This document discusses how CA Cleanup and CA Identity Governance can help organizations reduce the cost and effort of mainframe security. It provides an overview of how CA Cleanup automates the process of identifying and removing unused and unnecessary access entitlements from the mainframe security database. Implementing CA Cleanup as part of a phased approach is recommended to continuously clean up access rights over time. Role-based access control best practices are also discussed to further streamline access management after an initial cleanup.

1. World®
’16
Reduce Security Cost and Effort with
CA Cleanup and Role Based Access Control
Carla Flores, CA Technologies John Pinkowski, CA Technologies
Sr. Principal Consultant Sr. Principal Product Owner
MAINFRAME AND WORKLOAD AUTOMATION
MFX41E

2. 2 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of
warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation

3. 3 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Abstract
Cost, effort and time are the biggest challenges customers face
when it comes to mainframe security.
This session will provide an overview of how CA Cleanup
reduces the effort and pressures associated with maintaining
current regulatory, statutory and audit requirements.
We’ll cover how simple it is to use CA Cleanup as the first step
to getting to a role-based access control implementation that
reduces the cost of administering mainframe security.
Carla Flores
CA Technologies
Sr. Principal Consultant
John Pinkowski
CA Technologies
Sr. Principal Consultant

4. 4 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Agenda
CLEAN-UP IS YOUR FIRST LINE OF DEFENSE
HOW CA CLEANUP WORKS
OPEN DISCUSSION / Q&A
PHASED IMPLEMENTATION RECOMMENDATIONS
WHAT’S NEXT?
ROLE BASED ACCESS CONTROL BEST PRACTICES
1
2
3
4
5
6

5. 5 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Business Challenges
What do you want to do?
MITIGATE RISK SUPPORT THE BUSINESS REDUCE COST OF
COMPLIANCE
Automate for efficiency
(e.g. certification)
Centralized visibility
Reduce exception processing
Least privileged access
and SOD violations
Enable business to be accountable
(while minimizing their effort)
Enable quick and secure access
Improve security, not just pass the audit
On-going remediation and
improvement of compliance
Eliminate terminated users,
orphan accounts
Reduce excessive entitlements
Delete inactive accounts
Improve role quality (redundancy)
Automate HR changes related
to role assignments

6. 6 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
The financial benefit for this risk
mitigation approach is to avoid the
cost of a data breach, which averages
$5.9 million for a class action law suit
settlement (Target settled at $39M,
Sony Playstation $171M, Sony
Entertainment $100M, Anthem BCBS
$100M and still growing).
Key Benefits:
§ Protect against both external and
internal threats
§ Enable compliance for access
across the Mainframe environment
§ Reduce costs and improve
efficiency through automated
security controls
Securing employee and customer
data and access to the Mainframe is
key for protecting brand and
reputation.
Discovering and managing access is a
starting point toward securing the
Mainframe environment.
A consolidated solution with
preventive and detective controls to
reduce the likelihood of unauthorized
access is key to ensure security as
well as streamlining the
administration and auditing of all
Mainframe access.
Mitigate the risks of external attacks,
insider threat and lateral movement within
the Mainframe environment.
Key drivers:
§ Highly publicized security breaches (e.g.,
Sony, Anthem, Target, Fed Govt OPM),
mostly a result of privileged user account
compromise, driving broad demand
§ Regulation and compliance driven needs
are expanding with latest mandates
§ Threat surface is expanding with
transition to evolving technology stack
§ Lack of automated capabilities to
discover access and entitlements and
limited visibility into user activities on
the mainframe.
Business Challenges
What do you want to do?
CHALLENGE BENEFITSSOLUTION

7. 7 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Opportunities for Improvement
Efficacy, Efficiency, Cost Reduction and Cost Avoidance
American Express could face devastating losses
in the event of unauthorized access. There is a
need to establish unique preventive and
detective controls to reduce the likelihood of
unauthorized access and limit the impact of
such an event.
Reduce Risk
Growing regulatory concerns stemming from recent
security breaches are driving new security
requirements. Discovering and cleaning access is
the first step to better manage both current and
future compliance requirements.
Improve Compliance
Errors and mistakes made by administrators can lead to
system outages and SLA violations and are costly to
triage. Enhanced auditing and session recording
capabilities can solve the attribution problem and help
the engagement team address issues before they
negatively impact operations.
Improve Operational Efficiency
American Express has many manual or ad-hoc
processes to grant and manage access on the
Mainframe. This leads to administrators either
spending more time than necessary to grant
access or taking shortcuts to impact the
security posture of the entire organization. A
consolidated platform to simplify
administrator access can also enforce
accountability and compliance.
Increase Productivity

