Mainframes host mission critical corporate information and production applications for many financial, healthcare, government and retail companies requiring highly secure systems and regulatory compliance. Demonstrating compliance for your industry can be complex and failure to comply can result in vulnerabilities, audit failures, loss of reputation, security breaches, and even system shut down. How can you simplify enforcement of security policy and best practices? How can you automate security monitoring, threat detection, remediation and compliance reporting? How can you demonstrate governance, risk and compliance on your mainframe? Learn how your modern mainframe can help you to comply with industry regulations, reduce costs and protect your enterprise while supporting cloud, mobile, social and big data environments.
View the full on-demand webcast: https://www2.gotomeeting.com/en_US/island/webinar/registration.tmpl?Action=rgoto&_sf=14
Scaling API-first â The story of a global engineering organization
Â
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstrating Governance, Risk Management and Compliance
1. Don't Risk Your Reputation or Your Mainframe: Best
Practices for Demonstrating Governance, Risk
Management and Compliance
Glinda Cummings â IBM Security WW Senior Product Manager
glinda@us.ibm.com
1
1
Š 2012 IBM Corporation
2. Security Systems Division
Trademark
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
DataPower*
PR/SM
DB2*
RACF*
IBM*
System z*
IBM (logo)*
z/OS*
zEnterprise*
* Registered trademarks of IBM Corporation
The following are trademarks or registered trademarks of other companies.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of
Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Windows Server and the Windows logo are trademarks of the Microsoft group of countries.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
* Other product and service names might be trademarks of IBM or other companies.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any
user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the
workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have
achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to
change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the
performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
2
Š 2014 IBM Corporation
3. Security Systems Division
The world is becoming more digitized and interconnected,
opening the door to emerging threats and leaksâŚ
DATA
EXPLOSION
The age of Big Data â the explosion of digital
information â has arrived and is facilitated by
the pervasiveness of applications accessed
from everywhere
CONSUMERIZATION
OF IT
With the advent of Enterprise 2.0 and social
business, the line between personal and
professional hours, devices and data has
disappeared
EVERYTHING
IS EVERYWHERE
ATTACK
SOPHISTICATION
3
Organizations continue to move to new
platforms including cloud, virtualization,
mobile, social business and more
The speed and dexterity of attacks has
increased coupled with new actors with new
motivations from cyber crime to terrorism
to state-sponsored intrusions
Š 2014 IBM Corporation
4. Security Systems Division
New Industry Trends Bring Security Challenges to Business
The cost of data loss has increased by 68% over the past five years 1
Todayâs applications with huge data volumes means
protection of data is a key imperative
77% of execs believe that adopting cloud computing makes protecting
privacy more difficult2
Security risks abound around the sharing of common
cloud infrastructure
More than one half of security leaders say mobile security is their
greatest near-term technology concern3
Emerging mobile and social applications can generate
new use cases and also new risks
Are you security ready?
Redefining the challenge of securing your busines
4
1 Source: Computerweekly.com March 20, 2012 www.computerweekly.com/news/2240147054/Cost-of-data-breach-up-68
2 Source: IBM's Institute for Business Value 2010 Global IT Risk Study
3 Source: IBM 2012 CISO study
Š 2014 IBM Corporation
5. Security Systems Division
The attack surface for a typical business is growing at an
exponential rate
People
Hackers
Employees
Consultants
Outsourcers
Suppliers
Customers
Customers
Terrorists
Data
Structured
Structured
Unstructured
Unstructured
At rest
In motion
In motion
Applications
Systems
Systems
