Don't Risk Your Reputation or Your Mainframe: Best
Practices for Demonstrating Governance, Risk
Management and Compliance
...
Security Systems Division

Trademark
The following are trademarks of the International Business Machines Corporation in th...
Security Systems Division

The world is becoming more digitized and interconnected,
opening the door to emerging threats a...
Security Systems Division

New Industry Trends Bring Security Challenges to Business
The cost of data loss has increased b...
Security Systems Division

The attack surface for a typical business is growing at an
exponential rate
People

Hackers

Em...
Security Systems Division

As a result, the Security market is shifting
Traditional Focus
Governance and Compliance

Emerg...
Security Systems Division

Fortunately IBM’s System z is Highly Secure
 Highly secure platform for virtual environments a...
Security Systems Division

Security is one of the strategic foundations of System z
• Integrated security that spans from:...
Security Systems Division

Protect People, Identities throughout your Extended Enterprise

• Integrated authentication and...
Security Systems Division

Manage Compliance to Reduce Risk and Improve Governance

• Reduce operational risk with exhaust...
Security Systems Division

Provide Strong Infrastructure to Provide Integrity and Trust for a
Smarter Cloud
• System z PR/...
Security Systems Division

Data

Maintain Confidentiality of Data and Protect Your Critical Assets

• Secure your business...
Security Systems Division

zEnterprise software: Mobile

1.7M+

70B

6x and 3x

apps in the
world today

apps will be
down...
Security Systems Division

End to end security from mobile to the mainframe
https
Worklight
Studio

z/OS

Linux on z

Work...
Security Systems Division

Four steps to data security in the Cloud

1
2
3
4
15

Understand, define
policy

Secure and pro...
Security Systems Division

SmartCloud Security Capabilities
IBM SmartCloud Security Intelligence
IBM Security QRadar SIEM,...
Security Systems Division

zEnterprise Big Data Security Solutions

 Up to 70% of corporate production data may still res...
Security Systems Division

IBM Security zSecure suite products
Vulnerability analysis for your
mainframe infrastructure.
A...
Security Systems Division

IBM Security zSecure suite Overview
IBM Security
zSecure Suite
IBM Security zSecure Administrat...
Security Systems Division

IBM Security zSecure suite Overview
zSecure Audit:
–
–
–
–
–
–
–

IBM Security
zSecure Suite

R...
Security Systems Division

IBM Security zSecure suite Overview
IBM Security

Combined audit and
administration for RACF
in...
Security Systems Division

Resource Access Control Facility (RACF)
The foundation of mainframe security
Administration
Adm...
Security Systems Division

IBM Guardium Provides Real-Time Database Security & Compliance
 Continuous, policy-based, real...
Data

Security Systems Division

Guardium Vulnerability Assessment
 New capability enabling customers to cost effectively...
Security Systems Division

Guardium Data Activity Monitoring
Data Repositories

Activity Monitoring
Continuous, policy-ba...
Security Systems Division

Extend Activity Monitoring to Big Data, Warehouses, File Shares

InfoSphere
BigInsights

HANA

...
Security Systems Division

Monitoring on System z
• Termination of suspicious DB2 activity
•
•
•
•
•
•
•

27

 Terminate ...
Security Systems Division

Customers need security intelligence: automated continuous compliance to
address worldwide indu...
Security Systems Division

Security Intelligence: QRadar provides security visibility
IBM X-Force® Threat
Information Cent...
Security Systems Division

zSecure, Guardium, AppScan & QRadar improve your
Security Intelligence
zSecure
z/OS
RACF
ACF...
Security Systems Division

Leverage advanced analytics across all stages of the attack

Monitor
Logs, network traffic, use...
Security Systems Division

Chosen by the leading organizations worldwide to secure
their most critical data

Guardium

zSe...
Security Systems Division

System z Certifications
z/VM

The Common Criteria
program establishes
an organizational and
tec...
Security Systems Division

IBM Solutions Help to Address Potential Security and Audit
Concerns for the Mainframe
Do you kn...
Security Systems Division

Ultimate Security
Reinforce customer trust
"Colony Brands puts Customer
Trust and Loyalty as to...
Security Systems Division

IBM System z has Secured Systems for over 45 Years.
IBM is Security Ready.
Security, Built-in, ...
February 23- 26

