Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)


Published on

A walk through the challenges of implementing a Role-Based Access Control (RBAC) solution and Data Classification on the mainframe. A basic overview of the steps taken, the tools used, the problems encountered and the final benefits.

Published in: Technology

Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)

  1. 1. Implementation of RBAC and Data Classification Steve Tresadern Rui Miguel Feio RSM Partners September 2014 v1.5
  2. 2. Agenda l  Introductions l  Data Classification & Ownership l  Role-Based Access Control (RBAC) l  Maintain the environment l  Results l  Q&A
  3. 3. Who are we? l  Steve Tresadern l  27 years mainframe experience l  Former z/OS Systems Programmer l  Experience in Cryptography, RACF, Compliance l  Rui Miguel Feio l  15 years mainframe experience l  Experience in z/OS, RACF, zSecure, Development l  Last 4 years working in Security and implementing RBAC
  5. 5. Data Classification – What is it? l  Understanding what your data is Credit Card 11% Sarbanes Oxley 36% Customer - Confidential 16% Development 23% User 14%
  6. 6. Data Classification – What is it? l  Who owns your data Credit Card 7% Insurance 22% HR 13% Branch 27% Systems 9% Development 14% User 8%
  7. 7. Data Classification – Reasons to do it l  Audit requirements l  Compliance l  Who has privileged access? l  Who is accessing confidential information? l  Reduce the risk of fraud?
  8. 8. Data Classification – Aims l  Every dataset and resource profile must be; l  Classified in terms of confidentiality and integrity. l  All linked to an application. l  The basic security correctly defined l  Understand who has privileged access l  All applications have a business/data owner. l  Ideally they should approve all access l  Review who has access
  9. 9. Sources for Data Classification RACF Database Naming Standards Access Monitor Support Teams Local Knowledge XBridge Datasniff
  10. 10. Sources for Data Ownership Data Ownership RACF Database Service Management Support Teams Service Database Local Knowledge
  11. 11. Data Classification – Challenges l  Lack of knowledge in support teams l  Development Team Processes l  Business areas cooperation l  Non-RACF based security l  Unravelling of the environment l  Service Database – Up to date?
  12. 12. Data Classification Benefits Reduced Risk of Fraud Who has privileged access Focused Monitoring Recertification Audit Compliance
  14. 14. RBAC – Reasons to do it l  Business organisation keeps changing l  Managing the mainframe security environment l  Audit requirements l  Compliance l  Recertification l  Remove access not required
  15. 15. RBAC Common Challenges - I l  Historical code l  Global Access Table (GAT) l  Lack of technical knowledge l  Business areas cooperation l  Least Privilege access implementation l  DB2
  16. 16. RBAC Common Challenges - II l  Recertification tools l  Unravelling of the RBAC
  17. 17. RBAC – Define Standards and Rules Personal userid connected to one role group Role group describes the business role Role group contains all the access All role groups will have an ‘owner’ Define RBAC Rules
  18. 18. RBAC - Sources of data Sources HR Data RACF Business Org. Chart Phone List Global Address List Local Knowledge Access Monitor
  19. 19. RBAC Stages – An overview Update/Develop Processes Implement RBAC Test RBAC implementation Devise RBAC implementation plan Engage with managers and users Identify logical grouping Analyse and prepare mainframe environment
  20. 20. RBAC Implementation Tools l  RSM RBAC tool l  RSM DB2 RBAC Tools l  Access Monitor data l  RACF Offline l  CARLa code
  21. 21. RBAC Benefits – Some examples Reduced Risk Fraud Security Management Joiners Movers Leavers Recertification Audit Monitor Who is who Who does what Least Privilege Access
  23. 23. Tools – Maintain the environment l  In-House – Security Panels l  IBM zSecure Command Verifier l  IBM zSecure z/Alert l  RSM - zMonitor l  RSM – zDashboard
  24. 24. Tools – RSM zMonitor
  25. 25. Tools – RSM zDashboard
  26. 26. RESULTS
  27. 27. Reduction in Privileged Accesses 73,669 737,468 0 200,000 400,000 600,000 800,000 After Before
  28. 28. Reduction in Privileged Users 4,347 12,949 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 After Before
  29. 29. Questions
  30. 30. Contact Details l  Rui Miguel Feio - l  Steve Tresadern - l  RSM Partners -