Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?

World®’16

IntheVoiceofaMainframeMillennial:HowCanMainframeSecurityBeMadeEasier?JoshBroadhurst,AssociateSoftwareEngineerCATechnologies

MFT53T

MAINFRAMEANDWORKLOADAUTOMATION

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

Agilebusinessesneedtobalancesecuritywitheaseofuse.Youneedtoknowwhoisaccessingyourdata,wherethedataislocatedandthatitissecure.Butatthesametime,authorizedusersneedaccessatalltimestopropelthebusinessforward.Howcanweoursimplifymainframesecuritypracticestoachievethisbalance?Inthissession,amainframemillennialprovidesafreshperspectiveonthelandscapeofmainframesecurityandprovidesnewinsightsonhowwecansimplifymainframesecuritypracticeswhileimprovingoursecurityandcomplianceposture.

JoshBroadhurstCATechnologiesAssociateSoftwareEngineer


QuickIntroduction

§ GraduatedfromUIUC– B.S.ComputerEngineering

§ StartedatCAinJanuary– AssociateSoftwareEngineer

§ WorkattheLisle,ILoffice– CADataContentDiscovery(DCD)

AboutMe


Agenda

BACKGROUNDANDCHALLENGES

ADDRESSINGINTERNALSECURITYRISKS

CREATINGARISK-AWARECULTURE

PREPARINGAYOUNGERWORKFORCE

1

2

3

4

QUESTIONSANDCOMMENTS5


BackgroundandChallenges



§ 80%ofFortune2000companieshavemainframestaffeligibleforretirement

§ Managementtasksbelievedwouldsuffermostfromshortfallsinmainframestaffing:– Security(55%)– Storage(47%)– Workloadmanagement(46%)

– Databasemanagement(26%)

MainframeSkillsShortage

SOURCE:“TheMainframeConundrum:EscalatingWorkloads,ShrinkingStaff”byTheInfoPro,Inc.(2008)



41%

43%

50%

PasswordSecurity

DataLoss

UnauthorizedAccess

Whichsecuritychallengesarelargeenterprises“extremelyconcerned”with?

EnterpriseSecurityChallenges

SOURCE:NokiaandPennSchoenBerland surveyof1500seniorITdecisionmakers(2015)



§ LPARonIBMSystemzisEAL5certified

§ Problem:EALislimitedtospecificTargetofEvaluation(TOE)– Onlypropertiesofsecurityproductsorsystemsconsidered

§ Whatabout– Administration?– Usertraining?– Compliance?

MeasuringSecurity


AddressingInternalSecurityRisks



§ Toptwocausesofsecurityincidentsrelatetointernalrisks

InvestigatingSecurityIncidents

SOURCE:“DataBreachInvestigationsReport”byVerizon(2016)

8,886

9,630

9,701

10,490

11,347

EverythingElse

Denial-of-Service

PhysicalTheft/Loss

PrivilegeMisuse

MiscellaneousErrors



§ 63%ofconfirmedbreachesinvolvedweak,default,orstolenpasswords

§ 26%ofmiscellaneouserrorbreachesinvolvedemployeessendingsensitiveinformationtowrongperson

§ 70%ofinsidermisusebreachestookmonthsoryearstodiscover

SomeUsefulFigures




27 6 3 2

7 1Internal

External

DiscoverymethodsofbreacheswithinMiscellaneousErrors

CustomerReport LeakedDocumentsorFiles ActorDisclosure Audit EmployeeReport ITReview

HowAreBreachesDiscovered?




§ Employeecompliancewithsecurityguidelinesisamajorfactorinsecurityincidents

§ Whyaren’temployeesfollowingexistingsecurityguidelines?