Security Systems Division

MGM Grand – Las Vegas, Nevada

Pulse Protect2014

The Security Forum at
Februa...
Security Systems Division

ibm.com/security

38

© Copyright IBM Corporation 2012. All rights reserved. The information co...
Upcoming SlideShare
Loading in...5
×

Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstrating Governance, Risk Management and Compliance

3,796

Published on

Mainframes host mission critical corporate information and production applications for many financial, healthcare, government and retail companies requiring highly secure systems and regulatory compliance. Demonstrating compliance for your industry can be complex and failure to comply can result in vulnerabilities, audit failures, loss of reputation, security breaches, and even system shut down. How can you simplify enforcement of security policy and best practices? How can you automate security monitoring, threat detection, remediation and compliance reporting? How can you demonstrate governance, risk and compliance on your mainframe? Learn how your modern mainframe can help you to comply with industry regulations, reduce costs and protect your enterprise while supporting cloud, mobile, social and big data environments.

View the full on-demand webcast: https://www2.gotomeeting.com/en_US/island/webinar/registration.tmpl?Action=rgoto&_sf=14

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,796
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
46
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • RK
  • RK
  • Thread termination support based on Guardium collector policy violations:
    With Guardium, you can create a policy rule that when conditions are met will send a request to the S-TAP to cancel the related active DB2 thread.
    Guardium introduced 67 new Vulnerability (VA) tests for DB2 z/OS with the use of zSecure Audit 2.1. Customers would have to purchase zSecure Audit 2.1 to leverage these tests. Once properly setup, these tests will show all the DB2 subsystem effective privileges correlating the DB2 catalog and RACF privileges.
    Also there's the 'Entitlements Reporting' piece of the integration with zSecure... Guardium offers 17 new entitlement report that use the data coming from zSecure. it is more accurate, as it reflect the system’s effective privileges meaning, by correlating the DB2 catalog and RACF ACL lists to give the exact privilege state.Any customer who purchase zSecure Audit v2.1 would want to use Guardium’s new VA tests along with entitlement.
    Functions and Configuration Screens previously done by Windows Admin GUI are now part of the Guardium system GUI
  • RK
  • There are many, many other examples of successful InfoSphere Guardium deployments. InfoSphere Guardium is the most widely deployed Database Auditing and Protection solution worldwide, with over 700 clients. They span across top customers in all verticals and continents, for example:
    (Review a few of the highlights from the slide)
  • Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstrating Governance, Risk Management and Compliance