Applications
applications
Web
Applications
Web 2.0
Web 2.0
Mobile apps
Mobile
Applications
Infrastructure
ď§75% felt effectiveness would increase with end-to-end solutions
5
Š 2014 IBM Corporation
JK 2012-04-26
ď§77% of firms feel cyber-attacks harder to detect and 34% low confidence to prevent
6. Security Systems Division
As a result, the Security market is shifting
Traditional Focus
Governance and Compliance
Emerging Focus
Risk Management
React when breached
Continual management
Weeks/months
Realtime
None
Operational KPIs
Thousands of events
Millions of events
Server
All devices
Company issued
Bring your own
Desktop environment
Standard build
Virtualization
Security enforcement
Policy
Audit
Annual physical inventory
Automatically managed
Security technology
Point products
Integrated
Security operations
Cost Center
Value Driver
Security strategy
Speed to react
Executive reporting
Data tracking
Network monitoring
Employee devices
Endpoint devices
Source: Client Insights 27-Jun-11, An Evaluation of the Security & Risk Opportunity; Assessing a New Approach to Competitive
Differentiation, Ari Sheinkin
6
Š 2014 IBM Corporation
7. Security Systems Division
Fortunately IBMâs System z is Highly Secure
ď§ Highly secure platform for virtual environments and workloads
ď§ Security is built into every level of the System z structure
â˘Processor
â˘Communications
â˘Hypervisor
â˘Storage
â˘Operating system
â˘Applications
ď§ System z security features address compliance:
- Identity and access management
- Hardware and software encryption
- Communication security capabilities
- Extensive logging and reporting of security events
ď§ Extensive security certifications (e.g., Common
Criteria and FIPS 140) including EAL5+
ď§ But todayâs mainframe must interoperate in a complex
environment including cloud, mobile, big data and
social networking
7
Š 2014 IBM Corporation
8. Security Systems Division
Security is one of the strategic foundations of System z
⢠Integrated security that spans from:
ď§
ď§
ď§
ď§
ď§
ď§
Hardware
Firmware
Hypervisors
System z Operating Systems
Middleware and applications
Network
⢠Integrated security that spans to an zEnterprise
â˘
â˘
â˘
ensemble
Hardware and firmware assists enhance security
QoS
System z security is integrated at all âlevelsâ of the
platform
From a strategic view -- multiple security
strategies converge -- to create unified view of
security on System z
Optimizing System z for Strategic Workloads &
Industry-based Initiatives
Data & Transaction Serving
Data Analytics
ď§High transaction rates
ď§High Quality of Service
ď§Peak workloads
ď§Resiliency and security
ď§ Compute or I/O intensive
ď§ High memory bandwidth
ď§ Floating point
ď§ Scale out capable
Business Apps
Virtualization
ď§Scale
ď§High Quality of Service
ď§Large memory footprint
ď§Responsive infrastructure
ď§Highly threaded
ď§Throughput-oriented
ď§Scale out capable
ď§Lower Quality of Service
Strategic Foundations
RAS
Continuous Availability
Storage Management
Security
Consumability
Performance Management
System z Leadership Delivery Capability
Cloud Computing
z/OS
Industry Frameworks
Linux & z/VM
z/VSE
z/TPF
Client Segments
High End
Mid Range
New Accounts
8
Š 2014 IBM Corporation
9. Security Systems Division
Protect People, Identities throughout your Extended Enterprise
⢠Integrated authentication and access control
provided by RACFÂŽ
⢠Centrally manage identities and access rights across
the enterprise
⢠Establish a unique, trusted identity and provide
accountability for all user activities
⢠Deliver a scalable digital certificate solution based
using IBM System zÂŽ as a trusted certificate authority
⢠Use IBM Enterprise PKCS #11 (Public Key
Cryptography Standard) to provide outstanding levels
of security
⢠CCA architecture provides many cryptographic key
management and generation functions
⢠Achieve Role Based Access Control
⢠Leverage trusted identity and context for additional
administrative and fine-grained authority on DB2 ÂŽ
9
Up to 52% lower security
administrative costs efforts on
mainframe
IBM zEnterpriseÂŽ Solutions
RACFÂŽ, LDAP, Identity propagation
IBM Security zSecure
TivoliÂŽ Federated Identity Manager
System z as a Certificate Authority
ICSF support of PKCS #11
DB2 and RACF security
IBM Enterprise PKCS #11 to provide digital
signatures with the highest levels of assurance;
designed for FIPS 140-2 Level 4 requirements.
