Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?
-
Upload
ca-technologies -
Category
Technology
-
view
17 -
download
0
Transcript of Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?
World®’16
IntheVoiceofaMainframeMillennial:HowCanMainframeSecurityBeMadeEasier?JoshBroadhurst,AssociateSoftwareEngineerCATechnologies
MFT53T
MAINFRAMEANDWORKLOADAUTOMATION
2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.
Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.
ForInformationalPurposesOnlyTermsofthisPresentation
3 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Abstract
Agilebusinessesneedtobalancesecuritywitheaseofuse.Youneedtoknowwhoisaccessingyourdata,wherethedataislocatedandthatitissecure.Butatthesametime,authorizedusersneedaccessatalltimestopropelthebusinessforward.Howcanweoursimplifymainframesecuritypracticestoachievethisbalance?Inthissession,amainframemillennialprovidesafreshperspectiveonthelandscapeofmainframesecurityandprovidesnewinsightsonhowwecansimplifymainframesecuritypracticeswhileimprovingoursecurityandcomplianceposture.
JoshBroadhurstCATechnologiesAssociateSoftwareEngineer
4 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
QuickIntroduction
§ GraduatedfromUIUC– B.S.ComputerEngineering
§ StartedatCAinJanuary– AssociateSoftwareEngineer
§ WorkattheLisle,ILoffice– CADataContentDiscovery(DCD)
AboutMe
5 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Agenda
BACKGROUNDANDCHALLENGES
ADDRESSINGINTERNALSECURITYRISKS
CREATINGARISK-AWARECULTURE
PREPARINGAYOUNGERWORKFORCE
1
2
3
4
QUESTIONSANDCOMMENTS5
6 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
BackgroundandChallenges
7 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
BackgroundandChallenges
§ 80%ofFortune2000companieshavemainframestaffeligibleforretirement
§ Managementtasksbelievedwouldsuffermostfromshortfallsinmainframestaffing:– Security(55%)– Storage(47%)– Workloadmanagement(46%)
– Databasemanagement(26%)
MainframeSkillsShortage
SOURCE:“TheMainframeConundrum:EscalatingWorkloads,ShrinkingStaff”byTheInfoPro,Inc.(2008)
8 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
BackgroundandChallenges
41%
43%
50%
PasswordSecurity
DataLoss
UnauthorizedAccess
Whichsecuritychallengesarelargeenterprises“extremelyconcerned”with?
EnterpriseSecurityChallenges
SOURCE:NokiaandPennSchoenBerland surveyof1500seniorITdecisionmakers(2015)
9 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
BackgroundandChallenges
§ LPARonIBMSystemzisEAL5certified
§ Problem:EALislimitedtospecificTargetofEvaluation(TOE)– Onlypropertiesofsecurityproductsorsystemsconsidered
§ Whatabout– Administration?– Usertraining?– Compliance?
MeasuringSecurity
10 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AddressingInternalSecurityRisks
11 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AddressingInternalSecurityRisks
§ Toptwocausesofsecurityincidentsrelatetointernalrisks
InvestigatingSecurityIncidents
SOURCE:“DataBreachInvestigationsReport”byVerizon(2016)
8,886
9,630
9,701
10,490
11,347
EverythingElse
Denial-of-Service
PhysicalTheft/Loss
PrivilegeMisuse
MiscellaneousErrors
12 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AddressingInternalSecurityRisks
§ 63%ofconfirmedbreachesinvolvedweak,default,orstolenpasswords
§ 26%ofmiscellaneouserrorbreachesinvolvedemployeessendingsensitiveinformationtowrongperson
§ 70%ofinsidermisusebreachestookmonthsoryearstodiscover
SomeUsefulFigures
SOURCE:“DataBreachInvestigationsReport”byVerizon(2016)
13 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AddressingInternalSecurityRisks
27 6 3 2
7 1Internal
External
DiscoverymethodsofbreacheswithinMiscellaneousErrors
CustomerReport LeakedDocumentsorFiles ActorDisclosure Audit EmployeeReport ITReview
HowAreBreachesDiscovered?
SOURCE:“DataBreachInvestigationsReport”byVerizon(2016)
14 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
AddressingInternalSecurityRisks
§ Employeecompliancewithsecurityguidelinesisamajorfactorinsecurityincidents
§ Whyaren’temployeesfollowingexistingsecurityguidelines?
