20. Imagine the possibilities…
  • Business problem
    - Data warehouse can detect trends, but not nece...
21. Optim Test Data Generation: leverage this to build test versions of analytic DBs for Operational Risk
23. IT Management Trends are changing (x86 and RISC IT operations, application architects, mainframe IT operations)
  • As a res...
24. Questions. The future runs on System z
System Z Mainframe Security For An Enterprise

System z provides technology that makes it one of the most secure platforms available, and it can also be used to secure other platforms. This presentation gives a number of examples of enterprise security built around it: reduce your cost and your risk, and improve your security and resilience, with System z.

  • When people think about mainframe security, they usually think only of RACF. System z security includes a comprehensive set of products and solutions that span data privacy, compliance and audit, and platform infrastructure, and we extend these capabilities beyond the mainframe into the enterprise. The slide shows a sample of the products and solutions that provide those enterprise capabilities.
  • System z Solution Edition for Security, example: Fraud Forensics, Analysis and Prevention via Intellinx (which exploits the zAAP). In a recent case, a local police department suffered an embarrassing leak when a police officer made unlawful inquiries into the National and State Wants and Warrants database to dig up "dirt" on the VP candidate, Joe Biden, in the hope of selling the information to the tabloids. The fraud was detected through forensics, and the offending officer was terminated and charged accordingly. In a similar law-enforcement case, a State Police employee leaked information on planned arrests in a homicide investigation to one of the suspects (a friend).
  • Japan example. System z Solution Edition for Security: PKI management via Venafi. In this example, the client failed to detect digital certificates that had expired and therefore went several days without online booking because transactions failed. It took the airline several days to isolate the offending code and make the necessary corrections. The issue, which caught them by surprise, cost the company $3M per day in lost bookings. It was caused by a breakdown in their internal development and security procedures, a breakdown that could and likely would occur in any shop that does not deploy a central control point for managing digital certificates. The Solution Edition for Security from IBM addresses this issue and, had it been implemented at the client referenced in this case, could have saved millions from one incident.
  • A DB admin decides to encrypt some data. Keys get stale, so they must be rotated: as time passes, the likelihood of compromise increases. Later, that DB admin will rotate the key: retire the old key, generate a new one, re-encrypt the data, then destroy the old key. Is that it? No, there is a lot more to it.
  • Company information: With 35 years of experience, Payment Business Services (PBS) is a leading developer and supplier of payment solutions for banks, private organizations and public institutions in Denmark. Jointly owned by Danish banks, PBS handles payment transactions of all kinds, from point-of-sale (POS) terminal networks to its local-brand debit card, Dankort, to international credit cards. PBS also offers a wide range of products and services designed to simplify administration and operations for its clients, including direct debit service, e-invoicing and supplier services. Business need: PBS won the contract for implementing and running a digital signature (PKI) infrastructure for the national danID in Denmark. This solution was unique in that nowhere else in the world was a national digital identity card project implemented on a country-wide scale. Solution: IBM proposed the operational platform for the digital signature infrastructure and established the IBM System z9 Enterprise Class server running z/OS as the platform for development, test and production. IBM then developed cryptographic security based on mandated security regulations. This solution allows all Danish citizens to sign on and perform digital signatures in both banking and public systems using a single shared one-time password (OTP) device. It is an innovative solution combining a general purpose engine, specialty engines and hybrid accelerators, used together to improve the price/performance ratio for the Java and crypto workloads. To meet the needs of the client, PBS had to accommodate the following: the same userid and logon-id procedure for both the public and the banking infrastructure; access from any computer; and the improved security of two-factor authentication with a one-time password.
  • Fiat. System z Solution Edition for Security: Fraud Forensics, Analysis and Prevention via Intellinx (which exploits the zAAP). In this example, at IBM's urging the client implemented a security solution that successfully identified an exposure in its registration and enrollment policies for user IDs. Before implementing the solution, the client was reluctant to purge user IDs from the system for fear that an authorized user would be prevented from accessing a critical application. They had undergone significant layoffs, rehiring, strikes, lock-outs and the usual employee transitions (maternity leave, leave of absence, resignation and rehire, retirement, etc.), so they had thought it best to keep user IDs active until notified to delete them. This exposed the company to espionage, as former employees were unwittingly allowed access to sensitive proprietary data. In one case, a former employee used their old ID to gain access to company information which they later tried to sell to a competitor.
    Business risks in employee offboarding (the text that follows, with its footnotes 3 to 6, is taken from the IBM publication Using the IBM Security Blueprint to Address Business Risks for Employee Offboarding). On 23 February 2009, the Ponemon Institute released an independently conducted research study called Data Loss Risks During Downsizing [3], which documented the business risks associated with laid-off employees by surveying them. The study showed a particular problem with data theft even from employees who left the organization on good terms with their employer. According to the study: "More than 59% report that they kept organization data after leaving their employer. It is very interesting to note that employees who do not trust their former employer to act with integrity and fairness are more likely to take the data. Sixty-one percent of respondents who were negative about the organization took data while only 26% of those with a favorable view took data." The study also asked the laid-off employees how they took the data: "It is interesting that most employees (61%) who stole valuable customer and other business information are taking it in the form of paper documents or hard files. The next most popular means of transferring data is by downloading information onto a CD or DVD (53%) or onto a USB memory stick (42%) followed by sending documents as attachments to a personal e-mail account (38%)." Furthermore, many employees who left were well aware that their IT credentials had not been revoked: "Employees were able to access their former employer's computer system or network after departure. According to 24% of respondents, their ability to access data continued after they left the organization creating a data security risk. Of these respondents, 32% say that they accessed the system and their credentials worked and 38% say their co-workers told them that their access rights continued. In the case of 35% of the respondents, access to the system continued one week or longer." Even though the respondents were assured of their anonymity, the actual numbers may be under-reported due to the sensitive nature of the questions. The financial impact of these malicious incidents can be huge. On 6 October 2009, ComputerWorld posted an article, Former DuPont researcher hit with federal data theft charges [4], relating the latest charges against Hong Meng, a former top researcher. Meng is accused of downloading hundreds of DuPont trade-secret-level documents regarding organic LED (OLED) technology with the intent of taking them with him to his next employer. As another example of the huge impact these malicious events can have, the CERT Coordination Center and the US Secret Service published a public report in 2004 titled Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector [5]. One of the case studies in the report concerned employee offboarding risk: "In March 2002, a 'logic bomb' deleted 10 billion files in the computer systems of an international financial services organization. The incident affected over 1300 of the organization's servers throughout the United States. The organization sustained losses of approximately $3 million, the amount required to repair damage and reconstruct deleted files. Investigations by law enforcement professionals and computer forensic professionals revealed the logic bomb had been planted by a disgruntled employee who had recently quit the organization because of a dispute over the amount of his annual bonus." A follow-up study by the same organizations in 2005, titled Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors [6], noted how common it is for insider threats to come from ex-employees: the majority of the insiders were former employees. At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors. The former employees or contractors left their positions for a variety of reasons, including being fired (48%), resigning (38%) and being laid off (7%).
    [3] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Data%20Loss%20Risks%20During%20Downsizing%20FINAL%201.pdf
    [4] http://www.computerworld.com/s/article/9139014/Former_DuPont_researcher_hit_with_federal_data_theft_charges
    [5] CERT Coordination Center and US Secret Service, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, 2004
    [6] CERT Coordination Center and US Secret Service, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, 2005
  • The charts on the two application architecture slides represent the business components of a large North American bank.
1. Security in a Distributed Environment: The role of the Mainframe
  The future runs on System z
  Jim Porell, IBM Distinguished Engineer, Deputy CTO, Federal Sales
2. Security on System z: Reducing risk for the Enterprise
  The analogy: an insurance policy
  • Basic insurance policy: $100,000 liability
  • Riders: excess replacement for valuable items; excess medical coverage; unlimited vehicle towing; excess liability insurance up to $3,000,000
  Security on System z
  • Basic security: System z RACF
  • Riders: data encryption services; enterprise key management; identity management; compliance reporting; fraud prevention, forensics and analytics
3. Common "Data Processing" Program models
  • Transaction processing
    - Point of sale
    - Claims processing
    - Credit/Debit/Transfer
    - Working off an operational data store (ODS)
  • Data mining / data warehouse
    - Batch operations, many times not on the operational data store
    - Looking for new business opportunities
  • Operational Risk (OR)
    - Leverages the database
    - Originally it also used a copy of the ODS for detection purposes
      - After 9/11 this proved inefficient: fraud occurs during the batch window
    - Now OR is more preventative, so it must work off real-time data
      - Additions to any OR database must also be considered in real time rather than in batch
4. There are patterns for security as well
  • Delivery: Professional Services, Managed Services, Hardware & Software
  • Functions: Authentication, Access Control, Data Privacy, Audit/Compliance, Registration/Enrollment, Incident and Event Management
  • Strategy: zEnterprise as a control point for the enterprise, with common policy, event handling and reporting
  • The IBM Security Framework: Security Governance, Risk Management and Compliance, applied across People and Identity; Data and Information; Application and Process; Network, Server and End-point; Physical Infrastructure
5. Cross Domain Risks
  • LAN and network security
  • Secure sign-in
  • Cross-domain authentication
  • Self-signed certificates
  • Certificate management
  • Data privacy
    - Developers
    - PII data
  • Aberrant behavior
  • Insider theft
  • Forensics
  • Prevention
  Security is not all about technology! (It is really about people and processes.)
6. Security Admin Requirements
  • Systems Admin/DBA
    - Identification/Authentication
    - Access control
    - Data confidentiality
    - Audit/Compliance
    - Registration/Enrollment
    - "Cloning" simplifies admin
  • Network Admin
    - DMZ
      - Denial of service attacks
      - Internet facing
      - Firewalls
    - Network bandwidth
    - Intrusion prevention/defense
  • End-to-end reality (aka Cross Domain)
    - Virtualization
      - When does cloning make sense? When not?
    - Are all network security needs handled?
    - Insider threats?
      - Forensics; fraud prevention
    - Consistent application of security across domains?
7. Elements of an Enterprise Security Hub
  • Platform Infrastructure: RACF (audit, authorization, authentication and access control); Communications Server (IDS, secure communications); System z SMF; ITDS scalable enterprise directory; Network Authentication Service (Kerberos V5 compliant); z/OS System SSL (SSL/TLS suite); ICSF services and key storage for key material; Crypto Express3 crypto cards; PKI Services certificate authority; Multilevel Security; Common Criteria ratings; support for standards
  • Data Privacy: DS8000 disk encryption; TS1120 tape encryption; encryption key management (DKMS, TKLM); Venafi Encryption Director; Guardium; Optim
  • Compliance and Audit: IBM Tivoli Security Compliance Insight Manager; IBM Tivoli zSecure Suite; DB2 Audit Management Expert
  • Extended Enterprise: Tivoli Identity Manager; Tivoli Federated Identity Manager; LDAP; Enterprise Fraud Solutions
8. Customer Problem (wireless store infrastructure, HQ, regional data center)
  • Branch uses WEP for LAN activity
  • Processes cards with banks
  • Hacker plugs in and gets copies of all transactions
  • Problem detected and branch systems get fixed
  • Mainframe doesn't appear affected by distributed leaks
  • Hypothesis: the mainframe could help secure end users if they use good procedures
  • Branch managers run inventory transactions to the mainframe
  • No encryption on sign-in
  • No audit records analyzed
  Diagram: Bank, Hacker, Branch Manager and Point of Sale terminals, with an unanswered question mark on every path between them
9. Real World Customer Problems
  • "That problem could never happen at my business"
    - Wrong: this problem can occur anywhere there is a change in security administrative control
  • The weakest link in an enterprise is typically the end user interface
    - Viruses, worms and Trojan horses enable someone to hijack the end user interface
    - In turn, that hijacked desktop can be used to log into any other server
      - Is it "really the authorized end user"? Perhaps not. That is a large risk to a business.
  • Outsourcers and mainframe IT operations have SLAs that protect the data they host on their systems
  • Do their customers and end users have SLAs that specify minimum desktop security? Do they manage desktops and mainframes together?
    - Typically not; as a result, there is a major risk that a compromised end user interface results in compromised mainframe access
  • Our goal is to look at security management across these domains
10. Examples of End to End Security (wireless business infrastructure, HQ, outsourcer)
  • Mainframe userid and password encryption via Host On-Demand
  • Virtual Private Network encryption (which exploits the zIIP)
  • Audit and anomaly detection via TCIM (Tivoli Compliance Insight Manager)
  • Fraud forensics, analysis and prevention via Intellinx (which exploits the zAAP)
  • LAN encryption via WPA, using certificates from z/OS PKI Services
  • z/OS PKI deployment with Global Services (Security & Privacy Consulting)
  • PKI management via Venafi
  Diagram: Bank, Regional Data center, Branch Manager and Point of Sale terminals, a "Hacker or Insider", and on the mainframe side the zIIP, the zAAP, z/OS PKI Services and Compliance Insight Manager
11. System z Solution Edition for Security: Fraud Reference Case
  • Client scenario: state criminal justice system; "bullet-proof" mainframe security; many access points
    - Policemen access driver information from a portal within the police cruiser
    - Detectives track case data via a Cognos analytics application
    - Courts manage search warrants and court cases
  • IBM sales team targets the CIO and CFO:
    - "Experience has demonstrated that insider leaks may be utilized to help criminals escape prosecution or to release information about celebrities or high ranking government officials."
  • Provocation:
    - "Your current IT infrastructure is exposed to these leaks, which will likely result in civil and criminal penalties."
    - "At this very moment, policemen or detectives may be leaking information to criminals or the media. You are also currently exposed to illegal access of sensitive information. Most alarming is that you may only become aware of such illegal access after your department has become fodder for the tabloids. In such cases, departments have suffered high-level resignations and civil penalties."
  • Solution Edition for Security: mainframe security extended end-to-end across the enterprise (zIIP, zAAP, Compliance Insight Manager)
  Diagram: illegal queries against the Wants and Warrants database, next to the headline "Joe Biden selected as Obama's running mate"
12. Deployment choices toward a Fraud & Forensic Clearing House on System z
  • Business goals
    - A user activity monitor for forensics and fraud prevention
    - Non-invasively capture activities from a wide variety of protocols and systems
    - Deploy stealthily, where possible
  • Intellinx in action
    - Identified thefts from dormant bank accounts
    - Eliminated roll-your-own (RYO) audit tools for a major police department
    - Stopped leakage of personally identifiable information
  • BladeCenter deployment
    - Over 200 blades to meet the needs of a large financial institution with the five distinct solution points of control
    - Weeks to configure and deploy software
    - Environmental and FTE costs are the highest of the three options
    - Coordination across security, network and server admin teams
  • Linux on System z deployment
    - Multiple Linux server instances to cover the five distinct solution points of control
    - Common hardware reduces environmentals and FTEs
    - Network connections must be established to capture traffic
  • z/OS zWatch edition deployment
    - Installation in under an hour, software only
    - zIIP and zAAP eligibility for 98% of processing keeps software pricing minimal
    - High volume, low CPU utilization
    - TCA and TCO are less than the alternatives
    - zWatch has the unique capability to handle network-encrypted traffic
    - With zBX, zWatch can handle non-z traffic with network admin assistance and simplify operations
    - Reduced overhead and latency for real-time analytics
  Diagram (Intellinx on z/OS): a switch carrying 3270 / 5250 / MQ / HTTP traffic to the host feeds the Intellinx Sensor Analyzer and Session Analyzer (queue, screen/message recording, session reconstruction, replay), then the Event Analyzer (backlog) and Events Repository (business events, actions), and finally Intellinx Reports; MQSeries and files are additional inputs
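The user activity monitor the slide describes reduces, once sessions have been reconstructed, to rules run over a stream of transactions. The Go program below is an added example and not Intellinx or IBM code: it parses constructed session records (a hypothetical WANTQ inquiry transaction with invented user and subject IDs) and applies the three rules a fraud clearing house would start with: a watch-list of high-profile subjects, lookups outside shift hours, and per-user hourly query volume. The watch-list rule is the one that would have surfaced the Wants and Warrants lookups described in the notes; the other two catch the bulk behaviour that usually precedes a sale of data.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Record is one host transaction as a session monitor would reconstruct it from
// 3270, MQ or HTTP traffic: who ran which transaction against which subject, when.
type Record struct {
	When    time.Time
	User    string
	Txn     string
	Subject string
}

// Alert names the user, the rule that fired and the evidence behind it.
type Alert struct {
	User   string
	Rule   string
	Detail string
}

// ParseLog reads lines of "RFC3339-time user txn subject"; blank lines are skipped.
func ParseLog(text string) ([]Record, error) {
	var recs []Record
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		recs = append(recs, Record{When: ts, User: f[1], Txn: f[2], Subject: f[3]})
	}
	return recs, sc.Err()
}

// Detect applies three rules: "watchlist" (lookup of a listed subject), "off-shift"
// (lookup outside [shiftStart, shiftEnd) UTC hours) and "volume" (more than
// perHourLimit lookups by one user within one clock hour). Alerts are sorted by user.
func Detect(recs []Record, watchlist map[string]bool, shiftStart, shiftEnd, perHourLimit int) []Alert {
	var alerts []Alert
	perHour := map[string]int{} // "user|YYYY-MM-DDTHH" -> lookups in that hour
	for _, r := range recs {
		if watchlist[r.Subject] {
			alerts = append(alerts, Alert{User: r.User, Rule: "watchlist", Detail: r.Subject + " at " + r.When.Format(time.RFC3339)})
		}
		if h := r.When.Hour(); h < shiftStart || h >= shiftEnd {
			alerts = append(alerts, Alert{User: r.User, Rule: "off-shift", Detail: r.When.Format(time.RFC3339)})
		}
		perHour[r.User+"|"+r.When.Format("2006-01-02T15")]++
	}
	for key, n := range perHour {
		if user := key[:strings.Index(key, "|")]; n > perHourLimit {
			alerts = append(alerts, Alert{User: user, Rule: "volume", Detail: fmt.Sprintf("%d lookups in hour %s", n, key[len(user)+1:])})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].User != alerts[j].User {
			return alerts[i].User < alerts[j].User
		}
		return alerts[i].Rule < alerts[j].Rule
	})
	return alerts
}

// SampleLog is constructed traffic for a hypothetical WANTQ (wants and warrants
// inquiry) transaction; users, subjects and times are invented for the example.
const SampleLog = `
2010-06-01T09:05:00Z OFC101 WANTQ SUBJ-1001
2010-06-01T09:07:00Z OFC101 WANTQ SUBJ-1002
2010-06-01T23:40:00Z OFC207 WANTQ SUBJ-9001
2010-06-01T10:00:00Z OFC315 WANTQ SUBJ-2001
2010-06-01T10:01:00Z OFC315 WANTQ SUBJ-2002
2010-06-01T10:02:00Z OFC315 WANTQ SUBJ-2003
2010-06-01T10:03:00Z OFC315 WANTQ SUBJ-2004
2010-06-01T10:04:00Z OFC315 WANTQ SUBJ-2005
2010-06-01T10:05:00Z OFC315 WANTQ SUBJ-2006
`

// Watchlist holds the subject IDs whose records must never be queried without review.
var Watchlist = map[string]bool{"SUBJ-9001": true}

func main() {
	recs, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(recs, Watchlist, 7, 19, 5) {
		fmt.Printf("%-7s %-10s %s\n", a.User, a.Rule, a.Detail)
	}
}
```

In production the shift window would be looked up per user or role and the volume threshold derived from each user's own baseline rather than a fixed limit; the structure of the rules does not change.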
13. System z Solution Edition for Security: Encryption Reference Case
  • Client scenario: large airline; web-enabled reservation system; high volume transaction processing
    - Consumers and travel agents use an SOA portal to access reservations
    - 10,000s of tickets sold daily via the web
    - Secure client access and privacy are essential to the workflow
  • IBM sales team targets the CIO and CFO:
    - "Encryption is leveraged to protect personally identifiable information transmitted across the internet. Each application is signed to ensure that spoofing cannot occur. Self-signed certificates are used by application developers to speed deployment. However, transactions fail when certificates expire."
  • Provocation:
    - "Your system is not immune to this issue, and when certificates expire your online reservations will fail."
    - "You currently lack a central control point to manage certificate expiration. Failure to detect an impending expiration will lead to an outage that results in lost bookings. Based on your transaction volumes, your firm will lose $3M per day in perishable reservations. This need not be left to chance: IBM has a solution to eliminate this costly exposure."
  • Solution Edition for Security: mainframe security extended end-to-end across the enterprise (zAAP); the cost of doing nothing is lost revenues (and customers)
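Expiry monitoring is the control point the provocation says is missing. The Go program below is an added example, not the Venafi or z/OS PKI Services tooling the slide refers to: it inventories every certificate in a PEM bundle, reports expired and soon-to-expire ones with a severity, and flags self-signed certificates, which matter here because no CA will ever send a renewal reminder for them. The three certificates are generated in-program as constructed sample data (hypothetical example.test names); in practice the bundle would be exported from the application keystores, RACF key rings or a network scan.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// ExpiryAlert is one certificate the control point should escalate.
type ExpiryAlert struct {
	Subject    string
	NotAfter   time.Time
	DaysLeft   int  // negative once expired
	SelfSigned bool // issuer == subject: nobody upstream will warn you about these
	Severity   string
}

// CheckCertificates walks every CERTIFICATE block in a PEM bundle and returns alerts
// for certificates already expired (EXPIRED) or expiring within critDays (CRITICAL)
// or warnDays (WARNING) of now, earliest expiry first. Healthy certificates are silent.
func CheckCertificates(bundle []byte, now time.Time, warnDays, critDays int) ([]ExpiryAlert, error) {
	var alerts []ExpiryAlert
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys or CRLs in the same file are not our concern here
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
		severity := ""
		switch {
		case !now.Before(cert.NotAfter):
			severity = "EXPIRED"
		case daysLeft < critDays:
			severity = "CRITICAL"
		case daysLeft < warnDays:
			severity = "WARNING"
		default:
			continue
		}
		alerts = append(alerts, ExpiryAlert{
			Subject:    cert.Subject.CommonName,
			NotAfter:   cert.NotAfter,
			DaysLeft:   daysLeft,
			SelfSigned: bytes.Equal(cert.RawIssuer, cert.RawSubject),
			Severity:   severity,
		})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].NotAfter.Before(alerts[j].NotAfter) })
	return alerts, nil
}

// SelfSignedPEM mints a self-signed certificate with the given validity window. It
// stands in for the developer-issued certificates the slide describes (constructed
// sample data, not a real deployment artifact).
func SelfSignedPEM(cn string, notBefore time.Time, validDays int) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is the inventory used below: one certificate already expired, one
// expiring in five days, one healthy for almost a year (hypothetical example.test names).
func SampleBundle(now time.Time) []byte {
	b := SelfSignedPEM("payments.example.test", now.AddDate(0, 0, -400), 365)
	b = append(b, SelfSignedPEM("booking.example.test", now.AddDate(0, 0, -360), 365)...)
	return append(b, SelfSignedPEM("intranet.example.test", now.AddDate(0, 0, -10), 365)...)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	alerts, err := CheckCertificates(SampleBundle(now), now, 30, 7)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-8s %-22s expires %s (%d days) self-signed=%t\n",
			a.Severity, a.Subject, a.NotAfter.Format("2006-01-02"), a.DaysLeft, a.SelfSigned)
	}
}
```

The WARNING threshold is the one that buys time: a CRITICAL alert five days out still leaves room to reissue, but an inventory that only reports EXPIRED certificates is a post-mortem tool, which is the situation the airline was in.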
14. Three types of encryption keys to be managed
  • Symmetric keys
    - Used for encrypting storage devices: tapes and disks
    - Management: initially by EKM (Encryption Key Manager), evolving toward TKLM (Tivoli Key Lifecycle Manager). However, TKLM requires an asymmetric key to be bootstrapped.
  • Asymmetric keys
    - Used for identification and authentication
    - Used by applications, interactive sessions, web services, networking and POS devices
    - Management: roll-your-own applications, such as the sample web pages shipped with PKI Services; DKMS (a services offering); Venafi or VeriSign (third-party vendors)
  • Root keys
    - Both of the above key types are stored in a hardware security module (HSM), or "vault". There needs to be a key to the vault.
    - On System z, the Trusted Key Entry (TKE) workstation is used to manage the crypto hardware
    - For other HSMs (e.g. ATM root keys, 4758 crypto hardware, OEM devices), GTS has developed DKMS
15. The Reality of Lifecycle Management
  Every stage of the key and certificate lifecycle carries a Policy (P), a Workflow (W) and an Audit (A) dimension:
  • Generate
  • Acquire certificate
  • Configure application
  • Initialize/manage key store
  • Index (metadata)
  • Manage roots/trust
  • Store
  • Archive/backup
  • Distribute/provision
  • Control access
  • Discover/inventory
  • Monitor/validate
  • Notify/alert
  • Rotate
  • Retire/revoke
  • Destroy
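The rotate, retire, generate, re-encrypt and destroy sequence from the notes, and the policy/workflow/audit rows of this slide, can be made concrete for the symmetric case. The Go program below is an added example and not TKLM, EKM or DKMS code: it keeps versioned data-encrypting keys, tags each AES-GCM ciphertext with the key version (bound into the authentication tag as associated data), re-encrypts records under a new key while the old one is retired and decrypt-only, then zeroises the old key, and writes an audit entry for every transition. Keys live in process memory here, which is an assumption for the example; on System z the material would be wrapped under a master key held in the crypto hardware via ICSF. The policy decision of when to rotate (key age, records encrypted, suspected compromise) is left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Key states: active (encrypt+decrypt), retired (decrypt only while records are
// re-encrypted), destroyed (material zeroised; ciphertexts under it are unrecoverable).
const (
	active = iota
	retired
	destroyed
)

// KeyStore keeps versioned 256-bit keys in memory (an assumption for the example; a
// real store wraps them under an HSM-held master key). Every ciphertext carries the
// version that produced it, so records stay readable during rotation.
type KeyStore struct {
	material map[uint32][]byte
	state    map[uint32]int
	cur      uint32
	Audit    []string // one entry per lifecycle event
}

func NewKeyStore() *KeyStore {
	ks := &KeyStore{material: map[uint32][]byte{}, state: map[uint32]int{}}
	ks.Generate()
	return ks
}

// Generate makes a fresh key, activates it and retires the previous one.
func (ks *KeyStore) Generate() uint32 {
	if _, ok := ks.material[ks.cur]; ok {
		ks.state[ks.cur] = retired
		ks.Audit = append(ks.Audit, fmt.Sprintf("retire v%d", ks.cur))
	}
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read does not fail in current Go
	ks.cur++
	ks.material[ks.cur], ks.state[ks.cur] = k, active
	ks.Audit = append(ks.Audit, fmt.Sprintf("generate v%d", ks.cur))
	return ks.cur
}

// aead returns the cipher for version v, refusing destroyed keys and refusing to
// encrypt under anything but the active key.
func (ks *KeyStore) aead(v uint32, forEncrypt bool) (cipher.AEAD, error) {
	if st, ok := ks.state[v]; !ok || st == destroyed || (forEncrypt && st != active) {
		return nil, fmt.Errorf("key v%d is not usable for this operation", v)
	}
	block, _ := aes.NewCipher(ks.material[v]) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Version reads the key version from a ciphertext header (callers check length first).
func Version(ct []byte) uint32 { return binary.BigEndian.Uint32(ct[:4]) }

// Encrypt returns version(4) || nonce(12) || AES-GCM(plaintext); the version is
// bound into the tag as associated data so it cannot be swapped unnoticed.
func (ks *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	g, err := ks.aead(ks.cur, true)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4+g.NonceSize())
	binary.BigEndian.PutUint32(hdr, ks.cur)
	rand.Read(hdr[4:])
	return append(hdr, g.Seal(nil, hdr[4:], plaintext, hdr[:4])...), nil
}

func (ks *KeyStore) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 16 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	g, err := ks.aead(Version(ct), false)
	if err != nil {
		return nil, err
	}
	n := 4 + g.NonceSize()
	return g.Open(nil, ct[4:n], ct[n:], ct[:4])
}

// Rotate is the whole cycle the slide lists: generate, re-encrypt every record under
// the new key, then zeroise and destroy the retired key once nothing depends on it.
func (ks *KeyStore) Rotate(records [][]byte) ([][]byte, error) {
	old := ks.cur
	ks.Generate()
	out := make([][]byte, len(records))
	for i, ct := range records {
		pt, err := ks.Decrypt(ct)
		if err != nil {
			return nil, fmt.Errorf("record %d: %w", i, err)
		}
		if out[i], err = ks.Encrypt(pt); err != nil {
			return nil, err
		}
	}
	for i := range ks.material[old] {
		ks.material[old][i] = 0
	}
	ks.state[old] = destroyed
	ks.Audit = append(ks.Audit, fmt.Sprintf("destroy v%d", old))
	return out, nil
}

func main() {
	ks := NewKeyStore()
	rec, _ := ks.Encrypt([]byte("PAN 4111 1111 1111 1111")) // constructed sample record
	recs, _ := ks.Rotate([][]byte{rec})
	pt, err := ks.Decrypt(recs[0])
	fmt.Printf("v%d %q err=%v audit=%v\n", Version(recs[0]), pt, err, ks.Audit)
}
```

The order inside Rotate is the part that gets skipped in practice: the old key is destroyed only after every record has been re-encrypted and the new ciphertexts written back; destroying it first, or keeping it active "just in case", is how shops end up with either unreadable backups or a key that never actually retires.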
16. Payment Services: a unique national digital identity card project implemented on a country-wide scale
  • Business need
    - Payment Business Services (PBS) won the contract for implementing and running a digital signature (PKI) infrastructure for the national danID in Denmark
    - To meet the needs of the client, PBS had to accommodate the following:
      - Same userid and logon-id procedure for both the public and the banking infrastructure
      - Access from any computer
      - Improved security of two-factor authentication with a one-time password
  • Benefit
    - This solution allows all Danish citizens to sign on and perform digital signatures in banking and public systems using a single shared one-time password (OTP) device
    - It is an innovative solution combining a general purpose engine, specialty engines and hybrid accelerators, used together to improve the price/performance ratio
  • IBM provides the operational platform for the digital signature infrastructure. The IBM System z9 Enterprise Class server running z/OS is the platform for development, test and production. IBM developed cryptographic security based on mandated security regulations.
17. System z Solution Edition for Security: CI&AM Reference Case
  • Client scenario: automobile manufacturer; automated assembly line; employee administration
    - Many applications across a wide variety of systems
    - Critical workflows to keep the automated assembly line running
    - 10,000 active employees that communicate with critical applications
  • IBM sales team targets the CIO and CFO:
    - "Common roles defined across workflow processes are critical to business success. Registration and enrollment of users must be rapid and consistent across application environments."
  • Provocation:
    - "300,000 former employees, who have retired or been terminated, still have discrete IDs and access to critical data."
    - "Your firm is susceptible to espionage and/or sabotage from former employees. You are putting your operations at risk because of the ad hoc provisioning of users to disparate systems. Failure to centralize the administration and removal of unauthorized people from your systems (in a timely fashion) could cost you millions. IBM can help you eliminate this risk and potential for future loss."
  • In the news: a former DuPont employee used his access to steal trade secrets on OLED. A disgruntled employee of an international financial services organization planted a "logic bomb" which deleted 10 billion files and affected over 1,300 servers, causing $3M in losses.
  • Solution Edition for Security: mainframe security extended end-to-end across the enterprise (zIIP, zAAP, Identity Manager)
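The 300,000 stale IDs are what you get when deprovisioning waits for someone to ask for it. The Go program below is an added example, not Tivoli Identity Manager code: it reconciles a directory export against the HR roster and lists the accounts that should no longer be live, each with the strongest reason that applies (owner terminated, owner unknown to HR, or no logon within the dormancy window). Both feeds are constructed sample CSV with invented employee IDs and dates. Service accounts owned by a departed employee are reported for reassignment rather than disabling, because disabling a batch ID that drives the assembly line is an outage of its own, which is exactly the fear that kept this client from purging anything.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Finding is one account the offboarding process must act on.
type Finding struct {
	Account string
	Owner   string // employee ID recorded in the directory
	Reason  string // terminated, unknown-owner, reassign-owner or dormant
}

// readCSV returns the data rows of a CSV text, without the header.
func readCSV(text string) ([][]string, error) {
	rows, err := csv.NewReader(strings.NewReader(text)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("empty feed")
	}
	return rows[1:], nil
}

// Reconcile joins a directory export (userid,emp_id,last_logon,type) against the HR
// roster (emp_id,status,term_date) and returns accounts that should not still be live.
// A terminated or unknown owner outranks dormancy, so each account is reported once.
func Reconcile(hrCSV, dirCSV string, now time.Time, dormantDays int) ([]Finding, error) {
	hrRows, err := readCSV(hrCSV)
	if err != nil {
		return nil, fmt.Errorf("hr roster: %w", err)
	}
	status := map[string]string{}
	for _, r := range hrRows {
		status[r[0]] = r[1]
	}
	dirRows, err := readCSV(dirCSV)
	if err != nil {
		return nil, fmt.Errorf("directory export: %w", err)
	}
	var findings []Finding
	for _, r := range dirRows {
		account, owner, lastLogon, kind := r[0], r[1], r[2], r[3]
		st, known := status[owner]
		var reason string
		switch {
		case !known:
			reason = "unknown-owner" // nobody in HR vouches for this account
		case st != "active" && kind == "service":
			reason = "reassign-owner" // keep the batch ID running, but give it a live owner
		case st != "active":
			reason = "terminated"
		case isDormant(lastLogon, now, dormantDays):
			reason = "dormant"
		default:
			continue
		}
		findings = append(findings, Finding{Account: account, Owner: owner, Reason: reason})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings, nil
}

// isDormant treats "never" and unparseable dates as dormant: an ID nobody has used
// is exactly the kind that gets left behind.
func isDormant(lastLogon string, now time.Time, dormantDays int) bool {
	t, err := time.Parse("2006-01-02", lastLogon)
	if err != nil {
		return true
	}
	return now.Sub(t) > time.Duration(dormantDays)*24*time.Hour
}

// Constructed sample feeds; employee IDs, userids and dates are invented.
const HRRoster = `emp_id,status,term_date
E100,active,
E200,terminated,2009-10-15
E300,active,
`

const DirectoryExport = `userid,emp_id,last_logon,type
JSMITH,E100,2010-05-28,user
MJONES,E200,2010-05-30,user
ADAMS,E999,2009-01-10,user
TLEE,E300,2009-12-01,user
BATCHX,E200,2010-05-31,service
ROBOT1,E100,never,service
`

func main() {
	findings, err := Reconcile(HRRoster, DirectoryExport, time.Date(2010, 6, 1, 0, 0, 0, 0, time.UTC), 90)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-7s owner=%-5s %s\n", f.Account, f.Owner, f.Reason)
	}
}
```

MJONES is the case the provocation is about: HR terminated the owner months ago and the account logged on two days ago. A reconciliation like this run nightly, with its output fed to the provisioning system rather than to a mailbox, is what turns "notify us when someone leaves" into an actual control.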
18. Application Architecture: The Complexity of Distributed
  • Business objectives
    - A bank has four basic transactions: credit, debit, transfer, inquiry
    - And it has a variety of choices for the front end interface: ATM, branch terminal, kiosk, web browser, PDA, cellphone
    - Customer uses a BladeCenter to drive multi-channel transformation
    - The back end processing remains the same regardless of the presentation device
  • Fully distributed model (if deployed)
    - Each application becomes a cluster of server images and must be individually authenticated and managed
    - Each line in the diagram is a separate network connection, requiring high bandwidth and protection
    - Data is replicated across the enterprise to meet scalability
    - Customer deploys/builds automation processes to facilitate system recovery with additional software; this is not trivial and requires additional software and unique development
    - High environmental needs and full-time employees to manage the infrastructure
  • Management considerations for an enterprise: authentication; alert processing; firewalls; virtual private networks; network bandwidth; encryption of data; audit records/reports; provisioning users/work; disaster recovery plans; storage management; data transformations; application deployment. How does the Virtualization Manager improve these?
  Diagram: a WebSphere application server and service platform with database connectors (SQLJ), servlets, message services, RMI/IIOP EJBs (WAS), an authentication server, connectors/appliances, and the business applications (loan application, bank teller, general ledger, credit card processing, risk analysis, current accounts, bill payment, currency exchange, and batch programs feeding temp data to an electronic data warehouse), each with its own management ("Mgt") point
19. Application Architecture: A Large Enterprise
- zNext Combinations – reducing control points
- Assumes the Bladecenter for the multi-channel transformation
- Can leverage WebSphere on either Linux for System z or z/OS
- The Bladecenter functionality can be migrated to zBX in the future
- TCA and TCO advantages over distributed
- It’s the very same programming model in a different container that provides a superior operations model
Diagram: System zEnterprise consolidation – End User (Hosted Client, Desktop Framework, Devices, Device Apps, Banking Portal, XML over HTTP(S)); Application Server (WebSphere Service Platform, Servlet, EJB/WAS, RMI/IIOP, Middleware Services, Personalization Service, Desktop Framework Services); Database Connectors (SQLJ), Service Connectors, Message Service, MQ, Authentication Server, Systems & Databases, Electronic Data Warehouse fed with temp data by a Batch Process; business applications (Loan Application, Bank Teller, General Ledger, Credit Card Processing, Risk Analysis, Current Accounts, Bill Payment, Currency Exchange, Batch Programs)
Potential advantages of consolidating your application and data serving:
- Security: Fewer points of intrusion
- Resilience: Fewer Points of Failure
- Performance: Avoid Network Latency
- Operations: Fewer parts to manage
- Environmentals: Less Hardware
- Capacity Management: On Demand additions/deletions
With IFL; With zAAP & zIIP
- Utilization: Efficient use of resources
- Scalability: Batch and Transaction Processing
- Auditability: Consistent identity
- Simplification: Problem Determination/diagnosis
- Transaction Integrity: Automatic recovery/rollback
- Security: Fewer points of intrusion
- Connectivity: Improved throughput
- Simplification: Problem Determination/Monitoring
- Development: Consistent, cross-platform tools
With zBX
20. Imagine the possibilities…
- Business Problem
  - Data warehouse can detect trends, but not necessarily prevent fraud or upgrade transactions in real time because data is copied in bulk or batch mode
- Insight instead of Hindsight
  - Data is copied in nanoseconds instead of hours or days
  - Opens up opportunities for real-time analytics
    - Preventing fraud
    - Making business analytic decisions faster
  - Improved performance and lower cost
  - Uses blade-based specialty processors and storage for warehouse workloads
  - Boosts overall query performance 5x – 10x
  - Customers could see a 40% reduction in storage utilization
  - Supports in-memory column store for parallel star schema queries
  - Uses column-based compression to minimize storage needs
  - Unchanged interfaces to DB2 for z/OS and thus no changes to the BI/DW applications
  - Provides capability to perform both transactional (OLTP) and warehousing (OLAP) types of queries in the same database management system
Diagram: Traditional Operations vs. zNext – Claims, POS and Credit/Debit feeds into Decision Support; traditional path uses Filter, Extract and Move of PII input through the DB, temporary stores and result sets; zNext path (MAINFRAME, ISAO or ASBs) transforms on z and feeds Decision Support with Cognos on Linux
22. Optim Test Data Generation – leverage this to build test versions of Analytic DBs for Operational Risk
23. Cross Domain Risks
- LAN and Network Security
- Secure Sign in
- Cross Domain Authentication
- Self Signed Certificates
- Certificate Management
- Data privacy
  - Developers
  - PII data
- Abhorrent behavior
- Insider Theft
- Forensics
- Prevention
24. IT Management Trends are changing
Diagram labels: X86, RISC; IT Operations; Application Architects; Mainframe IT operations
- As a result, businesses can more rapidly meet their Global Responsibilities
- Governance
- Risk and Compliance
- Business Continuity
- Privacy
- Agility
- Lean and Green
Good Enough
- The mainframe must demonstrate that it is Good Enough to support the next generation of workloads
- It should also demonstrate that collaborating with other systems can yield Fit for Purpose instead of Fit for Politics
Diagram: Good Enough – Global IT operations, Application Architects, Mainframe Application Sandbox, Bladecenter, Virtual Clients, IT Operations, Mainframe IT Operations, Next Gen Applications
25. Questions – The future runs on System z