Š 2014 IBM Corporation
10. Security Systems Division
Manage Compliance to Reduce Risk and Improve Governance
⢠Reduce operational risk with exhaustive audit, reporting and
control capabilities
⢠Consistent auditing and reporting using a centralized model
integrated with event management
68% of CIOs selected Risk
Management and Compliance as one
of the most important visionary plan
elements (CIO Study 2011)
⢠Enforced separation of duties preventing any one individual
from having uncontrolled access
IBM zEnterprise Solutions
⢠Customizable compliance monitoring, audit, reporting with
RACF and zSecure
⢠Prevent issuance of problematic commands with RACF
command verification
⢠Continued drumbeat of health checks to catch potential
problems early
z/OS Audit Records (SMF)
RACF and SAF
zSecure Audit
zSecure Command Verifier
QRadar SIEM
Optim
Healthchecks
Customers can save up to 70% of their audit and
compliance overhead with centralized security
audit and compliance reporting and more.*
âzSecure delivers the reports we need to meet the demands of security, audit and regulatory requirements
such as SOX. By easing the burden of audits, our security administrators can focus their time on
improving security quality.â â Source: Damien Dunne, Mainframe Systems Manager, Allied Irish Banks
Meet regulatory and corporate mandates; achieve improved
governance by driving consistent security policy
10
*Based on a European Insurance Coâs input to IBM BVA using IBM zSecure
Š 2014 IBM Corporation
11. Security Systems Division
Provide Strong Infrastructure to Provide Integrity and Trust for a
Smarter Cloud
⢠System z PR/SM⢠hypervisor maintains strict isolation
and compartmentalization between workloads
Common Criteria EAL5+ allows
your many workloads to be
concurrently hosted & securely
isolated
⢠Fast clear key operations (CPACF), secure keys or
protected keys
⢠World class security certifications: Common Criteria EAL
5+, FIPS 140-2 level 4
⢠Labeled DB2 and z/OS security for secured multi-tenancy
IBM zEnterprise Solutions
PR/SM at EAL 5+, RACF at EAL 5
Multi-Level Security on z/OS and DB2
z/Secure Manager for RACF z/VMÂŽ
HiperSockets
System z hardware
- Storage protection key
- APF Authorization
- Integrity Statement
⢠HiperSockets for fast, secured in-memory
communications between LPARs
⢠SAF interface provides automatic built-in centralized
control over system security processing
⢠Storage protect keys safeguards memory access
⢠Only authorized programs use sensitive system
functions; protects against misuse of control
⢠IBM backed âIntegrity Statementâ in effect for decades
IBM is unique in having published an Integrity
Statement for z/OS and z/VM, in place for over
three decades
System z security is hardwired throughout the server, network
and infrastructure. It cannot be bypassed
11
Š 2014 IBM Corporation
12. Security Systems Division
Data
Maintain Confidentiality of Data and Protect Your Critical Assets
⢠Secure your business critical assets with tamper resistant
crypto cards
⢠High speed encryption that keeps sensitive keys private,
ideal for securing high volume business transactions
⢠Centralized key management to manage your encryption
keys (z/OS PKI infrastructure)
⢠EKMF enterprise management of keys and certificates
targeting for financial customers
⢠Trusted Key Entry (TKE) Workstation to securely enter
master keys
⢠Encrypt DB2 and IMS⢠data with InfoSphere⢠GuardiumŽ
Data Encryption
The Crypto Express co-processors
have achieved FIPs 140-2 level 4
hardware evaluation
IBM zEnterprise Solutions
Crypto Express4s
ICSF
EKMF, TKE Workstation
Guardium DB2 Encryption, Dynamic Access
Managament
IBM Security Key Lifecycle Manager
z/OS Encryption Facility
Optim for data masking
⢠Encrypt sensitive data before transferring it to media for
archival purposes or business partner exchange
⢠Protect and mask sensitive z/OS data with Optim â˘
The zEC12 can perform up to 19,000 SSL
handshakes per second when using four Crypto
Express4S adapters configured as accelerators.