8. 8 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Quick Assessment
REDUCE RISK OF OVER-PRIVILEGED USERS
§ Do I have Segregation of Duties violations right now?
§ Do all my users have the correct access for their role(s)?
AUTOMATE IDENTITY PROCESSES
§ Are my processes too manual? Are they inefficient?
§ Do I have inconsistent security policies due to human error?
§ Can I reduce the time & effort it takes to submit audit
reports?
§ Can I easily show “who has access to what”?
SIMPLIFY COMPLIANCE AUDITS
IMPROVE EMPLOYEE PRODUCTIVITY
§ How much time do my managers spend in access
certifications?
§ How long does it take a new employee to have ALL
their access and accounts available?
INCREASE USER PARTICIPATION
§ Can I provide a one-stop-shop where my users can easily
access all identity services in one place?
§ Can I reduce the need of IT to manage identity processes?
PROVIDE OUTSTANDING USER EXPERIENCE
§ Can the system interact with my users with Business terms
that they understand?
§ Can I improve my user productivity and satisfaction?

9. 9 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Where Does Your Organization Stand?
Continuous compliance
Systematic identification of
access risk
Streamlining existing processes
Repeatable security practice
Incorporated business
relevance
Intelligent decision support
Identity intelligence
Content-aware
Security in the Cloud
Manual
Integrated and
Automated
Business
Optimized
Reacting to audits with
spreadsheets
Compliance teams in silos
with overlap
Best effort security policy
enforcement

10. 10 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA Cleanup
for z/OS &
CA Identity
Governance
A winning
combination…
- IT Specialist, Fortune 500 Banking Company
“CA Mainframe Security solutions provide us with
a high level of confidence that access to sensitive
data is secured and properly managed.”
Source: TechValidate., TVID: C58 – OCD – C5E

11. 11 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Governing Access on the Mainframe
(CA Cleanup + CA Identity Governance)
Reduce time and cost of compliance, mitigate risk and support the business
50%+
of mainframe security databases contain
orphaned, obsolete or redundant identities and
entitlements.
Automated removal of wrong
entitlements and access groups
Restrict privileged access rights to
minimum requirements
Gain rapid insight - Who has
access to what
Identify exposures - wrong
entitlements, inactive accounts,
etc
Continuously monitor system
usage over time
Automate and streamline
compliance processes and
establish detective controls
Consolidate
Entitlements
Repeatable
Processes
Cleanup
Access

12. 12 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA Cleanup for z/OS
How It All Works
Tracking
Database
Security
Database
Report and
Command
Generator
Report File
Command Files DBRPTCMD
CA ACF2,
CA Top Secret
Or IBM RACF
Database
Load Utility CA
Cleanup
Started Task

13. 13 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA Cleanup unreferenced summary report (TSS)
Typical use case: +50% unused

14. 14 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA Cleanup unreferenced summary report (ACF2)
Typical use case: +50% unused
Record Type Total Unreferenced
--------------- --------- ------------
USER 15,865 7,637 48%
DSN Rule Sets 9,031 4,605 50%
DSN Rule Lines 103,308 79,177 76%
RATX Rule Sets 1 1 100%
RATX Rule Lines 2 2 100%
RBBM Rule Sets 1 1 100%
RBBM Rule Lines 1 1 100%
RBCM Rule Sets 55 33 60%
RBCM Rule Lines 209 178 85%
RBJT Rule Sets 1 1 100%
RBJT Rule Lines 3 3 100%
RCAC Rule Sets 10 10 100%
RCAC Rule Lines 79 79 100%
RCAT Rule Sets 13 10 76%
RCAT Rule Lines 77 69 89%
RCBI Rule Sets 1 1 100%
RCBI Rule Lines 2 2 100%
RCCM Rule Sets 55 44 80%
RCCM Rule Lines 209 194 92%
RCKC Rule Sets 1 1 100%
RCKC Rule Lines 1 1 100%
RCKP Rule Sets 6 6 100%
RCKP Rule Lines 6 6 100%
RCKZ Rule Sets 18 18 100%
RCKZ Rule Lines 21 21 100%
RCMN Rule Sets 265 154 58%
RCMN Rule Lines 1,195 764 63%
RCP1 Rule Sets 2 2 100%
RCP1 Rule Lines 127 127 100%
RCSM Rule Sets 1 1 100%
RDTA Rule Sets 4 4 100%
RDTA Rule Lines 199 199 100%
RDTR Rule Sets 53 53 100%
RDTR Rule Lines 144 144 100%
RECM Rule Sets 55 36 65%
RECM Rule Lines 209 182 87%
REJB Rule Sets 1 1 100%
REJB Rule Lines 1 1 100%
RESP Rule Sets 4 0 0%
RESP Rule Lines 341 250 73%
RFAC Rule Sets 15 12 80%
RFAC Rule Lines 66 63 95%
--------------- --------- ------------ ----
Totals 131,658 94,094 71%

