1. Implementation of RBAC and
Data Classification
Steve Tresadern
Rui Miguel Feio
RSM Partners
September 2014
v1.5

2. Agenda
l Introductions
l Data Classification & Ownership
l Role-Based Access Control (RBAC)
l Maintain the environment
l Results
l Q&A

3. Who are we?
l Steve Tresadern
l 27 years mainframe experience
l Former z/OS Systems Programmer
l Experience in Cryptography, RACF, Compliance
l Rui Miguel Feio
l 15 years mainframe experience
l Experience in z/OS, RACF, zSecure, Development
l Last 4 years working in Security and implementing RBAC

4. DATA CLASSIFICATION
&
OWNERSHIP

5. Data Classification – What is it?
l Understanding what your data is
Credit Card
11%
Sarbanes Oxley
36%
Customer -
Confidential
16%
Development
23%
User
14%

6. Data Classification – What is it?
l Who owns your data
Credit
Card
7%
Insurance
22%
HR
13%
Branch
27%
Systems
9%
Development
14%
User
8%

7. Data Classification – Reasons to do it
l Audit requirements
l Compliance
l Who has privileged access?
l Who is accessing confidential information?
l Reduce the risk of fraud?

8. Data Classification – Aims
l Every dataset and resource profile must be;
l Classified in terms of confidentiality and integrity.
l All linked to an application.
l The basic security correctly defined
l Understand who has privileged access
l All applications have a business/data owner.
l Ideally they should approve all access
l Review who has access

9. Sources for Data Classification
RACF
Database
Naming
Standards
Access
Monitor
Support
Teams
Local
Knowledge
XBridge
Datasniff

10. Sources for Data Ownership
Data
Ownership
RACF Database
Service
Management
Support Teams
Service Database
Local Knowledge

11. Data Classification – Challenges
l Lack of knowledge in support teams
l Development Team Processes
l Business areas cooperation
l Non-RACF based security
l Unravelling of the environment
l Service Database – Up to date?

12. Data Classification Benefits
Reduced
Risk of
Fraud
Who has
privileged
access
Focused
Monitoring
Recertification
Audit
Compliance

13. ROLE-BASED ACCESS CONTROL
(RBAC)

14. RBAC – Reasons to do it
l Business organisation keeps changing
l Managing the mainframe security environment
l Audit requirements
l Compliance
l Recertification
l Remove access not required

15. RBAC Common Challenges - I
l Historical code
l Global Access Table (GAT)
l Lack of technical knowledge
l Business areas cooperation
l Least Privilege access implementation
l DB2

16. RBAC Common Challenges - II
l Recertification tools
l Unravelling of the RBAC

17. RBAC – Define Standards and Rules
Personal userid
connected to one role
group
Role group describes
the business role
Role group contains all
the access
All role groups will
have an ‘owner’
Define
RBAC Rules

18. RBAC - Sources of data
Sources
HR Data
RACF
Business
Org. Chart
Phone List
Global
Address
List
Local
Knowledge
Access
Monitor

19. RBAC Stages – An overview
Update/Develop Processes
Implement RBAC
Test RBAC implementation
Devise RBAC implementation plan
Engage with managers and users
Identify logical grouping
Analyse and prepare mainframe environment

20. RBAC Implementation Tools
l RSM RBAC tool
l RSM DB2 RBAC Tools
l Access Monitor data
l RACF Offline
l CARLa code

21. RBAC Benefits – Some examples
Reduced Risk
Fraud
Security
Management
Joiners
Movers
Leavers
Recertification
Audit
Monitor
Who is who
Who does what
Least Privilege
Access

22. MAINTAINING THE ENVIRONMENT

23. Tools – Maintain the environment
l In-House – Security Panels
l IBM zSecure Command Verifier
l IBM zSecure z/Alert
l RSM - zMonitor
l RSM – zDashboard

24. Tools – RSM zMonitor

25. Tools – RSM zDashboard

26. RESULTS

27. Reduction in Privileged Accesses
73,669
737,468
0 200,000 400,000 600,000 800,000
After
Before

28. Reduction in Privileged Users
4,347
12,949
0 2,000 4,000 6,000 8,000 10,000 12,000 14,000
After
Before

29. Questions

30. Contact Details
l Rui Miguel Feio - ruif@rsmpartners.com
l Steve Tresadern - stevet@rsmpartners.com
l RSM Partners - www.rsmpartners.com