Secure and encrypt your data throughout its lifecycle
using entitled crypto or tamper resistant cards
12
Š 2014 IBM Corporation
13. Security Systems Division
zEnterprise software: Mobile
1.7M+
70B
6x and 3x
apps in the
world today
apps will be
downloaded in 2013
the number of Android and iOS versions Google
and Apple respectively have released compared
to major MicrosoftÂŽ WindowsÂŽ versions
Build mobile web, hybrid,
and native apps connecting to zEnterprise
data
Complete lifecycle security
Sharing of apps in a cloud
environment
Building, connecting, and securing zEnterprise data to mobile devices
to provide a better customer experience
13
Š 2014 IBM Corporation
14. Security Systems Division
End to end security from mobile to the mainframe
https
Worklight
Studio
z/OS
Linux on z
Worklight
* Server
SOAP/https
TFIM
RACF/LDAP
zSecure
IBM
Endpoint
Manager
SOAP/https
DP
XI50z
Hardware
PKI Services
MQTT
SOAP/https
zBX
IBM MessageSsite
ď§
ď§
ď§
ď§
ď§
14
Cryptography
cards
zEnterprise
End to end capability of mobile users identity permits, syncing of LDAP, auditing of
transactions, simplified identity mapping with zSecure and RACFÂŽ
Advanced scalability of encryption processing with System z cryptography cards
Centralized certificate management with z/OS PKI services, RACF and zSecure
Secured integration gateway for System z services, centralized key management and mobile
access policy capabilities with DataPower XI50z
High level security to backend applications via HiperSockets or IEDN support with Worklight Server
Worklight Server can also reside on Linux on z *
Š 2014 IBM Corporation
15. Security Systems Division
Four steps to data security in the Cloud
1
2
3
4
15
Understand, define
policy
Secure and protect
ď§ Discover where sensitive data resides
ď§ Classify and define data types
ď§ Define policies and metrics
ď§ Encrypt, redact and mask virtualized databases
ď§ De-identify confidential data in non-production
environments
Actively monitor and
audit
ď§ Monitor virtualized databases and enforce review of
policy exceptions
ď§ Automate and centralize the controls needed for
auditing and compliance (e.g., SOX, PCI)
ď§ Assess database vulnerabilities
Establish
compliance and
security intelligence
ď§ Automate reporting customized for different
regulations to demonstrate compliance in the Cloud
ď§ Integrate data activity monitoring with security
information and event management (QRadar SIEM)
Š 2014 IBM Corporation
16. Security Systems Division
SmartCloud Security Capabilities
IBM SmartCloud Security Intelligence
IBM Security QRadar SIEM, zSecure and VFlow Collectors
13-04-02
IBM SmartCloud Security
IBM SmartCloud Security
IBM SmartCloud Security
Identity Protection
Data and Application Protection
Threat Protection
Administer, secure, and extend
identity and access to and from
the cloud
ď§ IBM Security Identity and Access
Management Suite
Secure enterprise databases
Build, test and maintain secure
cloud applications
ď§ IBM InfoSphere Guardium
Prevent advanced threats with
layered protection and analytics
ď§ IBM SmartCloud Patch
ď§ IBM Security Network IPS and
Virtual IPS
ď§ IBM Security Federated Identity
Manager - Business Gateway
ď§ IBM AppScan OnDemand (hosted)
ď§ IBM Security Virtual Server
Protection for VMware
ď§ IBM Security Privileged Identity
Manager
16
ď§ IBM Security AppScan Suite
ď§ IBM Security Key Lifecycle
Manager
ď§ IBM Security zSecure Manager for
RACF z/VM
ď§ IBM Security zSecure portfolio
Š 2014 IBM Corporation
17. Security Systems Division
zEnterprise Big Data Security Solutions
ď§ Up to 70% of corporate production data may still reside on mainframes
ď§ Enhanced DB2, CICS, and IMS data protection with RACF, Guardium,
Optim, and zSecure
ď§ Improved data integrity with automated auditing and compliance
capabilities with zSecure, Guardium, and IBM Security QRadar
ď§ Data security classification with RACF, Guardium, and Optim
ď§ Sensitive data encryption with DB2, Guardium, Optim and SKLM for z/OS
17
17
Š 2014 IBM Corporation
18. Security Systems Division
IBM Security zSecure suite products
Vulnerability analysis for your
mainframe infrastructure.
Automatically analyze and report on
security events detect security
exposures, and report to SIEMs and
Guardium VA.
Real-time mainframe threat
monitoring permits you to
monitor intruders, identify
misconfigurations that could
hamper your compliance
efforts, and report to SIEMs.
