IBM Guardium Data Protection Review

Capture mode collects all activity and Collector stores the data for traceability

What is our primary use case?

Guardium is used based on our Manual of Internal Procedures (MPI), and its uses range from creating a rule to generating customized reports. The main use case is the procedure "Investigate Incidents Recorded by Unauthorized Access," with action "notify by electronic message the manager and/or leader of the area."

How has it helped my organization?

Improved security through the visibility and control of all access to the databases.

What is most valuable?

The most valuable feature is using the capture operation mode “S-TAP/K-TAP agent”, because all activities in the database are captured, including direct access to the database server by privileged users. This is useful because, even if the database server logs were deleted, the Guardium Collector has already stored such data to enable traceability of access.
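The traceability point above (an independent, off-host copy of database activity survives deletion of the server's own log, and the gap itself becomes evidence) can be shown with a small reconciliation script. The following is an added example, not code from the review or from IBM Guardium: the record format, field names, the sample collector and host-log lines, the sensitive-table list and the allowlist are all constructed for illustration and do not reflect Guardium's real data formats or APIs.

```python
"""Reconcile independently captured database activity against the host's own log.

Constructed example: an agent has captured every statement (including direct,
local sessions by privileged OS users) and shipped it to an off-host collector.
Later, the host-side log is found to be missing entries. Comparing the two copies
(1) recovers the deleted activity and (2) flags the gap as a tampering indicator.
Record format 'ts|db_user|os_user|client|sql' is invented for this example.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DbEvent:
    ts: str        # ISO-8601 timestamp (constructed)
    db_user: str   # database login
    os_user: str   # OS account of the client process
    client: str    # client address, or "local" for direct access on the DB server
    sql: str       # statement text


# Constructed sample: what the off-host collector holds.
COLLECTOR_RECORDS = """
2024-03-01T09:00:01|app_svc|app|10.0.0.15|SELECT id FROM orders WHERE id = 42
2024-03-01T09:05:10|app_svc|app|10.0.0.15|UPDATE orders SET status = 'shipped' WHERE id = 42
2024-03-01T09:12:33|sysdba|root|local|SELECT * FROM hr.salaries
2024-03-01T09:13:02|sysdba|root|local|TRUNCATE TABLE db_audit_log
2024-03-01T09:20:45|analyst1|analyst1|10.0.0.22|SELECT count(*) FROM orders
"""

# Constructed sample: the host's own log after the local session's entries vanished.
HOST_LOG_RECORDS = """
2024-03-01T09:00:01|app_svc|app|10.0.0.15|SELECT id FROM orders WHERE id = 42
2024-03-01T09:05:10|app_svc|app|10.0.0.15|UPDATE orders SET status = 'shipped' WHERE id = 42
2024-03-01T09:20:45|analyst1|analyst1|10.0.0.22|SELECT count(*) FROM orders
"""


def parse_records(lines: Iterable[str]) -> list[DbEvent]:
    """Parse pipe-delimited records; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 4)   # sql may itself contain '|', so split at most 4 times
        if len(parts) != 5:
            raise ValueError(f"malformed record: {line!r}")
        events.append(DbEvent(*parts))
    return events


def missing_from_host_log(collector: list[DbEvent], host_log: list[DbEvent]) -> list[DbEvent]:
    """Events the collector captured that no longer appear in the host's log."""
    host_set = set(host_log)
    return [e for e in collector if e not in host_set]


def unauthorized_access(events: list[DbEvent], allowed_users: set[str],
                        sensitive_tables: set[str]) -> list[DbEvent]:
    """Flag statements that reference a sensitive table from a non-allowlisted login.

    Table detection is a plain case-insensitive substring match, which is enough
    for this constructed sample but not a substitute for real SQL parsing.
    """
    hits = []
    for e in events:
        sql = e.sql.lower()
        if e.db_user not in allowed_users and any(t.lower() in sql for t in sensitive_tables):
            hits.append(e)
    return hits


def incident_report(collector: list[DbEvent], host_log: list[DbEvent],
                    allowed_users: set[str], sensitive_tables: set[str]) -> dict:
    """Summary a notification rule could act on (e.g. mail the area manager)."""
    missing = missing_from_host_log(collector, host_log)
    return {
        "host_log_gaps": len(missing),
        "gap_sessions": sorted({(e.os_user, e.client) for e in missing}),
        "unauthorized": unauthorized_access(collector, allowed_users, sensitive_tables),
    }


if __name__ == "__main__":
    collector = parse_records(COLLECTOR_RECORDS.splitlines())
    host_log = parse_records(HOST_LOG_RECORDS.splitlines())
    report = incident_report(collector, host_log, {"hr_app"}, {"hr.salaries"})
    print(f"entries missing from host log: {report['host_log_gaps']} {report['gap_sessions']}")
    for e in report["unauthorized"]:
        print(f"unauthorized: {e.ts} {e.db_user}@{e.client} -> {e.sql}")
```

Running the script reports two entries missing from the host log, both from the local root session, and one unauthorized read of the sensitive table; the same unauthorized-access rule run over the host log alone would return nothing, which is exactly why keeping the captured copy off the database server matters.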

What needs improvement?

I have already mentioned to IBM that a primary need is to improve the number of records in the reports above 65,535.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Depending on the policy and rules applied, there is a need to increase the minimum requirements (RAM and storage - HD) for better operation and to avoid hardware slowdowns due to the high flow of traffic. IBM publishes "minimum" and "recommended" requirements. From experience with versions 9.x and 10.x, when installing Guardium it is important to verify IBM's "recommended" requirements for stability. It is worth mentioning that the requirements (minimum or recommended) are different for the Collector and the Aggregator.

What do I think about the scalability of the solution?

The two major Database Audit and Protection (DAP) solutions are IBM Guardium and Imperva SecureSphere. There are two modes of operation for these solutions: remote agent and sniffer (out-of-band). I recommended using the remote agent to capture direct access on the servers.

Note that in non-mainframe environments, both solutions are scalable. For the mainframe environment, Guardium has updated installation agents with the latest kernels and releases. This makes a big difference in companies with mainframes, so it is necessary to keep the technology pack updated.

Regardless of the mode of operation, when increasing the number of servers monitored it is important to re-evaluate or perform new sizing. The possible number of databases and database servers which can be monitored by Guardium is high. For me, this is a differentiator of IBM.

How is customer service and technical support?

On a "bad, good, and excellent" scale, I rate it as good.

Which solutions did we use previously?

Initially, there were two solutions to be evaluated: Oracle and Imperva. Oracle DAP was not evaluated because it does not monitor Linux-only or Windows Server-only environments.

I evaluated Imperva and got good results. However, there is a delay by Imperva in creating updated agents for Linux and Unix, including for mainframe. For me, this is a problem because it is necessary to always keep the environment up to date. If you update the kernel or release of mainframes and do not have the agent upgraded, the DAP will not monitor.

How was the initial setup?

For those who do not have experience, it is complex. There are several configurations to be made, from the configuration of NTP, IP, Mask, registration of the Collectors in the Central Manager, integration with other tools like storage (backup), LDAP, SIEM, through to the application of the policies and customized rules. Note: There are some pre-set rules that can also be customized.

What's my experience with pricing, setup cost, and licensing?

The price of Guardium is higher than the main competitor, Imperva. In addition, it's complex as the calculation of the licensing is done by Processor Value Unit (PVU).

However, before purchasing a DAP solution, it is important to analyze specific points to evaluate the cost-benefit of each tool. For example: Does the environment to be monitored have mainframes? If so, it's a point for Guardium. If not, a point for Imperva. Note: IBM is looking into a new licensing policy and reducing the price of Guardium.

What other advice do I have?

  1. Read important articles related to DAP such as the "2017 Planning Guide for Security and Risk Management."
  2. Gather information from the servers (operating system with version and database types with the versions) of the environment to be monitored.
  3. Check which DAP solutions can monitor the environment.
  4. List the “mandatory requirements” and “non-mandatory requirements.” It is important to have in mind which points will be evaluated.
  5. Request PoCs with the main DAP manufacturers (IBM, Imperva, and Oracle).
  6. Do the sizing with the topology to get an idea of the requirements and cost of the project.
Disclosure: I am a real user, and this review is based on my own experience and opinions.