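Guardium Announces the First Solution for Blocking Privileged Users from Accessing Confidential and Sensitive Data - Spanning and Supporting All Major DBMS Platforms

May 23, 2008

For the first time, organizations can fully enforce separation of duties in data management - without disrupting business operations or the way DBAs do their work
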
Guardium S-GATE is the only technology that allows organizations to safeguard enterprise data and meet compliance requirements – such as Sarbanes-Oxley (SOX), PCI-DSS and data privacy laws – without the cost and complexity of modifying databases, application code or existing business processes, and without relying on “after-the-fact” mechanisms such as logging and alerting.

S-GATE’s ability to enforce granular access control policies that apply only to privileged users means that organizations can now implement robust preventive controls – without the risk of blocking legitimate business access. S-GATE also strengthens security and enforces separation of duties (SOD) by preventing DBAs from performing security functions such as creating new database accounts and elevating privileges for existing accounts. At the same time, authorized individuals can continue to use their super user or system privileges to perform day-to-day administrative tasks – including backups, patching and tuning – without interruption.

Exposing the Database Security Gap: Privileged User Access

Real-Time Preventive Controls; Zero Disruption to IT Infrastructures

• Executing queries on sensitive tables
• Changing sensitive data values
• Adding or deleting critical tables (schema changes) outside change windows
• Creating new user accounts and modifying privileges

S-GATE is completely non-intrusive, and does not require add-on functionality inside the database. As a result, it’s implemented quickly without disrupting business-critical applications such as Oracle E-Business Suite, PeopleSoft, Siebel, SAP, Business Objects and in-house applications.

S-GATE provides strong advantages over database-resident controls, including:

• Cross-Platform Support: S-GATE allows organizations to define a single set of access policies for their entire application and database infrastructure, rather than controlling access for only a specific DBMS platform or version.
• Ease-of-Use for Non-DBAs: Database-resident controls require DBAs to administer them – raising issues around separation of duties. S-GATE can be managed by IT security, compliance or risk teams because it uses simple, English-language policies that can be customized via drop-down menus, without requiring knowledge of database commands and structures. In addition, S-GATE uses a hardened, Linux-based network appliance to manage access policies, preventing privileged users from disabling or modifying policies, and further strengthening separation of duties.
• A Single Solution for Policy Enforcement and Auditing: Compliance regulations require storing a complete audit trail of all privileged user actions, in order to document compliance and aid in forensic investigations. DBMS vendors typically offer fine-grained auditing and audit repositories as separate add-ons. Guardium 7 offers policy enforcement and fine-grained auditing in a single solution, further reducing cost and complexity.
• Policies that Examine Query Results, Not Just Incoming Queries: Database-resident controls are limited to controlling execution of specific SQL commands on specific objects. S-GATE goes one step further by also examining query results. For example, a connection from an anomalous script or application that is suddenly seen to be extracting PII from the database can be terminated, while a valid application that extracts the same PII data will be allowed.
• Non-Stop Enforcement: Some database-resident controls must be turned off for routine maintenance operations such as backups and patching. During these maintenance windows, privileged users can take advantage of disabled controls to perform unauthorized actions. S-GATE provides continuous enforcement of access policies because it does not require disabling certain privileged accounts inside the database.

S-GATE, available with Guardium 7, is an extension to S-TAP (“software tap”), Guardium’s lightweight, host-based agent. Unique in the industry, S-TAPs are non-intrusive software probes that monitor network streams at the OS level of database servers, including both network access and local access by privileged users (via shared memory, named pipes, Oracle Bequeath, etc.). S-TAPs have minimal impact on server performance because they relay all traffic to separate Guardium appliances for policy evaluation, analysis, reporting and secure online storage of audit trails.

“Our customers have been asking for this capability because it is the ultimate in database security and separation of duties, and it’s essential for compliance,” said Ron Bennatan, Ph.D., Guardium CTO and author of Implementing Database Security and Auditing (Elsevier Digital Press, 2005). “Customers already using S-TAP can easily upgrade to S-GATE to start enforcing access at a very granular level – without disrupting their application environments.”

This is the fifth in a series of announcements revealing Guardium 7’s new capabilities. Other highlights include:

• The first solution to integrate database vulnerability assessment with other critical database security functions such as database activity monitoring, configuration auditing and policy-based controls, in a single system with a unified Web console, back-end data store and workflow automation system.
• The first solution to monitor encrypted database traffic such as Oracle ASO, IPSEC and other encryption methods, without the security risk and added complexity of uploading keys to the appliance.
• The first DAM solution to integrate with SIEM and log management leaders such as ArcSight ESM, CA, Cisco MARS, LogLogic, RSA enVision and SenSage.
• The first DAM solution to support Microsoft SQL Server 2008 and its advanced security features, such as monitoring of encrypted SSL connections.