Policy enforcement solution
that helps enforce compliance
to company and regulatory
policies by preventing
erroneous commands
18
Combined audit and
administration for RACF in
the z/VM environment
including auditing Linux on
System z
Enables more efficient and
effective RACF administration,
using significantly fewer
resources
Helps reduce the need for
scarce, RACF-trained
expertise through a Microsoft
Windowsâbased GUI for
RACF administration
Provides access RACF
command & APIs from a
CICS environment, allowing
for additional administrative
flexibility
Š 2014 IBM Corporation
19. Security Systems Division
IBM Security zSecure suite Overview
IBM Security
zSecure Suite
IBM Security zSecure Administration
ďź zSecure Admin:
â˘
Improves security at lower labor cost
â˘
Provides capability for RACF database cleanup with Access Monitor
and compare facility
â˘
RACF Offline for command simulation and testing
â˘
Also saves cost by:
o
o
Improving directory merges
o
ďź
Avoiding configuration errors
Efficient group management
zSecure Visual:
â˘
â˘
Provides access for only current employees & contractors (better
business control)
â˘
Enables segregation of duties (minimizing business risk)
â˘
19
Permits changes in minutes vs. overnight
Aids in reducing labor cost and errors
Š 2014 IBM Corporation
20. Security Systems Division
IBM Security zSecure suite Overview
zSecure Audit:
â
â
â
â
â
â
â
IBM Security
zSecure Suite
Reports can match business
model/requirements
Prioritizes tasks (optimize labor utilization)
Helps find âsegregation of dutiesâ
exposures (reduces risk)
Compliance framework for audit and
compliance automation
Audit more than just RACF, ACF2 and Top
Secret
Audit and compliance for DB2, CICS, IMS,
z/OS and more
Integrated with Guardiium, QRadar SIEM,
and more to provide security information
zSecure Alert:
â
â
20
Allows capture of unauthorized âback doorâ
changes to RACF / security policies
Addresses real time audit control points,
especially network audit control points
Š 2014 IBM Corporation
21. Security Systems Division
IBM Security zSecure suite Overview
IBM Security
Combined audit and
administration for RACF
in the VM environment.
Auditing for Linux on
System z
zSecure Suite
21
Š 2014 IBM Corporation
22. Security Systems Division
Resource Access Control Facility (RACF)
The foundation of mainframe security
Administration
Administration
RACF
Data & Applications
Applications
Networks
Networks
z/OS
z/OS
Architecture
Architecture
Authentication
Authorization
Administration
Auditing
Enables application and database security without
modifying applications
Can reduce security complexity and expense:
⢠Central security process that is easy to apply to
new workloads or as user base increases
⢠Tracks activity to address audit and compliance
requirements
⢠Integration with distributed system security domain
⢠Checking for âBest Practicesâ with z/OS
HealthChecker
⢠Serving mainframe enterprises for over 30 years
Hardware
Hardware
22
Š 2014 IBM Corporation
23. Security Systems Division
IBM Guardium Provides Real-Time Database Security & Compliance
ďź Continuous, policy-based, real-time monitoring of all
database activities, including actions by privileged users
Key Characteristics
ďź Database infrastructure scanning for missing patches,
misconfigured privileges and other vulnerabilities
ď§ Single Integrated Appliance
ďź Data protection compliance automation
ď§ Non-invasive/disruptive, crossplatform architecture
ď§ Dynamically scalable
ď§ SOD enforcement for DBA
access
ď§ Auto discover sensitive
resources and data
ď§ Detect or block unauthorized &
suspicious activity
ď§ Granular, real-time policies
ď§ Who, what, when, how
ď§ Prepackaged vulnerability
knowledge base and compliance
reports for SOX, PCI, etc.
Integration
with LDAP,
IAM, SIEM,
TSM, Remedy,
âŚ
23
ď§ Growing integration with broader
security and compliance
management vision
Š 2014 IBM Corporation
24. Data
Security Systems Division
Guardium Vulnerability Assessment
ď§ New capability enabling customers to cost effectively improve the security of mainframe
environments by conducting automated database vulnerability assessment tests
⢠Packaged tests to detect vulnerabilities including inappropriate privileges, grants,
default accounts, etc..
