Presentation from IBM InterConnect 2016. With growth in the number of business applications and exponential growth in connectivity between applications and systems, it is important to understand not just how to implement security, but why it is important to ensure all parts of the business can appreciate it and apply the right levels of security to their messaging system use. - jointly presented by Leif Davidsen and Rob Parker
IBM Messaging Security: Why Securing your environment is important
1. IBM Messaging Security: Why
Securing your environment is
important
Robert Parker – parrobe@uk.ibm.com
Leif Davidsen – Leif_Davidsen@uk.ibm.com
IBM Hursley – UK
2. Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without
notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it
should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal
obligation to deliver any material, code or functionality. Information about potential future products may not
be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products
remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending upon
many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the
I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be
given that an individual user will achieve results similar to those stated here.
3. Digital Enterprise
Reliability, security and scalability for business critical systems
• Always on, always available
• Security, control and governance
Speed and agility to drive innovation and growth
• Explore, adopt, adapt
• Rapid, iterative prototypes
LoB roles / CIO roles
A New Era of Teamwork: Application Developer, LoB Developer, Integration Architect, Administrator/Developer
5. Connectivity is exploding in your infrastructure
Connectivity in business infrastructure is increasing
• More information, more systems, more services, deployed anywhere
Connect systems together
• Deliver timely updates of targeted data
• Gain business insight
• Applications and data become valuable assets, not growing costs
New sources of data are changing the world
• However, data without connectivity becomes a burden, not an asset
6. The realities of an increasingly connected environment
• Increasing connectivity increases complexity
– Complexity is not just defining, building, operating environments but
complexity in security as well
• What is a secure environment for an IT system?
– Connected systems are almost the definition of an insecure environment
– Every system represents a point of attack/risk for your applications and data
– Adding multiple security layers across multiple systems is likely to create an
unusable environment
• Not to mention huge performance implications
7. MQ at the heart of applications
Connecting and moving your critical enterprise data
Enterprise MQ Backbone (diagram labels: IBM MQ, IBM MQ Appliance, IBM MQ Advanced, App, Access, Partner)
Choices for MQ deployment: Cloud (MQ cloud options), On-Prem
8. Pressures deflecting from security as a priority
• Complex IT environments are too challenging
– Simpler approach required – possibly helped by MQ
– Speed of implementation and change is essential
• System performance and throughput
• Time taken to configure and achieve desired secure
outcome
• Pressure on skills and resources
– More generalists
– Fewer specialists – whether MQ or security
• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions
• Security seen as burden and cost rather than a business asset
• Focus on IT/Resource spend on positive business outcomes
9. What are the costs of security risks
• Figures used in this presentation: 2015 Cost of Data Breach Study from Ponemon Institute and IBM – see it here: http://www-03.ibm.com/security/data-breach/
Global cost per record in 2014: $154 (6% increase on 2013 figures)
Global cost per breach in 2014: $3.79M (8% increase on 2013 figures)
10. 2014 Cost per record of data breach (per industry)
have a per capita cost well below the overall mean value. While the cost of data breach stayed relatively constant for most industries, the retail sector experienced a significant increase from $105 in 2014 to $165 in 2015. Media reporting of these events and consumers’ concerns about identity theft caused retail companies to spend more money to address the consequences of data breaches.
Figure 4. Per capita cost by industry classification (consolidated view, n=350, measured in US$)
Public sector: $68
Transportation: $121
Research: $124
Media: $126
Technology: $127
Hospitality: $129
Energy: $132
Consumer: $136
Services: $137
Industrial: $155
Retail: $165
Communications: $179
Financial: $215
Pharmaceuticals: $220
Education: $300
Health: $363
Highly regulated industries have the highest costs per breach
Retail saw a 57% increase in cost in 2014
11. How to protect against a breach
Network security advice from @swiftonsecurity
12. Can you afford to take risks given MQ’s connectivity?
• Your IT environment is becoming hyper-connected.
– You need to secure your systems – MQ systems, applications, and the data flowing
both within MQ and around your enterprise
• You need to understand the risks if you don’t secure them
• You need to understand the risks if you secure them inefficiently
• Different types of threat require different security measures
– External threats to your business
• ‘Mass-market’ attempts
• Targeted attempts
– Internal threats
• Disaffected employees
• Errors or poor processes
• Regulatory compliance
– Industry, legal or other types of rules/regulations
• Business directives
– Corporate directives to be met
13. The burden of proof
• Being secure is not enough – you need to prove you are secure
• The most secure system in the world is nothing without being able to
pass an audit
– Similar to use of MQ – not just about delivering the message; it is knowing you
have delivered the message
• Security is more than just authentication, authorization and
encryption
– Process
– Logging
– Records
• Every step from initial configuration, through to removal of access,
and logging of failed attempts must be verifiable
14. Implications of applying security
• Adds complexity to configuration, operation, maintenance – not just to MQ but
to your business and processes
– Who manages security for your MQ environment?
• What other MQ access do they have?
– Is MQ security done globally, locally, by system?
• Does it link seamlessly to other systems to provide complete end-to-end security
• Authentication
– System specific, repository
• Authorisation
– Users, roles, groups?
• Encryption
– Data in flight? Data at rest?
• Logging, auditing
– Prove to yourself
– Prove to auditor
• When is the best time to design and implement security for your system?
18. Connection Authentication
• Authentication is used to force clients to identify themselves.
• It is usually used in combination with authorization.
– First ask users to prove who they are, then give them authority only to do what
you want them to be able to do.
• Connection authentication was added as a feature of MQ in version 8
• Can be used in combination with channel authentication records to
provide granular control over who has to provide valid credentials.
19. Authorization
• Authorization is used to limit what connected applications can do.
– Stops unauthorized users from viewing, editing, deleting objects they do not
have permission to do.
• Authority to perform an action is given.
– By default a user/group will not have any authority
• Best practice is to only grant minimum required authority
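The runmqsc commands below are an added example, not taken from the slides or from IBM, of the least-privilege rule on this slide: a group that only needs to connect, put requests and get replies is granted exactly those authorities and nothing else. Queue manager QM1, the queue names ORDERS.REQUEST and ORDERS.REPLY and the OS group apporders are assumed values.

```mqsc
* Added example, not from the slides or from IBM: least-privilege authority
* records. QM1, the queue names and the group apporders are assumed values.

* Nothing is granted by default, so add only what the application needs:
* connect to the queue manager and inquire on it, put to the request queue,
* get (and browse) from the reply queue.
SET AUTHREC OBJTYPE(QMGR) GROUP('apporders') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('ORDERS.REQUEST') OBJTYPE(QUEUE) GROUP('apporders') +
    AUTHADD(PUT)
SET AUTHREC PROFILE('ORDERS.REPLY') OBJTYPE(QUEUE) GROUP('apporders') +
    AUTHADD(GET,BROWSE)

* Deliberately not granted: SET or CHG on any object, DSP on queues the
* application does not use, and anything at all on
* SYSTEM.ADMIN.COMMAND.QUEUE, which would make the group an
* administrator in all but name.

* Verify the effective authority for the group on each object
DISPLAY AUTHREC PROFILE('ORDERS.REQUEST') OBJTYPE(QUEUE) GROUP('apporders')
DISPLAY AUTHREC PROFILE('ORDERS.REPLY') OBJTYPE(QUEUE) GROUP('apporders')
DISPLAY AUTHREC OBJTYPE(QMGR) GROUP('apporders')

* Removal is as explicit as the grant; take a permission away as soon as
* the application no longer needs it
SET AUTHREC PROFILE('ORDERS.REPLY') OBJTYPE(QUEUE) GROUP('apporders') +
    AUTHRMV(BROWSE)
```

Granting to a group rather than to individual user IDs keeps the number of records small and makes the DISPLAY output something an auditor can read; on UNIX-like platforms the group must already exist in the operating system before the SET AUTHREC succeeds.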
20. Filtering with Channel Authentication
• Allows granular control over connections
• Allows you to block all connections that you do not trust
– Set up a whitelist to only allow the connections you trust
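The following runmqsc commands are an added example, not taken from the slides or from IBM, showing the combination that slides 18 and 20 describe together: connection authentication that makes every client present operating-system credentials, and channel authentication records that whitelist where connections may come from and which identity they then run as. Queue manager QM1, channel APP.SVRCONN, the 10.20.30.* subnet, the certificate DN CN=orderapp,O=Example and the user ID appsvc are assumed values.

```mqsc
* Added example, not from the slides or from IBM: connection authentication
* plus a channel authentication whitelist. QM1, APP.SVRCONN, 10.20.30.*,
* the DN and the user ID are assumed values.

* --- Slide 18: make clients prove who they are --------------------------
* The shipped SYSTEM.DEFAULT.AUTHINFO.IDPWOS uses CHCKCLNT(REQDADM), which
* only challenges privileged user IDs. REQUIRED challenges every client.
* ADOPTCTX(YES) makes the authenticated ID the one used for authorization
* checks, so the password actually decides what the application may do.
DEFINE AUTHINFO(APP.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
       CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(APP.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)

* --- Slide 20: whitelist with channel authentication records -------------
ALTER QMGR CHLAUTH(ENABLED)
* Back-stop rule: every address is denied unless a more specific rule allows it
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop: deny anything not explicitly allowed') ACTION(REPLACE)
* The trusted application subnet may connect, and must present a password
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    USERSRC(CHANNEL) CHCKCLNT(REQUIRED) +
    DESCR('App tier, credentials required')
* A TLS client certificate with this DN, from that subnet, runs as the
* low-privilege appsvc ID rather than whatever ID the client asserted
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=orderapp,O=Example') +
    ADDRESS('10.20.30.*') USERSRC(MAP) MCAUSER('appsvc') +
    DESCR('Map TLS identity to appsvc')
* Administrators never come in over the application channel
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('No MQ administrators over the client channel')

* Ask the queue manager which rule a given connection would actually hit
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.20.30.17') +
        CLNTUSER('appsvc') SSLPEER('CN=orderapp,O=Example')
```

The DISPLAY with MATCH(RUNCHECK) is the check worth running after every rule change: channel authentication rules are matched by type precedence (SSLPEERMAP before ADDRESSMAP, BLOCKUSER applied last), not in the order they were entered, so the rule you expect to fire is not always the one that does.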
21. SSL/TLS Encryption
• SSL/TLS is used for two reasons in MQ:
– Authentication with a Queue Manager
– Encrypting and protecting data in transit between a client or Queue Manager
and destination Queue Manager.
• Transmission encryption using SSL/TLS prevents unauthorised users
from reading your communications and messages in transit.
• As IBM and other organisations discover weak CipherSpecs, MQ
deprecates vulnerable CipherSpecs
– Alerts for weak CipherSpecs given using Technotes
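As an added example, not taken from the slides or from IBM, the runmqsc commands below put TLS on a client channel for both purposes the slide lists: the queue manager authenticates the client's certificate, and the data in transit is encrypted. Queue manager QM1, the key repository path, the certificate label qm1cert, channel APP.SVRCONN and the DN are assumed values; TLS_RSA_WITH_AES_256_CBC_SHA256 is a TLS 1.2 CipherSpec that MQ v8 supports, but the deprecation point on the slide applies to any CipherSpec name, so check the current Technotes before relying on one.

```mqsc
* Added example, not from the slides or from IBM: TLS on the client channel.
* QM1, the key repository path, the certificate label, the channel name and
* the DN are assumed values.

* Key repository (path without the .kdb suffix) and the queue manager's own
* certificate label within it
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key') CERTLABL('qm1cert')

* Mutual TLS on the channel: a single strong CipherSpec, the client must
* present a certificate (SSLCAUTH), and that certificate must carry the
* expected DN (SSLPEER) or the channel does not start
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') +
      SSLCAUTH(REQUIRED) +
      SSLPEER('CN=orderapp,O=Example')

* Pick up a changed key repository or certificate without a restart
REFRESH SECURITY TYPE(SSL)

* Verify the definition, then what running channel instances actually
* negotiated (cipher, peer DN and issuer DN)
DISPLAY CHANNEL('APP.SVRCONN') SSLCIPH SSLCAUTH SSLPEER
DISPLAY CHSTATUS('APP.SVRCONN') SSLCIPH SSLPEER SSLCERTI
```

The client side must specify the same SSLCIPH on its channel definition (or in its client channel definition table); a mismatch fails the channel start, which is the intended behaviour rather than a silent fallback to a weaker suite.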
22. Security Exits
• Security exits are bespoke, customer-created exits that are run during
the security checks.
• Prior to MQ v8 a security exit was used in MVS to supply connection
authentication capabilities
– CSQ4BCX3
23. Additional Security
• MQ Protocol
– Prevents unauthorised users from creating unsupported connections
• For example, using a client application to connect to a Queue Manager to Queue
Manager channel.
• AMS
– AMS provides a higher level of protection to messages
– It is an end-to-end security model
• Messages are protected from creation until destruction
– Messages can be protected so that only authorised users can see message
data
• This means even MQ Administrators cannot view a message.
– Messages are protected both in transit and at rest
• Satisfies the standards compliance for certain data types (HIPAA, PCI, etc)
24. Auditing
• For every security failure, MQ can write out an error message for
administrators to check
• Additionally MQ can output event messages which can be monitored
for unauthorized access attempts.
• Both allow you to keep track of who does what to your MQ Queue
Manager and its objects.
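The runmqsc commands below are an added example, not taken from the slides or from IBM, of switching on the event messages this slide refers to and checking that something is reading them. Queue manager QM1 is assumed; the error log path is the standard one for a queue manager of that name.

```mqsc
* Added example, not from the slides or from IBM: enable the security-related
* event messages and check they are being consumed. QM1 is assumed.

* Authority events: one event on SYSTEM.ADMIN.QMGR.EVENT for every
* MQRC_NOT_AUTHORIZED (failed connect, open or command), alongside the
* AMQ8077 (insufficient authority) and AMQ5534 (authentication failed)
* lines in /var/mqm/qmgrs/QM1/errors/AMQERR01.LOG
ALTER QMGR AUTHOREV(ENABLED)

* Channel events: a Channel Blocked event on SYSTEM.ADMIN.CHANNEL.EVENT each
* time a channel authentication rule rejects a connection (AMQ9777 in the
* error log). EXCEPTION reports failures only, which keeps the volume down.
ALTER QMGR CHLEV(EXCEPTION)

* Configuration and command events record who changed which object, which
* is the trail slide 13's "burden of proof" is about
ALTER QMGR CONFIGEV(ENABLED) CMDEV(ENABLED)

* Confirm the settings took effect, together with the authentication
* switches they complement
DISPLAY QMGR AUTHOREV CHLEV CONFIGEV CMDEV CONNAUTH CHLAUTH

* Events are ordinary messages: if no monitoring tool drains these queues
* they fill to MAXDEPTH and later events are discarded, so watch CURDEPTH
DISPLAY QLOCAL('SYSTEM.ADMIN.*') CURDEPTH MAXDEPTH
```

A rising CURDEPTH on an event queue is itself a finding: either nobody is consuming the audit trail, or the rate of rejected connections has changed, and both deserve a look.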
25. Much more detail in…
3429A How to Transform your Messaging Environment to a Secure Messaging Environment
Mandalay Bay North - South Pacific Ballroom I
Wed, 24-Feb, 3:45 PM – 4:30 PM
26. Hybrid Messaging from the IBM experts at InterConnect 2016
Sunday
14:30-15:30 6408 Hybrid messaging roadmap (InnerCircle)
Monday
10:30-11:30 3592 New MQ features; 3452 Managing applications
12:00-13:00 2835 MQ on z/OS and Distributed
15:00-16:00 3470 Latest MQ z/OS features; 2833 Where is my message?; 3544 MQ Light in an MQ infrastructure
16:30-17:30 3573 Hybrid cloud messaging; 2941 MQ Advanced
Tuesday
08:30-09:30 3540 The MQ Light API
12:00-13:00 3456 The IBM MQ Appliance
13:15-14:15 3499 Introducing Message Hub; 3458 MQ Appliance administration
14:30-15:30 6432 MQ updates and futures (InnerCircle); 2849 Messaging feedback roundtable
16:00-17:00 3544 MQ Light in an MQ infrastructure; 3513 MQ hands on lab
Wednesday
08:30-09:30 3602 Managing your MQ environment
12:00-13:00 3613 Designing MQ self service; 6408 Hybrid messaging roadmap (InnerCircle)
13:15-14:00 3416 HA and DR with MQ; 3433 Why secure your messaging?
15:45-16:30 3429 Securing MQ; 2847 Meet the messaging experts
16:00-17:00 3508 MQ Light hands on lab
16:45-17:30 2275 Migrating to the IBM MQ Appliance
Thursday
08:30-09:15 3420 MQ Clustering; 2931 Business agility with self service MQ
09:30-10:15 3479 MQ z/OS clusters and shared queue; 3450 Optimising MQ applications; 2849 Messaging feedback roundtable
10:30-11:15 3465 MQ Appliance high availability; 3481 MQ z/OS messaging connectivity
11:30-12:15 3474 Active-active messaging; 3537 Monitoring and managing MQ; 3425 MQ publish/subscribe
Find us at the EXPO: Hybrid Integration peds 65-68
Check out the Hybrid Messaging sub topic under Hybrid Integration topic for further customer and business partner sessions
27. European & North American Hursley Summit 2016
Integration across applications, data and processes for mobile and cloud
May 10 – 12 & May 16 - 19 | IBM Hursley Lab
Hursley: a visit to talk about
• Hybrid Integration Strategy
• Cloud Integration
• Accelerating Digital Business
• Integration Bus
• IBM MQ
• API Management
• BPM / ODM
• DataPower
• CICS
• WAS
Spend time with IBM experts, at the home of many of IBM's software products. This summit is by invitation only - a limited seating engagement for executives and architects who would like to learn how to harness IBM connectivity and application integration solutions to deliver access to data, applications and information regardless of platform, device or data formats - across both on-premises and cloud environments.
Learn more about how we are transforming our technologies using Hybrid Cloud to enable you to harness your existing assets to achieve greater capacity, efficiency and integration across platforms, whilst retaining the security, capability and resiliency you would expect from IBM.
• Discover and influence IBM's strategy for key messaging and integration technologies, including IBM MQ, IBM Integration Bus and IBM API Management
• Engage in technical sessions and one-on-one interactions with top IBM Hursley Lab architects and senior executives to refine your 2016 strategic plans
• Expand your network with industry-leading peers from other companies
• Plus learn about other IBM technology, such as IBM intelligent business process management solutions (BPM & ODM), DataPower gateways, CICS and WebSphere Application Server on-premise and cloud
This event is conducted under a Non-Disclosure agreement, so we will be able to share product directions with you.
The IBM Hursley Lab is the largest software development facility in Europe; situated in a beautiful 100 acre park with a historic setting. Attendees stay in the local city of Winchester which is a vibrant heritage destination with many attractions and classical architecture including a magnificent cathedral. Enjoy the award-winning pubs and restaurants and a tempting array of independent shops.
Talk to your IBM rep to find out more
Be part of the conversation: keep up to date with the latest information, join the conversations and help to shape the event to meet your interests. Use #IBMhursum in your Tweets to keep in touch.
29. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services®, Global Technology Services®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
30. Thank You
Your Feedback is important to us.
Please Access the InterConnect 2016 Conference
CONNECT Attendee Portal to complete your session
surveys from your smartphone, laptop or conference kiosk.