3.9 Guardium operations
      1. 3.9.1 Configuration
      2. 3.9.2 Transferring configuration to managed units
      3. 3.9.3 Data management
      4. 3.9.4 System backup
      5. 3.9.5 Aggregation
      6. 3.9.6 Job schedules
      7. 3.9.7 Enterprise systems interface configuration
      8. 3.9.8 Self-monitoring
    10. 3.10 Vulnerability assessment
      1. 3.10.1 Creating a database account
      2. 3.10.2 Creating a data source
      3. 3.10.3 VA tests
      4. 3.10.4 Creating an assessment
      5. 3.10.5 Custom reports
      6. 3.10.6 Scheduling an assessment
      7. 3.10.7 More information
      8. 3.10.8 High-level steps summary
    11. 3.11 Where to find more help
      1. 3.11.1 Product documentation
      2. 3.11.2 Release notifications and bulletins
      3. 3.11.3 Product support
      4. 3.11.4 User community and support
  7. Chapter 4. Monitoring and auditing
    1. 4.1 Regulations and compliance
    2. 4.2 Auditing categories
      1. 4.2.1 Privilege user monitoring
      2. 4.2.2 Sensitive object monitoring
      3. 4.2.3 Comprehensive monitoring
    3. 4.3 Auditing requirements
    4. 4.4 Database activity monitoring
    5. 4.5 Vulnerability assessment
    6. 4.6 Mapping audit requirements to the solution
      1. 4.6.1 Requirement 2: Do not use vendor-supplied defaults for system passwords
      2. 4.6.2 Requirement 3: Protect stored cardholder data
      3. 4.6.3 Requirement 6: Identify systems missing patches and enforce change controls
      4. 4.6.4 Requirement 7: Compensating control for network segmentation
      5. 4.6.5 Requirement 8: Assign a unique ID for each person with a computer access
      6. 4.6.6 Requirement 10: Track and monitor all access to cardholder data
      7. 4.6.7 Requirement 11: Regularly test systems
      8. 4.6.8 SOX requirement: Prevent unauthorized changes to the financial CRM, ERP, and HR data
  8. Chapter 5. Monitoring setup
    1. 5.1 Monitoring setup overview
    2. 5.2 Monitoring planning
    3. 5.3 Grouping
      1. 5.3.1 Wildcards
      2. 5.3.2 Hierarchical groups
      3. 5.3.3 Group deletion
      4. 5.3.4 Public versus private groups
      5. 5.3.5 Groups in federated environment
      6. 5.3.6 Size and performance effect
    4. 5.4 Policy
      1. 5.4.1 Policy types and policy rules
      2. 5.4.2 Logging granularity
      3. 5.4.3 Generating real-time alerts with policy
      4. 5.4.4 Extrusion rules
      5. 5.4.5 Database exceptions
      6. 5.4.6 Policy for z/OS
      7. 5.4.7 Policy installation
    5. 5.5 Reports
      1. 5.5.1 Reports versus queries
      2. 5.5.2 Domain, entities, and attributes
      3. 5.5.3 Query conditions
    6. 5.6 Compliance workflow
    7. 5.7 Real-time and threshold alerting
      1. 5.7.1 Alert generating
      2. 5.7.2 Alerter
    8. 5.8 Data level access control
      1. 5.8.1 S-TAP setup
      2. 5.8.2 Policy setup
      3. 5.8.3 Policy violation report
    9. 5.9 Vulnerability assessment setup
    10. 5.10 Configuration audit system setup
      1. 5.10.1 Prerequisites
      2. 5.10.2 High-level steps
      3. 5.10.3 Installation and configuration
      4. 5.10.4 Reviewing results
      5. 5.10.5 Next steps
    11. 5.11 Entitlement reporting setup
      1. 5.11.1 Prerequisites
      2. 5.11.2 High-level steps
      3. 5.11.3 Configuration steps
      4. 5.11.4 Review the entitlement data
    12. 5.12 Database auto-discovery setup
      1. 5.12.1 Prerequisites
      2. 5.12.2 High-level steps
      3. 5.12.3 Configuration steps
      4. 5.12.4 Viewing the results
      5. 5.12.5 Next steps
    13. 5.13 Sensitive data finder setup
      1. 5.13.1 Use cases and highlights
      2. 5.13.2 Prerequisites
      3. 5.13.3 High-level steps
      4. 5.13.4 Configuration steps
      5. 5.13.5 Viewing classification process results
      6. 5.13.6 Next steps
    14. 5.14 Adding a menu tab to your portal
  9. Chapter 6. Access management
    1. 6.1 Access management overview
      1. 6.1.1 Roles, portals, applications, and users
      2. 6.1.2 Managed configuration
      3. 6.1.3 Authorization versus authentication
      4. 6.1.4 Data-level security
    2. 6.2 User accounts
      1. 6.2.1 Creating a user account manually
      2. 6.2.2 Importing user accounts from LDAP
      3. 6.2.3 Modifying a user’s role
    3. 6.3 User role browser
      1. 6.3.1 Custom role
