Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?

World®’16

IntheVoiceofaMainframeMillennial:HowCanMainframeSecurityBeMadeEasier?JoshBroadhurst,AssociateSoftwareEngineerCATechnologies

MFT53T

MAINFRAMEANDWORKLOADAUTOMATION

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation

Abstract

Agilebusinessesneedtobalancesecuritywitheaseofuse.Youneedtoknowwhoisaccessingyourdata,wherethedataislocatedandthatitissecure.Butatthesametime,authorizedusersneedaccessatalltimestopropelthebusinessforward.Howcanweoursimplifymainframesecuritypracticestoachievethisbalance?Inthissession,amainframemillennialprovidesafreshperspectiveonthelandscapeofmainframesecurityandprovidesnewinsightsonhowwecansimplifymainframesecuritypracticeswhileimprovingoursecurityandcomplianceposture.

JoshBroadhurstCATechnologiesAssociateSoftwareEngineer

QuickIntroduction

§ GraduatedfromUIUC– B.S.ComputerEngineering

§ StartedatCAinJanuary– AssociateSoftwareEngineer

§ WorkattheLisle,ILoffice– CADataContentDiscovery(DCD)

AboutMe

Agenda

BACKGROUNDANDCHALLENGES

ADDRESSINGINTERNALSECURITYRISKS

CREATINGARISK-AWARECULTURE

PREPARINGAYOUNGERWORKFORCE

QUESTIONSANDCOMMENTS5

BackgroundandChallenges

§ 80%ofFortune2000companieshavemainframestaffeligibleforretirement

§ Managementtasksbelievedwouldsuffermostfromshortfallsinmainframestaffing:– Security(55%)– Storage(47%)– Workloadmanagement(46%)

– Databasemanagement(26%)

MainframeSkillsShortage

SOURCE:“TheMainframeConundrum:EscalatingWorkloads,ShrinkingStaff”byTheInfoPro,Inc.(2008)

PasswordSecurity

DataLoss

UnauthorizedAccess

Whichsecuritychallengesarelargeenterprises“extremelyconcerned”with?

EnterpriseSecurityChallenges

SOURCE:NokiaandPennSchoenBerland surveyof1500seniorITdecisionmakers(2015)

§ LPARonIBMSystemzisEAL5certified

§ Problem:EALislimitedtospecificTargetofEvaluation(TOE)– Onlypropertiesofsecurityproductsorsystemsconsidered

§ Whatabout– Administration?– Usertraining?– Compliance?

MeasuringSecurity

AddressingInternalSecurityRisks

§ Toptwocausesofsecurityincidentsrelatetointernalrisks

InvestigatingSecurityIncidents

SOURCE:“DataBreachInvestigationsReport”byVerizon(2016)

10,490

11,347

EverythingElse

Denial-of-Service

PhysicalTheft/Loss

PrivilegeMisuse

MiscellaneousErrors

§ 63%ofconfirmedbreachesinvolvedweak,default,orstolenpasswords

§ 26%ofmiscellaneouserrorbreachesinvolvedemployeessendingsensitiveinformationtowrongperson

§ 70%ofinsidermisusebreachestookmonthsoryearstodiscover

SomeUsefulFigures

27 6 3 2

7 1Internal

External

DiscoverymethodsofbreacheswithinMiscellaneousErrors

CustomerReport LeakedDocumentsorFiles ActorDisclosure Audit EmployeeReport ITReview

HowAreBreachesDiscovered?

§ Employeecompliancewithsecurityguidelinesisamajorfactorinsecurityincidents

§ Whyaren’temployeesfollowingexistingsecurityguidelines?

