Reference section slides (60-64), present only as truncated preview text:
  60. Encryption Reference Section
  61. Cryptography on z/OS (repeat of slide 26): Clear Key – Key is exposed in the storage of processor – Can be viewed in dump of sto...
  62. CKDS – Cryptographic Key Dataset: Key element of the IBM encryption solution on z/OS; VSAM Key Sequence...
  63. IMS Data Encryption for IMS and DB2 Databases: The following restrictions apply: An IMS segment can be...
  64. Details About Clear Key Versus Secure Key Performance: Clear key elapsed time performance is MUCH superi...
IMS Protection Guardium - IMS UG May 2013 Seattle

Transcript of "IMS Protection Guardium - IMS UG May 2013 Seattle"

  1. IMS and InfoSphere Guardium
     Dennis Eichelberger, IT Specialist, IMS Advanced Technical Skills, deichel@us.ibm.com
     © 2013 IBM Corporation
  2. Topics
     • What are the business needs driving data protection
     • Intro to data protection terminology
     • An encryption solution from IBM for IMS databases
     • An auditing and access monitoring solution for IMS data
     Copyright IBM 2013
  3. The Primary Source of Breached Data are Database Servers
     Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
     Chart: Source of Records Breached (2012), % of records breached
     • All other sources <1%
     • Desktop/Workstation 34%
     • Mail server 2%
     • Reg employee/end-user 1%
     • Database server 96%
     • Web/app server 80%
     • POS server 1%
  4. LensCrafters -- Mainframe Breach
     • Luxottica Group S.p.A. owns the LensCrafters chain and is the world's largest supplier of high-end eyewear
     • Personally Identifiable Information (PII) for 59,419 employees stolen, with victims in all 50 states
     • "Generally, mainframes are not accessible to the Internet, so the hacker most likely had to compromise other systems internally before getting to the mainframe," said Chris Petersen, a former IT auditor with Price Waterhouse and Ernst & Young.
     Sources: http://www.internetnews.com/security/article.php/3787431/Mainframe+Breach+at+LensCrafters+Parent+Hits+59K.htm
     http://privacy.wi.gov/databreaches/2008/nov08.jsp
     Brands shown: Polo Ralph Lauren, Prada, Versace brands, Ray-Ban, Dolce & Gabbana, Donna Karan
  5. LensCrafters -- Mainframe Breach
     "As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have had a significant impact on security." - SearchCompliance.com
  6. TJX Companies -- Security Breach
     • Parent company of T.J. Maxx, HomeGoods, Marshalls, etc.
     • A security breach originally reported to have occurred in May of 2006 was not discovered until December of the same year
     • A forensic investigation by IBM and General Dynamics showed the breach may have occurred in July of 2005
     • How much did the breach cost TJX Companies?
       • Initial estimate: $4.5B ($100 per stolen record)
       • Later estimate: Up to $300 per stolen record
     Sources: http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever
     https://www.braintreepayments.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach
     http://www.informationweek.com/news/199203277
     SearchCompliance.com
  7. Certegy -- an Insider Tale
     • Certegy is a subsidiary of Fidelity National Information Services that provides check authorization & check cashing services, partly for the gaming industry
     • Senior DBA sold 8.5 million customer records containing the following for $580K to a data broker: names, addresses, birth dates, bank account info, credit card info
     • Data theft came to light after a retailer reported a correlation between transactions and receipt of marketing offers by its customers
       • Certegy engaged the U.S. Secret Service, which found the data had come from a separate company owned by the Certegy DBA
       • "Why did it take Certegy more than five years to find out that confidential consumer information was being sucked out of its database?" (St. Petersburg Times)
     Sources: http://www.sptimes.com/2007/11/15/news_pf/Northpinellas/Largo_man_stole_data_.shtml
     http://www.prnewswire.com
  8. Certegy -- an Insider Tale
     • Settled class-action suit for $4 million, plus:
       • $975,000 in fines from Attorney General
       • Mandatory security audit every year
       • 2 years of credit monitoring services ($180 per customer)
     • Rogue DBA sentenced to nearly 5 years in prison
     Sources: http://www.sptimes.com/2007/11/15/news_pf/Northpinellas/Largo_man_stole_data_.shtml
     http://www.prnewswire.com
  9. Other Real-World Examples of Insider Threats
     • Unauthorized changes to financial data
       • DBA accidentally deleted a critical financial table during production hours (was doing a favor for an application developer, bypassing the change process)
       • Outsourcer erased logs showing he made changes during the day (because it was more convenient than during the night)
     • Theft of sensitive data
       • Departing employees stealing design information & other intellectual property
       • DBAs and outsourcers selling customer information to competitors and crime syndicates
  10. Other Real-World Examples of Insider Threats
     • Internal fraud
       • Mortgage processor -- insider changed credit scores to make loans look better
       • Mobile telecom -- insider created & sold pre-paid phone cards
       • Electric utility -- insider gave free service to friends and family as part of a low-income assistance program
       • Health provider -- insider sold medical identities for insurance fraud
  11. The Smarter (& More Secure) Mainframe
     • 71% of the Global 500 run on mainframes
       • 100% of the world's top 50 banks
       • 22 of the top 25 retailers
     • Unique IT value proposition
       • Efficiency, utilization & server consolidation
       • Proven reliability, availability & quality-of-service
       • z/OS with IMS, SAP, WebSphere, InfoSphere Warehouse, Cognos 8 BI, …
       • z/VM & Linux with Oracle, MySQL, Cognos, …
       • Virtualization
     • Robust Security Model
       • Built-in encryption with hardware acceleration
       • z LPAR hosting is the only server with Common Criteria EAL5 certification
       • z/OS, RACF & Tivoli zSecure Audit protect access to system resources (CICS, DB2, IMS…)
  12. Data Protection Drivers
     • Industry Compliance
     • Regulatory Compliance
     • Information Governance
  13. Industry Compliance Driving Data Protection
     • PCI "Payment Card Industry" compliance…
       • World-wide accepted standards that protect against credit card fraud
         - Requires adaptation of business controls to protect against compromising sensitive data
       • Examples of standards
         - Protect stored cardholder data
         - Restrict access to cardholder data by business on a "need-to-know" basis
         - Restrict physical access to cardholder data
  14. Industry Compliance Driving Data Protection
     • PCI "Payment Card Industry" compliance (cont'd)
       • PCI standards require sensitive personal information of credit card holders to be encrypted, including:
         - Account number
         - Expiration date
         - Name and address
         - Social Security number
       • Compressed data is not acceptable as data encryption
  15. Regulatory Compliance Driving Data Protection
     • Governmental Regulations
       • Basel III (2010-2011)
         − Measurement of total banking risk based on capital adequacy, stress tests and market liquidity risks
       • Sarbanes-Oxley Act (2002)
         − Strengthen financial reporting and internal controls by fixing responsibility within a company's management
       • HIPAA (1996)
         − Provide national standards for electronic health care records and secure those medical records, prove how they have been used and who has used them
  16. Regulatory Compliance Driving Data Protection
     • Governmental Regulations
       • Patriot Act (2001)
         - Prevent usage of the financial system to support illegal activities, particularly terrorism
       • Various anti-money laundering (AML) laws
         - Prevent the laundering of money derived from illegal activities
       • Gramm-Leach-Bliley Act (1999)
         - Protection of personally identifiable financial information (PII)
  17. Data Protection - Not Just an Activity for One Group
     • Initial concerns and questions
       - What is the right database encryption solution?
       - Would the application need to be modified?
       - Would application performance be impacted?
       - Which group will own key management?
       - What is the security team's role?
       - What is the audit team's role?
       - What is the IMS systems programmer's role?
       - What is the DBA's role?
  18. Focal Areas for a Strong Security Strategy
     • Encrypting the data
       • Reduce the liability even if data is accessed: using encryption reduces the usability of that data
     • Monitoring access to the data
       • Have visibility to data access -- identify who accessed data, when it was accessed or updated
  19. What is Encryption?
     • Data that is not encrypted is referred to as "clear text"
     • Clear text is encrypted by processing with a "key" and an encryption algorithm
       • Several standard algorithms exist, including DES, TDES and AES
     • Keys are bit streams that vary in length
       • For example AES supports 128, 192 and 256 bit key lengths
  20. What is Encryption?
     • Encryption is a process where clear text is converted using a known ALGORITHM
       • AES
       • DES
       • TDES
     • A key is used in the encryption process to produce CIPHERTEXT and can be either a:
       • Clear key
       • Secure key
  21. Encryption is a technique used to help protect data from unauthorized access
     • Data that is not encrypted is referred to as "clear text"
     • Clear text is encrypted by processing with a "key" and an encryption algorithm
       – Several standard algorithms exist, including DES, TDES and AES (next slide)
     • Keys are bit streams that vary in length
       – For example AES supports 128, 192 and 256 bit key lengths
     Diagram: Encryption Process: Clear Text + Key → Encryption algorithm (e.g. AES) → Ciphertext (Encrypted Data). Decryption Process: Ciphertext + Key → Encryption algorithm → Clear Text.
  22. Encryption Algorithms – Which Ones Are Best?
     • DES (Data Encryption Standard)
       − 56-bit, viewed as weak and generally unacceptable today by the NIST
     • TDES (Triple Data Encryption Standard)
       − 128-bit, universally accepted algorithm
     • AES (Advanced Encryption Standard)
       − 128- or 256-bit, newest commercially used algorithm
     • What is acceptable?
       – DES is viewed as unacceptable
       – TDES is viewed as acceptable and compliant with NIST (National Institute of Standards and Technology)
       – AES 128 or 256 is also viewed as acceptable and strategic
  23. Encryption Algorithms – Which Ones Are Best?
     • For more information:
       – TDES: NIST Special Publication 800-67 V1, entitled "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher", can be found at http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
       – AES: NIST FIPS Publication 197, entitled "Announcing the Advanced Encryption Standard (AES)", can be found at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
  24. Integrated Cryptographic Service Facility (ICSF)
     Provides:
     • z/OS integrated software support for data encryption
     • Operating System S/W API Interface to Cryptographic Hardware
       − CEX2/3C hardware feature
     • Enhanced Key Management for key creation and distribution
       − Public and private keys
       − Secure and clear keys
       − Master keys
     • Created keys are stored/accessed in the Cryptographic Key Data Set (CKDS) with a unique key label
       − CKDS itself is secured via Security Access Facility
     • See Reference Section of this presentation for more details
  25. What are Encryption Keys?
     • Master Keys
       – Used to generate, encrypt, and store user keys into the CKDS (Cryptographic Key Data Set)
       – Loaded into the CEX2/3C hardware, and stored NOWHERE else
     • User Keys (Data Encrypting Keys)
       – Generated via ICSF services
       – Stored inside the CKDS
       – Public or Private
       – Clear or Secure
       – Used by the IBM InfoSphere Guardium Encryption Tool along with an encryption algorithm to convert user data to Ciphertext
  26. Cryptography on z/OS
     • Clear Key
       – Key is exposed in the storage of the processor
       – Can be viewed in a dump of storage
       – If correctly interpreted can expose data
       – Sometimes acceptable for short-lived keys with other constraints
       – Used in software-based cryptography
       – Used by CPACF
     • Secure Key
       – Key is only ever exposed in bounds of a secure processor
       – Can never be seen in storage
       – Dump will not reveal key
       – Key is held encrypted under Master key
       – Crypto Express 2/3 (configured as CEX2/3C) provides this function for System z
       – APIs available via Integrated Cryptographic Service Facility (ICSF)
       – Can be used from Java on the z/OS platform
  27. Encryption in a Nutshell
     How can you as an IMS Support person achieve this?
  28. InfoSphere Guardium Data Encryption for DB2 and IMS Databases
     InfoSphere Guardium Data Encryption protects Sensitive and Private information, minimizing the liability risks associated with Information Governance.
     • High Performance and Low overhead by using the available cryptographic hardware
     • Uses the major encryption algorithms
     • Conforms to the existing z/OS security model
     • Complies with Security and Privacy regulations
     • Implementation at the IMS segment level
     • No changes to application programs
  29. InfoSphere Guardium Data Encryption for DB2 and IMS Databases
     To create an exit that encrypts and decrypts IMS data, the Tool can be implemented in one of two ways:
     1) Through JCL. The product provides sample jobs where the JCL can be modified to meet your needs for encrypted IMS databases. These jobs can be found in the distribution libraries:
        DECIMSSK – IMS Secure Key
        DECIMSCK – Clear Key DES
        DECIMSCB – Clear and Secure Key AES
        DECIMSDV – Driver exit for compressed and encrypted IMS segment
        DECIMSJB – IMS Clear Key
     2) Using the ISPF interface. ISPF panels are presented to you to create customized jobs for encrypting non-compressed and compressed IMS database segments.
  30. InfoSphere Guardium Data Encryption for DB2 and IMS Databases
     • Implementation steps
       − Create an encryption key
       − Create an encryption exit
       − Unload database to be encrypted
       − Generate and install DBD with encryption exit
       − Reload database using the new DBD
  31. InfoSphere Guardium Data Encryption – ISPF Main Menu
     Selections:
     1 = use to create an encryption exit that will be used standalone; that is, without co-existence with a compression routine
     2 = use to create both an encryption exit and a driver module to call an existing compression routine, then the encryption exit
  32. InfoSphere Guardium Data Encryption – ISPF Definition for Creating Encryption Exit
     CSF lib = Installation Encryption dataset
     ZAP lib = Dataset containing AMASPZAP program
     SMP lib = Guardium load dataset
     EXIT lib = Load dataset for Encryption exit
     Exit Name = Load module name for Encryption exit
     Panel annotations: IMS Clear key selected; usual Jobcard; the encryption routine is called DSECRYPT; the label (name) of the Encryption key that has been previously created by a security administrator
  33. InfoSphere Guardium Data Encryption – ISPF Definition for Creating Encryption Exit
     ISPF created link job for encryption exit creation (step 1). The encryption routine is called DSECRYPT.
  34. InfoSphere Guardium Data Encryption – ISPF Creating Zap Job for Encryption Exit Key
     The encryption routine is called DSECRYPT; the panel shows the encryption key label used by the DSECRYPT exit.
  35. InfoSphere Guardium Data Encryption – DBD Definition with Encryption Exit
     The encryption routine is called DSECRYPT. The COMPRTN is added to the DBD source to invoke encryption. Note that only DATA is being encrypted here.
  36. InfoSphere Guardium Data Encryption – Browse of IMS HDAM Database with Clear Data
     (Screenshot: clear data)
  37. InfoSphere Guardium Data Encryption for DB2 and IMS Databases
     • Implementation steps
       − Unload the database
       − Generate and install DBD with the encryption exit
       − Reload the database using the new DBD
  38. InfoSphere Guardium Data Encryption – Browse of IMS HDAM Database with Encrypted Data
     (Screenshot: encrypted data)
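As an added example for this page (not the product's DSECRYPT exit, which is a load module invoked through the DBD's COMPRTN), the Go program below models what "only DATA is being encrypted" means at the segment level: the sequence-field key passes through in clear so IMS can still locate the segment, and only the data field is enciphered under a key resolved by label. The key store, segment layout, key label and AES-GCM construction are assumptions of this example; in the product the key stays in the CKDS under ICSF and never sits in program memory as it does here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyStore is a constructed stand-in for the CKDS lookup by key label. With a
// real secure key the AES key bytes would never be visible to this code.
var keyStore = map[string][]byte{
	"IMS.SEGMENT.AES256": bytes.Repeat([]byte{0x42}, 32), // constructed 256-bit test key
}

// Segment is the assumed layout handed to a segment edit/compression exit:
// the first KeyLen bytes are the sequence-field key, the remainder is data.
type Segment struct {
	KeyLen int
	Raw    []byte
}

// aeadForLabel resolves a key label to an AES-GCM instance.
func aeadForLabel(label string) (cipher.AEAD, error) {
	k, ok := keyStore[label]
	if !ok {
		return nil, fmt.Errorf("key label %q not found in key store", label)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptData models COMPRTN=(exit,DATA): the key field is copied through in
// clear so IMS can still randomize and sequence on it, and only the data
// field is encrypted. Output layout: key || nonce || ciphertext || GCM tag.
// The clear key field is bound into the tag as associated data, so a data
// field cannot be moved to another segment occurrence undetected.
func EncryptData(label string, seg Segment) ([]byte, error) {
	if seg.KeyLen < 0 || seg.KeyLen > len(seg.Raw) {
		return nil, errors.New("key length outside segment bounds")
	}
	aead, err := aeadForLabel(label)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	key := seg.Raw[:seg.KeyLen]
	out := append([]byte{}, key...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, seg.Raw[seg.KeyLen:], key), nil
}

// DecryptData reverses EncryptData. A wrong label, a corrupted data field or
// a key field altered after encryption all fail authentication.
func DecryptData(label string, keyLen int, enc []byte) ([]byte, error) {
	aead, err := aeadForLabel(label)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if keyLen < 0 || len(enc) < keyLen+ns+aead.Overhead() {
		return nil, errors.New("encrypted segment too short")
	}
	key := enc[:keyLen]
	data, err := aead.Open(nil, enc[keyLen:keyLen+ns], enc[keyLen+ns:], key)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, key...), data...), nil
}

// KeyInClear reports whether the stored bytes still start with the clear key
// field, which is what a database browse like slide 38 would show.
func KeyInClear(seg Segment, enc []byte) bool {
	return bytes.HasPrefix(enc, seg.Raw[:seg.KeyLen])
}

func main() {
	// Constructed segment: 8-byte key followed by card-holder style data.
	seg := Segment{KeyLen: 8, Raw: []byte("ACCT00014111111111111111 J SMITH")}
	enc, err := EncryptData("IMS.SEGMENT.AES256", seg)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptData("IMS.SEGMENT.AES256", seg.KeyLen, enc)
	fmt.Printf("key in clear: %v, stored %x\n", KeyInClear(seg, enc), enc)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(dec, seg.Raw), err)
}
```

The clear key field is what lets HDAM randomizing and sequential retrieval keep working after encryption, and it is also why the key itself must not carry sensitive data.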
  39. InfoSphere Guardium Data Encryption
     • Protects sensitive and private data
     • Reduces liability risks
     • Uses the available cryptographic hardware
     • Conforms to the existing z/OS security model
     • Complies with Security and Privacy regulations
     • Implementation at the IMS segment level
     • Implemented using standard IMS procedures and exits
  40. The Smarter (& More Secure) Mainframe (repeat of slide 11)
  41. InfoSphere Guardium S-TAP for IMS
     • DID YOU KNOW…
       • 80% of the largest retail banks in the US, Germany, Japan, and Australia use IMS for their core banking
       • 3M MIPS running IMS
       • 15M GB of production data managed by IMS
       • 50B transactions per day run through IMS
       • 200M Users a day served by IMS
       • >100M IMS transactions a day by one customer on a single system
     • Introducing new S-TAP for collecting IMS DB events
       • Similar packaging to the DB2 S-TAP
       • Order the S-TAP code as z software in ESW
       • Order the Guardium for z Appliance via PPA
     • Regulatory compliance on the mainframe is growing
       • Expanded focus to all mainframe stores that hold sensitive data
  42. Customer Challenges: Auditing events on z/OS
     • Regulatory pressures to demonstrate adequate controls -- especially around privileged users (DBAs, SYSADMINs, etc.)
     • Most z/OS environments have minimal auditing -- requires significant manual effort by DBAs and System Staff
     • RACF sometimes perceived as sufficient security control, but RACF does not:
       − Prevent unauthorized update if the user has authority to the data
       − Prevent access to sensitive data that is not within the scope of their job
       − Capture a granular audit trail of what the user did while accessing the DBMS
     • Does not support Separation of Duties (SoD) and represents security risk and exposure
       − The processes are managed by the staff that is being monitored
  43. InfoSphere Guardium S-TAP for IMS
     • Provides a single unified view and secure audit trail of all database activities – across both mainframe and distributed environments.
       • Enterprise-wide compliance reporting, analytics & forensics
     • May be managed by non-DBAs, thereby supporting SoD.
     • Reduces compliance cost and effort via automated and centralized controls (vs. manual, ad hoc processes)
       • With compliance workflow automation (sign-offs, escalations, …).
     • Based on mainframe technology developed by IBM.
     • Minimal impact on performance.
  44. Non-Invasive, Real-Time Database Security & Monitoring
     • Continuously monitors all database activities (including local access by superusers)
     • Heterogeneous, cross-DBMS solution
     • Does not rely on native DBMS logs
     • Minimal performance impact
     • No DBMS or application changes
     • Supports Separation of Duties
     • Activity logs can't be erased by attackers or DBAs
     • Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
     • Granular, real-time policies & auditing
       • Who, what, when, where, how
     Diagram labels: DB2 & DB2/z; IMS and VSAM
  45. Scalable Multi-Tier Architecture
     Diagram labels: Integration with LDAP, IAM, SIEM, CMDB, change management, …; S-TAP for DB2; S-TAP for IMS; S-TAP for VSAM
  46. InfoSphere Guardium S-TAPs for z/OS V9.0
     • Support for VSAM
       − S-TAP for VSAM
       − Capture VSAM file activity to enhance your z/OS monitoring
       − VSAM security and compliance reporting
     • Support for IMS
       − S-TAP for IMS
       − Monitor policy administration within the Guardium Appliance
       − Real-Time monitoring of IMS events
       − Customizable IMS security and compliance reports
     • Enhanced support for DB2/z
       − S-TAP for DB2
       − Monitor policy administration within the Guardium Appliance
       − Event data is streamed in real-time
       − Customizable DB2 security and compliance reports
     • Support for DB2/z Vulnerability Assessment
  47. InfoSphere Guardium S-TAPs for IMS V9.0 -- Architecture
     (Architecture diagram)
  48. InfoSphere Guardium S-TAPs for IMS – Components…
     • Administration Interface - graphical User Interface enabling the maintenance of user profiles and Appliance definitions; this interface runs on Windows
     • Agent Task - coordinates the collection of data to be audited; maintains communications with the Server and the various collectors and activity monitors of S-TAP; may be configured for multiple IMS systems using shared Recons or multiple IMS systems with unique Recons
     • Server Task - provides communications between the S-TAP components on an LPAR and the Administration interface
     • Common Storage Management Utility - manages and maintains the E/CSA memory containing the active collection profiles and IMS system definitions
     • Repository dataset - a VSAM dataset to store policy configurations and IMS definitions
  49. InfoSphere Guardium S-TAPs for IMS – Components
     • Guardium Appliance - creates, deletes and modifies event collection policies; responsible for the following:
       − A group of rules that define what IMS events will be monitored and reported about
       − Activate and deactivate event collection policies
         • The policies are pushed to the IMS S-TAP, where new and modified policies are (re)installed
         • Any unchanged policies remain in place
       − Report on IMS events being monitored
       − Customize displayed reports for specific user criteria
         • Information displayed may be rearranged, ordered or sorted by differing criteria such as date and time
  50. InfoSphere Guardium S-TAP for IMS Collection Activity
     Databases
     • READ accesses to databases
       • All Reads of IMS DBs and segments using IMS DLI GET calls (GN, GU, GNP, etc.)
     • Changes: INSERT, UPDATE and DELETE calls (REPL, ISRT, DLET)
     • Same for IMS Batch jobs and IMS Online regions
     Segments
     • Ability to audit and report READ, INSERT, UPDATE, and DELETE calls on specific database segments
     • READ and DELETE calls retain the concatenated key of the audited segment
     • UPDATE and INSERT calls retain the concatenated key of the audited segment as well as the segment data, as found in the DLI call I/O area
     You can select which calls to audit per target
     • For example: all databases, all segments, one DB and one segment of the DB
     • Each segment can have different calls audited
     • When a call is to be collected, the relevant information is gathered
       • E.g. call type, userid, PSB name, DB Name, Segment Name, etc.
     • We do not gather the segment search argument
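The collection rules above, as an added example written for this page (not the S-TAP's own code or its policy format): a small Go model of an event-collection policy applied to constructed DL/I calls, retaining the concatenated key for every audited call, the I/O-area data only for INSERT and UPDATE, and never the segment search argument. Database and job names come from the deck's report slides; the Rule and DLICall structures, segment names, PSB names and key values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one constructed policy entry: the DL/I calls to audit for a
// database/segment pair ("*" matches any name).
type Rule struct {
	DBName, Segment string
	Calls           []string
}

// DLICall is a constructed model of one DL/I call as seen by the collector.
type DLICall struct {
	UserID, PSB, JobName, DBName, Segment, Call string
	ConcatKey string // concatenated key of the segment occurrence
	IOArea    string // segment data in the call I/O area
	SSA       string // segment search argument: deliberately never collected
}

// AuditRecord is what is forwarded to the appliance; it has no SSA field on purpose.
type AuditRecord struct {
	Call, UserID, PSB, JobName, DBName, Segment, ConcatKey string
	Data string // populated only for INSERT and UPDATE
}

// callClass maps DL/I call codes to the READ/INSERT/UPDATE/DELETE classes the
// slide names; get-hold variants count as reads.
var callClass = map[string]string{
	"GU": "READ", "GN": "READ", "GNP": "READ", "GHU": "READ", "GHN": "READ",
	"GHNP": "READ", "ISRT": "INSERT", "REPL": "UPDATE", "DLET": "DELETE",
}

func (r Rule) matches(c DLICall) bool {
	if (r.DBName != "*" && !strings.EqualFold(r.DBName, c.DBName)) ||
		(r.Segment != "*" && !strings.EqualFold(r.Segment, c.Segment)) {
		return false
	}
	for _, call := range r.Calls {
		if strings.EqualFold(call, c.Call) {
			return true
		}
	}
	return false
}

// Collect applies the policy to a stream of calls; a call is recorded once even
// if several rules match. READ and DELETE retain the concatenated key, INSERT
// and UPDATE also retain the I/O-area data, and the SSA is never copied.
func Collect(policy []Rule, calls []DLICall) []AuditRecord {
	var out []AuditRecord
	for _, c := range calls {
		class := callClass[strings.ToUpper(c.Call)]
		if class == "" {
			continue // not a database call the collector audits
		}
		for _, r := range policy {
			if !r.matches(c) {
				continue
			}
			rec := AuditRecord{Call: class, UserID: c.UserID, PSB: c.PSB, JobName: c.JobName, DBName: c.DBName, Segment: c.Segment, ConcatKey: c.ConcatKey}
			if class == "INSERT" || class == "UPDATE" {
				rec.Data = c.IOArea
			}
			out = append(out, rec)
			break
		}
	}
	return out
}

// SamplePolicy audits every change to AUECCMDD and reads of one segment of IVPDB1
// (database and job names from the deck's report slides; segment, PSB and keys constructed).
func SamplePolicy() []Rule {
	return []Rule{
		{DBName: "AUECCMDD", Segment: "*", Calls: []string{"ISRT", "REPL", "DLET"}},
		{DBName: "IVPDB1", Segment: "CUSTOMER", Calls: []string{"GU", "GN", "GHU"}},
	}
}

// SampleCalls is a constructed call sequence: BMP job TSTCMDDC, then online work by user PDTEMK.
func SampleCalls() []DLICall {
	bmp := DLICall{UserID: "TSTCMDDC", PSB: "PSBCMDD", JobName: "TSTCMDDC", DBName: "AUECCMDD", Segment: "CMDSEG", ConcatKey: "CMD00042"}
	tx := DLICall{UserID: "PDTEMK", PSB: "PSBIVP1", JobName: "IMS1", DBName: "IVPDB1", Segment: "CUSTOMER", ConcatKey: "CUST0007"}
	c1, c2, c3, c4, c5 := bmp, bmp, bmp, tx, tx
	c1.Call, c1.SSA = "GHU", "CMDSEG (CMDKEY =CMD00042)" // read: rule 1 audits changes only
	c2.Call, c2.IOArea = "REPL", "CMD00042 STATUS=DONE"
	c3.Call = "DLET"
	c4.Call, c4.SSA = "GN", "CUSTOMER"
	c5.Call, c5.ConcatKey, c5.IOArea = "ISRT", "CUST0008", "CUST0008 NEW" // insert: rule 2 audits reads only
	return []DLICall{c1, c2, c3, c4, c5}
}

func main() {
	for _, rec := range Collect(SamplePolicy(), SampleCalls()) {
		fmt.Printf("%-6s %-8s %-8s %-8s key=%s data=%q\n", rec.Call, rec.UserID, rec.DBName, rec.Segment, rec.ConcatKey, rec.Data)
	}
}
```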
  51. 51. Copyrite IBM 201351What IMS “related” data is collected?Access to IMS related information outside the control of IMS services Database datasets * Image copy datasets * IMS log datasets * RECON datasets * RENAMES: records and reports the original DSN and the new DSN User access to the IMS system via SIGNON as recorded in the IMS log PSB and DBD ‘change of state’ activity as recorded in the IMS log• Displayed as an EVENT with pertinent (PSB name, DBD name, DBDname, USERID, etc.• System STOP and START activity as recorded in the IMS log IBM utility access:• from IMS Batch (DLI/DBB/BMP) jobs and IMS Online regions* may be disabled in V9 if desired
  52. 52. Copyrite IBM 201352IMS S-Tap System Monitor view
  53. 53. Copyrite IBM 2013IMS Access ReportHere is shown an IMS BMP job that ran for 2 minutes. A jobname of TSTCMDDC accessed databaseAUECCMDD. You can also see the UserID and the PSB being used by the job. Under IMS Contextcolumn the calls in sequence made to the database are seen.
  54. 54. Copyrite IBM 2013IMS Access Detail ReportsHere is shown an IMS BMP job that ran for 2 minutes. A jobname of TSTCMDDC accessed databaseAUECCMDD. You can also see the UserID and the PSB being used by the job. Under IMS Contextcolumn the calls in sequence made to the database are seen.
  55. 55. Copyrite IBM 2013IMS Data in Reports Using Contextual AttributesHere is shown an IMS BMP job that ran for 2 minutes. A jobname of TSTCMDDC accessed databaseAUECCMDD. You can also see the UserID and the PSB being used by the job. Under IMS Contextcolumn the calls in sequence made to the database are seen.
56. IMS Detail report

User PDTEMK signing into IMS as a user (line 1) using terminal S22T0161 (column Terminal). Then doing some starts/stops of databases and PSBs (lines 2–7). Notice that there is no USERID associated with the DB/PSB stops and starts: IMS does not keep track of who did these. I can't report what is not there.

Lines 8–19 show me issuing transactions IVPNO and IVPFD (column titled Transaction) to add, display and delete some data in databases IVPDB1 and IVPDB3. Column PSB Name indicates which PSBs were used.

Notice lines 16 and 17, which are the OPENs of DEDB IVPDB3, showing both AREAs being opened in the column PART/AREA.

Lines 20–32 show access from outside of IMS, in this case via a DB2 stored procedure using the ODBA connection.
57. IMS SMF Data report

Database (AUEPHD4 and AUEPHD1) datasets being opened for update by user CSIVANA (lines 1–4).
An image copy data set related to database AUEPHD3 being renamed from AUE.ICA1.IC.PHDT31.B00001 to AUE.ICA1X.IC.PHDT31.B00001 (lines 9 and 10).
An IMS SLDS data set being opened for read (lines 15 and 16).
Various RACF access violations (line 25 to the end).
58. InfoSphere Guardium S-TAP for IMS Summary

• Reducing risk by monitoring sensitive data on the mainframe
• Flexible options for user management
• IMS auditing is available
• Integrates with the rest of your database infrastructure
• Integrated workflow, centralized reporting and administration
• IMS applications are not affected
59. InfoSphere Guardium for IMS

Protect the business data from unauthorized use.
Guardium Encryption of IMS data at the segment level uses built-in cryptographic hardware capabilities. Encryption is implemented using standard IMS exits, without the need for application program modifications.

Monitor the sensitive business data for unauthorized access and update.
Guardium S-TAP for IMS provides a versatile capability for tracking and reporting IMS event accesses to sensitive business data.
60. Encryption Reference Section
61. Cryptography on z/OS

Clear Key
– Key is exposed in the storage of the processor
– Can be viewed in a dump of storage
– If correctly interpreted, can expose data
– Sometimes acceptable for short-lived keys with other constraints
– Used in software-based cryptography
– Used by CPACF

Secure Key
– Key is only ever exposed within the bounds of a secure processor
– Can never be seen in storage
– A dump will not reveal the key
– Key is held encrypted under the Master Key
– Crypto Express 2/3 (configured as CEX2/3C) provides this function for System z

Fee-based option
– APIs available via Integrated Cryptographic Support Facility (ICSF)
– Can be used from Java on the z/OS platform
62. CKDS – Cryptographic Key Dataset

• Key element of the IBM encryption solution on z/OS
• VSAM Key Sequenced Dataset
• Contents are ICSF-generated, encrypted data keys
• Accessed by ICSF API and services
  − Key label (known by the application requestor) is used to find the key record in the CKDS
• Copy of the CKDS cached in operating system storage at first ICSF invocation, for performance
  − Refreshable
• CKDS administration performed using ICSF services and ISPF interfaces
• Use of specific individual keys can be controlled via RACF profiles and permissions
• CEX2/3C hardware feature required for use
  − Unless with a combination of HCR7751 or greater and clear key only; then CEX2/3C is optional
63. IMS Data Encryption for IMS and DB2 Databases

The following restrictions apply:
• An IMS segment can be associated with only one Segment Edit/Compression exit. If your IMS segment is already associated with a non-IBM Segment Edit/Compression exit and you want to implement Data Encryption for IMS and DB2 Databases, you must code an alternative solution for your existing exit.
• HIDAM index databases cannot be encrypted (the IMS DBD COMPRTN parameter does not allow index databases to be specified on the Segment Edit/Compression exit).

Administrators of data governance should consider the following points:
• When you install and initialize ICSF, consider setting the CHECKAUTH installation option to NO. Setting CHECKAUTH to YES adds considerable CPU path length. Setting KEYAUTH to YES also adds CPU path length.
• Depending on your security requirements, you can define different encryption key labels for as many segments as you need. (Encryption key labels are set up by your security analyst.) A separate exit must be built for each encryption key label that you define. Note that you need to balance your security requirements against the increased maintenance of multiple exits.
• The first time that you use Segment Edit/Compression exits at your installation, your system programmer needs to provide APF authorization for the Segment Edit/Compression EXITLIB. If you are already using Segment Edit/Compression exits, you need to ensure that they reside in an APF-authorized EXITLIB.
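The CKDS key-label lookup of slide 62 and the per-key-label Segment Edit/Compression exit of slide 63 can be sketched as one small model: the application never holds a key, only a label; the key record sits in the CKDS wrapped under a master key that exists only inside the secure boundary; RACF-style permissions gate each label; and the exit encrypts the DL/I I/O area on ISRT/REPL and decrypts it on GET calls with no application change. This is an added illustration, not ICSF, Guardium or IMS code, and it substitutes an HMAC-SHA256 keystream for the hardware AES, with constructed segment names, key labels and userids.

```python
import hashlib
import hmac
import os

# Stand-in for the CPACF/CEX hardware AES the slides describe (stdlib has no
# AES): an HMAC-SHA256 keystream XORed over the data, so encrypt and decrypt
# are the same operation. Used for key wrapping and for segment data.
def _ks_xor(key, iv, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class SecureKeyBoundary:
    """Model of ICSF + CEX2/3C: master key and unwrapped data keys live only here."""

    def __init__(self):
        self._master_key = os.urandom(32)  # never leaves the boundary
        self._ckds = {}                    # CKDS model: label -> iv || wrapped key
        self._racf = {}                    # RACF model: label -> permitted userids

    def generate_key(self, label, permitted):
        iv = os.urandom(16)
        self._ckds[label] = iv + _ks_xor(self._master_key, iv, os.urandom(32))
        self._racf[label] = set(permitted)

    def _unwrap(self, label, userid):
        if userid not in self._racf.get(label, set()):  # RACF profile check
            raise PermissionError(f"{userid} not permitted to use key {label}")
        rec = self._ckds[label]                           # lookup by key label
        return _ks_xor(self._master_key, rec[:16], rec[16:])

    def encrypt(self, label, userid, data):
        iv = os.urandom(16)
        return iv + _ks_xor(self._unwrap(label, userid), iv, data)

    def decrypt(self, label, userid, blob):
        return _ks_xor(self._unwrap(label, userid), blob[:16], blob[16:])


# Constructed mapping: one exit per key label, as slide 63 requires. The exit
# transforms the I/O area on the way to and from the database; the program is unchanged.
SEGMENT_KEY_LABELS = {"CUSTOMER": "IMS.CUST.KEY", "PAYMENT": "IMS.PAY.KEY"}

def segment_exit(icsf, segment, userid, io_area, call):
    label = SEGMENT_KEY_LABELS[segment]
    if call in ("ISRT", "REPL"):   # store path: encrypt before the write
        return icsf.encrypt(label, userid, io_area)
    return icsf.decrypt(label, userid, io_area)  # GU/GN/GNP: decrypt on read
```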
64. Details About Clear Key Versus Secure Key Performance

• Clear key elapsed time performance is much better than secure key.
• Secure key (performed inside the CEX2C) is generally viewed as more secure from a cryptographic perspective.
• Clear key uses special instructions that run on the z9–z10 general purpose processors, so performance is measured in milliseconds.
• Secure key encryption is dispatched to run on the cryptographic coprocessors on the CEX2C crypto feature. This tends to be measured in microseconds, as this is essentially an I/O operation.
• Secure key elapsed time measurements (depending on workload and type) can be from 10x to 40x more than clear key.
• Secure key is probably NOT appropriate for most (to date, all) OLTP workloads, but each customer needs to make this encryption decision based on their security requirements and performance expectations.