A South American automotive financing company

Tightens data security and automates audit reporting across mainframe and distributed environments

Published on 01-Nov-2013

Customer:
A South American automotive financing company

Industry:
Banking

Solution:
InfoSphere Guardium Activity Monitor, Information Governance, Information Lifecycle Governance (ILG), System z Software

IBM Business Partner:
LeadComm

Overview

Two years ago, IT staff at this South American automotive financing company conducted a review of the bank’s IT security and governance programs. This effort was part of the bank’s ongoing work to protect client information. At the outset, a key focus area was database security. The bank had used an internally developed solution to control authorized access and secure information in application databases. However, this solution was decentralized and had to be updated to support timely audit reporting and compliance requirements.

Business need:
The bank’s internally developed tool to control database access and secure information did not provide the comprehensive capabilities needed to meet audit and compliance requirements.

Solution:
Working with IBM Business Partner LeadComm, the bank implemented IBM® InfoSphere® Guardium® Database Activity Monitor software to more effectively prevent unauthorized activities and monitor database changes across its distributed and mainframe application databases.

Benefits:
Helped tighten database security to better protect client data; reduced compliance reporting times by 99 percent; decreased staff needed to manage database monitoring by 75 percent

Case Study

Two years ago, IT staff at this South American automotive financing company conducted a review of the bank’s IT security and governance programs. This effort was part of the bank’s ongoing work to protect client information.

At the outset, a key focus area was database security. The bank had used an internally developed solution to control authorized access and secure information in application databases. However, this solution was decentralized and had to be updated to support timely audit reporting and compliance requirements. The challenge was to find a technology solution that would secure and safeguard the company’s critical financial and transactional information and provide a high level of granularity for defining security policies for all users.

The IT organization wanted to see exactly who accessed what information. For example, at times, developers need to access the bank’s production database to investigate application issues. When this type of temporary access is granted, it is critical that these privileged users are not making unauthorized changes to the data.

The bank needed a solution that would provide these capabilities for all application databases in both the distributed and mainframe environments.

Monitoring access across a heterogeneous environment

The IT team launched a Proof-of-Concept evaluation to assess off-the-shelf database monitoring solutions. At first, the evaluation criteria targeted separate solutions to support the bank’s databases in the distributed and IBM z/OS® mainframe environments. However, once the team learned about IBM InfoSphere Guardium Database Activity Monitor software, the criteria changed as staff members realized that they could have one solution for application databases in both their mainframe and distributed environments.

IBM Business Partner LeadComm assisted the team with the implementation.

Gaining greater visibility into database transactions

With the new solution, the organization can continuously monitor access and automate compliance controls across its distributed and mainframe application databases. Using the platform, IT staff can easily:
● Define database security and access policies and track these activities at a detailed level of granularity
● Locate and classify sensitive information in the organization’s application databases
● Evaluate the vulnerabilities and imperfections of database configurations
● Confirm that configurations are not modified after they are applied
● Automate compliance and reporting processes, including report distribution

This increased visibility is helping the organization confirm that client data is protected. Today, just one IT staff member can manage control across all databases. The organization estimates that it would have probably needed four people to do this work without InfoSphere Guardium software, taking IT staff away from other critical projects.

Additionally, audit and compliance reporting processes are automated and can now be completed 99 percent faster—a huge time saver for IT staff. For example, in the past, a database administrator (DBA) had to manually check database log files and then create the compliance reports—a process that used to take tens of hours. This work can now be completed in minutes.

Audit reports delivered to external regulatory entities verify that the bank has the proper controls and security measures in place.

Alerting business users to important database changes

The project began as many IT projects do. Its focus was on solving a specific business issue—in this case monitoring database activity to prevent unauthorized access to data. However, the team quickly realized that it could use the new solution to deliver greater oversight to business managers.

For example, certain data, such as interest rates, can be changed only at certain times of the year. Previously, IT personnel could know if a user was allowed to make a change, but had no way of knowing when the change was made. Now, the solution alerts business managers, for example, when interest rates are changed in the system. They can also confirm that only authorized users made the changes and that the changes were made within the permitted timeframe.

Solution components
Software
● IBM® InfoSphere® Guardium® Database Activity Monitor
● IBM InfoSphere Guardium Database Activity Monitor for z/OS®
IBM Business Partner
● LeadComm

For more information

To learn more about IBM InfoSphere Guardium Database Activity Monitor software, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/guardium

For more information about LeadComm, visit: www.leadcomm.com.br

Products and services used

IBM products and services that were used in this case study.

Software:
InfoSphere Guardium Database Activity Monitor, InfoSphere Guardium, InfoSphere Guardium Database Activity Monitor for z/OS

Operating system:
z/OS and OS/390

Legal Information

© Copyright IBM Corporation 2013 IBM Corporation Software Group Route 100 Somers, NY 10589 Produced in the United States of America November 2013 IBM, the IBM logo, ibm.com, InfoSphere, Guardium, and z/OS are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party. IMC14770-USEN-00