      2. 6.3.2 Adding a role
  10. Chapter 7. Ongoing operations
    1. 7.1 Performance optimization and tuning
      1. 7.1.1 S-TAP optimization and tuning
      2. 7.1.2 Inspection Core performance and unit usage
      3. 7.1.3 Interactive reports
      4. 7.1.4 Audit process reports
      5. 7.1.5 Back up and purge
      6. 7.1.6 Central management
    2. 7.2 Maintenance and updates
      1. 7.2.1 Appliance updates
    3. 7.3 Diagnostic tools
      1. 7.3.1 Appliance diagnostic tools
      2. 7.3.2 Agents diagnostic tests
    4. 7.4 Restoring audit data for forensic analysis
      1. 7.4.1 Restore strategies
      2. 7.4.2 Restore audit process result sets
  11. Chapter 8. Disaster recovery
    1. 8.1 Overview
      1. 8.1.1 System backup and restore
      2. 8.1.2 Data archive and restore
      3. 8.1.3 Storage location
    2. 8.2 Appliance recovery
    3. 8.3 Appliance recovery steps
      1. 8.3.1 Stand-alone collector
      2. 8.3.2 Collector with Aggregator no CM
      3. 8.3.3 Aggregator: Not centrally managed
      4. 8.3.4 Centrally managed collector
      5. 8.3.5 Centrally managed aggregator
      6. 8.3.6 Dedicated central manager (no data aggregation)
  12. Chapter 9. Upgrade best practices
    1. 9.1 Content delivery for 32-bit and 64-bit systems
    2. 9.2 Compatibility considerations for 32-bit versus 64-bit systems
      1. 9.2.1 Central management
      2. 9.2.2 Aggregation
      3. 9.2.3 Central management and aggregation combo appliances
    3. 9.3 RAM memory considerations
    4. 9.4 Enterprise upgrade strategy
      1. 9.4.1 Change control management
      2. 9.4.2 Top-to-bottom rollout order
      3. 9.4.3 Strategies
      4. 9.4.4 Enterprise upgrade summary
    5. 9.5 Appliance upgrade methods
      1. 9.5.1 Resource download locator
      2. 9.5.2 Upgrading appliances by using V8.2 to V9.0p50 upgrade bundle
      3. 9.5.3 Rebuilding appliances with V9.1p100 (64-bit) ISO image and restoring the V8.2 or V9.0 backup
      4. 9.5.4 Building new separate V9.1p100(64-bit) appliances and gradually retiring the old ones
    6. 9.6 Agents upgrade methods
      1. 9.6.1 GIM upgrades
      2. 9.6.2 UNIX S-TAP upgrade
      3. 9.6.3 Windows S-TAP upgrade
    7. 9.7 Upgrading bundle monitoring and status validation
      1. 9.7.1 Health check monitoring
      2. 9.7.2 Upgrade process monitoring
      3. 9.7.3 Troubleshooting upgrade issues
  13. Chapter 10. Use cases
    1. 10.1 Creating an integrated change management report
      1. 10.1.1 Importing change tickets with Enterprise Integrator
      2. 10.1.2 Uploading the data from the external table
      3. 10.1.3 Defining the custom domain
      4. 10.1.4 Defining custom query with new external domain entities
      5. 10.1.5 Customizing the reports
    2. 10.2 Connection profiling and security best practices
  14. Chapter 11. Integration with other IBM products
    1. 11.1 Security and audit
      1. 11.1.1 BigInsights integration
    2. 11.2 Databases and data warehouses
      1. 11.2.1 Basic database activity monitoring
      2. 11.2.2 Advanced database activity monitoring
      3. 11.2.3 Basic vulnerability assessment
      4. 11.2.4 Advanced vulnerability assessment
    3. 11.3 Data lifecycle management integration
      1. 11.3.1 Identifying archive candidates
      2. 11.3.2 Auditing archive access
      3. 11.3.3 Test data management integration
      4. 11.3.4 Exchanging the sensitive information location with InfoSphere Discovery
    4. 11.4 Identifying the user activity
      1. 11.4.1 Custom identification procedures
      2. 11.4.2 GuardAppEvents and GuardAppUser
      3. 11.4.3 Setting client user ID
      4. 11.4.4 WebSphere application user information
      5. 11.4.5 CICS application user
      6. 11.4.6 InfoSphere MDM and Data Stage application user
      7. 11.4.7 Cognos application user
    5. 11.5 Security integration
      1. 11.5.1 Guardium and QRadar integration
      2. 11.5.2 Tivoli Netcool
      3. 11.5.3 IBM Security Access Manager for enterprise single sign-on
      4. 11.5.4 Tivoli Directory: Lightweight Directory Access Protocol
      5. 11.5.5 IBM Endpoint Manager and Guardium Integration
      6. 11.5.6 Tivoli Storage Manager and Guardium Integration
  15. Related publications
    1. Online resources
    2. Help from IBM
  16. Back cover