Locating Unmanaged but Regulated Data on System z: CA Data Content Discovery

Locating Unmanaged but Regulated Data on z Systems: CA Data Content Discovery

Mary Ann Furno

Mainframe

CA Technologies

Director, Software Engineering

MFX25S

© 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

For Informational Purposes Only

Terms of this Presentation

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.

Abstract

CA Data Content Discovery helps you identify data exposure risks on z Systems by scanning through the mainframe data infrastructure. By discovering where the data is located, classifying the data to determine sensitivity level, and providing comprehensive reporting on the scan results, data can be adequately protected and exposure risks can be mitigated.

Mary Ann Furno

CA Technologies

Director, Software Engineering

Agenda

1. CISOs, Regulated Data, and the Mainframe
2. Sensitive Data Defined
3. Data Content Discovery on the Mainframe
4. Data Content Discovery Roadmap

CISOs, Regulated Data, and the Mainframe

The Current State

MYTH

The mainframe has never been hacked!

Mainframe data stays on the mainframe, so it is safe!

The mainframe is well understood and covered under three lines of risk control: Operational, Compliance and Internal audit

REALITY

Consider: social engineering hacks; human error as MF experts retire

Data is fluid in today’s world: data analytics; cloud; marriage of MF data and non-MF data

The mainframe viewed as a black box breeds complacency, compounding the risk

Years in the making…

71% of the world’s mission critical data is on the mainframe

The mainframe acts as the enterprise IT server and has more entry and exit vectors.

We must protect the mainframe and all business critical data as the strategic assets that they are, plus ensure easily confirmed regulatory compliance.

Source: Rehabilitating the Perception of Mainframes, Enterprise Systems Media, 22 July 2015

What We Hear From Clients

Regulated data has to be protected, regardless of what type of server it sits on or how it got there. That includes the mainframe, and existing controls may not cover all of it.

We know where our sensitive, regulated data is…. It’s in our data center.

Audit

MF Security analyst

CISO

The mainframe is now just another always-on server connected to all the others in our TCP/IP network. I’m not sure all the data hosted there is being managed to policy…

We know the mainframe is no longer isolated from other servers in the network. We don’t know how much unmanaged regulated data now resides there…

With the addition of TCP/IP via USS, mainframe data is fluid – we don’t know what we don’t know about what’s being stored there….

MF Security Director

I need to exploit data’s full value proposition for my organization while controlling the risk.

Chief Data Officer

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

The Impact of Data Theft

Health Insurance

Announced: March 2015

Records stolen: 11M

Cost: To be determined. Facing a class action lawsuit as well as potential regulatory violation fines.

Retail

Announced: September 2014

Records stolen: 56M

Cost: $43M and counting. Estimates put this as high as $10B (includes all remediation costs borne by the company and consumers)

Health Systems

Announced: August 2014

Records stolen: 4.5M

Cost: $75M – $150M

eCommerce

Announced: May 2014

Records stolen: 233M

Cost: $200M and counting.

Retail

Announced: December 2013

Records stolen: 70M

Cost: $162M and counting. Recent estimates put this at well over $1B.

Government

Announced: May 2015

Records stolen: 22M

Cost: To be determined. Likely facing a class action lawsuit as well as others.

Sensitive Data Defined

PCI DSS Data

Administered by one body: Payment Security Council

Account Data

Cardholder Data                 Sensitive Authentication Data
Primary Account Number (PAN)    Magnetic stripe data
Cardholder Name                 CAV2/CVC2/CVV2/CID
Expiration Date                 PINs/PIN blocks
Service Code

Personally Identifiable Information – PII

PII Attributes

Full Name                         Date of birth
Home Address                      Email address
National Identification Number    Passport number
Drivers License Number            Vehicle registration
Birthplace                        Genetic information
Telephone number                  Login name, screen name, nickname, handle
Face, fingerprints, handwriting   IP Address
Credit Card Numbers               Digital identity
First Name                        Last Name
Country, state, postcode, city    Age
Gender                            Race
Schools attended                  Criminal record

Legislated by a large & growing number of governmental entities

Multi-national: EU Data Protection Directive

National: Gramm-Leach Bliley Banking Modernization Act, Canada Privacy Act

Local: California SB 1386, Nevada Statute 603A, Massachusetts 201 CMR 17.00

Protected Health Information - PHI

PHI Attributes

Full Name                         Geographic subdivision
Data elements                     Telephone number
Fax number                        Electronic mail address
SSN                               Medical record number
Health Plan beneficiary number    Account number
Certificate/license number        Vehicle ID/Serial number/license plate number
Device identifier/serial number   Biometric identifier
Full face photograph or image     Other unique identifying element

Initially, only US, now spreading internationally

Legislated by a large & growing number of governmental entities

Multi-national: TBD

National: US HIPAA / HITECH ACTs

Local: TBD

Data Content Discovery on the Mainframe

Why is locating data on a mainframe a problem?

