
Encryption and Hashing and Keys – Oh, my! Demystifying Interoperable Encryption for the Mainframe and for the Enterprise


  1. CA World® ’16 – Encryption and Hashing and Keys – Oh, my! Demystifying Interoperable Encryption for the Mainframe and for the Enterprise
     Stuart McIrvine – VP, Product Management, CA Technologies
     Joe Sturonas – Chief Technology Officer, PKWARE Inc.
     Session MFX119S – Mainframe and Workload Automation
  2. Terms of this Presentation – For Informational Purposes Only
     © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
     © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  3. Abstract
     Increasing risks of accidental and intentional mainframe data compromise elevate enterprises’ interest in achieving safe harbor by encrypting sensitive and regulated data. Encryption introduces many new elements of consideration to existing workflows, further complicated by the need for interoperability between the mainframe and other enterprise platforms. Join this session to learn best practices for applying encryption to protect your data, even while ensuring your existing processes remain intact. Topics include:
     • Types of cryptographic functions
     • Encryption algorithm selection
     • Sources of encryption acceleration on the mainframe
     • Considerations when encrypted mainframe data must be used on other platforms
     • Encryption key selection and management
     Speakers: Stuart McIrvine, VP, Product Management, CA Technologies; Joe Sturonas, Chief Technology Officer, PKWARE, Inc.
  4. Agenda
     1. Data and Regulations
     2. Threat Landscape
     3. Managing Data on the Mainframe
     4. Protecting Data – An Overview
     5. Encryption and Key Management on z/OS
     6. Demo
  5. Data and Regulations
  6. Data is an Asset
     • Data is business value – Facebook, Google, Uber, Twitter, …
     • Industries depend on data – Banking, Insurance, Healthcare, …
     • By 2020 there will be:
       – 44 zettabytes of data
       – Over 6 billion smart phones
       – 50 billion smart devices
  7. Data is a Liability
     • Highly regulated
       – Industry, State, National and beyond
     • HIPAA, GLB, CA 1798, GDPR, Privacy Shield
     • It gets personal, quickly!
       – PII must be managed
     • Who owns it? What are you allowed to do with it? Delete it when requested
     • Data – the keys to the future
       – Business strategy, digital secrets, financial posture, …
  8. What about those regulations?
     • PCI DSS
       – Protect stored cardholder data
       – Encrypt transmissions
       – Maintain InfoSec policy
     • SOX / HIPAA & HITECH Act
       – Policy Management
       – Audit and Logging
       – Data Integrity
     • FIPS 140-2
       – Making sure it’s done right
     • GDPR
       – Prove that data is being protected
       – Appoint a data protection officer
       – Fines of 4% of annual turnover
     • EU-U.S. Privacy Shield
       – U.S. Department of Commerce and European Commission
       – Individual choice & control
       – Security
  9. Threat Landscape
  10. Threat Landscape – Thieves, Snoops and Idiots
      External attackers, internal rogues
      Users, administrators, developers, vendors… basically everyone :)
      Service providers, administrators, three-letter agencies, etc.
  11. Thieves
      • External Attackers
        – Competitors
        – Script Kiddies
        – Nation States (OPM breach)
        – LexisNexis breach
      • Rogue Administrators
        – Snowden
      • Internal Bad Actors
        – Espionage
  12. Snoops
      • Privileged Administrators
      • Credential compromise
      • Sony attackers
  13. Idiots
      • Users
        – Make mistakes (lose devices)
        – Have poor security education (password=123456)
      • Developers / Vendors
        – Lenovo
        – Fortinet
      • Administrators
        – Sony
        – Dropbox
  14. Managing Data on the Mainframe
  15. The Impact of Data Theft
      • Health Insurance – Announced: March 2015. Records stolen: 11M. Cost: TBD; facing a class-action lawsuit & fines.
      • Retail – Announced: September 2014. Records stolen: 56M. Cost: $43M and counting; estimates put this as high as $10B.
      • Health Systems – Announced: August 2014. Records stolen: 4.5M. Cost: $75M – $150M.
      • eCommerce – Announced: May 2014. Records stolen: 233M. Cost: $200M and counting.
      • Retail – Announced: December 2013. Records stolen: 70M. Cost: $162M and counting; recent estimates put this at well over $1B.
      • Government – Announced: May 2015. Records stolen: 22M. Cost: to be determined; likely facing a class-action lawsuit as well as others.
      “Data security events increased by 38%” and “Intellectual property theft increased 56%” – 2016 Global State of InfoSec Survey, PricewaterhouseCoopers
      “$400 Million – estimated losses from 700 million compromised records” – 2015 Verizon Data Breach Report
  16. Data on the Mainframe – Myth vs. Reality
      Myth:
      • The mainframe has never been hacked!
      • Mainframe data stays on the mainframe, so it is safe!
      • The mainframe is well understood and covered under three lines of risk control – Operational, Compliance and Internal Audit
      Reality:
      • Data is fluid in today’s world: data analytics, cloud, and the marriage of MF data and non-MF data
      • Consider social engineering hacks and human error as MF experts retire
      • The mainframe is viewed as a black box, which breeds complacency – compounding the risk
  17. Dealing With the Threat
      Layers: Information, Applications, Devices, Networks
      Controls shown: Advanced Persistent Threat Detection, Intrusion Detection, Access Control, Application Firewalls, Security Gateways, VPN, Antivirus, Mobile Device Management, Firewalls, Stateful Packet Inspection, Mobile Application Management, Data Leakage Prevention, Full Disk Encryption, Antimalware, Network Access Control, Endpoint DLP, Access Brokers, DNS, Security Incident & Event Management, Identity & Access Management
      DATA CENTRIC PROTECTION
      • Defense in depth
      • Data-centric protection
  18. Data-Centric Protection – Find, Classify, Protect
      • Find – regulated and sensitive data in your mainframe data stores
      • Classify – based on regulation or organizational sensitivity
      • Protect – data remains on the z/OS platform
      The App Economy creates new risks of catastrophic data compromise. 70% of the world’s mission-critical data transacts on the mainframe.
      “With breaches in the news every day, being able to find where regulated data resides – or ruling out the existence of sensitive data – is a critical first step in protecting your business.”
  19. Public/Private Key Management on z/OS
  20. Public/Private Key Pairs
      • Public Key
        – Encrypting Data
        – Authenticating Data
      • Private Key
        – Decrypting Data
        – Signing Data
  21. Symmetric Encryption
  22. Asymmetric Encryption
  23. Digital Signing
  24. Authenticating Data
  25. Authenticating Data
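Slides 20 to 25 separate hashing from authenticating data: a digest proves only that bytes match, while a signature (private key signs, public key authenticates) or a keyed MAC proves who produced them. The following added example, which is not from the presentation, shows that distinction with the standard library's keyed construction, HMAC-SHA256, because Python's standard library has no asymmetric primitives; the public-key case on the slides gives the same property with a private signing key in place of the shared secret. The settlement record, its altered copy and the key are constructed here for illustration.

```python
"""Integrity versus authentication: a plain hash, a keyed MAC, and why only
the keyed construction detects a modified record.  Added example that is
not from the presentation; it uses only the Python standard library."""
import hashlib
import hmac
import secrets

# Constructed sample: a fixed-format record of the kind the demo later moves
# off the mainframe.  Both values are made up.
RECORD = b"ACCT=0012345;AMOUNT=100.00;CCY=USD"
ALTERED = b"ACCT=0012345;AMOUNT=900.00;CCY=USD"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone can recompute it, so it proves only that the
    bytes match the digest, not who produced them."""
    return hashlib.sha256(data).hexdigest()


def hash_check_passes(data: bytes, stored_digest: str) -> bool:
    return sha256_hex(data) == stored_digest


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC (HMAC-SHA256): recomputing the tag requires the key, so a
    valid tag authenticates the producer as well as the content."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_check_passes(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the first mismatching byte through timing
    return hmac.compare_digest(hmac_tag(key, data), tag)


def hash_only_detects_change(record: bytes, altered: bytes) -> bool:
    """Receiver-side test: a party that rewrites the record in transit can
    recompute the digest beside it.  Returns True only if the receiver's
    hash check still rejects the altered record (it never does)."""
    resent_digest = sha256_hex(altered)   # recomputed alongside the change
    return not hash_check_passes(altered, resent_digest)


def mac_detects_change(key: bytes, record: bytes, altered: bytes) -> bool:
    """Same scenario with a MAC: without the key the modifying party can
    only forward the original tag, which no longer matches the data."""
    tag = hmac_tag(key, record)
    return not mac_check_passes(key, altered, tag)


def new_mac_key() -> bytes:
    """32 random bytes.  In a z/OS deployment the key would come from the
    key store (ICSF is named on the demo slides) rather than the application."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_mac_key()
    print("hash check rejects a recomputed alteration:", hash_only_detects_change(RECORD, ALTERED))
    print("HMAC check rejects the alteration:         ", mac_detects_change(key, RECORD, ALTERED))
```

The design point for the "interoperable" part of the title: the receiving platform needs only the same key (or, for signatures, the public key) and the same algorithm, not the originating application, to repeat the check.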
  26. Encryption and Key Management on z/OS
  27. z/OS Crypto Facilities
  28. IBM Hardware Crypto
      Machine        Algorithms Supported          Crypto Hardware
      z196  (2817)   DES, 3DES, AES 128/192/256    CPACF, CEX3C
      z114  (2818)   DES, 3DES, AES 128/192/256    CPACF, CEX3C
      zEC12 (2827)   DES, 3DES, AES 128/192/256    CPACF, CEX3C, CEX4C
      zBC12 (2828)   DES, 3DES, AES 128/192/256    CPACF, CEX3C, CEX4C
      z13   (2964)   DES, 3DES, AES 128/192/256    CPACF, CEX4C, CEX5C
  29. Key Exposures
  30. Demo (slides 30–35)
  36. Batch Job To Create Encrypted ZIP File
      //ZIP1     EXEC PGM=SECZIP
      //STEPLIB  DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
      //SYSPRINT DD SYSOUT=*
      //SYSABEND DD SYSOUT=*
      //JASOUT   DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
      //            UNIT=SYSDA,SPACE=(CYL,(1,1)),
      //            DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
      //SYSIN    DD *
      -ENCRYPTION_METHOD(AES256)
      -PWD(PKWARE)
      -INCLUDE_CMD(JAS.MVS810.PROFILE(LDAP2))
      -RECIPIENT(LDAP:EM=JOE.STURONAS@PKWARE.COM,R)
      -DATA_TYPE(TEXT)
      -ARCHIVE_OUTFILE(JASOUT)
      -ACTION(ADD)
      -VERBOSE
      -ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
      -ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)
      JAS.TEXT.LIB
  37. Batch Job To Email Encrypted ZIP File
      //TSOB     EXEC PGM=IKJEFT1B
      //SYSEXEC  DD DISP=SHR,DSN=USER.CLIST
      //SYSPRINT DD SYSOUT=*
      //SYSTSPRT DD SYSOUT=*
      //DD1      DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
      //SYSTSIN  DD *
      %XMITIP JOE.STURONAS@PKWARE.COM +
        CC ( JSTURONAS@ME.COM ) +
        MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
        SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
        FROM JOE.STURONAS@PKWARE.COM +
        FILEDD DD1 +
        Format (BIN) +
        Filename jas.zip
  38. Output From Batch Job
      J E S 2  J O B  L O G  --  S Y S T E M  P K W 1  --  N
      15.54.04 JOB39394 ---- FRIDAY, 16 SEP 2016 ----
      15.54.04 JOB39394 IRR010I USERID JAS IS ASSIGNED TO THIS JOB.
      15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
      15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS
      15.54.05 JOB39394 HTRT01I CPU (Total)
      15.54.05 JOB39394 HTRT02I Program Stepname ProcStep RC I/O hh:mm:ss.th
      15.54.05 JOB39394 HTRT03I SECZIP ZIP1 00 686 00.17
      15.54.06 JOB39394 HTRT03I IKJEFT1B TSOB 00 499 00.25
      15.54.06 JOB39394 HTRT06I
      15.54.06 JOB39394 HTRT04I JASA Job Service Totals 1185 00.42
      15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10 IO Cost $ 1.18
      15.54.06 JOB39394 $HASP395 JASA ENDED
      ------ JES2 JOB STATISTICS ------
      16 SEP 2015 JOB EXECUTION DATE
      38 CARDS READ
      855 SYSOUT PRINT RECORDS
      0 SYSOUT PUNCH RECORDS
  39. Output From Batch Job
      PKWARE Inc.
      Program Name     SECZIP                          hh:mm:ss.th
      Step Name        ZIP1        Elapsed Time        01.46
      Procedure Step               TCB CPU Time        00.15
      Return Code      00          SRB CPU Time        00.02
      Total I/O        686         Total CPU Time      00.17
      I/O Cost         $ 0.68      CPU Cost            $ 0.04
      Service Units    1154

      PKWARE Inc.
      Program Name     IKJEFT1B                        hh:mm:ss.th
      Step Name        TSOB        Elapsed Time        00.73
      Procedure Step               TCB CPU Time        00.24
      Return Code      00          SRB CPU Time        00.01
      Total I/O        499         Total CPU Time      00.25
      I/O Cost         $ 0.49      CPU Cost            $ 0.06
      Service Units    1870
  40. Output From Batch Job
      ZPEN309I z/Architecture Hardware Available -zBC12
      ZPEN313I CSNBSYE System Capable with ICSF when available.
      ZPEN313C AES is available. DES/3DES is available.
      ZPEN313C CPACF Protected Keys are available.
      ZPEN334I PKA callable services are enabled.
      ZPEN315I AES(128, 192, 256) Clear Key Hardware Available -zBC12
      ZPEN310I CP Assist For Cryptographic Functions Available
      ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
      ZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGen
      ZPCM017I A total of 1 ADD/UPDATE candidate data sets were identified.
      ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
      ZPAM253I ADDED File JAS.TEXT.LIB(CRC)
      ZPAM254I as crc.txt
      ZPAM255I (DEFLATED 57%/56%) Smartcrypt(tm) AES256 ; DATA SIZE 1,600; ZIP SIZE
      ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
      ZPAM253I ADDED File JAS.TEXT.LIB(EBCDIC)
      ZPAM254I as ebcdic.txt
      ZPAM255I (DEFLATED 34%/32%) Smartcrypt(tm) AES256 ; DATA SIZE 480; ZIP SIZE 32
      ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
      ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
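The demo in slides 36 to 40 requests AES256 in SYSIN and the SECZIP messages report "Smartcrypt(tm) AES256 ... Encrypt(Password-Key" for each member, after which a second step emails the archive. A receiving platform or the sending job itself can confirm that flagging independently from the archive's central directory, which is the part of a ZIP that any platform can read without the originating product. The scanner below is an added example, not PKWARE or SecureZIP code; it uses only the Python standard library and the public field layouts: general-purpose bit 0 (encrypted) and bit 6 with extra field 0x0017 (PKWARE APPNOTE strong encryption), and method 99 with extra field 0x9901 (WinZip AE-x). The slides do not state which of the two layouts SecureZIP writes for this archive, so the scanner recognises both and also flags the legacy ZipCrypto case (bit 0 set with neither marker), which a policy that asked for AES256 would want to reject. Both sample archives are constructed inline: a plain one written by zipfile, and one with hand-built AE-2/AES-256 headers around placeholder bytes that are not real ciphertext. One practitioner caveat that the slides leave implicit: -PWD places the passphrase in the job's SYSIN, where anyone who can read the job stream can see it, which is one reason the demo also names a certificate-based -RECIPIENT.

```python
"""Check that a ZIP archive's members are flagged as encrypted, and how, by
reading its central directory.  Added example (not PKWARE/SecureZIP code);
standard library only.  Field layouts follow the public PKWARE APPNOTE and
the WinZip AE-x specification."""
import io
import struct
import zipfile

EOCD_SIG, CD_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
CD_FMT, LOCAL_FMT, EOCD_FMT = "<4sHHHHHHIIIHHHHHII", "<4sHHHHHIIIHH", "<4sHHHHIIH"

FLAG_ENCRYPTED = 0x0001          # general purpose bit 0
FLAG_STRONG_ENCRYPTION = 0x0040  # general purpose bit 6 (APPNOTE strong encryption)
METHOD_WINZIP_AES = 99           # WinZip AE-x marker in the compression method field
EXTRA_STRONG_ENC = 0x0017        # APPNOTE strong encryption header
EXTRA_WINZIP_AES = 0x9901        # WinZip AES extra field

STRONG_ALG = {0x6601: "DES", 0x6603: "3DES-168", 0x6609: "3DES-112",
              0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
AE_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_extra_fields(extra):
    """Split an extra-field blob into {header_id: data}."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        fields[hid] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def describe_entry(flags, method, extra):
    """Label one member: cleartext, which modern mechanism, or legacy ZipCrypto."""
    if not flags & FLAG_ENCRYPTED:
        return "cleartext"
    fields = parse_extra_fields(extra)
    if flags & FLAG_STRONG_ENCRYPTION and EXTRA_STRONG_ENC in fields:
        data = fields[EXTRA_STRONG_ENC]
        if len(data) < 6:
            return "strong-encryption (malformed header)"
        _format, alg_id, bitlen = struct.unpack_from("<HHH", data)
        return "strong-encryption %s (%d-bit)" % (STRONG_ALG.get(alg_id, hex(alg_id)), bitlen)
    if method == METHOD_WINZIP_AES and EXTRA_WINZIP_AES in fields:
        data = fields[EXTRA_WINZIP_AES]
        if len(data) >= 7:
            _ver, vendor, strength, _real_method = struct.unpack_from("<H2sBH", data)
            if vendor == b"AE":
                return "winzip-aes %s" % AE_STRENGTH.get(strength, "unknown-strength")
        return "winzip-aes (malformed header)"
    return "legacy-zipcrypto"   # bit 0 set but no AES markers: traditional PKWARE encryption


def scan_zip(data):
    """Return [(member name, label)] from the central directory of `data`."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _n_disk, total, _cd_size, cd_off, _clen = struct.unpack_from(EOCD_FMT, data, eocd)
    out, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        h = struct.unpack_from(CD_FMT, data, pos)
        flags, method, nlen, elen, clen = h[3], h[4], h[10], h[11], h[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + elen]
        out.append((name, describe_entry(flags, method, extra)))
        pos += 46 + nlen + elen + clen
    return out


def all_entries_encrypted_with(data, required="AES-256"):
    """Gate for a sending job: True only if every member carries `required`."""
    labels = scan_zip(data)
    return bool(labels) and all(required in label for _name, label in labels)


def build_plain_zip(members):
    """Constructed sample: an ordinary unencrypted archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members:
            zf.writestr(name, text)
    return buf.getvalue()


def build_fake_ae2_zip(name, payload):
    """Constructed sample: one member carrying WinZip AE-2 / AES-256 markers.
    `payload` is placeholder bytes, not real ciphertext; only headers matter."""
    nm = name.encode()
    # 0x9901 extra: vendor version 2 (AE-2), vendor "AE", strength 3 = 256-bit, real method 8
    extra = struct.pack("<HH", EXTRA_WINZIP_AES, 7) + struct.pack("<H2sBH", 2, b"AE", 3, 8)
    n, e, m, f = len(payload), len(extra), METHOD_WINZIP_AES, FLAG_ENCRYPTED
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 51, f, m, 0, 0, 0, n, n, len(nm), e) + nm + extra
    central = struct.pack(CD_FMT, CD_SIG, 51, 51, f, m, 0, 0, 0, n, n, len(nm), e, 0, 0, 0, 0, 0) + nm + extra
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(local) + n, 0)
    return local + payload + central + eocd


if __name__ == "__main__":
    plain = build_plain_zip([("crc.txt", "constructed text"), ("ebcdic.txt", "more text")])
    fake = build_fake_ae2_zip("crc.txt", b"\x00" * 32)
    for label, blob in (("plain", plain), ("ae2", fake)):
        print(label, scan_zip(blob), all_entries_encrypted_with(blob))
```

Run it over the file the TSOB step is about to attach (read the data set as binary and pass the bytes to all_entries_encrypted_with) and fail the job on False; the check reads headers only, so it needs neither the password nor the recipient's private key.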
  41. Demo – Mobile (slides 41–46)
  47. Questions?
  48. Recommended Sessions
      • MFX118S – How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis – 11/16/2016 at 3:00 pm
      • MFT174S – Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data – 11/17/2016 at 12:45 pm
      • MFT175S – Gaps in Your Defense: Hacking the Mainframe – 11/17/2016 at 3:00 pm
  49. Must See Demos
      • Real-Time Data Security & Compliance – CA Data Content Discovery – Mainframe Theatre
      • Mainframe Security Smart Bar – CA Top Secret® – Mainframe Theatre
      • Real-Time Data Security & Compliance – CA Compliance Event Manager – Mainframe Theatre
      • Mainframe Security Smart Bar – CA ACF2™ – Mainframe Theatre
  50. Stay connected at communities.ca.com. Thank you.
  51. Mainframe and Workload Automation – For more information on Mainframe and Workload Automation, please visit: http://cainc.to/9GQ2JI
