System Z Mainframe Security For An Enterprise
© 2011 IBM Corporation
Security in a Distributed Environment
The role of the Mainframe
The future runs on System z
Jim Porell, IBM Distinguished Engineer, Deputy CTO, Federal Sales
Security on System z: Reducing risk for the Enterprise
Basic Insurance Policy
– $100,000 Liability
– Rider: Excess replacement for valuable items
– Rider: Excess medical coverage
– Rider: Unlimited vehicle towing
– Rider: Excess liability insurance
– $3,000,000
Basic Security: System z
– RACF
– Data Encryption services
– Enterprise Key mgt
– Identity Management
– Compliance Reporting
– Fraud Prevention, Forensics and Analytics
Common “Data Processing” Program models
Transaction processing
– Point of sale, Claims processing, Credit/Debit/Transfer
– Working off an operational data store (ODS)
Data Mining/Data warehouse
– Batch operations, many times not on the operational data store
– Looking for new business opportunities
Operational Risk (OR)
– Leverages the database
– Originally, it also used a copy of the ODS for detection purposes
– After 9/11, this proved to be inefficient: fraud occurs during the batch window
– Now OR is more preventative, so it must work off real-time data
– Additions to any OR database must also be considered in real time vs. batch
There are patterns for security as well
The IBM Security Framework
– Professional Services
– Managed Services
– Hardware & Software
– Common Policy, Event Handling and Reporting
– Security Governance, Risk Management and Compliance
– People and Identity
– Data and Information
– Application and Process
– Network, Server, and End-point
– Physical Infrastructure

– Authentication
– Access Control
– Data Privacy
– Audit/Compliance
– Registration/Enrollment
– Incident and Event Management
Strategy: zEnterprise as a control point for the Enterprise
Cross Domain Risks
LAN and Network Security
Secure Sign in
Cross Domain Authentication
Self Signed Certificates
Certificate Management
Data privacy
– Developers
– PII data
Abhorrent behavior
Insider Theft
Forensics
Prevention
Security is not all about technology! (it's really about people and processes)
Security Admin Requirements
Systems Admin/DBA
– Identification/Authentication
– Access Control
– Data Confidentiality
– Audit/Compliance
– Registration/Enrollment
– “Cloning” simplifies admin
Network Admin
– DMZ
• Denial of service attacks
• Internet facing
• Firewalls
– Network Bandwidth
– Intrusion Prevention/Defense
End to End reality (aka Cross Domain)
– Virtualization
• When does Cloning make sense? When not?
– Are all network security needs handled?
– Insider threats?
• Forensics; Fraud prevention
– Consistent application of security across domains?
Elements of an Enterprise Security Hub
Areas: Platform Infrastructure, Data Privacy, Compliance and Audit, Extended Enterprise
– Multilevel Security
– Encryption
– Key Management
– Common Criteria Ratings
– Support for Standards
– RACF®: Audit, Authorization, Authentication, and Access Control
– Communications Server: IDS, Secure Communications
– System z SMF
– Crypto Express 3 Crypto Cards
– ICSF: Services and Key Storage for Key Material
– z/OS® System SSL: SSL/TLS suite
– PKI Services: Certificate Authority
– ITDS: LDAP, Scalable Enterprise Directory
– Network Authentication Service: Kerberos V5 Compliant
– TS1120: Tape encryption
– DS8000®: Disk encryption
– IBM Tivoli Security Compliance Insight Manager
– IBM Tivoli® zSecure Suite
– DB2® Audit Management Expert
– Tivoli Identity Manager
– Tivoli Federated Identity Mgr
– DKMS
– TKLM
– Venafi Encryption Director
– Guardium
– Optim™
– Enterprise Fraud Solutions
Customer Problem
[Diagram: Wireless Store Infrastructure, Bank, Hacker, HQ, Regional Data center, Branch Manager, two Point of Sale systems]
– Branch uses WEP for LAN activity
– Processes cards with banks
– Hacker plugs in and gets copies of all transactions
– Problem detected and branch systems get fixed
– Mainframe doesn’t appear affected by distributed leaks
– Hypothesis: Mainframe could help secure end users if they use good procedures
– Branch managers run inventory transactions to mainframe
– No encryption on sign in
– No audit records analyzed
Real World Customer Problems
That problem could never happen at my business
– Wrong: this problem can occur anywhere there is a change in security administrative control
The weakest link in an enterprise is typically the end user interface
– Viruses, worms and Trojan Horses enable someone to hijack the end user interface
– In turn, that hijacked desktop can be used to log into any other server
• Is it “really the authorized end user”? Perhaps not.
– That’s a large risk to a business.
Outsourcers and mainframe IT operations have SLAs that protect the data they host on their systems.
Do their customers and end users have SLAs that specify minimum desktop security? Do they manage desktops and mainframes together?
– Typically not; as a result, there is a major risk that a compromised end user interface can result in compromised mainframe access.
Our goal is to look at security management across these domains
Examples of End to End Security
[Diagram: Wireless Business Infrastructure, Bank, HQ, Outsourcer, Regional Data center, Branch Manager, two Point of Sale systems, Hacker or Insider]
– Mainframe Userid and Password Encryption via Host on Demand
– Virtual Private Network encryption (which exploits the zIIP)
– Audit and anomaly detection via TCIM (Compliance Insight Manager)
– Fraud Forensics, Analysis and Prevention via Intellinx (which exploits the zAAP)
– LAN encryption via WPA, which exploits z/OS PKI
– z/OS PKI Services deployment with Global Services (Security & Privacy Consulting)
– PKI management via Venafi
System z Solution Edition for Security – Fraud Reference Case
Client Scenario: State Criminal Justice System, Bullet-proof Mainframe security, Many access points
• Policemen access Driver information from portal within Police cruiser
• Detectives track case data via Cognos Analytics application
• Courts manage search warrants and court cases
Provocation: IBM Sales Team targets the CIO and CFO:
“Experience has demonstrated that insider leaks may be utilized to help criminals escape prosecution or to release information about celebrities or high ranking government officials”.
“Your current IT infrastructure is exposed to these leaks which will likely result in civil and criminal penalties”
“At this very moment, policemen or detectives may be leaking information to criminals or the media. Also you are currently exposed to illegal access of sensitive information. Most alarming is that you may only become aware of such illegal access after your department has become fodder for the Tabloids. In such cases, departments have suffered high-level resignations and civil penalties”
Solution Edition for Security: Compliance Insight Manager
Mainframe Security Extended end-to-end across the Enterprise
[Diagram: Wants and Warrants Database, Illegal queries, news headline “Joe Biden selected as Obama’s running mate”]
Deployment choices toward a Fraud & Forensic Clearing House on System z
[Diagram components: Host; Switch; 3270 / 5250 / MQ / HTTP; MQSeries; Files; Intellinx Sensor; Queue; Intellinx Session Analyzer (Screen/Message Recording, Session Reconstruction, Replay); Event Analyzer (Business Event, Backlog Events Repository, Actions); Intellinx Reports; points of control numbered 1 to 5]
z/OS Business Goals
– A User activity monitor for forensic and fraud prevention
– Non-invasively capture activities from a wide variety of protocols and systems
– Stealthily deploy, where possible
Intellinx in Action
– Identified thefts from Dormant bank accounts
– Eliminated RYO audit tools for major Police Dept
– Stopped leakage of personally identifiable information
Bladecenter deployment
– Over 200 blades to meet needs of large financial institution with the five distinct solution points of control
– Weeks to configure and deploy software
– Environmental and FTE costs are highest
– Coordination across security, network and server admin teams
Linux on System z deployment
– Multiple Linux server instances to cover the five distinct solution points of control
– Common hardware reduces environmentals and FTEs
– Network connections must be established to capture traffic
z/OS zWatch edition deployment
– Installation in under an hour, software only
– zIIP and zAAP eligible for 98% of processing keeps software pricing minimal
– High volume, low CPU utilization
– TCA and TCO are less than alternatives
– zWatch unique capability to handle network encrypted traffic
– With zBX, zWatch can handle non-z traffic with network admin assistance and simplify operations
– Reduced overhead and latency for real time analytics
System z Solution Edition for Security – Encryption Reference Case
Client Scenario: Large Airline, Web enabled reservation system, High volume transaction processing
• Consumers and Travel Agents leverage SOA portal to access reservations
• 10,000’s of tickets sold daily via the web
• Secure access for client access and privacy is essential to workflow
Provocation: IBM Sales Team targets the CIO and CFO:
“Encryption is leveraged to protect personally identifiable information transmitted across the internet. Each application is signed to ensure that spoofing cannot occur. Self signed certificates are used by application developers to speed deployment. However, transactions fail when certificates expire”.
“Your system is not immune to this issue and when certificates expire, your online reservations will fail”
“You currently lack a central control point to manage certificate expiration. Failure to detect an impending expiration will lead to an outage that will result in lost bookings. Based on your transaction volumes, your firm will lose $3M dollars per day in perishable reservations. This need not be left to chance… IBM has a solution to eliminate this costly exposure”
Solution Edition for Security
Mainframe Security Extended end-to-end across the Enterprise
[Diagram: Lost Revenues (and Customers)]
Three types of encryption keys to be managed
Symmetric keys
– Used for encrypting storage devices: tapes and disks
– Management comes from:
• Initially managed by EKM
• Evolving toward TKLM. However, TKLM requires an asymmetric key to be bootstrapped
Asymmetric keys
– Used for identification and authentication
– Used by applications, interactive sessions, web services, networking, POS devices
– Management comes from:
• Roll your own applications, such as the sample web pages shipped with PKI Services
• DKMS – a services offering
• Venafi or Verisign – third party vendors
Root Keys
– Both of the above keys are stored in a hardware security manager (HSM) or “vault”. There needs to be a key to the vault.
– On System z, the Trusted Key Entry desktop is used to manage the crypto hardware
– For other HSMs (e.g. ATM root, 4758 crypto hardware, OEM), GTS has developed DKMS
The Reality of Lifecycle Management
Legend: Policy – P, Workflow – W, Audit – A
Lifecycle stages:
– Generate
– Acquire Certificate
– Store
– Init/Manage Key Store
– Index (Metadata)
– Configure App
– Distribute/Provision
– Discover/Inventory
– Manage Roots/Trust
– Control Access
– Monitor/Validate
– Notify/Alert
– Rotate
– Archive/Backup
– Retire/Revoke
– Destroy
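The encryption reference case turns on expiring and self-signed certificates that nobody tracks, and the lifecycle slide tags each stage with Policy, Workflow and Audit. As an added example (not from the original deck or any IBM product), the Python below runs one Monitor/Validate pass over a constructed certificate inventory, applies a policy with a 30-day warning window, maps each finding to the slide's lifecycle actions, and writes audit records; every subject, endpoint and date is invented.

```python
from datetime import date, timedelta

# Constructed inventory: what a Discover/Inventory pass might hand to
# Monitor/Validate. Names, endpoints and dates are invented.
INVENTORY = [
    {"subject": "CN=reservations.example", "issuer": "CN=Corporate Issuing CA",
     "not_after": "2011-12-15", "endpoint": "booking portal"},
    {"subject": "CN=checkin.example", "issuer": "CN=Corporate Issuing CA",
     "not_after": "2011-09-20", "endpoint": "web check-in"},
    {"subject": "CN=agent-gateway.example", "issuer": "CN=agent-gateway.example",
     "not_after": "2012-03-01", "endpoint": "travel agent SOA gateway"},
    {"subject": "CN=payments.example", "issuer": "CN=Corporate Issuing CA",
     "not_after": "2011-08-01", "endpoint": "card authorisation link"},
]

# Policy (the "P" on the lifecycle slide): alert lead time, and whether a
# developer's self-signed certificate is tolerated on a production endpoint.
POLICY = {"warn_days": 30, "allow_self_signed": False}

# Workflow (the "W"): lifecycle actions each finding should trigger.
WORKFLOW = {
    "EXPIRED": ["Notify/Alert", "Retire/Revoke", "Acquire Certificate", "Rotate"],
    "EXPIRING": ["Notify/Alert", "Acquire Certificate", "Rotate"],
    "SELF_SIGNED": ["Notify/Alert", "Acquire Certificate", "Rotate"],
    "OK": [],
}

def classify(cert, today, policy=POLICY):
    """Policy state of one inventory entry as of `today` (a date)."""
    not_after = date.fromisoformat(cert["not_after"])
    if not_after < today:
        return "EXPIRED"
    if not_after - today <= timedelta(days=policy["warn_days"]):
        return "EXPIRING"
    if cert["subject"] == cert["issuer"] and not policy["allow_self_signed"]:
        return "SELF_SIGNED"
    return "OK"

def run_check(inventory, today_iso, policy=POLICY):
    """One Monitor/Validate pass: (findings ordered by urgency, audit records)."""
    today = date.fromisoformat(today_iso)
    rank = {"EXPIRED": 0, "EXPIRING": 1, "SELF_SIGNED": 2, "OK": 3}
    findings, audit = [], []
    for cert in inventory:
        state = classify(cert, today, policy)
        findings.append({"subject": cert["subject"], "endpoint": cert["endpoint"],
                         "state": state, "actions": WORKFLOW[state]})
        # Audit record (the "A"): what was decided, for which endpoint, and when.
        audit.append(f"{today_iso} {cert['endpoint']}: {cert['subject']} "
                     f"state={state} actions={','.join(WORKFLOW[state]) or 'none'}")
    # Nearest outage risk first, so the workflow queue is worked in urgency order.
    findings.sort(key=lambda f: rank[f["state"]])
    return findings, audit

if __name__ == "__main__":
    for line in run_check(INVENTORY, "2011-09-01")[1]:
        print(line)
```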
Payment Services: A unique national digital identity card project implemented on a country-wide scale
Business Need: Payment Business Services (PBS) won the contract for implementing and running a digital signature (PKI) infrastructure for the national danID in Denmark.
To meet the needs of the client, PBS had to be able to accommodate the following:
• Same userid and logon-id procedure for both the public and the banking infrastructure.
• Access from any computer.
• Improved security of two-factor authentication with a one-time password.
Benefit: This solution allows all Danish citizens to sign on and perform digital signatures in banking and public systems using a single shared one-time password (OTP) device. It is an innovative solution combining a general purpose engine, specialty engines and hybrid accelerators, used together to improve the price/performance ratio.
IBM provides the operational platform for the digital signature infrastructure. The IBM System z9 Enterprise Class server running z/OS is the platform for development, test and production. IBM developed cryptographic security based on mandated security regulations.
System z Solution Edition for Security – CI&AM Reference Case
Client Scenario: Automobile manufacturer, automated assembly line, employee administration
• Many applications across a wide variety of systems
• Critical workflows to ensure automated assembly line
• 10,000 active employees that communicate with critical applications
Provocation: IBM Sales Team targets the CIO and CFO:
“Common roles defined across workflow processes are critical to business success. Registration and enrollment of users must be rapid and consistent across application environments”.
“300,000 former employees, who have retired or terminated, still have discrete ids and access to critical data.”
“Your firm is susceptible to espionage and/or sabotage from former employees. You are putting your operations at risk because of the ad hoc provisioning of users to disparate systems. Failure to centralize the administration and removal of unauthorized people from your systems (in a timely fashion) could cost you millions. IBM can help you eliminate this risk and potential for future loss”
Solution Edition for Security: Identity Manager
Mainframe Security Extended end-to-end across the Enterprise
In the News: Former DuPont employee used access to steal trade secrets on OLED.
In the News: Disgruntled employee of International Financial Services organization planted “logic bomb” which deleted 10 billion files and affected over 1300 servers causing $3M in losses.
Application Architecture: The Complexity of Distributed
Business Objectives
– A bank has four basic transactions: Credit, Debit, Transfer, Inquiry
– And they have a variety of choices for front end interface: ATM, Branch Terminal, Kiosk, Web browser, PDA, Cellphone
– Customer uses a Bladecenter to drive multi channel transformation
– The back end processing remains the same regardless of the presentation device
Fully Distributed Model (if deployed)
– Each application becomes a cluster of server images and must be individually authenticated and managed
– Each line is a separate network connection, requiring high bandwidth and protection
– Data is replicated across enterprise to meet scalability
– Customer deploys/builds automation processes to facilitate system recovery with additional software; this is not trivial and requires additional software and unique development
– High environmental needs and full time employees to manage infrastructure
Management Considerations for an enterprise
– Authentication, Alert processing, Firewalls, Virtual Private Networks
– Network Bandwidth, Encryption of data, Audit Records/Reports, Provisioning Users/Work
– Disaster Recovery plans, Storage Management, Data Transformations, Application Deployment
How does the Virtualization Manager improve these?
[Diagram: Application Server (WebSphere®), Service Platform, Database, Connectors, SQLJ, Service, Message Servlet, Loan Applic., Bank Teller, General Ledger, Credit Card Processing, Risk Analysis Service, Connectors/Appliances, Current Accounts, Batch Programs, Bill Payment Database, Currency Exchange, Temp data to Electronic Data Warehouse, Batch Process, RMI/IIOP, EJB, WAS, Bill Payment EJBs, Authentication Server; each component carries its own Mgt (management) point]
Application Architecture: A Large Enterprise
[Diagram: End User – Hosted Client, Desktop Framework, Devices, Device Apps., Banking Portal, XML over HTTP(S), Middleware Services, Desktop Framework Services, Personalization, Service Systems & Databases, MQ; Application Server (Websphere), Service Platform, Database, Connectors, SQLJ, Service, Message Servlet, Loan Applic., Bank Teller, General Ledger, Credit Card Processing, Risk Analysis Service, Current Accounts, Batch Programs, Bill Payment Database, Currency Exchange, Temp data to Electronic Data Warehouse, Batch Process, RMI/IIOP, EJB, WAS Bill Payment EJBs, Authentication Server; System zEnterprise]
Potential advantages of consolidating your application and data serving
With IFL:
– Security: Fewer points of intrusion
– Resilience: Fewer Points of Failure
– Performance: Avoid Network Latency
– Operations: Fewer parts to manage
– Environmentals: Less Hardware
– Capacity Management: On Demand additions/deletions
With zAAP & zIIP:
– Utilization: Efficient use of resources
– Scalability: Batch and Transaction Processing
– Auditability: Consistent identity
– Simplification: Problem Determination/diagnosis
– Transaction Integrity: Automatic recovery/rollback
With zBX:
– Security: Fewer points of intrusion
– Connectivity: Improved throughput
– Simplification: Problem Determination/Monitoring
– Development: Consistent, cross platform tools
zNext Combinations – reducing control points
– Assumes the Bladecenter for the multi channel transformation
– Can leverage Websphere on either Linux for System z or z/OS
– The Bladecenter functionality can be migrated to zBX in the future
– TCA and TCO advantages over distributed
– It’s the very same programming model in a different container that provides a superior operations model
Imagine the possibilities…
[Diagram: Traditional Operations – Mainframe (Claims, POS, Credit/Debit), DB, Filter/Extract/Move of PII input into tmp copies, Decision Support results; zNext – zClaims, POS Credit/Debit, DB, Transform, ISAO or ASBs, Decision Support, Cognos on Linux]
Business Problem
– Data warehouse can detect trends, but not necessarily prevent fraud or upgrade transactions in real time because data is copied in bulk or batch mode
Insight instead of Hindsight
– Data is copied in nanoseconds instead of hours or days
– Opens up opportunities for real time analytics
– Preventing fraud
– Making business analytic decisions faster
– Improved performance and lower cost
– Uses blade-based specialty processors, storage for warehouse workloads
– Boosts overall query performance 5x – 10x
– Customers could see a 40% reduction in storage utilization
– Supports in-memory column store for parallel star schema queries
– Uses column-based compression to minimize storage needs
– Unchanged interfaces to DB2 for z/OS and thus no changes to the BI/DW applications
– Provides capability to perform both transactional (OLTP) and warehousing (OLAP) type of queries in the same database management system
Optim Test Data Generation – leverage this to build test versions of Analytic DB’s for Operational Risk
IT Management Trends are changing
[Diagram: separate X86/RISC and Mainframe IT Operations, each with its own Application Architects, moving to Global IT operations with shared Application Architects, Mainframe, Application Sandbox, Bladecenter, Virtual Clients and Next Gen Applications]
As a result, businesses can more rapidly meet their Global Responsibilities: Governance, Risk and Compliance; Business Continuity; Privacy; Agility; Lean and Green
• The mainframe must demonstrate that it is Good Enough to support the next generation of workloads
• It should also demonstrate that collaborating with other systems can yield Fit for Purpose instead of Fit for Politics
Questions
The future runs on System z