Thursday, January 2, 2014

Type 1 Guardium STAP for Guardium/Vormetric Data Encryption

by John Haldeman, Security Practice Lead

Today we open sourced a custom STAP for integrating Guardium Database Activity Monitoring and Guardium/Vormetric Data Encryption. This custom STAP can be found at the following GitHub repository:
https://github.com/johnhaldeman/GuardDETap

Guardium Database Activity Monitoring (Guardium DAM) and Guardium/Vormetric Data Encryption (Guardium/Vormetric DE) do a great job of working together to help audit and control the access to sensitive data in databases. This custom STAP receives syslog events sent from Guardium/Vormetric DE agents, translates those messages into the Guardium Universal Feed protocol, and transmits the data to a Guardium DAM collector for reporting and alerting.

It is fairly well known at this point that in order to ensure that all administrative user access to sensitive data is controlled and audited, you need both Guardium DAM and Guardium/Vormetric DE. For auditing, the Guardium DAM product monitors database client/server communication but does not provide detailed information on the access of files outside of the database engine. Guardium/Vormetric DE monitors direct access to the files, but has little visibility into the transactions being run through the database engine. Both products are needed to provide a complete picture of administrative access.

The same goes for prevention. Guardium/Vormetric DE prevents data breaches by system administrators by encrypting the data at rest while Guardium DAM prevents data breaches by DBAs through the database engine by preventing SQL statements from executing when those administrative users access sensitive data.

The GuardDETap custom STAP that we open sourced today processes the messages generated by Guardium/Vormetric DE agents and transmits them to a Guardium collector for reporting. In this way, administrative access to database resources can be reported on and managed in a single system. Alerts can then be sent from Guardium DAM, and incidents can be managed for both file-level access and access through the database engine.

How the GuardDETap fits into an environment that has Guardium DAM and Guardium/Vormetric DE installed

A good alternative to using this custom STAP is to send syslog messages from the Guardium/Vormetric DE agents and syslog messages from Guardium DAM to a SIEM (e.g. QRadar) for consolidated reporting. The GuardDETap is intended more for environments where both Guardium/Vormetric DE and Guardium DAM are installed but there is no SIEM, or where the customer prefers Guardium as the repository for file-level event auditing.

On a side note, much of the code in this new STAP was adapted from the mongoTap project. If you don't know already, MongoDB is now fully supported by the base Guardium product, so you no longer have to use a custom STAP for that database type.
