DB2 10.5 for Linux, UNIX, and Windows

IBM InfoSphere Guardium Data Encryption for encryption of data at rest

IBM® InfoSphere® Guardium® Data Encryption is a software data security solution that, when used in conjunction with native DB2® security, protects the data and the database application against a broad array of threats.

InfoSphere Guardium Data Encryption helps organizations ensure that private and confidential data is strongly protected and in compliance with regulations and legislative acts. The key benefits of InfoSphere Guardium Data Encryption are as follows:

InfoSphere Guardium Data Encryption enables you to encrypt offline database backups and online ("live") database files. This is encryption of data on disk, often called "data at rest", as opposed to "data in flight", which is data travelling over the network.

InfoSphere Guardium Data Encryption is transparent to users, databases, applications, and storage. No code changes or changes to the existing infrastructure are required. InfoSphere Guardium Data Encryption can protect data in any storage environment, and users continue to access data in the same way as before.

InfoSphere Guardium Data Encryption can protect database applications as well as data, because it can prevent changes to executable files, configuration files, libraries, and so on, thereby blocking attacks that rely on tampering with the application itself.

Note: For DB2 pureScale® environments, InfoSphere Guardium Data Encryption is supported only on AIX®. InfoSphere Guardium Data Encryption is not supported on other platforms that are running DB2 pureScale environments.

Architecture of InfoSphere Guardium Data Encryption

InfoSphere Guardium Data Encryption is a set of agent and server software packages that you administer by using a web-based user interface and command-line utilities. The InfoSphere Guardium Data Encryption administrator configures security policies that govern how access control and encryption are applied.

Depending on how these security policies are defined, the InfoSphere Guardium Data Encryption backup agent encrypts DB2 backups, and the InfoSphere Guardium Data Encryption file system agent encrypts DB2 data files.

The security server stores the security policies, the encryption keys, and the event log files. A security policy contains a set of security rules; an access request is allowed or denied according to which rule it satisfies. Each security rule evaluates who is accessing protected data, what data is being accessed, when, and how (for example, through which process). If a request matches a rule's criteria, the security server permits or denies the access as that rule specifies.

Figure 1 illustrates the architecture of InfoSphere Guardium Data Encryption.

Figure 1. Architecture of InfoSphere Guardium Data Encryption
Figure shows the security server, its agents and the backup and operating system files they protect.

File system agent

The InfoSphere Guardium Data Encryption file system agent process is always running in the background. The agent intercepts any attempt to access the data files, directories, or executables that you are protecting. The file system agent forwards the access attempt to the security server and, based on the applied policy, the security server grants or denies the attempted access.
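The following example, added here and not part of the InfoSphere Guardium Data Encryption product, models the rule evaluation described in the architecture section and the intercept-and-decide step described for the file system agent. The rule fields (user, process, path, action, time window), the first-match and default-deny semantics, the distinction between a permit that decrypts and a permit that returns only ciphertext, and the sample policy for a DB2 instance owner and a backup account are all assumptions made for illustration; the product's actual policy format is not shown on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Hypothetical model of a file system agent policy check (not product code).
# The rule fields mirror the who / what / when / how criteria described above.


@dataclass(frozen=True)
class AccessRequest:
    user: str        # who: OS user of the calling process
    process: str     # how: path of the binary making the call
    path: str        # what: file under a protected directory
    action: str      # how: "read", "write" or "exec"
    when: datetime   # when


@dataclass(frozen=True)
class Rule:
    users: Tuple[str, ...]        # glob patterns; "*" matches anyone
    processes: Tuple[str, ...]
    paths: Tuple[str, ...]
    actions: Tuple[str, ...]
    effect: str                   # "permit" or "deny"
    apply_key: bool = False       # permit AND decrypt, vs permit ciphertext only
    window: Optional[Tuple[time, time]] = None   # inclusive time-of-day window

    def matches(self, req: AccessRequest) -> bool:
        def any_match(patterns, value):
            return any(fnmatch(value, p) for p in patterns)
        if not (any_match(self.users, req.user)
                and any_match(self.processes, req.process)
                and any_match(self.paths, req.path)
                and any_match(self.actions, req.action)):
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= req.when.time() <= end):
                return False
        return True


Decision = Tuple[str, bool]   # (effect, plaintext returned to the caller?)


@dataclass
class Policy:
    rules: List[Rule]
    audit: List[dict] = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> Decision:
        """First matching rule wins; a request that matches no rule is denied."""
        for index, rule in enumerate(self.rules):
            if rule.matches(req):
                decision = (rule.effect, rule.effect == "permit" and rule.apply_key)
                self._record(req, decision, f"rule[{index}]")
                return decision
        decision = ("deny", False)
        self._record(req, decision, "default")
        return decision

    def _record(self, req: AccessRequest, decision: Decision, matched: str) -> None:
        # Every evaluation is logged, whether the access was permitted or denied.
        self.audit.append({
            "time": req.when.isoformat(), "user": req.user, "process": req.process,
            "path": req.path, "action": req.action, "matched": matched,
            "effect": decision[0], "plaintext": decision[1],
        })


def build_sample_policy() -> Policy:
    """Constructed sample policy for a protected DB2 data directory (assumed paths)."""
    return Policy(rules=[
        # The DB2 engine, running as the instance owner, gets decrypted data.
        Rule(users=("db2inst1",), processes=("/opt/ibm/db2/V10.5/adm/db2sysc",),
             paths=("/db2/data/*",), actions=("read", "write"),
             effect="permit", apply_key=True),
        # The backup account may copy files in a night window, but only as ciphertext.
        Rule(users=("backup",), processes=("/usr/bin/tar",),
             paths=("/db2/data/*",), actions=("read",),
             effect="permit", apply_key=False, window=(time(1, 0), time(5, 0))),
        # No catch-all rule: anything else falls through to the default deny.
    ])


def audit_count(policy: Policy) -> int:
    return len(policy.audit)
```

Note that a permitted identity receives plaintext regardless of the encryption, so the policy, not the key, is what stands between an attacker who has obtained the instance owner's credentials and the data.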

InfoSphere Guardium Data Encryption protection extends beyond simply allowing or denying access to a file: you can also encrypt files. Only the file contents are encrypted; the file metadata is left intact. Therefore, you do not have to decrypt an encrypted file just to see its name, timestamps, file type, and so on. This allows data management applications to perform their functions without exposing the file contents. For example, a backup manager can back up specific data without being able to see its contents.
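The following example, added here and not taken from the product, shows the property just described on an ordinary file: the contents are encrypted in place while the name, permission bits and timestamps are preserved, so a process without the key can still stat and copy the file but sees only ciphertext. The cipher is an HMAC-SHA256 counter-mode keystream used as a stand-in so the example runs with only the Python standard library (the product's actual cipher and on-disk layout are assumptions not stated on this page); the 16-byte nonce header means the file size is the one attribute this demo does change. The data file name and its contents are constructed.

```python
import hashlib
import hmac
import os
import shutil
import stat
import struct
import tempfile
from pathlib import Path

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real file cipher (assumption: the product uses a proper
    block cipher); a (key, nonce) pair must never be reused.
    """
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def _replace_preserving(path: Path, new_bytes: bytes, original: os.stat_result) -> None:
    """Atomically replace the contents, then restore mode and timestamps."""
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_bytes(new_bytes)
    os.replace(tmp, path)                      # same name, same directory entry
    os.chmod(path, stat.S_IMODE(original.st_mode))
    os.utime(path, ns=(original.st_atime_ns, original.st_mtime_ns))


def encrypt_in_place(path: Path, key: bytes) -> None:
    st = path.stat()
    nonce = os.urandom(NONCE_LEN)
    # The nonce is stored as a 16-byte header, so the size grows by 16 bytes;
    # name, mode and timestamps are carried over unchanged.
    _replace_preserving(path, nonce + _keystream_xor(key, nonce, path.read_bytes()), st)


def decrypt_in_place(path: Path, key: bytes) -> None:
    st = path.stat()
    blob = path.read_bytes()
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    _replace_preserving(path, _keystream_xor(key, nonce, body), st)


def demo() -> dict:
    """Encrypt a constructed data file, let a key-less 'backup manager' copy it,
    decrypt it again, and report which properties held."""
    key = hashlib.sha256(b"demo key that would live on the security server").digest()
    plaintext = b"DB2 table data: customer 42, balance 1000.00\n" * 50   # constructed
    fixed_mtime_ns = 1_400_000_000 * 10**9
    with tempfile.TemporaryDirectory() as d:
        data = Path(d) / "C0000001.LRG"            # constructed DB2-style container name
        data.write_bytes(plaintext)
        os.chmod(data, 0o640)
        os.utime(data, ns=(fixed_mtime_ns, fixed_mtime_ns))
        before = data.stat()

        encrypt_in_place(data, key)
        after = data.stat()

        # A backup manager without the key can list, stat and copy the file.
        copy = Path(d) / "backup" / data.name
        copy.parent.mkdir()
        shutil.copy2(data, copy)
        copied = copy.read_bytes()

        decrypt_in_place(data, key)
        return {
            "name_preserved": data.exists() and data.name == "C0000001.LRG",
            "mtime_preserved": after.st_mtime_ns == before.st_mtime_ns,
            "mode_preserved": stat.S_IMODE(after.st_mode) == 0o640,
            "copy_is_ciphertext": b"customer 42" not in copied
                                  and len(copied) == len(plaintext) + NONCE_LEN,
            "plaintext_recovered": data.read_bytes() == plaintext,
        }
```

The atomic rename is what keeps a crash during encryption from leaving a half-written file; the explicit chmod and utime are needed because the replacement file would otherwise carry the creating process's umask and the current time.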

If an encrypted file is accessed by an unauthorized user, its contents are worthless without the appropriate security server approval and encryption keys. Users with the correct policies and permissions, however, are unaware that encryption and decryption are taking place. The converse also holds: any user or process that the policy permits receives plaintext, so the policy rather than the encryption alone is what protects the data from an attacker who has obtained an authorized identity.

Backup agent

All database backup functions that are normally performed through the DB2 backup API are supported by the InfoSphere Guardium Data Encryption server, including native database compression. Other than an additional command-line argument, DB2 backup operators are unaware of the InfoSphere Guardium Data Encryption intervention. InfoSphere Guardium Data Encryption backs up and restores both static data at rest and active online data.

A basic backup and restore configuration is supported. In the basic configuration, data is encrypted and backed up by one security server and multiple agents; data is decrypted and restored on an agent that is configured with the same security server that was originally used to make the backup. Because the security server holds the encryption keys, a backup cannot be restored without access to that server (or to a server that has its configuration), so the availability of the security server and its keys must be part of your backup recovery plan.

Single-site and multi-site configurations are also supported for backup and restore. In a single-site configuration, configuration data is mirrored across multiple security servers in one data center. In a multi-site configuration, backups can be restored on different security servers in different data centers.

Audit logging

InfoSphere Guardium Data Encryption agent activity is monitored and logged through a centralized audit logging facility. All auditable events, including backups, restores, and security administration operations, can be logged. This includes InfoSphere Guardium Data Encryption system events, such as initialization, shutdown, and restart, and network connections and disconnections between the different InfoSphere Guardium Data Encryption components.