    1. 1. Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstrating Governance, Risk Management and Compliance Glinda Cummings – IBM Security WW Senior Product Manager glinda@us.ibm.com 1 1 © 2012 IBM Corporation
    2. 2. Security Systems Division Trademark The following are trademarks of the International Business Machines Corporation in the United States and/or other countries. DataPower* PR/SM DB2* RACF* IBM* System z* IBM (logo)* z/OS* zEnterprise* * Registered trademarks of IBM Corporation The following are trademarks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Windows Server and the Windows logo are trademarks of the Microsoft group of countries. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. * Other product and service names might be trademarks of IBM or other companies. Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography. 2 © 2014 IBM Corporation
    3. 3. Security Systems Division The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks… DATA EXPLOSION The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere CONSUMERIZATION OF IT With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared EVERYTHING IS EVERYWHERE ATTACK SOPHISTICATION 3 Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more The speed and dexterity of attacks has increased coupled with new actors with new motivations from cyber crime to terrorism to state-sponsored intrusions © 2014 IBM Corporation
    4. 4. Security Systems Division New Industry Trends Bring Security Challenges to Business The cost of data loss has increased by 68% over the past five years 1 Today’s applications with huge data volumes means protection of data is a key imperative 77% of execs believe that adopting cloud computing makes protecting privacy more difficult2 Security risks abound around the sharing of common cloud infrastructure More than one half of security leaders say mobile security is their greatest near-term technology concern3 Emerging mobile and social applications can generate new use cases and also new risks Are you security ready? Redefining the challenge of securing your busines 4 1 Source: Computerweekly.com March 20, 2012 www.computerweekly.com/news/2240147054/Cost-of-data-breach-up-68 2 Source: IBM's Institute for Business Value 2010 Global IT Risk Study 3 Source: IBM 2012 CISO study © 2014 IBM Corporation
    5. 5. Security Systems Division The attack surface for a typical business is growing at an exponential rate People Hackers Employees Consultants Outsourcers Suppliers Customers Customers Terrorists Data Structured Structured Unstructured Unstructured At rest In motion In motion Applications Systems Systems Applications applications Web Applications Web 2.0 Web 2.0 Mobile apps Mobile Applications Infrastructure 75% felt effectiveness would increase with end-to-end solutions 5 © 2014 IBM Corporation JK 2012-04-26 77% of firms feel cyber-attacks harder to detect and 34% low confidence to prevent
    6. 6. Security Systems Division As a result, the Security market is shifting Traditional Focus Governance and Compliance Emerging Focus Risk Management React when breached Continual management Weeks/months Realtime None Operational KPIs Thousands of events Millions of events Server All devices Company issued Bring your own Desktop environment Standard build Virtualization Security enforcement Policy Audit Annual physical inventory Automatically managed Security technology Point products Integrated Security operations Cost Center Value Driver Security strategy Speed to react Executive reporting Data tracking Network monitoring Employee devices Endpoint devices Source: Client Insights 27-Jun-11, An Evaluation of the Security & Risk Opportunity; Assessing a New Approach to Competitive Differentiation, Ari Sheinkin 6 © 2014 IBM Corporation
    7. 7. Security Systems Division Fortunately IBM’s System z is Highly Secure  Highly secure platform for virtual environments and workloads  Security is built into every level of the System z structure •Processor •Communications •Hypervisor •Storage •Operating system •Applications  System z security features address compliance: - Identity and access management - Hardware and software encryption - Communication security capabilities - Extensive logging and reporting of security events  Extensive security certifications (e.g., Common Criteria and FIPS 140) including EAL5+  But today’s mainframe must interoperate in a complex environment including cloud, mobile, big data and social networking 7 © 2014 IBM Corporation