15. 15 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Phased Clean-up Steps
§ Run DBRPT unref=999
§ Review summary report
§ Start with 100% non-use
§ Run DBRPTC with selected
resource types*
*ACF2 = OPTION(commentaccessnone)
§ Review output
§ Schedule cleanup cycle
§ Execute deletes via batch
§ Maintain delete/recovery
command files as GDG(s)
§ Consider update ‘reload’ job
to run nightly (off-hours)

16. 16 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Phased Clean-up Steps
§ Re-run DBRPT unref=999
§ Review summary report
§ Now with 80-99% non-use
§ Run DBRPTC with selected
resource types*
*ACF2 = OPTION(commentaccessnone)
§ Review output
§ Schedule cleanup cycle
§ Execute deletes via batch
§ Maintain delete/recovery
command files as GDG(s)
§ Consider update ‘reload’ job
to run nightly (off-hours)

17. 17 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
On-going Cleanup
§ Run DBRPT or DBRPTC
weekly to meet SLA for
account/entitlement
removals
– Best practice = 400 days
§ Execute deletes via batch
§ Maintain delete/recovery
command files via GDG Time
Level of
privilege
Employee is hired
and ID is provisioned
Not all entitlements are
removed ~
This creates a security
risk!
Orphan Accounts
& Entitlements
New entitlements
Employee leaves and
ID is de-provisioned

18. 18 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Case Study: Large Retailer
Streamlining Mainframe access
CONTRACTORS
Fragmented entitlements
§ lack of visibility of access
§ un-optimized group access
§ orphan accounts
§ overlapping access
Manual entitlement reviews
No standardized role definitions
PARTNERS
EMPLOYEES
Proven highly scalable solution
Analyzed 250,000 accounts, 66 million access rights and discovered 200 roles within 3 minutes
“CA Identity Governance provided the most rapid TTV of any IAM product I’ve ever used…” - VP of IT
Challenges:

19. 19 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
“Who has access to what?” Example assessment
Email
Mainframe
Customer
Database
Directory
HR
UNIX
Corporate
Network
Sally Brown
Finance
Bob Thomas
Payments
Hiroki Shimada
IT
Harold Fletcher
Finance
Jane Coors
Payments
Morgan Smith
IT
Carlos Bayez
IT
Laura Dempsey
Payments
1,000,000’s Entitlements15,000+ People 100’s Applications
Finance
ü 1,123 combinations
of UID string values,
minus the LID.
ü 443 refer to only 1
LID, 76 refer to 2, 42
refer to 3, 32 refer to
4 and 29 refer to 5.
ü 662 unique
combinations, or a
little more than half,
refer to 5 or less LIDs.

