
Cloud data compliance with Guardium Insights SaaS DSPM

Explore how Guardium Insights SaaS DSPM enhances cloud data compliance

By Sudhagar Tiroucamou

In a multi-cloud environment, data sprawls across various platforms, making it challenging for enterprises to track its usage effectively. This lack of oversight can lead to compliance violations, damaging the enterprise's reputation and exposing it to severe penalties.

While many organizations have developed robust risk and compliance capabilities for on-premises data sources, achieving the same level of maturity in hybrid multi-cloud environments remains a significant challenge.

Key challenges faced by organizations in hybrid multi-cloud environments include:

  • Understanding data residency
  • Data leakage
  • Personally Identifiable Information (PII) exposure
  • Activity monitoring and reporting for auditing needs

When considering the product/solution, organizations have expectations in each of these categories:

  • Data residency: Solutions should provide comprehensive information about data residency in the cloud environment.
  • Preventing data leakage: Solutions should identify and prevent potential data leakage.
  • Preventing PII exposure: Solutions should offer controls to safeguard enterprise PII data from unauthorized access by third parties.
  • Data activity monitoring: Solutions should monitor critical data transactions, log them, assist in risk mitigation, and provide robust reporting for compliance auditing purposes.

This article explores how the capabilities of the IBM Security Guardium Insights SaaS offering can effectively address these requirements.

Prerequisites

An understanding of data security and compliance, including both contextual knowledge and technical solution implementation expertise.

Solution approach

IBM Security Guardium Insights is designed to offer a robust platform enabling the Data Security team to adopt a modern and enhanced approach to meet Data Security and Compliance requirements. IBM Security Guardium Insights SaaS (GI SaaS) represents the Software as a Service version of the product.

Data Security Posture Management (DSPM) with Guardium Insights SaaS provides visibility into data residency, encompassing the identification of shadow data, complete data flow analysis, and the discovery of data vulnerabilities.

IBM Guardium Insights SaaS DSPM, hereafter referred to as GI SaaS DSPM, is an agentless, non-intrusive, independent component within GI SaaS. It seamlessly connects to various customer SaaS applications and common cloud environments such as AWS, Azure, and GCP. Once connected, GI SaaS DSPM autonomously initiates data monitoring, providing essential compliance insights to the organization. For more information, see IBM Security Guardium Insights documentation.

Now, let's explore how this offering addresses the aforementioned compliance requirements.

Data residency

Once connected to cloud applications, GI SaaS DSPM initiates data investigation, with a key focus on data inventory. Data inventory provides comprehensive information about data sources within the cloud connection.

Data is classified into four categories:

  • Personal: Information identifying individuals such as name, email address, and phone numbers.
  • Development: Development environment-related information including AWS keys, GitHub tokens, and passwords.
  • Financial: Financial data such as credit card numbers, account numbers, and TIN information.
  • Identifiable: Other personally identifiable information (PII) such as SSN, driver's license, and passport numbers.

Custom categories can also be created, allowing GI SaaS DSPM to map entities accordingly. The Data Inventory page provides detailed insights into data within the connected cloud account, including geographical information. Drill-down capabilities enable a thorough understanding of data residency requirements.
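To make the four categories concrete, the following is an added example (not GI SaaS DSPM's own detectors or code) of a rule-based classifier that tags constructed sample records with the category names used above and rolls them up into a per-store inventory row with its region. The regular expressions, the Luhn check on candidate card numbers, the `add_custom_rule` helper, and all sample stores and records are this example's own assumptions; the AWS key value is the placeholder from AWS documentation.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added illustration, not GI SaaS DSPM's own detectors: each Rule maps a
# detected entity to one of the four category names used on the page.
# Patterns are deliberately simple; production classifiers use more context.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class Rule:
    category: str
    entity: str
    pattern: "re.Pattern[str]"
    validator: Optional[Callable[[str], bool]] = None

DEFAULT_RULES: List[Rule] = [
    Rule("Personal", "email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    Rule("Personal", "phone", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    Rule("Development", "aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("Development", "github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    Rule("Financial", "credit_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
         validator=lambda s: luhn_ok(re.sub(r"\D", "", s))),
    Rule("Identifiable", "ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]

def add_custom_rule(rules: List[Rule], category: str, entity: str, regex: str) -> List[Rule]:
    """Return a new rule set with a customer-defined category appended (hypothetical helper)."""
    return rules + [Rule(category, entity, re.compile(regex))]

def classify_record(text: str, rules: List[Rule] = DEFAULT_RULES) -> Dict[str, List[str]]:
    """Return {category: [entity, ...]} for every rule that fires on the text."""
    found: Dict[str, set] = {}
    for rule in rules:
        for m in rule.pattern.finditer(text):
            if rule.validator is None or rule.validator(m.group(0)):
                found.setdefault(rule.category, set()).add(rule.entity)
                break  # one validated hit is enough to tag the record with this entity
    return {cat: sorted(ents) for cat, ents in sorted(found.items())}

SAMPLE_STORES = {
    # Constructed sample data: store -> (region, records). Key/token values are placeholders.
    "s3://acme-prod-payments": ("us-east-1", [
        "Order 1042 paid with card 4111 1111 1111 1111, contact jane@example.com",
        "Order 1043 paid with card 4111 1111 1111 1112",  # fails Luhn: not tagged as a card
    ]),
    "s3://acme-dev-config": ("eu-west-1", [
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123",
    ]),
    "s3://acme-hr-eu": ("eu-central-1", [
        "Employee 88, SSN 123-45-6789, phone 555-123-4567",
    ]),
}

def build_inventory(stores=SAMPLE_STORES, rules: List[Rule] = DEFAULT_RULES) -> Dict[str, dict]:
    """Per-store view: region plus the categories and entities found, like a Data Inventory row."""
    inventory: Dict[str, dict] = {}
    for name, (region, records) in stores.items():
        cats: Dict[str, set] = {}
        for rec in records:
            for cat, ents in classify_record(rec, rules).items():
                cats.setdefault(cat, set()).update(ents)
        inventory[name] = {"region": region,
                           "categories": {c: sorted(e) for c, e in sorted(cats.items())}}
    return inventory

if __name__ == "__main__":
    for store, row in build_inventory().items():
        print(store, row["region"], row["categories"])
```

The Luhn validator is the part worth copying: a bare 16-digit regex would tag the second payment record as Financial, and false positives of that kind are what make an inventory untrustworthy for residency decisions. The region stored on each row is what a drill-down on data residency would pivot on.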

Figure: Data Inventory page

Note: GI SaaS DSPM does not store any data from these investigations to ensure compliance with regulatory norms for handling customer data.

For detailed information about data inventory, see the Data inventory topic in IBM Security Guardium Insights documentation.

Preventing data leakage

GI SaaS DSPM provides information about vulnerabilities associated with cloud data, categorized into two major groups: Security and Compliance. This information enables understanding of potential data leakage aspects and how to mitigate them.

For example, consider the Vulnerability Dashboard, where GI SaaS DSPM highlights a potential data leakage incident. This incident is classified as Exposed sensitive data, indicating public access to an S3 bucket, which could facilitate a data exfiltration attack. The affected S3 bucket contains credit card information, making it a compliance vulnerability.

Figure: Vulnerability Dashboard

Accompanying recommendations are provided to aid in risk mitigation. Various vulnerabilities, such as unencrypted data storage, sensitive data duplication, default write entitlements, and potential cross-country data flow, can also be identified.
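The "Exposed sensitive data" finding above combines two facts: the bucket's access configuration makes it public, and the inventory says it holds sensitive categories. The following added example (this article's illustration, not GI SaaS DSPM's own logic) evaluates constructed inputs in the shapes the S3 API returns for a bucket's Public Access Block settings and its bucket policy, and folds in the inventory categories to produce a finding in one of the page's two groups, Security or Compliance. The grouping rule, the remediation text, the bucket name, and the account id (the AWS documentation placeholder) are assumptions.

```python
import json
from typing import Any, Dict, List

# Added illustration of the "Exposed sensitive data" check, not GI SaaS DSPM's
# own logic. Inputs are constructed JSON in the shapes returned by the S3
# GetPublicAccessBlock and GetBucketPolicy APIs; 123456789012 is the AWS
# documentation placeholder account id.

PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": False,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}

BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-prod-payments/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/payments-app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::acme-prod-payments/*"},
    ],
})

# A wildcard grant that is scoped by a Condition is not treated as open here.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-prod-payments/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
    ],
})

SENSITIVE_CATEGORIES = {"Personal", "Financial", "Identifiable"}

def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]

def is_public_principal(principal: Any) -> bool:
    """'*' or {"AWS": "*"} means anyone, including anonymous requesters."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json: str) -> List[str]:
    """Sids of unconditional Allow statements granted to everyone."""
    policy = json.loads(policy_json)
    sids = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # conditional grants need a full policy evaluator; flag for review instead
        sids.append(st.get("Sid", "<no Sid>"))
    return sids

def assess_bucket(name: str, policy_json: str, access_block: Dict[str, bool],
                  categories: List[str]) -> Dict[str, Any]:
    """Combine policy exposure with inventory categories into one finding."""
    sids = public_statements(policy_json)
    # RestrictPublicBuckets makes public grants in an existing policy ineffective.
    exposed = bool(sids) and not access_block.get("RestrictPublicBuckets", False)
    if not exposed:
        return {"bucket": name, "finding": None}
    sensitive = sorted(SENSITIVE_CATEGORIES & set(categories))
    return {
        "bucket": name,
        "finding": "Exposed sensitive data" if sensitive else "Publicly accessible bucket",
        "group": "Compliance" if sensitive else "Security",
        "public_sids": sids,
        "sensitive_categories": sensitive,
        "remediation": ["remove or scope statements: " + ", ".join(sids),
                        "set BlockPublicPolicy and RestrictPublicBuckets to true"],
    }

if __name__ == "__main__":
    print(json.dumps(assess_bucket("acme-prod-payments", BUCKET_POLICY,
                                   PUBLIC_ACCESS_BLOCK, ["Financial"]), indent=2))
```

Two points the code makes explicit: a public policy statement is only an exposure when the account-level or bucket-level `RestrictPublicBuckets` setting is off, and a wildcard principal behind a `Condition` is a review item rather than an open bucket. Both distinctions are what separates a useful compliance finding from noise.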

For more information about the Vulnerability Dashboard, see the Vulnerabilities topic in IBM Security Guardium Insights documentation.

Preventing PII exposure

Another crucial aspect is providing information about third-party sources that have access to connected cloud applications. The Third-party Dashboard offers insights into cloud accounts accessed by third-party organizations, indicating whether they can access sensitive data and whether they adhere to certifications.

Figure: Third-party Dashboard

In the Third-Party Dashboard, it's evident that the third-party application Twilio Segment has access to the AWS production cloud account, along with associated details. The Action column on the far right of the table provides links to associated cloud data stores, enabling necessary actions to prevent sensitive data exposure to these third parties.

For detailed documentation about the Third-party Dashboard, see the Third parties topic in IBM Security Guardium Insights documentation.

Data activity monitoring

Data activity monitoring is seamlessly integrated into the Vulnerability Dashboard. Let's revisit the screen with additional details.

Figure: Vulnerability Dashboard with data activity details

In the same example of a potential data exfiltration vulnerability involving an S3 bucket, GI SaaS DSPM has identified that the bucket has public access. This insight is obtained through data flow investigation, where GI SaaS DSPM reports on various data access patterns, detailed data flow, cross-country data access, and identifies unnecessary or duplicate data flow paths.

These monitoring activities occur automatically and continuously as part of GI SaaS DSPM's monitoring feature.
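The data-flow investigation described above reduces to aggregating access events into distinct paths and then asking questions of those paths: who reaches the store anonymously, and who reaches it from another country. The following added example (an illustration for this article, not GI SaaS DSPM's monitoring code) runs those two checks over constructed S3-style access events. The region-to-country and store-to-country mappings, the principals, and the events are all assumptions.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Added illustration of data-flow analysis over access events; not GI SaaS
# DSPM's own monitoring. Every mapping and event below is constructed.

STORE_COUNTRY = {"acme-prod-payments": "US", "acme-hr-eu": "DE"}          # where each store lives
REGION_COUNTRY = {"us-east-1": "US", "eu-central-1": "DE", "ap-southeast-1": "SG"}  # requester origin

# (principal, source region, operation, store, object key)
EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("role/payments-app", "us-east-1", "GetObject", "acme-prod-payments", "orders/1042.json"),
    ("role/payments-app", "us-east-1", "GetObject", "acme-prod-payments", "orders/1043.json"),
    ("anonymous", "ap-southeast-1", "GetObject", "acme-prod-payments", "orders/1042.json"),
    ("role/hr-sync", "us-east-1", "GetObject", "acme-hr-eu", "employees.csv"),
    ("role/etl", "us-east-1", "PutObject", "acme-prod-payments", "copies/orders-1042.json"),
]

class Flow(NamedTuple):
    principal: str
    source_country: str
    store: str
    operation: str

def aggregate_flows(events=EVENTS, region_country=REGION_COUNTRY) -> Dict[Flow, int]:
    """Collapse individual events into distinct flow paths with a hit count."""
    counts: Counter = Counter()
    for principal, region, operation, store, _key in events:
        counts[Flow(principal, region_country.get(region, "UNKNOWN"), store, operation)] += 1
    return dict(counts)

def cross_country_flows(flows: Dict[Flow, int], store_country=STORE_COUNTRY) -> List[Flow]:
    """Flows whose requester sits in a different country than the data store."""
    return sorted(f for f in flows if f.source_country != store_country.get(f.store))

def anonymous_flows(flows: Dict[Flow, int]) -> List[Flow]:
    """Flows from unauthenticated requesters: evidence the store is effectively public."""
    return sorted(f for f in flows if f.principal == "anonymous")

def report(events=EVENTS) -> List[str]:
    """Human-readable findings in the order an analyst would triage them."""
    flows = aggregate_flows(events)
    lines = []
    for f in anonymous_flows(flows):
        lines.append(f"PUBLIC ACCESS  {f.store}: {f.operation} by anonymous "
                     f"from {f.source_country} ({flows[f]}x)")
    for f in cross_country_flows(flows):
        lines.append(f"CROSS-COUNTRY  {f.store}: {f.principal} in {f.source_country} "
                     f"({flows[f]}x)")
    return lines

if __name__ == "__main__":
    for line in report():
        print(line)
```

The anonymous read from a non-US region is the monitoring-side evidence for the same public-bucket finding shown on the dashboard, while the `role/hr-sync` read of the EU HR store from the US is the kind of cross-country data flow that a residency review needs to see even though the requester is fully authenticated.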

For more information about the Vulnerability Dashboard, see the Vulnerabilities topic in IBM Security Guardium Insights documentation.

Summary

This article provided information about how GI SaaS DSPM aids in addressing compliance requirements for customers using a hybrid multi-cloud environment for their data needs. GI SaaS already has capabilities for providing typical data security controls. By enabling GI SaaS DSPM, you can complement these controls with compliance measures, offering customers an end-to-end Data Security solution.

Next Steps

For more information about IBM Security Guardium Insights SaaS DSPM, see GI SaaS DSPM documentation.

To try out IBM Security Guardium Insights SaaS DSPM, start your 30-day IBM Security Guardium Insights SaaS trial. You can also request a personalized IBM Security Guardium Insights SaaS DSPM demo.