    8. 8. Security Systems Division Security is one of the strategic foundations of System z • Integrated security that spans from:       Hardware Firmware Hypervisors System z Operating Systems Middleware and applications Network • Integrated security that spans to an zEnterprise • • • ensemble Hardware and firmware assists enhance security QoS System z security is integrated at all “levels” of the platform From a strategic view -- multiple security strategies converge -- to create unified view of security on System z Optimizing System z for Strategic Workloads & Industry-based Initiatives Data & Transaction Serving Data Analytics High transaction rates High Quality of Service Peak workloads Resiliency and security  Compute or I/O intensive  High memory bandwidth  Floating point  Scale out capable Business Apps Virtualization Scale High Quality of Service Large memory footprint Responsive infrastructure Highly threaded Throughput-oriented Scale out capable Lower Quality of Service Strategic Foundations RAS Continuous Availability Storage Management Security Consumability Performance Management System z Leadership Delivery Capability Cloud Computing z/OS Industry Frameworks Linux & z/VM z/VSE z/TPF Client Segments High End Mid Range New Accounts 8 © 2014 IBM Corporation
    9. 9. Security Systems Division Protect People, Identities throughout your Extended Enterprise • Integrated authentication and access control provided by RACF® • Centrally manage identities and access rights across the enterprise • Establish a unique, trusted identity and provide accountability for all user activities • Deliver a scalable digital certificate solution based using IBM System z® as a trusted certificate authority • Use IBM Enterprise PKCS #11 (Public Key Cryptography Standard) to provide outstanding levels of security • CCA architecture provides many cryptographic key management and generation functions • Achieve Role Based Access Control • Leverage trusted identity and context for additional administrative and fine-grained authority on DB2 ® 9 Up to 52% lower security administrative costs efforts on mainframe IBM zEnterprise® Solutions RACF®, LDAP, Identity propagation IBM Security zSecure Tivoli® Federated Identity Manager System z as a Certificate Authority ICSF support of PKCS #11 DB2 and RACF security IBM Enterprise PKCS #11 to provide digital signatures with the highest levels of assurance; designed for FIPS 140-2 Level 4 requirements. © 2014 IBM Corporation
    10. 10. Security Systems Division Manage Compliance to Reduce Risk and Improve Governance • Reduce operational risk with exhaustive audit, reporting and control capabilities • Consistent auditing and reporting using a centralized model integrated with event management 68% of CIOs selected Risk Management and Compliance as one of the most important visionary plan elements (CIO Study 2011) • Enforced separation of duties preventing any one individual from having uncontrolled access IBM zEnterprise Solutions • Customizable compliance monitoring, audit, reporting with RACF and zSecure • Prevent issuance of problematic commands with RACF command verification • Continued drumbeat of health checks to catch potential problems early z/OS Audit Records (SMF) RACF and SAF zSecure Audit zSecure Command Verifier QRadar SIEM Optim Healthchecks Customers can save up to 70% of their audit and compliance overhead with centralized security audit and compliance reporting and more.* “zSecure delivers the reports we need to meet the demands of security, audit and regulatory requirements such as SOX. By easing the burden of audits, our security administrators can focus their time on improving security quality.” — Source: Damien Dunne, Mainframe Systems Manager, Allied Irish Banks Meet regulatory and corporate mandates; achieve improved governance by driving consistent security policy 10 *Based on a European Insurance Co’s input to IBM BVA using IBM zSecure © 2014 IBM Corporation
    11. 11. Security Systems Division Provide Strong Infrastructure to Provide Integrity and Trust for a Smarter Cloud • System z PR/SM™ hypervisor maintains strict isolation and compartmentalization between workloads Common Criteria EAL5+ allows your many workloads to be concurrently hosted & securely isolated • Fast clear key operations (CPACF), secure keys or protected keys • World class security certifications: Common Criteria EAL 5+, FIPS 140-2 level 4 • Labeled DB2 and z/OS security for secured multi-tenancy IBM zEnterprise Solutions PR/SM at EAL 5+, RACF at EAL 5 Multi-Level Security on z/OS and DB2 z/Secure Manager for RACF z/VM® HiperSockets System z hardware - Storage protection key - APF Authorization - Integrity Statement • HiperSockets for fast, secured in-memory communications between LPARs • SAF interface provides automatic built-in centralized control over system security processing • Storage protect keys safeguards memory access • Only authorized programs use sensitive system functions; protects against misuse of control • IBM backed “Integrity Statement” in effect for decades IBM is unique in having published an Integrity Statement for z/OS and z/VM, in place for over three decades System z security is hardwired throughout the server, network and infrastructure. It cannot be bypassed 11 © 2014 IBM Corporation