§ Needmoreinternaldiligencetoidentifybreachesandrespondearlierinthelifecycle
RootoftheProblem
15 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
CreatingaRisk-AwareCulture
16 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
CreatingaRisk-AwareCulture
§ Monitorsystemsandusers– Log,analyze,andreportonsecurityevents– SIEMsoftware
§ CAComplianceEventManager
§ Knowyourdata– Whereissensitivedatalocated?– Whohasaccesstoit?– DLPsoftware
§ CADataContentDiscovery
TechnicalMeasures
17 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
CreatingaRisk-AwareCulture
§ Changingattitudes– Peoplewillfollowprocedureonlyifperceivedbenefitoutweighscost– Initiatives,programs,andpoliciesoftenconsidered“extrawork”– Fearofpunishmentcouldinhibitreporting
§ Activesupportfrommanagement– Authorizeriskmanagementcostsandresourceallocation– Acceptaccountabilityforsecurityfailuresandpolicyviolations– Provideongoingtrainingtosecurityteam
Non-technicalMeasures
18 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
CreatingaRisk-AwareCulture
“Activeandvisibleinvolvementoftopmanagement…notonlychangestherelevantcultureoftheorganizationbutalso
directlyinfluencesthecognitivebeliefsofemployeeswhichtheninfluencetheircomplianceintentions.”
ManagingEmployeeCompliancewithInformationSecurityPolicies:TheCriticalRoleof
TopManagementandOrganizationalCulture
19 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
PreparingaYoungerWorkforce
20 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
PreparingaYoungerWorkforcePersonalExperience
§ x86/Linuxbackground– Computingfundamentalsnot
sodifferent
§ MainframeASEProgram– 7weeksofficialtraining
§ z/ArchitectureBasics§ TSOandISPFPanels§ z/OSlanguages
ME
21 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
PreparingaYoungerWorkforce
§ Currentofferingsfocusonmainframeplatformasawhole
§ Whataboutsecuritypractices?
§ IBM“EnterpriseSkillsSurvey”of130customersandpartnersshowslackofemphasisonmainframesecurityskills
What’sMissing?
SOURCE:IBMAcademicInitiative,SystemzProgram,EnterpriseSkillsSurveyResults(2006-2009)
SkillsArea StronglyRequired NotRequiredSecurityTraining 36.03% 17.30%
22 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
VulnerabilityLabsFirst-handexperienceonvariousvulnerabilities,attacks,andcountermeasures
DesignLabsApplysecurityprinciplesindesigningandimplementingsystems
ExplorationLabsEnhancestudentlearningviaobservation,playingandexploration
PreparingaYoungerWorkforceCasestudy:SEED
SOURCE:“SEED:Asuiteofinstructionallaboratoriesforcomputersecurityeducation”byDu,W.andWang,R.(2008)
23 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
PreparingaYoungerWorkforceCasestudy:SEED
42%
52%
6%
"Thelabsparksmyinterestincomputersecurity"
StronglyAgree Agree Neutral
SOURCE:“SEED:Asuiteofinstructionallaboratoriesforcomputersecurityeducation”byDu,W.andWang,R.(2008)
68%
29%
3%
"Thelabwasavaluablepartofthiscourse"
StronglyAgree Agree Neutral
24 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
ConclusionActionorinactionbyemployeesposessignificantrisktoinformationalassets.Awarenessofthreatsandtherationalebehindsecuritycontrolscanencourageappropriatepreventivebehavior.
Informationsecurityisprimarilyamanagementproblem.Topmanagementsupportisacriticalfactorinprocuringresourcestodevelopaneffectivesecurityculture.
Controlledaccesstoreal-worldsystemsisaninvaluableeducationaltool.Trainingfornewemployeesshouldbedesignedtoencouragecomplianceasaneasyanddesirabletask.
SummaryAFewWordstoReview
25 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Questions?
26 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
RecommendedSessions
SESSION# TITLE DATE/TIME
MFX173S TheImportanceofMainframeSecurityEducation 11/16/2016at3:45pm
MFT174SMainframeSecurityStrategyandRoadmap:BestPracticesforProtectingMissionEssentialData
11/17/2016at12:45pm
MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm
27 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
MustSeeDemos
Real-TimeDataSecurity&Compliance
CADataContentDiscoveryMainframeTheatre
MainframeSecuritySmartBar
CATopSecret®MainframeTheatre
Real-TimeDataSecurity&Compliance
CAComplianceEventManagerMainframeTheatre
MainframeSecuritySmartBar
CAACF2™MainframeTheatre
28 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
Thankyou.
Stayconnectedatcommunities.ca.com
29 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD
MainframeandWorkloadAutomation
FormoreinformationonMainframeandWorkloadAutomation,pleasevisit:http://cainc.to/9GQ2JI