CHALLENGES / REALITY

Existing mainframe content discovery tools migrate data off the mainframe to PCs or other devices to scan

Report writers extract production data and data exists in sequential files or JES spool

Copies of sensitive production data exist

Files with possible sensitive data are accidentally sent to outside parties without validation of content

Once data is extracted, the target destination doesn’t match the security characteristics of source DB

RESULT

Organizations are neither prepared for, nor confident in, an audit!

CA Data Content Discovery

FIND

Set up the scan

Initiate the scan

Provide discovered results to Security Administrator

CLASSIFY

Review compliance results and label sensitive data

Provide compliance report to Internal Auditor

PROTECT

Modify access based on scan results

Confirm successful audit against industry regulations

Roles: Security Operations; Internal Auditor; Security Administrator

Find It: Define Scope

Classify it

Classify It: PCI Data

Account Data

Cardholder Data                 Sensitive Authentication Data
Primary Account Number (PAN)    Magnetic stripe data
Cardholder Name                 CAV2/CVC2/CVV2/CID
Expiration Date                 PINs/PIN blocks
Service Code

Classify It: PII Data

PII Attributes

Full Name                         Date of birth
Home Address                      Email address
National Identification Number    Passport number
Drivers License Number            Vehicle registration
Birthplace                        Genetic information
Telephone number                  Login name, screen name, nickname, handle
Face, fingerprints, handwriting   IP Address
Credit Card Numbers               Digital identity
First Name                        Last Name
Country, state, postcode, city    Age
Gender                            Race
Schools attended                  Criminal record

Legend: Custom Classifier (C); Quick Picks

Classify It: PHI Data

PHI Attributes

Full Name                         Geographic subdivision
Data elements                     Telephone number
Fax number                        Electronic mail address
SSN                               Medical record number
Health Plan beneficiary number    Account number
Certificate/license number        Vehicle ID/Serial number/license plate number
Device identifier/serial number   Biometric identifier
Full face photograph or image     Other unique identifying element

Legend: Custom Classifier (C); Quick Picks

Protect It: Who Has Access to the Sensitive Data?

CA Data Content Discovery Promise

FIND IT / CLASSIFY IT / PROTECT IT

For CISO, MF Security Director

For CISO, Internal Audit, Risk Officer

For MF Security analysts, MF Data analyst

The first data-pattern scanning capability uniquely natively on mainframe in the market

Simple and Modern GUI along with Flexible scheduling designed for both z and non-IBM z personnel

Eliminate risky offloading, with data security right on the mainframe.

Only Data security product currently on the market for mainframe to use specialty engines to reduce upgrade costs

Gain quick and critical insight about the potential and magnitude of data exposure on the mainframe

Prove it to auditors that controls are checked by data-types to satisfy regulations

Stay in control – eliminate risk while reducing costs of data protection processes

Product / Technology Architecture

Diagram labels: Execution Policy; Web GUI; Control Scans; Reporting; Classification Engine; z/OS Data Sources; VSAM; DB2; PS; PDS/PDSE; API; 3rd party; CA Compliance Event Manager; DCD Repository

Description of Technology

Overview of Technology: Data Content Discovery “scans” data, identifying data vulnerabilities and risks to compliance

Lands Lightly: Product has no other CA product dependencies or other prerequisites, installs in <1 day

Data Content Discovery – A critical part of CA’s Security and Compliance Solution

Products: CA Data Protection; 3rd party DLP Solution; Big Data Analytics Solutions; CA Compliance Event Manager; IBM RACF; CA Top Secret; CA ACF2; CA Cleanup; CA Data Content Discovery; CA Auditor; In Ideation: Mainframe Advanced Authentication

Functions: Secure mainframe assets; Capture events affecting compliance and policy; Discover sensitive data; Extend compliance event data to analytics solutions; Enable secure data in motion across the enterprise

Roles: Security Administrator; Big Data Analyst; Auditor

Legend: Planned; Available; Non-CA Product

Summary

A Few Words to Review

Results

There is stray, unmanaged, unprotected data on your mainframe – regulated, sensitive data that will damage the enterprise if compromised

Find it, classify it, protect it with DCD

Recommended Sessions

SESSION # | TITLE | DATE/TIME

Tech Talk | Isn’t one authentication mechanism on z Systems™ enough? | 11/18 – 4:30pm, Mainframe Content Center

Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm, Mainframe Theater

Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm, Mainframe Content Center

MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm, Breakers I

MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm, Breakers I

Follow Conversations in the Mainframe Content Center

CA Data Content Discovery

CA ACF2™ for z/OS

CA Top Secret® for z/OS

CA Cleanup

CA Auditor

Advanced Authentication – Nov 18th @ 4:30pm

The Known Unknown – Nov 19th @ 12:15pm

Q & A

For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15