    12. 12. Security Systems Division Data Maintain Confidentiality of Data and Protect Your Critical Assets • Secure your business critical assets with tamper resistant crypto cards • High speed encryption that keeps sensitive keys private, ideal for securing high volume business transactions • Centralized key management to manage your encryption keys (z/OS PKI infrastructure) • EKMF enterprise management of keys and certificates targeting for financial customers • Trusted Key Entry (TKE) Workstation to securely enter master keys • Encrypt DB2 and IMS™ data with InfoSphere™ Guardium® Data Encryption The Crypto Express co-processors have achieved FIPs 140-2 level 4 hardware evaluation IBM zEnterprise Solutions Crypto Express4s ICSF EKMF, TKE Workstation Guardium DB2 Encryption, Dynamic Access Managament IBM Security Key Lifecycle Manager z/OS Encryption Facility Optim for data masking • Encrypt sensitive data before transferring it to media for archival purposes or business partner exchange • Protect and mask sensitive z/OS data with Optim ™ The zEC12 can perform up to 19,000 SSL handshakes per second when using four Crypto Express4S adapters configured as accelerators. Secure and encrypt your data throughout its lifecycle using entitled crypto or tamper resistant cards 12 © 2014 IBM Corporation
    13. 13. Security Systems Division zEnterprise software: Mobile 1.7M+ 70B 6x and 3x apps in the world today apps will be downloaded in 2013 the number of Android and iOS versions Google and Apple respectively have released compared to major Microsoft® Windows® versions Build mobile web, hybrid, and native apps connecting to zEnterprise data Complete lifecycle security Sharing of apps in a cloud environment Building, connecting, and securing zEnterprise data to mobile devices to provide a better customer experience 13 © 2014 IBM Corporation
    14. 14. Security Systems Division End to end security from mobile to the mainframe https Worklight Studio z/OS Linux on z Worklight * Server SOAP/https TFIM RACF/LDAP zSecure IBM Endpoint Manager SOAP/https DP XI50z Hardware PKI Services MQTT SOAP/https zBX IBM MessageSsite      14 Cryptography cards zEnterprise End to end capability of mobile users identity permits, syncing of LDAP, auditing of transactions, simplified identity mapping with zSecure and RACF® Advanced scalability of encryption processing with System z cryptography cards Centralized certificate management with z/OS PKI services, RACF and zSecure Secured integration gateway for System z services, centralized key management and mobile access policy capabilities with DataPower XI50z High level security to backend applications via HiperSockets or IEDN support with Worklight Server Worklight Server can also reside on Linux on z * © 2014 IBM Corporation
    15. 15. Security Systems Division Four steps to data security in the Cloud 1 2 3 4 15 Understand, define policy Secure and protect  Discover where sensitive data resides  Classify and define data types  Define policies and metrics  Encrypt, redact and mask virtualized databases  De-identify confidential data in non-production environments Actively monitor and audit  Monitor virtualized databases and enforce review of policy exceptions  Automate and centralize the controls needed for auditing and compliance (e.g., SOX, PCI)  Assess database vulnerabilities Establish compliance and security intelligence  Automate reporting customized for different regulations to demonstrate compliance in the Cloud  Integrate data activity monitoring with security information and event management (QRadar SIEM) © 2014 IBM Corporation
    16. 16. Security Systems Division SmartCloud Security Capabilities IBM SmartCloud Security Intelligence IBM Security QRadar SIEM, zSecure and VFlow Collectors 13-04-02 IBM SmartCloud Security IBM SmartCloud Security IBM SmartCloud Security Identity Protection Data and Application Protection Threat Protection Administer, secure, and extend identity and access to and from the cloud  IBM Security Identity and Access Management Suite Secure enterprise databases Build, test and maintain secure cloud applications  IBM InfoSphere Guardium Prevent advanced threats with layered protection and analytics  IBM SmartCloud Patch  IBM Security Network IPS and Virtual IPS  IBM Security Federated Identity Manager - Business Gateway  IBM AppScan OnDemand (hosted)  IBM Security Virtual Server Protection for VMware  IBM Security Privileged Identity Manager 16  IBM Security AppScan Suite  IBM Security Key Lifecycle Manager  IBM Security zSecure Manager for RACF z/VM  IBM Security zSecure portfolio © 2014 IBM Corporation
    17. 17. Security Systems Division zEnterprise Big Data Security Solutions  Up to 70% of corporate production data may still reside on mainframes  Enhanced DB2, CICS, and IMS data protection with RACF, Guardium, Optim, and zSecure  Improved data integrity with automated auditing and compliance capabilities with zSecure, Guardium, and IBM Security QRadar  Data security classification with RACF, Guardium, and Optim  Sensitive data encryption with DB2, Guardium, Optim and SKLM for z/OS 17 17 © 2014 IBM Corporation
