System z provides technology that makes it one of the most secure platforms available. It also has the capability to secure other platforms. This presentation provides a number of examples of Enterprise Security. Reduce your cost, your risk, improve your security and resilience with System z.
System Z Mainframe Security For An Enterprise
1. Security in a Distributed Environment: The role of the Mainframe. The future runs on System z. Jim Porell, IBM Distinguished Engineer, Deputy CTO, Federal Sales.
2. Security on System z: Reducing risk for the Enterprise. Basic Insurance Policy: $100,000 Liability. Rider: Excess replacement for valuable items. Rider: Excess medical coverage. Rider: Unlimited vehicle towing. Rider: Excess liability insurance, $3,000,000. Basic Security: System z RACF. Data Encryption services. Enterprise Key mgt. Identity Management. Compliance Reporting. Fraud Prevention, Forensics and Analytics.
4. There are patterns for security as well. Professional Services; Managed Services; Hardware & Software. Authentication; Access Control; Data Privacy; Audit/Compliance; Registration/Enrollment; Incident and Event Management. Strategy: zEnterprise as a control point for the Enterprise, with common Policy, Event Handling and Reporting. The IBM Security Framework: Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure.
7. Elements of an Enterprise Security Hub. Categories: Data Privacy; Compliance and Audit; Platform Infrastructure; Extended Enterprise. Elements: Encryption Key Management; Tape encryption (TS1120); Common Criteria Ratings; Support for Standards; Audit, Authorization, Authentication, and Access Control (RACF®); IDS, Secure Communications (Communications Server); IBM Tivoli Security Compliance Insight Manager; Crypto Express 3 Crypto Cards; System z SMF; ITDS Scalable Enterprise Directory; Network Authentication Service (Kerberos V5 compliant); z/OS® System SSL (SSL/TLS suite); ICSF services and key storage for key material; Certificate Authority (PKI Services); DS8000® disk encryption; DKMS; TKLM; Venafi Encryption Director; Guardium; Optim™; Multilevel Security; IBM Tivoli® zSecure Suite; DB2® Audit Management Expert; Tivoli Identity Manager; Tivoli Federated Identity Manager; LDAP; Enterprise Fraud Solutions.
15. The Reality of Lifecycle Management. The slide lays the lifecycle steps out as a matrix with three rows, Policy (P), Workflow (W) and Audit (A), marking which of the three applies to each step. Steps: Configure App; Init/Manage Key Store; Index (Metadata); Manage Roots/Trust; Notify/Alert; Retire/Revoke; Rotate; Control Access; Monitor/Validate; Distribute/Provision; Discover/Inventory; Store; Archive/Backup; Acquire Certificate; Destroy; Generate.
22. Optim Test Data Generation – leverage this to build test versions of analytic DBs for Operational Risk.
When people think about mainframe security, they usually think only of RACF. System z Security includes a comprehensive set of products and solutions that provide unmatched security capabilities spanning data privacy, compliance and audit, and platform infrastructure, and we extend these capabilities beyond the mainframe and into the enterprise. The products and solutions listed here are a sample of those that provide the enterprise capabilities.
System z Solution Edition for Security. Example: Fraud Forensics, Analysis and Prevention via Intellinx (which exploits the zAAP). In a recent example, a local police department encountered an embarrassing leak when a police officer made unlawful inquiries into the National and State Wants and Warrants database to uncover “dirt” on the VP candidate, Joe Biden, in the hope of selling the information to the tabloids. The fraud was detected through forensics, and the offending officer was terminated and charged accordingly. In a similar case involving law enforcement, a State Police employee leaked information on planned arrests in a homicide case investigation to one of the suspects (a friend).
Japan example. System z Solution Edition for Security: PKI management via Venafi. In this example, the client failed to detect digital certificates that had expired and therefore went several days without on-line booking because of transaction failures. It took the airline several days to isolate the offending code and make the necessary corrections. This issue, which caught them by surprise, cost the company $3M per day in lost bookings. It was caused by a breakdown in their internal development and security procedures, a breakdown that could, and likely would, occur in any shop that does not deploy a central control point for managing digital certificates. The Solution Edition for Security from IBM addresses this issue and, if implemented at the client referenced in this case, could have saved millions from one incident.
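The airline outage above came from nobody knowing which certificates were about to expire. The following block is an added Python example written for this page, not code from the presentation or from Venafi or IBM products; it reads the Validity field of X.509 certificates with a minimal DER walk and classifies an inventory as EXPIRED, NOT_YET_VALID, EXPIRING or OK, which is the report a central control point would feed to alerting. The inventory names, the WARN_DAYS threshold and the unsigned sample certificates are constructed for the demonstration; real PEM files can be passed in the same way.

```python
"""Certificate-expiry check over an inventory, standard library only.
Added example, not code from the presentation or from Venafi/IBM products. It
walks the DER of an X.509 certificate just far enough to read Validity, then
classifies each inventory entry so an alerting job fires before an expired
certificate starts failing transactions."""
import base64
import re
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumption: alert when fewer than this many days remain


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ, YY>=50 means 19YY) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_period(der):
    """Return (notBefore, notAfter) of a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def certificate_status(cert, now):
    """EXPIRED / NOT_YET_VALID / EXPIRING / OK for one PEM string or DER bytes."""
    not_before, not_after = validity_period(pem_to_der(cert) if isinstance(cert, str) else cert)
    if now > not_after:
        return "EXPIRED"
    if now < not_before:
        return "NOT_YET_VALID"
    return "EXPIRING" if not_after - now < timedelta(days=WARN_DAYS) else "OK"


def check_inventory(inventory, now):
    """inventory: {name: PEM or DER}. Returns {name: status} for the alerting job."""
    return {name: certificate_status(cert, now) for name, cert in inventory.items()}


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(not_before, not_after):
    """Constructed, unsigned skeleton: only Validity is meaningful; every other
    field is an empty placeholder, so it parses here but is not a real certificate."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),               # [0] version v3
        _der(0x02, b"\x01"),                           # serialNumber
        _der(0x30, b""), _der(0x30, b""),              # signature, issuer
        _der(0x30, utc(not_before) + utc(not_after)),  # validity
        _der(0x30, b""), _der(0x30, b""),              # subject, subjectPublicKeyInfo
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"
INVENTORY = {                                    # constructed inventory
    "booking-web": sample_cert(NOW - timedelta(days=400), NOW - timedelta(days=3)),
    "payment-gw": sample_cert(NOW - timedelta(days=350), NOW + timedelta(days=12)),
    "ldap": sample_cert(NOW - timedelta(days=10), NOW + timedelta(days=355)),
    "staging": sample_cert(NOW + timedelta(days=1), NOW + timedelta(days=90)),
}
```

Run as a scheduled job, `check_inventory` over the certificates collected from every endpoint turns "we found out when bookings failed" into an EXPIRING alert weeks ahead; the parser deliberately stops at Validity and does not verify signatures or chains, which a full inventory tool would also do.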
A DB admin decides to encrypt some data. Keys get stale, so they must be rotated: as time passes, the likelihood of compromise increases. Later, that DB admin will rotate the key: retire, generate and re-encrypt, destroy. Is that it? No, there is a lot more to it.
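What sits behind "retire, generate and re-encrypt, destroy", for the note above and for the lifecycle steps of slide 15, as an added Python example (not the presentation's code, and not ICSF, DKMS or TKLM): key versions carried with each ciphertext, a decrypt-only RETIRED state, an age-based rotation policy, destruction refused while any record still depends on the key, and an audit trail of every transition. The 90-day policy, the key ids and the card-number records are assumptions; the cipher is a stand-in built from HMAC-SHA256 so the block runs without third-party libraries.

```python
"""Key-rotation lifecycle for an encrypted database column.
Added example, not code from the presentation or from ICSF, DKMS or TKLM. It
shows what sits behind "retire, generate, re-encrypt, destroy": a key version
stored with every ciphertext, a decrypt-only RETIRED state, an age policy that
triggers rotation, destruction refused while records still depend on the key,
and an audit trail. The cipher is a stand-in (HMAC-SHA256 in counter mode plus
an HMAC tag) so the block runs on the standard library; a deployment would use
AES-GCM with keys held in a hardware-backed key store."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumption: rotation policy


def _keystream(key, nonce, length):
    blocks, ctr = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def _seal(key, plaintext):
    """Stand-in AEAD: keystream XOR, then HMAC over nonce || ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyRing:
    """States: ACTIVE (encrypt+decrypt), RETIRED (decrypt only), DESTROYED (wiped)."""

    def __init__(self, now):
        self.keys, self.active, self.audit = {}, None, []
        self.generate(now)

    def generate(self, now):
        kid = f"key-v{len(self.keys) + 1}"
        if self.active:                              # a successor retires the old key
            self.keys[self.active]["state"] = "RETIRED"
            self.audit.append(("retire", self.active, now))
        self.keys[kid] = {"material": secrets.token_bytes(32), "state": "ACTIVE", "created": now}
        self.active = kid
        self.audit.append(("generate", kid, now))
        return kid

    def needs_rotation(self, now):
        """Staleness policy: the longer a key is in use, the more exposure it carries."""
        return now - self.keys[self.active]["created"] >= MAX_KEY_AGE

    def material(self, kid, for_encrypt):
        k = self.keys[kid]
        if k["state"] == "DESTROYED" or (for_encrypt and k["state"] != "ACTIVE"):
            raise PermissionError(f"{kid} is {k['state']}")
        return k["material"]

    def destroy(self, kid, records, now):
        """Refuse while any stored record still references this key version."""
        in_use = sum(1 for r in records if r["kid"] == kid)
        if in_use:
            raise RuntimeError(f"{kid} still protects {in_use} record(s)")
        self.keys[kid].update(material=None, state="DESTROYED")
        self.audit.append(("destroy", kid, now))


def encrypt_record(ring, plaintext):
    """The key id travels with the ciphertext so data stays readable across rotations."""
    return {"kid": ring.active, "blob": _seal(ring.material(ring.active, True), plaintext)}


def decrypt_record(ring, rec):
    return _open(ring.material(rec["kid"], False), rec["blob"])


def rotate(ring, records, now):
    """Retire the active key, generate its successor, re-encrypt every record
    held under the old key, then destroy it. Returns the old key id."""
    old = ring.active
    ring.generate(now)
    for rec in records:
        if rec["kid"] == old:
            rec.update(encrypt_record(ring, decrypt_record(ring, rec)))
    ring.destroy(old, records, now)
    return old


def demo():
    """Constructed walk-through returning the facts a practitioner would check."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ring, values = KeyRing(t0), (b"card:4111-XXXX", b"card:5500-XXXX")  # constructed
    records = [encrypt_record(ring, v) for v in values]
    t1 = t0 + timedelta(days=120)                    # past the 90-day policy
    due = ring.needs_rotation(t1)
    try:                                             # destroy before re-encryption must fail
        ring.destroy(ring.active, records, t1)
        refused = False
    except RuntimeError:
        refused = True
    old = rotate(ring, records, t1)
    return {"rotation_due": due, "destroy_refused": refused,
            "plaintexts_intact": tuple(decrypt_record(ring, r) for r in records) == values,
            "old_key_wiped": ring.keys[old]["material"] is None,
            "events": [event for event, _, _ in ring.audit]}
```

The order matters: the old key must stay readable (RETIRED) until the last record has been re-encrypted, and only then may it be destroyed; the audit list is the evidence an auditor would ask for, and in a real deployment it would be written to SMF or an equivalent tamper-evident log rather than kept in memory.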
Company information: With 35 years of experience, Payment Business Services (PBS) is a leading developer and supplier of payment solutions for banks, private organizations and public institutions in Denmark. Jointly owned by Danish banks, PBS handles payment transactions of all kinds -- from point-of-sale (POS) terminal networks to its local-brand debit card, Dankort, to international credit cards. PBS also offers a wide range of products and services designed to help simplify administration and operations for its clients, including direct debit service, e-invoicing and supplier services. Business need: PBS won the contract for implementing and running a digital signature (PKI) infrastructure for the national danID in Denmark. This solution was unique in that nowhere else in the world was there a national digital identity card project implemented on a country-wide scale. Solution: IBM proposed the operational platform for the digital signature infrastructure and established the IBM System z9 Enterprise Class server running z/OS platform for development, test and production. IBM then developed cryptographic security based on mandated security regulations. This solution allows all Danish citizens to sign-on and perform digital signatures in both banking and public systems using a single shared one-time password (OTP) device. It is an innovative solution combining a general purpose engine, specialty engines and hybrid-accelerators, used together to improve the price/performance ratio for the Java and crypto workloads. To meet the needs of the client, PBS had to be able to accommodate the following: Same userid and logon-id procedure for both the public and the banking infrastructure. Access from any computer. Improved security of a two-factor-authentication with a one-time password. 
Fiat example. System z Solution Edition for Security: Fraud Forensics, Analysis and Prevention via Intellinx (which exploits the zAAP). In this example, at IBM’s urging the client implemented a security solution that successfully identified an exposure in the registration and enrollment policies for user IDs. Before implementing this solution, the client was reluctant to purge user IDs from the system for fear that an authorized user would be denied access to a critical application. They had undergone significant layoffs, rehiring, strikes, lock-outs, and routine employee transitions (maternity leave, leave of absence, resignation and rehire, retirement, etc.), so they had thought it best to keep user IDs active until notified to delete them. This had exposed the company to espionage, as former employees were unwittingly left with access to sensitive proprietary data. In one case, a former employee used their old ID to gain access to company information which they later tried to sell to a competitor. Business risks in employee offboarding: on 23 February 2009, the Ponemon Institute released an independently conducted research study, Data Loss Risks During Downsizing [3], which documented the business risks associated with laid-off employees by surveying them. The study showed a particular problem with data theft even from employees who left the organization on good terms with their employer. According to the study: “More than 59% report that they kept organization data after leaving their employer. It is very interesting to note that employees who do not trust their former employer to act with integrity and fairness are more likely to take the data.
Sixty-one percent of respondents who were negative about the organization took data while only 26% of those with a favorable view took data.” The study also asked the laid-off employees how they took the data: “It is interesting that most employees (61%) who stole valuable customer and other business information are taking it in the form of paper documents or hard files. The next most popular means of transferring data is by downloading information onto a CD or DVD (53%) or onto a USB memory stick (42%) followed by sending documents as attachments to a personal e-mail account (38%).” Furthermore, many employees who left were well aware that their IT credentials had not been revoked: “Employees were able to access their former employer’s computer system or network after departure. According to 24% of respondents, their ability to access data continued after they left the organization creating a data security risk. Of these respondents, 32% say that they accessed the system and their credentials worked and 38% say their co-workers told them that their access rights continued. In the case of 35% of the respondents, access to the system continued one week or longer.” Even though the respondents were assured of their anonymity, the actual numbers may be under-reported due to the sensitive nature of the questions. The financial impact of these malicious incidents can be huge. On 6 October 2009, ComputerWorld posted an article, Former DuPont researcher hit with federal data theft charges [4], relating the latest charges against Hong Meng, a former top researcher. Meng is accused of downloading hundreds of DuPont trade-secret-level documents regarding organic LED (OLED) technology with the intent of taking them with him to his next employer.
As another example of the huge impact that these malicious events can have, the CERT Coordination Center and the US Secret Service published a public report in 2004 titled Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector [5]. One of the case studies in the report was a case of employee offboarding risk: “In March 2002, a ‘logic bomb’ deleted 10 billion files in the computer systems of an international financial services organization. The incident affected over 1300 of the organization’s servers throughout the United States. The organization sustained losses of approximately $3 million, the amount required to repair damage and reconstruct deleted files. Investigations by law enforcement professionals and computer forensic professionals revealed the logic bomb had been planted by a disgruntled employee who had recently quit the organization because of a dispute over the amount of his annual bonus.” A follow-up study by the same organizations in 2005 titled Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors [6] noted how common it is for insider threats to come from ex-employees: the majority of the insiders were former employees. At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors. The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%). (This passage is drawn from the IBM publication Using the IBM Security Blueprint to Address Business Risks for Employee Offboarding.) [3] The study can be found at: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Data%20Loss%20Risks%20During%20Downsizing%20FINAL%201.pdf [4] This article can be found at: http://www.computerworld.com/s/article/9139014/Former_DuPont_researcher_hit_with_federal_data_theft_charges
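The control that the Fiat case and the Ponemon figures point at is a periodic reconciliation of user IDs against HR status, so that an ID does not stay active simply because nobody sent a deletion request. The Python block below is an added example (not the presentation's code and not part of the IBM Security Blueprint); it joins a constructed HR roster with a constructed account extract and produces a review list with three findings: REVOKE (owner has left but the ID is still enabled), ORPHAN (no HR owner on record) and DORMANT (enabled but unused for 90 days). The thresholds, user IDs, employee ids and dates are all assumptions.

```python
"""Offboarding reconciliation: find user IDs that should no longer be active.
Added example, not code from the presentation or the IBM Security Blueprint.
It joins a constructed HR roster against a constructed account extract and
flags IDs whose owner has left but which remain enabled, IDs with no HR owner
at all, and enabled IDs that have not logged on for a long time. The result is
a review list: an ID is disabled after confirmation, not deleted on sight, which
answers the fear of locking out a legitimate user."""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumption: review threshold
TODAY = date(2024, 6, 1)             # constructed run date

# Constructed HR roster: employee id -> (status, separation date or None)
HR = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 3, 15)),
    "E102": ("leave", None),            # on leave: keep, but watch for dormancy
    "E103": ("terminated", date(2024, 5, 2)),
}

# Constructed account extract: (userid, owner employee id, enabled, last logon)
ACCOUNTS = [
    ("JSMITH", "E100", True, date(2024, 5, 30)),
    ("RJONES", "E101", True, date(2024, 4, 20)),    # logged on after separation
    ("AKHAN", "E102", True, date(2024, 1, 10)),
    ("BATCH01", None, True, date(2024, 5, 31)),     # service ID with no HR owner
    ("MLEE", "E103", False, date(2024, 4, 28)),     # already disabled
    ("TOLD", "E999", True, date(2024, 2, 1)),       # owner not in HR at all
]


def reconcile(hr, accounts, today):
    """Return a list of (userid, finding, detail) rows for the review queue."""
    findings = []
    for userid, owner, enabled, last_logon in accounts:
        if not enabled:
            continue                                # nothing left to revoke
        status, separated = hr.get(owner, (None, None))
        if status is None:
            findings.append((userid, "ORPHAN", "no HR owner record"))
        elif status == "terminated":
            detail = f"owner separated {separated}"
            if last_logon > separated:              # the exposure the study describes
                detail += f"; logon after separation on {last_logon}"
            findings.append((userid, "REVOKE", detail))
        elif today - last_logon >= DORMANT_AFTER:
            findings.append((userid, "DORMANT", f"last logon {last_logon}"))
    return findings


def summarize(findings):
    """Count findings by type, the figure a compliance report would carry."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for row in reconcile(HR, ACCOUNTS, TODAY):
        print("%-8s %-8s %s" % row)
```

In practice the account extract would come from the security database (RACF in the page's setting) and the roster from HR, and the job would run daily; the "logon after separation" detail is the line that turns a stale ID from a hygiene issue into an incident to investigate.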
This chart represents the business components of a large North American Bank