⢠Capabilities enabling the development of custom tests
ď§ Based on industry standards such as STIG and CIS
ď§ Management of mainframe VA testing from central InfoSphere Guardium console for
enterprise-wide control
⢠Configuration and scheduling of mainframe tests
ď§ Integrated with other InfoSphere Guardium elements for improved process efficiency,
including Compliance Workflow Automation and audit repository
ď§ Based on DB2 Development at SVL, DISA STIG and CIS security standards
⢠Server defaults
⢠Patch levels
⢠OS and DBMS Vulnerability Assessment
24
24
Š 2014 IBM Corporation
25. Security Systems Division
Guardium Data Activity Monitoring
Data Repositories
ďźActivity Monitoring
Continuous, policy-based, real-time monitoring of all data
traffic activities, including actions by privileged users
ďźBlocking & Masking
Data protection compliance automation
ďź Vulnerability Assessment
Host-based
Probes
Collector
Appliance
(S-TAP)
Database infrastructure scanning for missing patches,
mis-configured privileges and other vulnerabilities
Key
Characteristic
s
ď§ Single Integrated Appliance
ď§ Non-invasive/disruptive, cross-platform architecture
ď§ Dynamically scalable
ď§ SOD enforcement for DBA access
ď§ Auto discover sensitive resources and data
ď§ Detect or block unauthorized & suspicious activity
ď§ Granular, real-time policies
ď§ Who, what, when, how
25
Central Manager Appliance
ď§ 100% visibility including local DBA access
ď§ Minimal performance impact
ď§ Does not rely on resident logs that can easily be
erased by attackers, rogue insiders
ď§ No environment changes
ď§ Prepackaged vulnerability knowledge base and
compliance reports for SOX, PCI, etc.
ď§ Growing integration with broader security and
compliance management vision
Š 2014 IBM Corporation
26. Security Systems Division
Extend Activity Monitoring to Big Data, Warehouses, File Shares
InfoSphere
BigInsights
HANA
CIC
S
FTP
26
Š 2014 IBM Corporation
27. Security Systems Division
Monitoring on System z
⢠Termination of suspicious DB2 activity
â˘
â˘
â˘
â˘
â˘
â˘
â˘
27
ď§ Terminate a DB2 thread that a Guardium policy has flagged as high risk
Many new System z RACF vulnerability tests
ď§ directly or via zSecure Integration
New Entitlement Reporting for z
ď§ DB2 Catalog and RACF via zSecure
New monitoring of DataSet activity (sequential and partitioned)
Centralized IMS management
Expanded DB2 monitoring including DB2 start and stop
Resiliency across network or server outages
ď§ Consistent across all platforms
Appliance based policy administration
ď§ Consistent with Distributed policies on Guardium UI
Š 2014 IBM Corporation
28. Security Systems Division
Customers need security intelligence: automated continuous compliance to
address worldwide industry standards and regulations
Monitor, analyze audit
records and create
compliance reports
Collect information, assess,
and establish security policy
Security
Intelligence
Automatically and
continuously enforce
security policy
Automate corrective actions
by updating access controls
IBM Security zSecure Compliance and Auditing
With QRadar
28
Š 2014 IBM Corporation
29. Security Systems Division
Security Intelligence: QRadar provides security visibility
IBM X-ForceÂŽ Threat
Information Center
Identity and
User Context
29
Real-time Security Overview
w/ IP Reputation Correlation
Real-time Network Visualization
and Application Statistics
Inbound
Security Events
Š 2014 IBM Corporation
30. Security Systems Division
zSecure, Guardium, AppScan & QRadar improve your
Security Intelligence
zSecure
ď§z/OS
ď§RACF
ď§ACF2, TSS
ď§CICS
ď§DB2
Guardium
ď§DB2
ď§IMS
ď§VSAM
Security Devices
Servers & Mainframes
Network/Virtual Activity
Database Activity
Application Activity
Configuration Info
AppScan
â˘Web Apps
â˘Mobile Apps
â˘Web services
â˘Desktop Apps
Extensive Data Sources
Event
Correlation
Activity Baselining &
Anomaly Detection
Offense
Identification
Threat Intelligence
User Activity
Vulnerability Information
+
Deep
Intelligence
=
Exceptionally Accurate and
Actionable Insight
ďź Centralized view of mainframe and distributed network security incidents, activities and trends
ďź Alerts, unauthorized log-ins, policy violations, configuration changes, etc. provided from zSecure Alert & zSecure Audit
ďź Better real-time threat identification and prioritization correlating vulnerabilities with Guardium and zSecure
ďź S-TAP feeds routed to QRadar via Guardium Central Policy Manager
ďź SMF data set feeds with zSecure Audit and zSecure Alert for Systemz
ďź Increases accuracy of threat identification correlating application vulnerabilities with other security alerts to assign
incident priorities and surface meaningful activity from noise
30
ďź Creates automatic alerts for newly discovered vulnerabilities experiencing active âAttack Pathsâ
ďź Produces increase accuracy of risk levels and offense scores, and simplified compliance reporting
Š 2014 IBM Corporation
31. Security Systems Division
Leverage advanced analytics across all stages of the attack
Monitor
Logs, network traffic, user
activity
Detect anomalies
Unusual yet hidden behavior
31
Correlate intelligently
Connect the dots of disparate activity
Prioritize for action
Attack high-priority incidents
Š 2014 IBM Corporation
32. Security Systems Division
Chosen by the leading organizations worldwide to secure
their most critical data
Guardium
zSecure
5 of the top 5 global banks
7 of the top 10 global
banks
2 of the top 3 global
retailers
8 of the top 10 global
insurers
5 of the top 6 global
insurers
Greater than half of the
Worldâs 50 largest
businesses
8 of the top 10 telcos
worldwide
4 of the top 4 global
managed healthcare
providers
32
QRadar
Top 10 US general
merchandise retailer
Top five global auto
manufacturer
Top 10 US defense
contractors
Top 15 US utility
companies
Š 2014 IBM Corporation
33. Security Systems Division
System z Certifications
z/VM
The Common Criteria
program establishes
an organizational and
technical framework
to evaluate the
trustworthiness of IT
Products and
protection profiles
ď§ Common Criteria
ď§ z/VM 6.1 is EAL 4+ for OSPP
ď§ z/VM 6.1 System SSL is FIPS
140-2 certified.