    18. 18. Security Systems Division IBM Security zSecure suite products Vulnerability analysis for your mainframe infrastructure. Automatically analyze and report on security events detect security exposures, and report to SIEMs and Guardium VA. Real-time mainframe threat monitoring permits you to monitor intruders, identify misconfigurations that could hamper your compliance efforts, and report to SIEMs. Policy enforcement solution that helps enforce compliance to company and regulatory policies by preventing erroneous commands 18 Combined audit and administration for RACF in the z/VM environment including auditing Linux on System z Enables more efficient and effective RACF administration, using significantly fewer resources Helps reduce the need for scarce, RACF-trained expertise through a Microsoft Windows–based GUI for RACF administration Provides access RACF command & APIs from a CICS environment, allowing for additional administrative flexibility © 2014 IBM Corporation
    19. 19. Security Systems Division IBM Security zSecure suite Overview IBM Security zSecure Suite IBM Security zSecure Administration  zSecure Admin: • Improves security at lower labor cost • Provides capability for RACF database cleanup with Access Monitor and compare facility • RACF Offline for command simulation and testing • Also saves cost by: o o Improving directory merges o  Avoiding configuration errors Efficient group management zSecure Visual: • • Provides access for only current employees & contractors (better business control) • Enables segregation of duties (minimizing business risk) • 19 Permits changes in minutes vs. overnight Aids in reducing labor cost and errors © 2014 IBM Corporation
    20. 20. Security Systems Division IBM Security zSecure suite Overview zSecure Audit: – – – – – – – IBM Security zSecure Suite Reports can match business model/requirements Prioritizes tasks (optimize labor utilization) Helps find “segregation of duties” exposures (reduces risk) Compliance framework for audit and compliance automation Audit more than just RACF, ACF2 and Top Secret Audit and compliance for DB2, CICS, IMS, z/OS and more Integrated with Guardiium, QRadar SIEM, and more to provide security information zSecure Alert: – – 20 Allows capture of unauthorized “back door” changes to RACF / security policies Addresses real time audit control points, especially network audit control points © 2014 IBM Corporation
    21. 21. Security Systems Division IBM Security zSecure suite Overview IBM Security Combined audit and administration for RACF in the VM environment. Auditing for Linux on System z zSecure Suite 21 © 2014 IBM Corporation
    22. 22. Security Systems Division Resource Access Control Facility (RACF) The foundation of mainframe security Administration Administration RACF Data & Applications Applications Networks Networks z/OS z/OS Architecture Architecture Authentication Authorization Administration Auditing Enables application and database security without modifying applications Can reduce security complexity and expense: • Central security process that is easy to apply to new workloads or as user base increases • Tracks activity to address audit and compliance requirements • Integration with distributed system security domain • Checking for “Best Practices” with z/OS HealthChecker • Serving mainframe enterprises for over 30 years Hardware Hardware 22 © 2014 IBM Corporation
    23. 23. Security Systems Division IBM Guardium Provides Real-Time Database Security & Compliance  Continuous, policy-based, real-time monitoring of all database activities, including actions by privileged users Key Characteristics  Database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities  Single Integrated Appliance  Data protection compliance automation  Non-invasive/disruptive, crossplatform architecture  Dynamically scalable  SOD enforcement for DBA access  Auto discover sensitive resources and data  Detect or block unauthorized & suspicious activity  Granular, real-time policies  Who, what, when, how  Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc. Integration with LDAP, IAM, SIEM, TSM, Remedy, … 23  Growing integration with broader security and compliance management vision © 2014 IBM Corporation
    24. 24. Data Security Systems Division Guardium Vulnerability Assessment  New capability enabling customers to cost effectively improve the security of mainframe environments by conducting automated database vulnerability assessment tests • Packaged tests to detect vulnerabilities including inappropriate privileges, grants, default accounts, etc.. • Capabilities enabling the development of custom tests  Based on industry standards such as STIG and CIS  Management of mainframe VA testing from central InfoSphere Guardium console for enterprise-wide control • Configuration and scheduling of mainframe tests  Integrated with other InfoSphere Guardium elements for improved process efficiency, including Compliance Workflow Automation and audit repository  Based on DB2 Development at SVL, DISA STIG and CIS security standards • Server defaults • Patch levels • OS and DBMS Vulnerability Assessment 24 24 © 2014 IBM Corporation
