
IBM Software
Thought Leadership White Paper
September 2011

Data security and privacy
A holistic approach


Executive summary

News headlines about the increasing frequency of stolen information and identity theft have focused awareness on data security and privacy breaches—and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties and even jail time. Organizations also risk losing customer loyalty and destroying brand equity. The impact is serious enough to have caused the demise of numerous previously prosperous organizations.

Companies rely on data to support daily business operations, so it is essential to ensure privacy and protect data no matter where it resides. Also, different types of information have different protection and privacy requirements; therefore, organizations must take a holistic approach to protecting and securing their information:

● Understand where the data exists: You can’t protect sensitive data unless you know where it resides and how it’s related across the enterprise.

● Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents and forms requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.

● Protect non-production environments: Data in non-production, training and quality assurance environments needs to be protected yet still usable during the application development, testing and training processes.

● Secure and continuously monitor access to the data: Enterprise databases and file shares require real-time insight to ensure data access is protected and audited. Policy-based controls are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, databases and file shares need to be protected against new threats or other malicious activity and continually monitored for weaknesses.

● Demonstrate compliance to pass audits: It’s not enough to develop a holistic approach to data security and privacy. Organizations must also demonstrate compliance and prove it to third-party auditors.

IBM® InfoSphere® solutions for data security and privacy are designed to support this holistic approach, helping your organization protect itself against a complex threat landscape while remaining focused on your business goals.

Making sense of the buzz: Why the growing focus on data protection?

According to Forrester Research’s February 2011 independent report, Forrsights: The Evolution Of IT Security, 2010 To 2011, IT security remains a hotbed of activity and growth as firms struggle with a more menacing, capable threat landscape; respond to a growing body of regulation and third-party requirements; and adapt to an unprecedented level of IT upheaval.[1]

Much of this focus is specifically positioned around a few key themes: new cyber security threats (such as Stuxnet and Aurora); changing IT architectures (such as virtualization in the data center, open enterprise initiatives, consumerization and employee mobility); regulations (especially PCI and other data privacy directives); and growing pressures around third-party mandates.

During the past several years, according to the Forrester report, “security has steadily risen in visibility achieving board-level attention and support.” For example, Forrester’s research indicates 54 percent of enterprise Chief Information Security Officers (CISOs) report to a C-level executive and 42 percent of them report outside of the IT department.[1] These percentages reflect the increasing business relevance security has in organizations of all types, across diverse industries. The number of organizations that view security as a high or critical priority is now at its highest level in recent years.


Many factors are fueling this increased focus on data security and privacy, as detailed below.

Changes in IT environments and evolving business initiatives

Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobility, Web 2.0 and social networking. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of sensitive data, including customer information, trade secrets, development plans, competitive differentiators and more.

Smarter, more sophisticated hackers

Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern for organizations. According to the same Forrester report mentioned previously, security attacks now have a far more damaging business impact compared to ten years ago.[1]

Previously the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, the theft of customer data or corporate data, such as trade secrets, could result in billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization’s reputation.

Regulatory compliance mandates

Regulatory mandates are too numerous and varied to name here, and they affect organizations around the globe. Some of the most prevalent mandates include: the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), enforcement of which has firmly started expanding beyond North America, the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates comes increased pressure to show immediate compliance.

Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.

Information explosion

The explosion in electronic information is mind boggling. IDC estimates that 45 gigabytes of data currently exists for each person on the planet, or an astonishing 281 billion gigabytes in total. While a mere five percent of that data will end up on enterprise data servers, it is forecast to grow at a staggering 60 percent per year, resulting in 14 exabytes of corporate data by 2011. The information explosion has made access to public and private information a part of everyday life. Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.[2]

Inside threats

A high percentage of data breaches actually emanate from internal weaknesses. Examples range from employees who may misuse payment card numbers and other sensitive information, to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides—including with business partners, vendors or other third parties.

In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains, and towards building security and privacy policies and procedures into the enterprise.

Organizations are also considering implementing strategic recovery plans. Such plans require proving risks have been mitigated, continually demonstrating compliance over time—even in the face of new threats—and finding ways to engender trust even after an incident occurs.


Security versus privacy

Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both.

Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears’ medical records. The hospital’s security policies were honored, since physicians require access to medical records, but privacy concerns exist, since the physicians were accessing the file out of curiosity and not for a valid medical purpose.

The stakes are high: Risks associated with insufficient data security and privacy

Corporations and their officers may face fines from $5,000 to $1,000,000 per day, and possible jail time if data is misused. According to 2010 Ponemon research, for the fifth year in a row, data breach costs have continued to rise. The average organizational cost of a data breach in 2010 increased to $7.2 million, up 7 percent from $6.8 million in 2009. Total breach costs have grown every year since 2006. Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from 2009.[3]

The most expensive breach studied by Ponemon in 2010 took $35.3 million to resolve, up $4.8 million (15 percent) from 2009. The least expensive data breach was $780,000, up $30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.[2]

Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.

Some common sources of risk include:

● Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.

● Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges.

● SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.

● Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is particularly relevant to the database environment and frequently overlooked.

● Exposure of backup data. Some recent high profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.
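Of the risks listed above, SQL injection and excessive privileges are the two that a short program can make concrete. The following is an added example written for this page (it is not code from the white paper or from IBM). It builds an in-memory SQLite table with made-up account data and compares a lookup that splices the user's input into the SQL text with the same lookup using a bound parameter. The read-only authorizer at the end stands in for the least-privilege point: the application account is denied the writes it never needs, so an injected UPDATE fails even where the injection itself succeeds. SQLite's authorizer hook is used here in place of a server DBMS's GRANT/REVOKE; the table, account names and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data; owners, card numbers and balances are fictitious.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111", 120.50),
    ("bob", "5500-0000-0000-0004", 980.00),
    ("carol", "3400-0000-0000-009", 42.00),
]


def build_db():
    """In-memory SQLite database with one 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, card TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """Front-end style lookup that splices user input into the SQL text.
    This is the defect the text describes: the input is parsed as SQL."""
    sql = "SELECT owner, card FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Same query with the value bound as a parameter: the driver passes it
    as data, so quotes and OR clauses inside it are never parsed as SQL."""
    sql = "SELECT owner, card FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def restrict_to_reads(conn):
    """Least privilege for the application account. SQLite has no GRANT, so
    an authorizer callback refuses INSERT/UPDATE/DELETE at prepare time;
    on a server DBMS this is a role that holds SELECT only."""
    denied = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def demo():
    """Returns (rows leaked by injection, rows from the safe query,
    whether a write through the restricted connection was blocked)."""
    conn = build_db()
    payload = "x' OR '1'='1"   # classic tautology: WHERE owner = 'x' OR '1'='1'
    leaked = lookup_vulnerable(conn, payload)    # every row comes back
    safe = lookup_parameterized(conn, payload)   # no owner has that literal name
    restrict_to_reads(conn)
    try:
        conn.execute("UPDATE accounts SET balance = 0 WHERE owner = 'bob'")
        write_blocked = False
    except sqlite3.DatabaseError:               # "not authorized"
        write_blocked = True
    return len(leaked), len(safe), write_blocked


if __name__ == "__main__":
    print(demo())
```

The two lookups send the same bytes to the same table; only the vulnerable one lets the payload change the query's structure. The authorizer does not fix the injection, it limits what a successful injection can do, which is the reason the first bullet in the list matters independently of the third.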


[Figure 1 chart: breach cost by activity for 2010, 2009 and 2008. Lost customer business due to churn is the largest component at 39%, 40% and 43% respectively; the other activities are legal services (defense), investigations and forensics, audit and consulting services, customer acquisition costs, inbound contact costs, outbound contact costs, legal services (compliance), identity protection services, free or discounted services, and public relations/communications; their individual percentages are not legible in this extraction.]

Figure 1: Percent of breach costs by specific cost activity, 2008-10.

Barriers to implementation: Challenges associated with protecting data

So with the market focused on security and the risks clearly documented, why haven’t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?

The reality is significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise. Next, few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise, including IT staff, business leaders, operations and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don’t protect a diverse set of data types in both structured and unstructured settings and do not scale as organizations grow. Finally, the rising number of compliance regulations with time-sensitive components adds more operational stress, rather than clarifying priorities.

Organizations require a fresh approach to data protection—one which ensures organizations build security and privacy rules into their best practices and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.

Leveraging a holistic data security and privacy approach

Organizations need a holistic approach to data protection. This approach should protect diverse data types across different locations throughout the enterprise, including the protection of structured and unstructured data in both production and non-production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.

To get started, organizations should consider four key questions. These questions are designed to help focus attention on the most critical data vulnerabilities:

1. Where does sensitive data reside across the enterprise?

2. How can access to your enterprise databases be protected, monitored and audited? How can data be protected from both authorized and unauthorized access?

3. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?

4. Can data in your non-production environments be protected, yet still be usable for training, application development and testing?


The answers to these questions provide the foundation for a holistic approach to data protection. They help organizations focus in on key areas they may be neglecting with current approaches.

1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships no matter the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).

2. Database activity monitoring provides privileged and non-privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring administrator activity. The technology also improves database security by detecting unusual database read and update activity from the application layer. Database event aggregation, correlation and reporting, which are also part of database activity monitoring, provide a database audit capability without the need to enable native database audit functions. Database activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved database administrator (DBA) access.

3. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “need-to-know” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.

4. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments, and ensures that even if the data is stolen, exposed or lost, it is of no use to anyone, provided the masking cannot be reversed from the masked values alone.
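Item 2 above describes the detection side of database activity monitoring. The following is an added example for this page, not the white paper's or any IBM product's logic: it applies four hypothetical policies to a constructed stream of captured statements (a monitoring appliance would collect these from the network or a host agent rather than from native logs, which is the independence the text refers to). The one-line log format, account names, addresses, table names and thresholds are all assumptions made for the demonstration.

```python
import re
from collections import Counter

# Policy inputs (hypothetical): which tables are sensitive, which accounts are
# DBAs, which service accounts exist and where they may connect from.
SENSITIVE_TABLES = {"patients", "cards"}
PRIVILEGED_USERS = {"dba_jane"}
APP_ACCOUNTS = {"app_billing": {"10.0.1.5"}}   # service account -> allowed source hosts
BASELINE_ROWS = {"app_billing": 50}             # typical rows returned per statement
BULK_FACTOR = 10                                # alert above 10x the baseline
FAILED_LOGIN_THRESHOLD = 3

# Constructed captured-traffic records in a simple one-line format.
SAMPLE_EVENTS = [
    "2011-09-01T09:00:01 user=app_billing src=10.0.1.5 rows=1 sql=SELECT card FROM cards WHERE customer_id=42",
    "2011-09-01T09:00:02 user=app_billing src=10.0.1.5 rows=1 sql=UPDATE invoices SET paid=1 WHERE id=7",
    "2011-09-01T09:05:00 user=dba_jane src=10.0.2.9 rows=0 sql=ALTER TABLE invoices ADD COLUMN note TEXT",
    "2011-09-01T09:06:10 user=dba_jane src=10.0.2.9 rows=3120 sql=SELECT * FROM patients",
    "2011-09-01T09:10:00 user=app_billing src=10.0.1.5 rows=9800 sql=SELECT card FROM cards WHERE customer_id=42 OR 1=1",
    "2011-09-01T09:12:00 user=app_billing src=192.168.7.30 rows=1 sql=SELECT card FROM cards WHERE customer_id=9",
    "2011-09-01T09:13:00 user=svc_report src=10.0.3.1 rows=0 sql=LOGIN_FAILED",
    "2011-09-01T09:13:02 user=svc_report src=10.0.3.1 rows=0 sql=LOGIN_FAILED",
    "2011-09-01T09:13:04 user=svc_report src=10.0.3.1 rows=0 sql=LOGIN_FAILED",
    "2011-09-01T09:13:06 user=svc_report src=10.0.3.1 rows=0 sql=LOGIN_FAILED",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$"
)
# Table names following FROM/JOIN/INTO/UPDATE; enough for the sample statements.
TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    return ev


def tables_in(sql):
    return {t.lower() for t in TABLE_RE.findall(sql)}


def evaluate(lines):
    """Return a list of (policy, user, detail) alerts for the captured events."""
    alerts = []
    failures = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, src, sql = ev["user"], ev["src"], ev["sql"]
        if sql == "LOGIN_FAILED":
            failures[user] += 1
            continue
        touched = tables_in(sql)
        is_select = sql.lstrip().upper().startswith("SELECT")
        # A DBA's job is schema and maintenance work, not reading patient rows:
        # this is the separation-of-duties compensating control from the text.
        if user in PRIVILEGED_USERS and is_select and touched & SENSITIVE_TABLES:
            alerts.append(("privileged_read_of_sensitive", user, sorted(touched & SENSITIVE_TABLES)))
        if user in APP_ACCOUNTS:
            # Application credentials used from a host that is not the application.
            if src not in APP_ACCOUNTS[user]:
                alerts.append(("app_account_from_unknown_host", user, src))
            # Unusual read volume from the application layer (e.g. an injection dumping a table).
            if ev["rows"] > BULK_FACTOR * BASELINE_ROWS.get(user, 1):
                alerts.append(("app_bulk_read", user, ev["rows"]))
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed_login_burst", user, n))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the DBA's schema change passes while the DBA's read of the patients table is flagged; the application account's 9,800-row read and its use from an unexpected workstation are flagged separately, and the failed-login run is reported once, as a count, rather than as four events.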

Meeting data security and privacy challenges with IBM InfoSphere

What makes IBM’s approach to data protection unique? Expertise. The IBM Information Governance Council was established in 2005 with a focus on governance and continuous process improvement. The collaboration of top global organizations, business partners and industry experts forms the council, and their collective experiences are built into IBM InfoSphere data security and privacy offerings.

The alignment of people, process, technology and information separates the IBM InfoSphere data security and privacy solutions from the competition. The goal of the IBM InfoSphere portfolio is to help organizations meet legal, regulatory and business obligations without adding additional processes. The IBM InfoSphere solutions focus on process optimization to support business goals, which can help organizations develop strategic advantages. The goal is to help organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth.

IBM InfoSphere solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data no matter where it lives. IBM InfoSphere solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications—Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM—as well as most custom and packaged applications. Finally, IBM InfoSphere supports access monitoring for file sharing software such as Microsoft SharePoint.

IBM InfoSphere provides a unique three-tiered approach to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit.

Understand and define

Organizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic and hidden relationships might be enforced behind the scenes.

Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.

IBM InfoSphere Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments.

Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis—with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.

In summary, IBM InfoSphere Discovery helps organizations:

● Locate and inventory the databases across the enterprise

● Identify sensitive data and classify it

● Understand data relationships

● Define and document privacy rules

● Document and manage ongoing requirements and threats

Secure and protect

Data security and privacy solutions should span a heterogeneous enterprise and protect both structured and unstructured data across production and non-production environments. IBM InfoSphere solutions help secure sensitive data values in databases, in ERP/CRM applications and also in unstructured environments such as forms and documents. Key technologies include database activity monitoring, data masking, data redaction and data encryption. A holistic data protection approach ensures 360-degree lockdown of all organizational data.


[Figure 2 matrix: controls by data type, covering production and non-production systems.]

● Structured data, online (data in daily use), in heterogeneous databases (Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata): DB activity monitoring, DB vulnerability assessment, data masking, data encryption

● Structured data, offline (data extracted from databases): data encryption, data masking

● Unstructured data not in databases (file shares, e.g. SharePoint; .TIF, .PDF, .doc, scanned documents): data redaction, access monitoring for file shares

Figure 2: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments.

For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments.

Structured data: This data is based on a data model and is available in structured formats like databases or XML.

Unstructured data: This data is in forms or documents which may be handwritten or typed, such as word processing documents, email messages, pictures, digital audio and video.

Online data: This is data used daily to support the business, including metadata, configuration data or log files.

Offline data: This is data in backup tapes or on storage devices.

IBM InfoSphere Guardium® Database Security provides a database security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to:

● Assess database vulnerabilities and configuration flaws

● Ensure configurations are locked down after recommended changes are implemented

● Provide 100-percent visibility and granularity into all database transactions—across all platforms and protocols—with a secure, tamper-proof audit trail that supports separation of duties

● Track activities on major file sharing platforms like Microsoft SharePoint


● Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins

● Automate the entire compliance auditing process—including report distribution to oversight teams, sign-offs and escalations—with pre-configured reports for SOX, PCI DSS and data privacy

● Create a single, centralized audit repository for enterprise-wide compliance reporting, performance optimization, investigations and forensics

● Easily scale from safeguarding a single database to protecting thousands of databases in distributed data centers around the world

IBM InfoSphere Guardium Data Redaction is designed to protect unstructured information. Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes and increase organizations’ risk of exposure.

IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.

IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements, including:

● Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information

● Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and email addresses

● Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms

With InfoSphere Optim, companies can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.
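The three masking properties listed above (realistic output, context-aware routines for card and Social Security numbers, and persistence across tables and systems) also serve point 4 of the earlier list on de-identifying non-production data. The following is an added example for this page and is not Optim's implementation: each routine derives its replacement from a keyed HMAC of the original value, so the same input always masks to the same output wherever it appears, while nobody without the masking key can recompute or reverse the mapping. Card numbers keep their issuer prefix and layout and get a recomputed Luhn check digit so application validation still passes. The masking key, name pools and sample rows are assumptions made for the demonstration.

```python
import hmac
import hashlib

# Hypothetical masking secret. It lives with the masking job or a key manager,
# never in the non-production environment that receives the masked copy;
# without it the mapping cannot be reversed or recomputed.
MASK_KEY = b"example-masking-key-not-for-production"

# Small fictitious name pools; a real routine uses large dictionaries.
FIRST_NAMES = ["Alex", "Blake", "Casey", "Dana", "Eli", "Frankie", "Gale", "Harper"]
LAST_NAMES = ["Stone", "Rivers", "Field", "Brook", "Hill", "Lake", "Wood", "Marsh"]


def prf(value, label):
    """Keyed, deterministic digest: the same input masks the same way in every
    table, database and run, which is what keeps joins intact after masking."""
    msg = label.encode() + b"\0" + value.encode()
    return hmac.new(MASK_KEY, msg, hashlib.sha256).digest()


def digits_from(digest, n):
    """Derive n decimal digits from a digest, extending it by hashing if needed."""
    out, block = "", digest
    while len(out) < n:
        out += "".join(str(b % 10) for b in block)
        block = hashlib.sha256(block).digest()
    return out[:n]


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:              # doubled positions, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(card):
    """Keep the issuer prefix, length and separator layout; replace the account
    digits with keyed output; recompute the check digit so the result looks
    real to application validation."""
    raw = "".join(ch for ch in card if ch.isdigit())
    body = raw[:6] + digits_from(prf(raw, "card"), len(raw) - 7)
    new = iter(body + luhn_check_digit(body))
    return "".join(next(new) if ch.isdigit() else ch for ch in card)


def mask_ssn(ssn):
    d = digits_from(prf(ssn, "ssn"), 9)
    return "%s-%s-%s" % (d[:3], d[3:5], d[5:])


def mask_name(full_name):
    d = prf(full_name.strip().lower(), "name")
    return "%s %s" % (FIRST_NAMES[d[0] % len(FIRST_NAMES)], LAST_NAMES[d[1] % len(LAST_NAMES)])


MASKERS = {"name": mask_name, "ssn": mask_ssn, "card": mask_card}


def mask_table(rows):
    """Mask every column that has a routine; leave the rest untouched."""
    return [{col: (MASKERS[col](val) if col in MASKERS else val) for col, val in row.items()}
            for row in rows]


if __name__ == "__main__":
    # Constructed rows from two tables that share the card number as a join key.
    customers = mask_table([{"id": 1, "name": "Jane Roe", "ssn": "123-45-6789",
                             "card": "4111-1111-1111-1111"}])
    payments = mask_table([{"pay_id": 7, "card": "4111-1111-1111-1111", "amount": 9.50}])
    print(customers, payments, customers[0]["card"] == payments[0]["card"])
```

Because the replacement is a function of the original value and a key, the customers and payments tables can be masked independently, on different systems and at different times, and still join on the masked card number. Keeping the issuer prefix is a choice about realism; it leaks nothing that would identify the cardholder, but the masking key must be treated as sensitive as the data, since anyone holding it can confirm a guessed original by recomputing its mask.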

Figure 3: Personally identifiable information is masked with realistic but fictional data for testing and development purposes.


IBM InfoSphere Guardium Encryption Expert provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Encryption Expert helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security.

Unlike invasive approaches such as column-level database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Encryption Expert offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption-based control over reads, writes and access to encrypted contents. This high-performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive data-centric security for virtually any file, database or application—anywhere it resides.

In summary, InfoSphere Guardium Encryption Expert provides:

● A single, consistent, transparent encryption method across complex enterprises

● An auditable, enterprise-executable, policy-based approach

● Among the fastest implementation processes achievable, requiring no application, database or system changes

● Simplified, secure and centralized key management across distributed environments

● Intelligent, easy-to-customize data security policies that provide strong, persistent data security

● Strong separation of duties

● Top-notch performance with proven ability to meet SLAs for mission critical systems

[Figure 4 shows a sample name and address, “John Smith, 401 Main Street Apt 2076, Austin, TX 78745-4548”, encrypted to unreadable ciphertext and decrypted back to the original.]

Figure 4: Personally identifiable information is encrypted, making it meaningless without the proper key.

IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-IBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). Tivoli Key Lifecycle Manager provides the following data security benefits:

● Centralize and automate the encryption key management process

● Enhance data security while dramatically reducing the number of encryption keys to be managed

● Simplify encryption key management with an intuitive user interface for configuration and management

● Minimize the risk of loss or breach of sensitive information

● Facilitate compliance management of regulatory standards such as SOX and HIPAA

● Extend key management capabilities to both IBM and non-IBM products

● Leverage open standards to help enable flexibility and facilitate vendor interoperability
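The two product sections above describe one pattern: data encrypted at rest under a per-record data key, that data key wrapped by a key-encryption key held in a central key manager, policy deciding which requests receive plaintext, and key rotation handled centrally without rewriting the stored data. The following Python is an added example, not code from the paper or from any IBM product, that implements that pattern end to end so the claims in Figure 4 and the key-lifecycle bullets can be checked on a constructed record. To stay on the standard library it uses HMAC-SHA256 in counter mode with a separate HMAC tag as a stand-in for an authenticated cipher; a real deployment uses AES-GCM from a vetted library and a KMIP server in place of the in-process KeyManager. The principal names, key identifiers, policy table and the John Smith record are all constructed for the example.

```python
"""Envelope encryption of a PII record with a central key manager (demonstration).

Per-record data key (DEK) wrapped by a central key-encryption key (KEK); policy
gates who receives plaintext; KEK rotation re-wraps DEKs without touching data."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a standard-library stand-in for a block
    cipher mode. Production code uses AES-GCM from a vetted library instead."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting: a wrong key or a
    modified byte fails here, so the ciphertext is useless without the key."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """In-process stand-in for a central key lifecycle manager (a KMIP server
    in practice). KEKs never leave this object; callers hold only wrapped DEKs."""

    def __init__(self):
        self._keks, self.current_kek_id, self.audit_log = {}, None, []
        self.rotate()

    def rotate(self):
        """Create a new KEK and make it current. Older KEKs stay available for
        unwrapping until every DEK has been re-wrapped under the new one."""
        kek_id = f"kek-{len(self._keks) + 1:03d}"  # hypothetical id scheme
        self._keks[kek_id] = secrets.token_bytes(32)
        self.current_kek_id = kek_id
        self.audit_log.append(("rotate", kek_id))
        return kek_id

    def _wrap(self, dek, kek_id):
        # The KEK id is bound in as associated data so a wrapped DEK cannot be
        # presented under a different key id.
        return {"kek_id": kek_id, "wrapped": seal(self._keks[kek_id], dek, kek_id.encode()).hex()}

    def new_wrapped_dek(self):
        """Return a fresh DEK together with its wrapped form for storage."""
        dek = secrets.token_bytes(32)
        return dek, self._wrap(dek, self.current_kek_id)

    def unwrap(self, wrapped):
        kek_id = wrapped["kek_id"]
        self.audit_log.append(("unwrap", kek_id))
        return open_sealed(self._keks[kek_id], bytes.fromhex(wrapped["wrapped"]), kek_id.encode())

    def rewrap(self, wrapped):
        """Move a DEK to the current KEK after rotation; stored data is untouched."""
        return self._wrap(self.unwrap(wrapped), self.current_kek_id)


# Hypothetical access policy: which principals may receive decrypted records.
POLICY = {"billing-app": True, "backup-operator": False}


def encrypt_record(km, record):
    """Envelope-encrypt one record: a new DEK per record, wrapped by the current KEK."""
    dek, wrapped = km.new_wrapped_dek()
    return {"wrapped_dek": wrapped,
            "ciphertext": seal(dek, json.dumps(record, sort_keys=True).encode()).hex()}


def read_record(km, envelope, principal):
    """Policy-gated read: an allowed principal gets the record back; anyone else
    gets only the opaque ciphertext, which carries no recoverable PII."""
    if not POLICY.get(principal, False):
        km.audit_log.append(("denied", principal))
        return envelope["ciphertext"]
    dek = km.unwrap(envelope["wrapped_dek"])
    return json.loads(open_sealed(dek, bytes.fromhex(envelope["ciphertext"])))


if __name__ == "__main__":
    km = KeyManager()  # constructed record mirrors the paper's Figure 4
    env = encrypt_record(km, {"name": "John Smith", "street": "401 Main Street Apt 2076",
                              "city": "Austin, TX 78745-4548"})
    print(read_record(km, env, "billing-app"))
    print(read_record(km, env, "backup-operator")[:40] + "...")
```

The point of the rotation path is that rotating the KEK and calling rewrap on each stored envelope leaves the ciphertext field byte-for-byte unchanged, which is what lets a central key manager rotate keys across many systems without re-encrypting data in place. The audit_log records every rotate, unwrap and denied read, which is the evidence an auditor needs to tie key use back to requests.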


Monitor and audit

After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, database configuration and entitlements helps IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign-offs should help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the “who, what, when, where and how” of each transaction.

IBM InfoSphere Guardium database security provides granular, database management system (DBMS)-independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-DBMS policies and audit repositories, filtering and compression.
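To make the "who, what, when, where and how" requirement and the fine-grained alerting policies concrete, here is an added Python example that is not Guardium code or Guardium output. It parses a batch of database activity events, builds the five-field audit trail entry for each one, and evaluates each event against a small policy set: direct access to sensitive objects from outside the approved application tier, bulk extraction, any privilege change, and schema changes by accounts that are not DBAs. The key=value log format, account and host names, object names, thresholds and policies are all constructed for the example.

```python
"""Fine-grained database activity auditing: build the who/what/when/where/how
trail from activity events and evaluate each event against alerting policies."""
from datetime import datetime

# Constructed sample events in a generic key=value format (not real Guardium output).
SAMPLE_LOG = """\
2011-09-12T09:15:02Z user=billing_svc client=10.0.1.20 app=billing-app db=CUSTDB action=SELECT object=CUSTOMER.PII rows=12
2011-09-12T23:41:10Z user=jdoe client=10.0.9.77 app=sqlplus db=CUSTDB action=SELECT object=CUSTOMER.PII rows=48210
2011-09-12T10:02:33Z user=dba_admin client=10.0.2.5 app=dbadmin db=CUSTDB action=GRANT object=CUSTOMER.PII grantee=jdoe
2011-09-12T11:30:00Z user=etl_svc client=10.0.3.9 app=etl-loader db=CUSTDB action=CREATE object=STAGING.TMP_LOAD
2011-09-12T14:05:45Z user=hr_portal_svc client=10.0.1.21 app=hr-portal db=HRDB action=SELECT object=HR.SALARY rows=3
"""

# Policy parameters (hypothetical values chosen for the example).
SENSITIVE_OBJECTS = {"CUSTOMER.PII", "HR.SALARY"}
APPROVED_APPS = {"billing-app", "hr-portal"}  # application tier; ad hoc tools are not approved
DBA_ACCOUNTS = {"dba_admin"}
BULK_ROW_THRESHOLD = 10000
DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
DDL = {"CREATE", "DROP", "ALTER"}
PRIVILEGE_OPS = {"GRANT", "REVOKE"}
REQUIRED = ("user", "client", "app", "db", "action", "object")


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict; reject malformed lines."""
    ts, *fields = line.split()
    event = {"when": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        event[key] = value
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"event missing {missing}")
    event["rows"] = int(event.get("rows", 0))
    return event


def trail_entry(ev):
    """The who / what / when / where / how record for one transaction."""
    return {
        "who": ev["user"],
        "what": f'{ev["action"]} {ev["object"]}',
        "when": ev["when"].isoformat(),
        "where": f'{ev["db"]}@{ev["client"]}',
        "how": ev["app"],
    }


def evaluate(ev):
    """Return the name of every policy the event violates (empty list if none)."""
    alerts = []
    sensitive = ev["object"] in SENSITIVE_OBJECTS
    if sensitive and ev["action"] in DML and ev["app"] not in APPROVED_APPS:
        alerts.append("direct_sensitive_access")
    if sensitive and ev["action"] == "SELECT" and ev["rows"] >= BULK_ROW_THRESHOLD:
        alerts.append("bulk_extract")
    if ev["action"] in PRIVILEGE_OPS:
        alerts.append("privilege_change")
    if ev["action"] in DDL and ev["user"] not in DBA_ACCOUNTS:
        alerts.append("schema_change_by_non_dba")
    return alerts


def audit(log_text):
    """Build the full trail plus the alert list for a batch of events."""
    trail, alerts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        entry = trail_entry(ev)
        trail.append(entry)
        for name in evaluate(ev):
            alerts.append({"policy": name, **entry})
    return {"trail": trail, "alerts": alerts}


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG)["alerts"]:
        print(f'{a["policy"]:26} {a["who"]} {a["what"]} via {a["how"]} from {a["where"]} at {a["when"]}')
```

Every event, violating or not, lands in the trail, so the trail is the continuous record the paper asks for, while the alerts are the subset that needs a human. Malformed lines raise rather than being silently skipped, since an audit trail with gaps is the one thing an auditor cannot accept.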

Conclusions

Protecting data security and privacy is a detailed, continuous responsibility that should be part of every organization's best practices. IBM InfoSphere provides an integrated data security and privacy approach delivered through the three-tiered strategy of Understand and Define, Secure and Protect, and Monitor and Audit. Since the InfoSphere solutions are scalable and modular, organizations can focus on their most critical concern first and then adopt other solutions over time. Protecting data requires a 360-degree, holistic approach: with deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.

About IBM InfoSphere

IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM security solutions

IBM has the extensive knowledge, innovative research methods and complex technologies required to deliver products and services that are recognized for leadership in IT security. IBM builds security technology into the fabric of the hardware, software and services it delivers, not bolting it on after the fact. As your trusted partner for security, IBM's experienced and certified consultants, architects, project managers and subject matter experts are prepared to provide your organization with a comprehensive platform of preemptive security products and services designed to protect your entire IT infrastructure, from the network gateway to the desktop.


For more information

To learn more about IBM InfoSphere, please contact your IBM sales representative or visit: ibm.com/software/data/infosphere

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit: ibm.com/software/data/optim/protect-data-privacy

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing

© Copyright IBM Corporation 2011

IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
September 2011
All Rights Reserved

IBM, the IBM logo, ibm.com, DB2, Guardium, IMS, Informix, InfoSphere, Tivoli, and z/OS are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.

Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product or service names may be trademarks or service marks of others.


IMW14568-USEN-01