⢠System Integrity Statement
z/OS
z/VM
Linux
Linux
Linux on System z
Linux
z/OS
⢠Common Criteria EAL4+
⢠with CAPP and LSPP
⢠z/OS 1.7 ď 1.10 + RACF
⢠z/OS 1.11 + RACF (OSPP)
⢠z/OS 1.12 , z/OS 1.13 (OSPP)
⢠Common Criteria EAL5+
RACF V1R12 (OSPP)
RACF V1R13 (OSPP)
⢠z/OS 1.10 IPv6 Certification by
JITC
⢠IdenTrust⢠certification for z/OS
PKI Services
⢠FIPS 140-2
⢠System SSL z/OS 1.10 ď 1.13
⢠z/OS ICSF PKCS#11 Services
â z/OS 1.11 ď z/OS 1.13
⢠Statement of Integrity
33
33
Virtualization with partitions
Cryptography
ď§ Common Criteria
ď§ SUSE SLES11 SP2 certified
at EAL4+ with OSPP
ď§ Red Hat EL6.2 EAL4+ with
CAPP and LSPP
â˘
zEnterprise 196 & zEnterprise 114
⢠Common Criteria EAL5+ with specific target of
Evaluation â LPAR: Logical partitions
ď§ OpenSSL - FIPS 140-2 Level 1
Validated
â˘
System zEC12
⢠Common Criteria EAL5+ with specific target of
evaluation -- LPAR: Logical partitions
ď§ CP Assist - SHA-1 validated for
FIPS 180-1 - DES & TDES
validated for FIPS 46-3
â˘
Crypto Express2 Coprocessor, Crypto Express3 &
Crypto Express4s
- FIPS 140-2 level 4 Hardware Evaluation
- Approved by German ZKA
CP Assist
- FIPS 197 (AES)
- FIPS 46-3 (TDES)
- FIPS 180-3 (Secure Hash)
â˘
Š 2014 IBM Corporation
34. Security Systems Division
IBM Solutions Help to Address Potential Security and Audit
Concerns for the Mainframe
Do you know if
How do you prevent
unauthorized access?
Do you know if
anyone
attempted an
attack on the
mainframe?
RACF
z/OS
Communications
Server
IBM Security NIPS
Platform
Infrastructure
How do you
know your
private
customer
data is
encrypted
with key
mgmt?
Guardium and Security
Optim Solutions zSecure
IBM Security Key suite
Lifecycle Manager
Data Privacy
Is your
mainframe
security
configured
properly?
Can your
DB2 or IMS
auditors
get at the
information
they need?
administrators are
abusing privileges?
Can you
prove that
all critical
data
is backed
up and
recoverable?
DB2 and IMS Tivoli
zStorage
Audit
Management
Expert
Compliance
and Audit
How do you
know only
authorized
users are given
user accounts?
How did you
protect your
Web services
applications?
QRadar SIEM
zSecure
Compliance
and Auditing
Identity
Manager
Access
Manager
Tivoli
Federated
Identity
Mgr
Extended Enterprise
*It is the customer's responsibility to identify, interpret and comply with any laws or regulatory requirements that affect its business.