    25. 25. Security Systems Division Guardium Data Activity Monitoring Data Repositories Activity Monitoring Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users Blocking & Masking Data protection compliance automation  Vulnerability Assessment Host-based Probes Collector Appliance (S-TAP) Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities Key Characteristic s  Single Integrated Appliance  Non-invasive/disruptive, cross-platform architecture  Dynamically scalable  SOD enforcement for DBA access  Auto discover sensitive resources and data  Detect or block unauthorized & suspicious activity  Granular, real-time policies  Who, what, when, how 25 Central Manager Appliance  100% visibility including local DBA access  Minimal performance impact  Does not rely on resident logs that can easily be erased by attackers, rogue insiders  No environment changes  Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.  Growing integration with broader security and compliance management vision © 2014 IBM Corporation
    26. 26. Security Systems Division Extend Activity Monitoring to Big Data, Warehouses, File Shares InfoSphere BigInsights HANA CIC S FTP 26 © 2014 IBM Corporation
    27. 27. Security Systems Division Monitoring on System z • Termination of suspicious DB2 activity • • • • • • • 27  Terminate a DB2 thread that a Guardium policy has flagged as high risk Many new System z RACF vulnerability tests  directly or via zSecure Integration New Entitlement Reporting for z  DB2 Catalog and RACF via zSecure New monitoring of DataSet activity (sequential and partitioned) Centralized IMS management Expanded DB2 monitoring including DB2 start and stop Resiliency across network or server outages  Consistent across all platforms Appliance based policy administration  Consistent with Distributed policies on Guardium UI © 2014 IBM Corporation
    28. 28. Security Systems Division Customers need security intelligence: automated continuous compliance to address worldwide industry standards and regulations Monitor, analyze audit records and create compliance reports Collect information, assess, and establish security policy Security Intelligence Automatically and continuously enforce security policy Automate corrective actions by updating access controls IBM Security zSecure Compliance and Auditing With QRadar 28 © 2014 IBM Corporation
    29. 29. Security Systems Division Security Intelligence: QRadar provides security visibility IBM X-Force® Threat Information Center Identity and User Context 29 Real-time Security Overview w/ IP Reputation Correlation Real-time Network Visualization and Application Statistics Inbound Security Events © 2014 IBM Corporation
    30. 30. Security Systems Division zSecure, Guardium, AppScan & QRadar improve your Security Intelligence zSecure z/OS RACF ACF2, TSS CICS DB2 Guardium DB2 IMS VSAM Security Devices Servers & Mainframes Network/Virtual Activity Database Activity Application Activity Configuration Info AppScan •Web Apps •Mobile Apps •Web services •Desktop Apps Extensive Data Sources Event Correlation Activity Baselining & Anomaly Detection Offense Identification Threat Intelligence User Activity Vulnerability Information + Deep Intelligence = Exceptionally Accurate and Actionable Insight  Centralized view of mainframe and distributed network security incidents, activities and trends  Alerts, unauthorized log-ins, policy violations, configuration changes, etc. provided from zSecure Alert & zSecure Audit  Better real-time threat identification and prioritization correlating vulnerabilities with Guardium and zSecure  S-TAP feeds routed to QRadar via Guardium Central Policy Manager  SMF data set feeds with zSecure Audit and zSecure Alert for Systemz  Increases accuracy of threat identification correlating application vulnerabilities with other security alerts to assign incident priorities and surface meaningful activity from noise 30  Creates automatic alerts for newly discovered vulnerabilities experiencing active ‘Attack Paths’  Produces increase accuracy of risk levels and offense scores, and simplified compliance reporting © 2014 IBM Corporation
    31. 31. Security Systems Division Leverage advanced analytics across all stages of the attack Monitor Logs, network traffic, user activity Detect anomalies Unusual yet hidden behavior 31 Correlate intelligently Connect the dots of disparate activity Prioritize for action Attack high-priority incidents © 2014 IBM Corporation
    32. 32. Security Systems Division Chosen by the leading organizations worldwide to secure their most critical data Guardium zSecure 5 of the top 5 global banks 7 of the top 10 global banks 2 of the top 3 global retailers 8 of the top 10 global insurers 5 of the top 6 global insurers Greater than half of the World’s 50 largest businesses 8 of the top 10 telcos worldwide 4 of the top 4 global managed healthcare providers 32 QRadar Top 10 US general merchandise retailer Top five global auto manufacturer Top 10 US defense contractors Top 15 US utility companies © 2014 IBM Corporation