§ Needmoreinternaldiligencetoidentifybreachesandrespondearlierinthelifecycle

RootoftheProblem


CreatingaRisk-AwareCulture



§ Monitorsystemsandusers– Log,analyze,andreportonsecurityevents– SIEMsoftware

§ CAComplianceEventManager

§ Knowyourdata– Whereissensitivedatalocated?– Whohasaccesstoit?– DLPsoftware

§ CADataContentDiscovery

TechnicalMeasures



§ Changingattitudes– Peoplewillfollowprocedureonlyifperceivedbenefitoutweighscost– Initiatives,programs,andpoliciesoftenconsidered“extrawork”– Fearofpunishmentcouldinhibitreporting

§ Activesupportfrommanagement– Authorizeriskmanagementcostsandresourceallocation– Acceptaccountabilityforsecurityfailuresandpolicyviolations– Provideongoingtrainingtosecurityteam

Non-technicalMeasures



“Activeandvisibleinvolvementoftopmanagement…notonlychangestherelevantcultureoftheorganizationbutalso

directlyinfluencesthecognitivebeliefsofemployeeswhichtheninfluencetheircomplianceintentions.”

ManagingEmployeeCompliancewithInformationSecurityPolicies:TheCriticalRoleof

TopManagementandOrganizationalCulture


PreparingaYoungerWorkforce


PreparingaYoungerWorkforcePersonalExperience

§ x86/Linuxbackground– Computingfundamentalsnot

sodifferent

§ MainframeASEProgram– 7weeksofficialtraining

§ z/ArchitectureBasics§ TSOandISPFPanels§ z/OSlanguages

ME


PreparingaYoungerWorkforce

§ Currentofferingsfocusonmainframeplatformasawhole

§ Whataboutsecuritypractices?

§ IBM“EnterpriseSkillsSurvey”of130customersandpartnersshowslackofemphasisonmainframesecurityskills

What’sMissing?

SOURCE:IBMAcademicInitiative,SystemzProgram,EnterpriseSkillsSurveyResults(2006-2009)

SkillsArea StronglyRequired NotRequiredSecurityTraining 36.03% 17.30%


VulnerabilityLabsFirst-handexperienceonvariousvulnerabilities,attacks,andcountermeasures

DesignLabsApplysecurityprinciplesindesigningandimplementingsystems

ExplorationLabsEnhancestudentlearningviaobservation,playingandexploration

PreparingaYoungerWorkforceCasestudy:SEED

SOURCE:“SEED:Asuiteofinstructionallaboratoriesforcomputersecurityeducation”byDu,W.andWang,R.(2008)


PreparingaYoungerWorkforceCasestudy:SEED

42%

52%

6%

"Thelabsparksmyinterestincomputersecurity"

StronglyAgree Agree Neutral

SOURCE:“SEED:Asuiteofinstructionallaboratoriesforcomputersecurityeducation”byDu,W.andWang,R.(2008)

68%

29%

3%

"Thelabwasavaluablepartofthiscourse"

StronglyAgree Agree Neutral


ConclusionActionorinactionbyemployeesposessignificantrisktoinformationalassets.Awarenessofthreatsandtherationalebehindsecuritycontrolscanencourageappropriatepreventivebehavior.

Informationsecurityisprimarilyamanagementproblem.Topmanagementsupportisacriticalfactorinprocuringresourcestodevelopaneffectivesecurityculture.

Controlledaccesstoreal-worldsystemsisaninvaluableeducationaltool.Trainingfornewemployeesshouldbedesignedtoencouragecomplianceasaneasyanddesirabletask.

SummaryAFewWordstoReview


Questions?


RecommendedSessions

SESSION# TITLE DATE/TIME

MFX173S TheImportanceofMainframeSecurityEducation 11/16/2016at3:45pm

MFT174SMainframeSecurityStrategyandRoadmap:BestPracticesforProtectingMissionEssentialData

11/17/2016at12:45pm

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm


MustSeeDemos

Real-TimeDataSecurity&Compliance

CADataContentDiscoveryMainframeTheatre

MainframeSecuritySmartBar

CATopSecret®MainframeTheatre

Real-TimeDataSecurity&Compliance

CAComplianceEventManagerMainframeTheatre

MainframeSecuritySmartBar

CAACF2™MainframeTheatre


Thankyou.

Stayconnectedatcommunities.ca.com


MainframeandWorkloadAutomation

FormoreinformationonMainframeandWorkloadAutomation,pleasevisit:http://cainc.to/9GQ2JI

Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?

Technology

Transcript of Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?