20. 20 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Typical Findings/Recommendations
Sensitive Data
Discovery
Phased Cleanup
Compliance
Monitoring
§ Leverage CA Identity Governance
role mining recommendations and
attestation
§ Steps:
- Determine acceptable level of
role matching via surveys
- Identity SoD violation
- Identify where people fall
outside the normal access
structure
- Definition of Role groupings in
ESM
Role survey /
RBAC
§ Phased implementation
- Define everyone based on
new role
- Migrate based on business
tolerance
6-8 weeks
1-2 weeks
4-6 weeks
12+ weeks
§ Findings:
- Reporting is cluttered due to
excessive security data that is
obsolete
• Steps:
- Purge obsolete rule lines
- Leverage ACFRULCU (ACF2 only)
- Rule nextkey consolidation
(ACF2 only)
- Ongoing cleanup
§ Findings:
- Difficult to identify sensitive data
with 100% certainty
- Reporting process is cluttered
due to excessive inclusion
• Steps:
- Implement CA Data Content
Discovery to identify sensitive
data
- Implement CA Compliance Event
Manager for on-going real time
alerts
§ Findings:
- Need more detailed data on
current entitlement reports
- Ongoing entitlement certification
process could be enhanced
- Integrity monitoring not in place
• Steps:
- Explore Compliance
Information Analysis (CIA) as
part of base prodcut
(ACF2 & Top Secret only)

21. 21 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Role Based Access Control - Best Practice Approach
Phase 1:
Planning
Phase 2:
Foundation
Phase 3:
Automation
Phase 4:
Optimization
Gap Analysis
Visibility, Audit &
Clean-Up
Role Modeling
Business Case
Development
Project Planning
Ongoing
Refinement
Executive Sponsorship & Business Acceptance
Data Discovery
Entitlements
Certification
Role Management
User Provisioning
Segregation of
Duties Policies
User Activity
Monitoring

22. 22 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Defense in Depth Strategy for z Systems™
Full identity lifecycle
management
CA Identity Suite
Manage your privileged account
access across both physical and
virtual systems
CA Privileged Access Manager
Role discovery and
entitlement certification for
all end-points
CA Identity Governance
Sensitive data discovery tool for
z/OS to identity, classify and
protect mainframe data
CA Data Content Discovery
Identify and remove obsolete,
redundant, unused IDs and
entitlements
CA Cleanup
z/OS integrity monitoring and
security information event
management
CA Auditor/
CA Compliance Event Manager
70%
of mission
critical data

23. 23 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Recommended Sessions
SESSION # TITLE DATE/TIME/ROOM
MFX119S Encryption and Hashing and Keys – Oh, my! 11/16/2016 at 1:45pm Jasmine E
MFX118S
How is Buying a Home Like Justifying Data Security
Investments? Developing Return on Security Investment
(ROSI) Analysis
11/16/2016 at 3:00pm Jasmine E
MFX173S The Importance of Mainframe Security Education 11/16/2016 3:45pm Jasmine E
MFX172S
The Key to Complying With New Regulations and
Standards: Comprehensive Mainframe Security
11/16/2016 at 4:30pm Jasmine E
MFT174S Mainframe Security Strategy and Roadmap: Best Practices
for Protecting Mission Essential Data
11/17/2016 12:45pm
Mainframe Theater
MFT175S Gaps in Your Defense: Hacking the Mainframe
11/17/2016 3:00pm
Mainframe Theater

24. 24 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Must See Tech Talks and Demos – Expo Floor
MFT53T
How Can
Mainframe Security
be Made Easier?
11/16/2016 @
12:45pm
Mainframe Theater
Mainframe
Security and
Enterprise
Security
Demos
SCT38T SCX05E
PAM Threat
Analytics
11/17/2016 @
4:00pm
Security Theater
Governing Your
Privileged Users
11/16/2016 @
3:45pm
Security Theater

25. 25 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Questions?

26. 26 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Thank you.
Stay connected at communities.ca.com

27. 27 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Summary
§ Protects against both external and internal
threats
§ Enables compliance for privileged identity and
administrative access across the Mainframe
§ Reduces costs and improve efficiency through
automated security controls
§ Leverage existing negotiated rates on license for
aggressive discounts and product value
§ Offers the most comprehensive solution,
providing both preventive & detective controls
§ Provides defense in depth for privileged account
management:
– Comprehensive credential management
– Least-privilege, policy-based SSO access control with
command filtering
– Privileged session monitoring and recording
– Fine-grained server access controls
§ Rated Best-of-breed solution by leading industry
analysts
§ Proven scalability in some of the largest and
most complex IT environments in the world
THE VALUE WHY CA TECHNOLOGIES

28. @CAWORLD #CAWORLD © 2016 CA. All RIGHTS RESERVED.28 @CAWORLD #CAWORLD
Mainframe and Workload Automation
For more information on Mainframe and Workload Automation,
please visit: http://cainc.to/9GQ2JI