    33. 33. Security Systems Division System z Certifications z/VM The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles  Common Criteria  z/VM 6.1 is EAL 4+ for OSPP  z/VM 6.1 System SSL is FIPS 140-2 certified. • System Integrity Statement z/OS z/VM Linux Linux Linux on System z Linux z/OS • Common Criteria EAL4+ • with CAPP and LSPP • z/OS 1.7  1.10 + RACF • z/OS 1.11 + RACF (OSPP) • z/OS 1.12 , z/OS 1.13 (OSPP) • Common Criteria EAL5+ RACF V1R12 (OSPP) RACF V1R13 (OSPP) • z/OS 1.10 IPv6 Certification by JITC • IdenTrust™ certification for z/OS PKI Services • FIPS 140-2 • System SSL z/OS 1.10 1.13 • z/OS ICSF PKCS#11 Services – z/OS 1.11  z/OS 1.13 • Statement of Integrity 33 33 Virtualization with partitions Cryptography  Common Criteria  SUSE SLES11 SP2 certified at EAL4+ with OSPP  Red Hat EL6.2 EAL4+ with CAPP and LSPP • zEnterprise 196 & zEnterprise 114 • Common Criteria EAL5+ with specific target of Evaluation – LPAR: Logical partitions  OpenSSL - FIPS 140-2 Level 1 Validated • System zEC12 • Common Criteria EAL5+ with specific target of evaluation -- LPAR: Logical partitions  CP Assist - SHA-1 validated for FIPS 180-1 - DES & TDES validated for FIPS 46-3 • Crypto Express2 Coprocessor, Crypto Express3 & Crypto Express4s - FIPS 140-2 level 4 Hardware Evaluation - Approved by German ZKA CP Assist - FIPS 197 (AES) - FIPS 46-3 (TDES) - FIPS 180-3 (Secure Hash) • © 2014 IBM Corporation
    34. 34. Security Systems Division IBM Solutions Help to Address Potential Security and Audit Concerns for the Mainframe Do you know if How do you prevent unauthorized access? Do you know if anyone attempted an attack on the mainframe? RACF z/OS Communications Server IBM Security NIPS Platform Infrastructure How do you know your private customer data is encrypted with key mgmt? Guardium and Security Optim Solutions zSecure IBM Security Key suite Lifecycle Manager Data Privacy Is your mainframe security configured properly? Can your DB2 or IMS auditors get at the information they need? administrators are abusing privileges? Can you prove that all critical data is backed up and recoverable? DB2 and IMS Tivoli zStorage Audit Management Expert Compliance and Audit How do you know only authorized users are given user accounts? How did you protect your Web services applications? QRadar SIEM zSecure Compliance and Auditing Identity Manager Access Manager Tivoli Federated Identity Mgr Extended Enterprise *It is the customer's responsibility to identify, interpret and comply with any laws or regulatory requirements that affect its business. IBM does not represent that its products or services will ensure that the customer is in compliance with the law. 34 © 2014 IBM Corporation
    35. 35. Security Systems Division Ultimate Security Reinforce customer trust "Colony Brands puts Customer Trust and Loyalty as top priorities within the organization. We are proud to leverage IBM's zEnterprise throughout our organization due to the Trusted, Proven, and Secure nature of the platform. …” Garanti Bank – Turkey: The adoption of IBM's System z reinforced Garanti's strategy to deliver fast and secure banking services 24 hours a day, ensuring fast, scalable, robust, flexible, cost-effective and secure environment across different channels banking branches, ATMs, POSs, Internet and mobile channels.* - Todd Handel, Director, IT Strategy and Architecture “IBM Security zSecure benefited Itaú Unibanco risk areas by reducing the IT risks that could have a direct impact on the bank’s operational risk.” Ineida Moura, Information Security Manager, Itaú Unibanco * www.prnewswire.com/news-releases/new-ibm-system-z-mainframe-servers-at-turkish-garanti-bank-help-introduce-new-services-124862844.html 35 © 2014 IBM Corporation
    36. 36. Security Systems Division IBM System z has Secured Systems for over 45 Years. IBM is Security Ready. Security, Built-in, by Design “The mainframe has survived many challenges …. IBM has done this by keeping the IBM System z platform up to date with the changing times, while retaining the fundamental characteristics such as security that define enterprise-class computing at the highest level.”* *Masabi Group, David Hill, Analyst, November 14, 2012 Security Innovation Spanning Four Decades 1970 1977 1985 2004 2012 2013 Hardware Cryptography DES Encryption Unit Crypto Operating System Multilevel Security MLS RACF® Evaluated at EAL5+ Enterprise 36 Key Management © 2014 IBM Corporation Foundation
    37. 37. February 23- 26 Security Systems Division MGM Grand – Las Vegas, Nevada Pulse Protect2014 The Security Forum at February 23- 26 MGM Grand Pulse2014 – Las Vegas, Nevada learn more at ibm.com/security/pulse Pulse Protect 2014 will feature three days and 50+ sessions on the hottest security topics including security and threat intelligence, application and data security, vulnerability management, defense against web fraud and advanced malware, identity and access management, network security and emerging topics such as cloud and mobile security. HIGHLIGHTS Client & IBM led sessions 37 Threat Research CISO Lunch & Networking Introducing Trusteer Featuring leading clients such as Standard Bank, WestJet & Whirlpool. Hear from X-Force as well as IBM’s malware and application security researchers. Hear from IBM’s CISO and other industry leaders while networking with your peers. Discover Trusteer’s unique approach to addressing web fraud and malware. © 2014 IBM Corporation 37
    38. 38. Security Systems Division ibm.com/security 38 © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. © 2014 IBM Corporation
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×