Midwest IMS RUG 09_2013 - Guardium for IMS.pdf

Transcript

  • 1. IMS and InfoSphere Guardium. Dennis Eichelberger, IT Specialist, IMS Advanced Technical Skills, deichel@us.ibm.com. © 2013 IBM Corporation.
  • 2. Topics
    - What business needs are driving data protection
    - Introduction to data protection terminology
    - An encryption solution from IBM for IMS databases
    - An auditing and access monitoring solution for IMS data
  • 3. The Primary Source of Breached Data Is Database Servers
    - Chart: source of records breached (2012), as % of records breached. Database server 96%; web/app server 80%; desktop/workstation 34%; mail server 2%; regular employee/end-user 1%; POS server 1%; all other sources <1%. A breach can involve more than one asset, so the percentages overlap and do not sum to 100%.
    - Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
  • 4. LensCrafters -- Mainframe Breach
    - Luxottica Group S.p.A. owns the LensCrafters chain and is the world's largest supplier of high-end eyewear (brands include Ray-Ban, Prada, Versace, Dolce & Gabbana, Donna Karan and Polo Ralph Lauren)
    - Personally Identifiable Information (PII) for 59,419 employees was stolen, with victims in all 50 states
    - "Generally, mainframes are not accessible to the Internet, so the hacker most likely had to compromise other systems internally before getting to the mainframe," said Chris Petersen, a former IT auditor with Price Waterhouse and Ernst & Young.
    - "As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have had a significant impact on security." (SearchCompliance.com)
    - Sources: http://www.internetnews.com/security/article.php/3787431/Mainframe+Breach+at+LensCrafters+Parent+Hits+59K.htm ; http://privacy.wi.gov/databreaches/2008/nov08.jsp
  • 5. TJX Companies -- Security Breach
    - Parent company of T.J. Maxx, HomeGoods, Marshalls, etc.
    - A security breach originally reported to have occurred in May 2006 was not discovered until December of the same year
    - A forensic investigation by IBM and General Dynamics showed the breach may have begun as early as July 2005
    - How much did the breach cost TJX Companies? Initial estimate: $4.5B ($100 per stolen record, for about 45.6M card numbers); later estimates ran up to $300 per stolen record
    - Sources: http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever ; https://www.braintreepayments.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach ; http://www.informationweek.com/news/199203277 ; SearchCompliance.com
  • 6. Certegy -- an Insider Tale
    - Certegy is a subsidiary of Fidelity National Information Services that provides check authorization and check cashing services, partly for the gaming industry
    - A senior DBA sold 8.5 million customer records (names, addresses, birth dates, bank account and credit card information) to a data broker for $580K
    - The data theft came to light after a retailer reported a correlation between its transactions and the marketing offers its customers then received
    - Certegy engaged the U.S. Secret Service, which found the data had come from a separate company owned by the Certegy DBA
    - "Why did it take Certegy more than five years to find out that confidential consumer information was being sucked out of its database?" (St. Petersburg Times)
    - Sources: http://www.sptimes.com/2007/11/15/news_pf/Northpinellas/Largo_man_stole_data_.shtml ; http://www.prnewswire.com
  • 7. Certegy -- an Insider Tale (cont'd)
    - Settled a class-action suit for $4 million, plus $975,000 in fines from the Attorney General, a mandatory security audit every year, and 2 years of credit monitoring services ($180 per customer)
    - The rogue DBA was sentenced to nearly 5 years in prison
    - Sources: same as slide 6
  • 8. Other Real-World Examples of Insider Threats
    - Unauthorized changes to financial data: a DBA accidentally deleted a critical financial table during production hours (doing a favor for an application developer and bypassing the change process); an outsourcer erased the logs showing he made changes during the day (because it was more convenient than at night)
    - Theft of sensitive data: departing employees stealing design information and other intellectual property; DBAs and outsourcers selling customer information to competitors and crime syndicates
    - Internal fraud: mortgage processor -- an insider changed credit scores to make loans look better; mobile telecom -- an insider created and sold pre-paid phone cards; electric utility -- an insider gave free service to friends and family under a low-income assistance program; health provider -- an insider sold medical identities for insurance fraud
  • 9. The Smarter (and More Secure) Mainframe
    - 71% of the Global 500 run on mainframes, including 100% of the world's top 50 banks and 22 of the top 25 retailers
    - Unique IT value proposition: efficiency, utilization and server consolidation; proven reliability, availability and quality of service; z/OS with IMS, SAP, WebSphere, InfoSphere Warehouse, Cognos 8 BI, ...; z/VM and Linux with Oracle, MySQL, Cognos, ...; virtualization
    - Robust security model: built-in encryption with hardware acceleration; z LPAR hosting is the only server with Common Criteria EAL5 certification; z/OS, RACF and Tivoli zSecure Audit protect access to system resources (CICS, DB2, IMS, ...)
  • 10. Data Protection Drivers
    - Industry compliance
    - Regulatory compliance
    - Information governance
  • 11. Industry Compliance Driving Data Protection
    - PCI "Payment Card Industry" compliance: worldwide accepted standards that protect against credit card fraud; requires adaptation of business controls to protect against compromising sensitive data
    - Examples of the standard's requirements: protect stored cardholder data; restrict access to cardholder data on a business "need-to-know" basis; restrict physical access to cardholder data
  • 12. Industry Compliance Driving Data Protection (cont'd)
    - PCI DSS requires the primary account number (PAN) to be rendered unreadable wherever it is stored (strong encryption, truncation, tokenization or strong one-way hashing); the other cardholder data elements (cardholder name, expiration date, service code) must be protected, and full track data, CVV2 and PIN data may not be stored at all after authorization
    - Other personal data such as addresses and Social Security numbers fall outside PCI DSS and under the privacy and breach-notification regulations on the next slide
    - Compressed data is not acceptable as data encryption
  • 13. Regulatory Compliance Driving Data Protection
    - Basel III (2010-2011): measurement of total banking risk based on capital adequacy, stress tests and market liquidity risk
    - Sarbanes-Oxley Act (2002): strengthen financial reporting and internal controls by fixing responsibility within a company's management
    - HIPAA (1996): provide national standards for electronic health care records, secure those medical records, and prove how they have been used and by whom
    - Patriot Act (2001): prevent use of the financial system to support illegal activities, particularly terrorism
    - Various anti-money laundering (AML) regulations: prevent the laundering of money derived from illegal activities
    - Gramm-Leach-Bliley Act (1999): protection of personally identifiable financial information
  • 14. Data Protection - Not Just an Activity for One Group. Initial concerns and questions:
    - What is the right database encryption solution?
    - Would the application need to be modified?
    - Would application performance be impacted?
    - Which group will own key management?
    - What is the security team's role? The audit team's? The IMS systems programmer's? The DBA's?
  • 15. Focal Areas for a Strong Security Strategy
    - Encrypting the data: reduce the liability even if data is accessed; encryption reduces the usability of that data
    - Monitoring access to the data: have visibility into data access; identify who accessed data and when it was accessed or updated
  • 16. What is Encryption?
    - Data that is not encrypted is referred to as "clear text"
    - Clear text is encrypted by processing it with a "key" and an encryption algorithm; several standard algorithms exist, including DES, TDES and AES
    - Keys are bit strings that vary in length; for example AES supports 128-, 192- and 256-bit keys
  • 17. What is Encryption? (cont'd)
    - Encryption is a process in which clear text is converted using a known ALGORITHM (AES, DES, TDES)
    - A key is used in the encryption process to produce CIPHERTEXT, and can be either a clear key or a secure key (see slide 23)
  • 18. Encryption is a technique used to help protect data from unauthorized access. Diagram: encryption process: clear text + key -> encryption algorithm (e.g. AES) -> ciphertext (encrypted data); decryption process: ciphertext + key -> the same algorithm -> clear text.
  • 19. Encryption Algorithms - Which Ones Are Best?
    - DES (Data Encryption Standard): 56-bit key, viewed as weak and generally unacceptable today by NIST
    - TDES (Triple Data Encryption Standard): 112-bit effective key with two keys (128 bits of keying material including parity bits) or 168-bit with three keys; widely accepted at the time of this deck
    - AES (Advanced Encryption Standard): 128-, 192- or 256-bit key; newest commercially used algorithm
    - What is acceptable? DES is viewed as unacceptable; TDES was viewed as acceptable and compliant with NIST (National Institute of Standards and Technology) in 2013; AES 128 or 256 is viewed as acceptable and strategic
    - NIST SP 800-131A has since deprecated TDEA: two-key TDEA was disallowed for encryption after 2015 and three-key TDEA after 2023, so choose AES for any new encryption exit
  • 20. Encryption Algorithms - Which Ones Are Best? (cont'd) For more information:
    - TDES: NIST Special Publication 800-67 Rev. 1, "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher", http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
    - AES: NIST FIPS Publication 197, "Announcing the Advanced Encryption Standard (AES)", http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
  • 21. Integrated Cryptographic Service Facility (ICSF)
    - Provides z/OS integrated software support for data encryption
    - Operating system software API to the cryptographic hardware (CEX2C/CEX3C feature)
    - Enhanced key management for key creation and distribution: public and private keys; secure and clear keys; master keys
    - Created keys are stored in and accessed from the Cryptographic Key Data Set (CKDS) by a unique key label; the CKDS itself is protected through the System Authorization Facility (SAF), i.e. RACF or an equivalent
    - See the Reference Section of this presentation for more details
  • 22. What are Encryption Keys?
    - Master keys: used to generate, encrypt and store user keys in the CKDS (Cryptographic Key Data Set); loaded into the CEX2C/CEX3C hardware and stored nowhere else
    - User keys (data-encrypting keys): generated via ICSF services; stored inside the CKDS; public or private; clear or secure; used by the IBM InfoSphere Guardium Encryption Tool together with the encryption algorithm to convert user data to ciphertext
  • 23. Cryptography on z/OS
    - Clear key: the key is exposed in processor storage and can be viewed in a storage dump; if correctly interpreted it can expose the data; sometimes acceptable for short-lived keys with other constraints; used in software-based cryptography and by CPACF
    - Secure key: the key is only ever exposed inside the bounds of a secure (tamper-responding) processor; it is never seen in storage and a dump will not reveal it; it is held encrypted under the master key; Crypto Express 2/3 (configured as CEX2C/CEX3C) provides this function for System z
    - Fee-based option: APIs are available via the Integrated Cryptographic Service Facility (ICSF) and can be used from Java on the z/OS platform
  • 24. Encryption in a Nutshell: how can you, as an IMS support person, achieve this?
  • 25. InfoSphere Guardium Data Encryption for DB2 and IMS Databases
    - InfoSphere Guardium Data Encryption protects sensitive and private information, minimizing the liability risks associated with information governance
    - High performance and low overhead by using the available cryptographic hardware
    - Uses the major encryption algorithms
    - Conforms to the existing z/OS security model
    - Complies with security and privacy regulations
    - Implementation at the IMS segment level
    - No changes to application programs
  • 26. InfoSphere Guardium Data Encryption for DB2 and IMS Databases. To create an exit that encrypts and decrypts IMS data, the tool can be implemented in one of two ways:
    - 1) Through JCL. The product provides sample jobs whose JCL can be modified to meet your needs for encrypted IMS databases. These jobs are found in the distribution libraries: DECIMSSK (IMS secure key); DECIMSCK (clear key DES); DECIMSCB (clear and secure key AES); DECIMSDV (driver exit for a compressed and encrypted IMS segment); DECIMSJB (IMS clear key)
    - 2) Using the ISPF interface. ISPF panels are presented to create customized jobs for encrypting non-compressed and compressed IMS database segments.
  • 27. InfoSphere Guardium Data Encryption for DB2 and IMS Databases - implementation steps
    - Create an encryption key
    - Create an encryption exit
    - Unload the database to be encrypted
    - Generate and install the DBD with the encryption exit
    - Reload the database using the new DBD
  • 28. InfoSphere Guardium Data Encryption - ISPF Main Menu. Selections: 1 = create an encryption exit that will be used standalone, that is, without co-existence with a compression routine; 2 = create both an encryption exit and a driver module that calls an existing compression routine and then the encryption exit
  • 29. InfoSphere Guardium Data Encryption - ISPF Definition for Creating an Encryption Exit. Panel fields: CSF lib = installation encryption dataset; ZAP lib = dataset containing the AMASPZAP program; SMP lib = Guardium load dataset; EXIT lib = load dataset for the encryption exit; Exit Name = load module name for the encryption exit (the encryption routine is called DSECRYPT); IMS clear key selected; the usual job card; the label (name) of the encryption key previously created by a security administrator
  • 30. InfoSphere Guardium Data Encryption - ISPF Definition for Creating an Encryption Exit. ISPF-created link job for encryption exit creation (step 1); the encryption routine is called DSECRYPT
  • 31. InfoSphere Guardium Data Encryption - ISPF Creating the Zap Job for the Encryption Exit Key. The AMASPZAP job zaps the label of the encryption key used by the DSECRYPT exit into the exit load module
  • 32. InfoSphere Guardium Data Encryption - DBD Definition with the Encryption Exit. The COMPRTN parameter naming the DSECRYPT exit is added to the DBD source to invoke encryption; note that only the segment DATA is encrypted here, so the sequence field stays in the clear and IMS can still locate the segment
  • 33. InfoSphere Guardium Data Encryption - Browse of an IMS HDAM Database with Clear Data (screenshot: the clear data is visible in the dataset)
  • 34. Implementation steps (cont'd): unload the database; generate and install the DBD with the encryption exit; reload the database using the new DBD
  • 35. InfoSphere Guardium Data Encryption - Browse of the IMS HDAM Database with Encrypted Data (screenshot: the same dataset now shows encrypted data)
  • 36. InfoSphere Guardium Data Encryption
    - Protects sensitive and private data
    - Reduces liability risks
    - Uses the available cryptographic hardware
    - Conforms to the existing z/OS security model
    - Complies with security and privacy regulations
    - Implementation at the IMS segment level
    - Implemented using standard IMS procedures and exits
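The segment-level exit that slides 26 to 35 walk through can be modelled in a few dozen lines. The Go program below is an added example, not Guardium's or IBM's code: it simulates a Segment Edit/Compression exit built for the DATA option. The key label is resolved in a map that stands in for the CKDS (a clear-key simulation; the real CKDS hands secure keys only to the coprocessor), the sequence field is left in the clear so IMS can still randomize and search on it, and only the data after it is enciphered. The cipher (AES-256-GCM), the stored layout (key, then nonce, then ciphertext and tag) and the key label IMS.CUST.AES256 are assumptions of the example and not the product's format; the sample segment is constructed. Passing the key field as additional authenticated data goes one step beyond what the slides describe: it stops ciphertext that is moved under a different key field from decrypting cleanly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Segment models an IMS segment as a Segment Edit/Compression exit sees it:
// the sequence (key) field followed by the rest of the segment data.
type Segment struct {
	Key  []byte
	Data []byte
}

// ckds stands in for the ICSF CKDS: key label -> 256-bit AES key.
// Assumption: a clear-key simulation; the real CKDS holds secure keys
// wrapped under the master key and hands them only to the coprocessor.
var ckds = map[string][]byte{}

func init() {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	ckds["IMS.CUST.AES256"] = k // hypothetical key label, as a security admin would create
}

// openExit resolves the key label zapped into the exit to a usable cipher.
func openExit(label string) (cipher.AEAD, error) {
	k, ok := ckds[label]
	if !ok {
		return nil, fmt.Errorf("key label %q not found in CKDS", label)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSegment is the "compress" path of an exit built for COMPRTN=(DSECRYPT,DATA):
// the key field is stored in the clear so IMS can still locate the segment, and
// only the data after it is enciphered. The key field is bound in as AAD so that
// ciphertext cannot be moved under another segment's key and still decrypt.
// Stored image (an assumption of this example): key || nonce || ciphertext+tag.
func encryptSegment(aead cipher.AEAD, seg Segment) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(seg.Key)+len(nonce)+len(seg.Data)+aead.Overhead())
	out = append(out, seg.Key...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, seg.Data, seg.Key), nil
}

// decryptSegment is the "expand" path; keyLen is the sequence-field length
// the DBD defines, which tells the exit where the clear key field ends.
func decryptSegment(aead cipher.AEAD, keyLen int, stored []byte) (Segment, error) {
	ns := aead.NonceSize()
	if len(stored) < keyLen+ns+aead.Overhead() {
		return Segment{}, errors.New("stored segment image too short")
	}
	key := stored[:keyLen]
	nonce := stored[keyLen : keyLen+ns]
	data, err := aead.Open(nil, nonce, stored[keyLen+ns:], key)
	if err != nil {
		return Segment{}, err // wrong key, tampering, or key field swapped
	}
	return Segment{Key: append([]byte(nil), key...), Data: data}, nil
}

// browseShowsPlaintext mimics browsing the database dataset (slides 33 and 35):
// true if the clear data is visible in the stored image.
func browseShowsPlaintext(stored, clear []byte) bool {
	return bytes.Contains(stored, clear)
}

func main() {
	aead, err := openExit("IMS.CUST.AES256")
	if err != nil {
		panic(err)
	}
	// Constructed sample: an 8-byte customer number key followed by cardholder data.
	seg := Segment{Key: []byte("C0001234"), Data: []byte("ANNE EXAMPLE 4111111111111111 1216")}
	stored, err := encryptSegment(aead, seg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored image: %q\n", stored)
	fmt.Println("browse shows clear data:", browseShowsPlaintext(stored, seg.Data))
	back, err := decryptSegment(aead, len(seg.Key), stored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("after exit expand: %s | %s\n", back.Key, back.Data)
}
```

Running it shows the customer number in the clear at the front of the stored image and the cardholder data unreadable, which is what the two browse screenshots (slides 33 and 35) contrast. Because GCM adds a nonce and a tag, the stored segment grows by 28 bytes; a real exit for fixed-length segments has to account for that growth in the DBD, which is one reason the product separates the unload, DBD regeneration and reload steps.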
  • 37. InfoSphere Guardium S-TAP for IMS
    - Did you know: 80% of the largest retail banks in the US, Germany, Japan and Australia use IMS for their core banking; 3M MIPS run IMS; 15M GB of production data is managed by IMS; 50B transactions per day run through IMS; 200M users a day are served by IMS; one customer runs >100M IMS transactions a day on a single system
    - Introducing the new S-TAP for collecting IMS DB events: similar packaging to the DB2 S-TAP; order the S-TAP code as z software in ESW; order the Guardium for z appliance via PPA
    - Regulatory compliance on the mainframe is growing, with an expanded focus on all mainframe stores that hold sensitive data
  • 38. Customer Challenges: Auditing Events on z/OS
    - Regulatory pressure to demonstrate adequate controls, especially around privileged users (DBAs, SYSADMINs, etc.)
    - Most z/OS environments have minimal auditing; it requires significant manual effort by DBAs and system staff
    - RACF is sometimes perceived as a sufficient security control, but RACF does not: prevent an unauthorized update if the user has authority to the data; prevent access to sensitive data that is outside the scope of the user's job; capture a granular audit trail of what the user did while accessing the DBMS
    - Such a setup does not support Separation of Duties (SoD) and represents a security risk and exposure, because the processes are managed by the very staff being monitored
  • 39. InfoSphere Guardium S-TAP for IMS
    - Provides a single unified view and secure audit trail of all database activities, across both mainframe and distributed environments: enterprise-wide compliance reporting, analytics and forensics
    - May be managed by non-DBAs, thereby supporting SoD
    - Reduces compliance cost and effort via automated and centralized controls (vs. manual, ad hoc processes), with compliance workflow automation (sign-offs, escalations, ...)
    - Based on mainframe technology developed by IBM
    - Minimal impact on performance
  • 40. Non-Invasive, Real-Time Database Security and Monitoring (DB2 and DB2 for z/OS, IMS and VSAM)
    - Continuously monitors all database activities (including local access by superusers)
    - Heterogeneous, cross-DBMS solution; does not rely on native DBMS logs
    - Minimal performance impact; no DBMS or application changes
    - Supports Separation of Duties; activity logs can't be erased by attackers or DBAs
    - Automated compliance reporting, sign-offs and escalations (SOX, PCI, NIST, etc.)
    - Granular, real-time policies and auditing: who, what, when, where, how
  • 41. Scalable Multi-Tier Architecture: S-TAP for DB2, S-TAP for IMS and S-TAP for VSAM feed the appliance; integration with LDAP, IAM, SIEM, CMDB, change management, ...
  • 42. InfoSphere Guardium S-TAPs for z/OS V9.0
    - Support for VSAM: S-TAP for VSAM; capture VSAM file activity to enhance z/OS monitoring; VSAM security and compliance reporting
    - Support for IMS: S-TAP for IMS; monitor policy administration within the Guardium appliance; real-time monitoring of IMS events; customizable IMS security and compliance reports
    - Enhanced support for DB2 for z/OS: S-TAP for DB2; monitor policy administration within the Guardium appliance; event data is streamed in real time; customizable DB2 security and compliance reports
    - Support for DB2 for z/OS Vulnerability Assessment
  • 43. InfoSphere Guardium S-TAP for IMS V9.0 -- Architecture (diagram)
  • 44. InfoSphere Guardium S-TAP for IMS - Components
    - Administration interface: graphical user interface for maintaining user profiles and appliance definitions; runs on Windows
    - Agent task: coordinates the collection of data to be audited; maintains communications with the server task and the various collectors and activity monitors of the S-TAP; may be configured for multiple IMS systems sharing RECONs or multiple IMS systems with unique RECONs
    - Server task: provides communications between the S-TAP components on an LPAR and the administration interface
    - Common storage management utility: manages and maintains the E/CSA memory containing the active collection profiles and IMS system definitions
    - Repository dataset: a VSAM dataset storing policy configurations and IMS definitions
  • 45. InfoSphere Guardium S-TAP for IMS - Components (cont'd)
    - Guardium appliance: creates, deletes and modifies event collection policies, each a group of rules defining which IMS events will be monitored and reported
    - Activates and deactivates event collection policies: policies are pushed to the IMS S-TAP, where new and modified policies are (re)installed and any unchanged policies remain in place
    - Reports on the IMS events being monitored; displayed reports can be customized for specific user criteria (information may be rearranged, ordered or sorted by criteria such as date and time)
  • 46. InfoSphere Guardium S-TAP for IMS Collection Activity
    - Databases: READ accesses, i.e. all reads of IMS DBs and segments using IMS DL/I GET calls (GN, GU, GNP, etc.); changes, i.e. INSERT, UPDATE and DELETE calls (ISRT, REPL, DLET); the same for IMS batch jobs and IMS online regions
    - Segments: ability to audit and report READ, INSERT, UPDATE and DELETE calls on specific database segments; READ and DELETE calls retain the concatenated key of the audited segment; UPDATE and INSERT calls retain the concatenated key of the audited segment as well as the segment data as found in the DL/I call I/O area
    - You can select which calls to audit per target, for example all databases, all segments, or one DB and one segment of that DB; each segment can have different calls audited
    - When a call is to be collected, the relevant information is gathered, e.g. call type, userid, PSB name, DB name, segment name, etc.; the segment search argument (SSA) is not gathered
  • 47. What IMS "related" data is collected? Access to IMS-related information outside the control of IMS services:
    - Database datasets, image copy datasets, IMS log datasets and RECON datasets (collection of each of these may be disabled in Guardium V9 if desired)
    - RENAMEs: records and reports the original DSN and the new DSN
    - User access to the IMS system via SIGNON, as recorded in the IMS log
    - PSB and DBD "change of state" activity as recorded in the IMS log, displayed as an EVENT with pertinent data (PSB name, DBD name, USERID, etc.)
    - System STOP and START activity as recorded in the IMS log
    - IBM utility access from IMS batch (DLI/DBB/BMP) jobs and IMS online regions
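Slides 46 and 47 describe what the S-TAP collects per call and what it deliberately leaves out. The Go program below is an added example, not S-TAP or Guardium code: it applies a per-target collection policy of the kind slide 46 describes (which of READ, INSERT, UPDATE and DELETE to audit for a given database and segment) to a constructed stream of DL/I call events, retains the concatenated key for every audited call and the I/O area only for ISRT and REPL, never copies the SSA, and then runs one detection that slide 38 motivates: non-read calls against audited segments made by privileged users from batch DL/I jobs, outside the application's online path. The event fields, policy format, user IDs, PSB and database names are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one DL/I call as the collector sees it (constructed model, not the S-TAP record layout).
type Event struct {
	Call      string // DL/I function code: GU, GN, GNP, ISRT, REPL, DLET, ...
	UserID    string
	PSB       string
	DB        string
	Segment   string
	JobType   string // BATCH (DLI/DBB), BMP, or ONLINE
	ConcatKey string // concatenated key of the segment touched
	IOArea    string // segment image in the call's I/O area (meaningful for ISRT/REPL)
	SSA       string // segment search argument: present on the call, never collected
}

// AuditRecord is what is retained per audited call: key always, data only for INSERT/UPDATE.
type AuditRecord struct {
	Action, UserID, PSB, DB, Segment, JobType, ConcatKey, SegmentData string
}

// Policy maps a target "DB/SEGMENT" (either part may be "*") to the actions to audit.
type Policy map[string]map[string]bool

// action folds DL/I function codes into the four logical actions a policy names.
func action(call string) string {
	switch strings.ToUpper(call) {
	case "GU", "GN", "GNP", "GHU", "GHN", "GHNP":
		return "READ"
	case "ISRT":
		return "INSERT"
	case "REPL":
		return "UPDATE"
	case "DLET":
		return "DELETE"
	}
	return "" // CHKP, XRST, message calls, ...: not a database access
}

// actions returns the most specific matching rule set: DB/SEG, then DB/*, then */*.
func (p Policy) actions(db, seg string) map[string]bool {
	for _, target := range []string{db + "/" + seg, db + "/*", "*/*"} {
		if a, ok := p[target]; ok {
			return a
		}
	}
	return nil // indexing a nil map yields false, i.e. "do not audit"
}

// collect applies the policy and keeps exactly what slide 46 says is retained.
func collect(p Policy, events []Event) []AuditRecord {
	var out []AuditRecord
	for _, e := range events {
		act := action(e.Call)
		if act == "" || !p.actions(e.DB, e.Segment)[act] {
			continue
		}
		r := AuditRecord{Action: act, UserID: e.UserID, PSB: e.PSB, DB: e.DB,
			Segment: e.Segment, JobType: e.JobType, ConcatKey: e.ConcatKey}
		if act == "INSERT" || act == "UPDATE" {
			r.SegmentData = e.IOArea
		}
		out = append(out, r) // e.SSA is intentionally not copied
	}
	return out
}

// privilegedBatchWrites is one detection over the trail: a DBA or sysprog changing
// an audited segment from a batch DL/I job rather than through the online application.
func privilegedBatchWrites(recs []AuditRecord, privileged map[string]bool) []AuditRecord {
	var hits []AuditRecord
	for _, r := range recs {
		if privileged[r.UserID] && r.JobType == "BATCH" && r.Action != "READ" {
			hits = append(hits, r)
		}
	}
	return hits
}

// samplePolicy and sampleEvents are constructed inputs; all names are hypothetical.
func samplePolicy() Policy {
	return Policy{
		"IVPDB1/A1111111": {"READ": true, "UPDATE": true, "DELETE": true},
		"IVPDB3/*":        {"INSERT": true, "DELETE": true},
		"*/*":             {"DELETE": true},
	}
}

func sampleEvents() []Event {
	return []Event{
		{Call: "GU", UserID: "APPUSR1", PSB: "IVPPSB1", DB: "IVPDB1", Segment: "A1111111", JobType: "ONLINE", ConcatKey: "0001", SSA: "A1111111(A1111111 =0001)"},
		{Call: "REPL", UserID: "DBA01", PSB: "IVPPSB1", DB: "IVPDB1", Segment: "A1111111", JobType: "BATCH", ConcatKey: "0001", IOArea: "0001LAST FIRST  MEDICAL"},
		{Call: "GN", UserID: "APPUSR1", PSB: "IVPPSB3", DB: "IVPDB3", Segment: "B1111111", JobType: "ONLINE", ConcatKey: "0002"},
		{Call: "DLET", UserID: "DBA01", PSB: "IVPPSB3", DB: "IVPDB3", Segment: "B1111111", JobType: "BMP", ConcatKey: "0002"},
		{Call: "ISRT", UserID: "APPUSR2", PSB: "IVPPSB3", DB: "IVPDB3", Segment: "B1111111", JobType: "ONLINE", ConcatKey: "0003", IOArea: "0003NEW ROW"},
		{Call: "CHKP", UserID: "APPUSR2", PSB: "IVPPSB3", JobType: "BMP"},
		{Call: "DLET", UserID: "APPUSR1", PSB: "CUSTPSB", DB: "CUSTDB", Segment: "ADDR", JobType: "ONLINE", ConcatKey: "C0001"},
	}
}

func main() {
	recs := collect(samplePolicy(), sampleEvents())
	for _, r := range recs {
		fmt.Printf("%-6s %-8s %-8s %s/%s key=%s data=%q\n", r.Action, r.UserID, r.PSB, r.DB, r.Segment, r.ConcatKey, r.SegmentData)
	}
	for _, h := range privilegedBatchWrites(recs, map[string]bool{"DBA01": true}) {
		fmt.Printf("ALERT: privileged batch %s by %s on %s/%s key=%s\n", h.Action, h.UserID, h.DB, h.Segment, h.ConcatKey)
	}
}
```

Of the seven constructed calls, five are audited: the GN on IVPDB3 is dropped because the IVPDB3/* rule audits only INSERT and DELETE, and the CHKP is not a database access at all. The one alert is the DBA's batch REPL, and its record carries the I/O area, which is how an auditor later sees what the value was changed to. The BMP DLET by the same DBA is collected but not alerted, which is the kind of tuning (what counts as "outside the application") a real policy spends most of its rules on.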
  • 48. IMS S-TAP System Monitor view (screenshot)
  • 49. IMS Access Report. Shown is an IMS BMP job that ran for 2 minutes: jobname TSTCMDDC accessed database AUECCMDD. The UserID and the PSB used by the job are also visible; the IMS Context column shows, in sequence, the calls made to the database.
  • 50. IMS Access Detail Reports (screenshot; the same TSTCMDDC / AUECCMDD job as slide 49)
  • 51. IMS Data in Reports Using Contextual Attributes (screenshot; the same TSTCMDDC / AUECCMDD job as slide 49)
  • 52. IMS Detail report. User PDTEMK signs into IMS (line 1) using terminal S22T0161 (Terminal column), then does some starts and stops of databases and PSBs (lines 2-7). Notice that there is no USERID associated with the DB/PSB stops and starts: IMS does not record who issued these, and the S-TAP cannot report what is not there. Lines 8-19 show the user issuing transactions IVPNO and IVPFD (Transaction column) to add, display and delete data in databases IVPDB1 and IVPDB3; the PSB Name column indicates which PSBs were used. Lines 16 and 17 are the OPENs of DEDB IVPDB3 and show both AREAs being opened in the PART/AREA column. Lines 20-32 show access from outside IMS, in this case from a DB2 stored procedure using the ODBA connection.
  • 53. IMS SMF Data report. Database datasets (for AUEPHD4 and AUEPHD1) being opened for update by user CSIVANA (lines 1-4); an image copy dataset for database AUEPHD3 being renamed from AUE.ICA1.IC.PHDT31.B00001 to AUE.ICA1X.IC.PHDT31.B00001 (lines 9 and 10); an IMS SLDS dataset being opened for read (lines 15 and 16); various RACF access violations (line 25 to the end).
  • 54. InfoSphere Guardium S-TAP for IMS Summary
    - Reduces risk by monitoring sensitive data on the mainframe
    - Flexible options for user management
    - IMS auditing is available
    - Integrates with the rest of your database infrastructure
    - Integrated workflow, centralized reporting and administration
    - IMS applications are not affected
  • 55. InfoSphere Guardium for IMS
    - Protect the business data from unauthorized use: Guardium encryption of IMS data at the segment level using the built-in cryptographic hardware; encryption is implemented using standard IMS exits with no application program modifications
    - Monitor the sensitive business data for unauthorized access and update: Guardium S-TAP for IMS provides a versatile capability for tracking and reporting IMS event accesses to sensitive business data
  • 56. Monitor Reference Section
  • 57. Reference Documentation
    - InfoSphere Guardium Data Encryption for DB2 and IMS V1.2 User's Guide, SC19-3219, http://publib.boulder.ibm.com/epubs/pdf/decuga20.pdf
    - IBM InfoSphere Guardium S-TAP for IMS on z/OS V8.2 User's Guide, SC19-3344, http://publib.boulder.ibm.com/epubs/pdf/auiugh20.pdf
    - IBM InfoSphere Guardium S-TAP for VSAM on z/OS V8.2 User's Guide, SC19-3346, http://publib.boulder.ibm.com/epubs/pdf/auvugh20.pdf
  • 58. Reference - SMF Records used by the S-TAP
    - Record 00: IPL
    - Record 14: dataset input activity
    - Record 15: dataset output/update activity
    - Record 17: scratch dataset status
    - Record 18: rename non-VSAM dataset
    - Record 30: common address space work accounting
    - Record 42: SMS statistics
    - Record 60: VSAM dataset update
    - Record 61: ICF catalog define activity
    - Record 62: VSAM component opened
    - Record 64: VSAM component status
    - Record 65: ICF delete activity
    - Record 66: ICF alter activity
    - Record 80: RACF processing
    - Record 89: usage data
  • 59. Reference - IMS Log Records used by the S-TAP
    - Log 06: IMS accounting information
    - Log 16: RACF/SIGN completed
    - Log 20: database open
    - Log 21: database close
    - Log 4C: DBD/PSB activity
    - Log 59xx: DEDB open
    - Log 5922: DEDB close
    - Log 5923: DEDB status
  • 60. Encryption Reference Section
  • 61. Cryptography on z/OS: same content as slide 23; this reference version adds Crypto Express 4 (CEX4C) to the features that provide the secure-key function for System z.
  • 62. CKDS - Cryptographic Key Dataset
    - Key element of the IBM encryption solution on z/OS
    - VSAM key-sequenced dataset
    - Contents are ICSF-generated data-encrypting keys (secure keys are stored encrypted under the master key)
    - Accessed via the ICSF API and services; the key label (known to the application requester) is used to find the key record in the CKDS
    - A copy of the CKDS is cached in operating system storage at the first ICSF invocation for performance, and is refreshable
    - CKDS administration is performed using ICSF services and ISPF interfaces
    - Use of specific individual keys can be controlled via RACF profiles and permissions (the CSFKEYS class)
    - The CEX2C/CEX3C hardware feature is required, unless ICSF HCR7751 or later is used with clear keys only, in which case CEX2C/CEX3C is optional
  • 63. IMS Data Encryption for IMS and DB2 Databases - restrictions and considerations
    - An IMS segment can be associated with only one Segment Edit/Compression exit. If your segment is already associated with a non-IBM Segment Edit/Compression exit and you want to implement Data Encryption for IMS and DB2 Databases, you must code an alternative solution for your existing exit (selection 2 on the ISPF main menu generates a driver that calls an existing compression routine and then the encryption exit).
    - HIDAM index databases cannot be encrypted (the IMS DBD COMPRTN parameter does not allow index databases to be specified on the Segment Edit/Compression exit)
    - Administrators of data governance should consider the following: when you install and initialize ICSF, consider setting the CHECKAUTH installation option to NO, since CHECKAUTH(YES) adds considerable CPU path length; KEYAUTH(YES) also adds path length. Caveat: CHECKAUTH only governs whether SAF checks are made for callers that are already supervisor-state or system-key (which includes IMS exits); problem-state callers are checked regardless, so weigh the CPU saving against losing CSFSERV/CSFKEYS checking and its audit trail for those authorized callers.
    - Depending on your security requirements, you can define different encryption key labels for as many segments as you need (key labels are set up by your security analyst); a separate exit must be built for each key label, so balance your security requirements against the maintenance of multiple exits
    - The first time you use Segment Edit/Compression exits at your installation, your system programmer needs to APF-authorize the Segment Edit/Compression EXITLIB; if you already use such exits, ensure they reside in an APF-authorized EXITLIB
  • 64. Details About Clear Key Versus Secure Key Performance
    - Clear key elapsed-time performance is MUCH better than secure key
    - Secure key (performed inside the CEXnC) is generally viewed as more secure from a cryptographic perspective, because the key material never leaves the coprocessor
    - Clear key uses the CPACF instructions on the z9 through zEC12 general-purpose processors, so an operation is measured in microseconds
    - Secure key encryption is dispatched to the cryptographic coprocessors on the CEXnC feature; this is essentially an I/O operation, so it is measured in milliseconds
    - Secure key elapsed-time measurements (depending on workload and type) can be 10x to 40x those of clear key
    - Secure key is probably NOT appropriate for most (to date, all) OLTP workloads, but each customer must make this decision based on their own security requirements and performance expectations