IBM does not represent that its products or services will ensure that the customer is in compliance with the law.
34
Š 2014 IBM Corporation
35. Security Systems Division
Ultimate Security
Reinforce customer trust
"Colony Brands puts Customer
Trust and Loyalty as top priorities
within the organization. We are
proud to leverage IBM's zEnterprise
throughout our organization due to
the Trusted, Proven, and Secure
nature of the platform. âŚâ
Garanti Bank â Turkey: The adoption of
IBM's System z reinforced Garanti's strategy
to deliver fast and secure banking services 24
hours a day, ensuring fast, scalable, robust,
flexible, cost-effective and secure
environment across different channels banking branches, ATMs, POSs, Internet and
mobile channels.*
- Todd Handel, Director, IT Strategy and Architecture
âIBM Security zSecure benefited ItaĂş
Unibanco risk areas by reducing the IT
risks that could have a direct impact on
the bankâs operational risk.â
Ineida Moura, Information Security
Manager, ItaĂş Unibanco
* www.prnewswire.com/news-releases/new-ibm-system-z-mainframe-servers-at-turkish-garanti-bank-help-introduce-new-services-124862844.html
35
Š 2014 IBM Corporation
36. Security Systems Division
IBM System z has Secured Systems for over 45 Years.
IBM is Security Ready.
Security, Built-in, by Design
âThe mainframe has survived many challenges âŚ. IBM has done this by keeping
the IBM System z platform up to date with the changing times, while retaining the
fundamental characteristics such as security that define enterprise-class
computing at the highest level.â*
*Masabi Group, David Hill, Analyst, November 14, 2012
Security Innovation Spanning Four Decades
1970
1977
1985
2004
2012
2013
Hardware
Cryptography
DES Encryption
Unit
Crypto Operating
System
Multilevel
Security MLS
RACFÂŽ Evaluated
at EAL5+
Enterprise
36
Key
Management
Š 2014 IBM Corporation
Foundation
37. February 23- 26
Security Systems Division
MGM Grand â Las Vegas, Nevada
Pulse Protect2014
The Security Forum at
February 23- 26
MGM Grand
Pulse2014 â Las Vegas,
Nevada
learn more at ibm.com/security/pulse
Pulse Protect 2014 will feature three days and 50+ sessions on the hottest security topics including security
and threat intelligence, application and data security, vulnerability management, defense against web fraud and advanced
malware, identity and access management, network security and emerging topics such as cloud and mobile security.
HIGHLIGHTS
Client & IBM led sessions
37
Threat Research
CISO Lunch & Networking
Introducing Trusteer
Featuring leading clients such as
Standard Bank, WestJet &
Whirlpool.
Hear from X-Force as well as
IBMâs malware and application
security researchers.
Hear from IBMâs CISO and other
industry leaders while networking
with your peers.
Discover Trusteerâs unique
approach to addressing web
fraud and malware.
Š 2014 IBM Corporation
37
38. Security Systems Division
ibm.com/security
38
Š Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBMâs sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Š 2014 IBM Corporation
Editor's Notes
RK
RK
Thread termination support based on Guardium collector policy violations:
With Guardium, you can create a policy rule that when conditions are met will send a request to the S-TAP to cancel the related active DB2 thread.
Guardium introduced 67 new Vulnerability (VA) tests for DB2 z/OS with the use of zSecure Audit 2.1. Customers would have to purchase zSecure Audit 2.1 to leverage these tests. Once properly setup, these tests will show all the DB2 subsystem effective privileges correlating the DB2 catalog and RACF privileges.
Also there's the 'Entitlements Reporting' piece of the integration with zSecure... Guardium offers 17 new entitlement report that use the data coming from zSecure. it is more accurate, as it reflect the systemâs effective privileges meaning, by correlating the DB2 catalog and RACF ACL lists to give the exact privilege state.Any customer who purchase zSecure Audit v2.1 would want to use Guardiumâs new VA tests along with entitlement.
Functions and Configuration Screens previously done by Windows Admin GUI are now part of the Guardium system GUI
RK
There are many, many other examples of successful InfoSphere Guardium deployments. InfoSphere Guardium is the most widely deployed Database Auditing and Protection solution worldwide, with over 700 clients. They span across top customers in all verticals and continents, for example:
(Review a few of the highlights from the slide)