§ Needmoreinternaldiligencetoidentifybreachesandrespondearlierinthelifecycle

RootoftheProblem

CreatingaRisk-AwareCulture

§ Monitorsystemsandusers– Log,analyze,andreportonsecurityevents– SIEMsoftware

§ CAComplianceEventManager

§ Knowyourdata– Whereissensitivedatalocated?– Whohasaccesstoit?– DLPsoftware

§ CADataContentDiscovery

TechnicalMeasures

§ Changingattitudes– Peoplewillfollowprocedureonlyifperceivedbenefitoutweighscost– Initiatives,programs,andpoliciesoftenconsidered“extrawork”– Fearofpunishmentcouldinhibitreporting

§ Activesupportfrommanagement– Authorizeriskmanagementcostsandresourceallocation– Acceptaccountabilityforsecurityfailuresandpolicyviolations– Provideongoingtrainingtosecurityteam

Non-technicalMeasures

“Activeandvisibleinvolvementoftopmanagement…notonlychangestherelevantcultureoftheorganizationbutalso

directlyinfluencesthecognitivebeliefsofemployeeswhichtheninfluencetheircomplianceintentions.”

ManagingEmployeeCompliancewithInformationSecurityPolicies:TheCriticalRoleof

TopManagementandOrganizationalCulture

PreparingaYoungerWorkforce

PreparingaYoungerWorkforcePersonalExperience

§ x86/Linuxbackground– Computingfundamentalsnot

sodifferent

§ MainframeASEProgram– 7weeksofficialtraining

§ z/ArchitectureBasics§ TSOandISPFPanels§ z/OSlanguages

PreparingaYoungerWorkforce

§ Currentofferingsfocusonmainframeplatformasawhole

§ Whataboutsecuritypractices?

§ IBM“EnterpriseSkillsSurvey”of130customersandpartnersshowslackofemphasisonmainframesecurityskills

What’sMissing?

SOURCE:IBMAcademicInitiative,SystemzProgram,EnterpriseSkillsSurveyResults(2006-2009)

SkillsArea StronglyRequired NotRequiredSecurityTraining 36.03% 17.30%

VulnerabilityLabsFirst-handexperienceonvariousvulnerabilities,attacks,andcountermeasures

DesignLabsApplysecurityprinciplesindesigningandimplementingsystems

ExplorationLabsEnhancestudentlearningviaobservation,playingandexploration

PreparingaYoungerWorkforceCasestudy:SEED

SOURCE:“SEED:Asuiteofinstructionallaboratoriesforcomputersecurityeducation”byDu,W.andWang,R.(2008)

PreparingaYoungerWorkforceCasestudy:SEED

"Thelabsparksmyinterestincomputersecurity"

StronglyAgree Agree Neutral

SOURCE:“SEED:Asuiteofinstructionallaboratoriesforcomputersecurityeducation”byDu,W.andWang,R.(2008)

"Thelabwasavaluablepartofthiscourse"

StronglyAgree Agree Neutral

ConclusionActionorinactionbyemployeesposessignificantrisktoinformationalassets.Awarenessofthreatsandtherationalebehindsecuritycontrolscanencourageappropriatepreventivebehavior.

Informationsecurityisprimarilyamanagementproblem.Topmanagementsupportisacriticalfactorinprocuringresourcestodevelopaneffectivesecurityculture.

Controlledaccesstoreal-worldsystemsisaninvaluableeducationaltool.Trainingfornewemployeesshouldbedesignedtoencouragecomplianceasaneasyanddesirabletask.

SummaryAFewWordstoReview

Questions?

RecommendedSessions

SESSION# TITLE DATE/TIME

MFX173S TheImportanceofMainframeSecurityEducation 11/16/2016at3:45pm

MFT174SMainframeSecurityStrategyandRoadmap:BestPracticesforProtectingMissionEssentialData

11/17/2016at12:45pm

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm

MustSeeDemos

Real-TimeDataSecurity&Compliance

CADataContentDiscoveryMainframeTheatre

MainframeSecuritySmartBar

CATopSecret®MainframeTheatre

Real-TimeDataSecurity&Compliance

CAComplianceEventManagerMainframeTheatre

MainframeSecuritySmartBar

CAACF2™MainframeTheatre

Thankyou.

Stayconnectedatcommunities.ca.com

MainframeandWorkloadAutomation

FormoreinformationonMainframeandWorkloadAutomation,pleasevisit:http://cainc.to/9GQ2JI

Tech Talk: In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier?

Technology

Millennial and sub-millennial scale climatic variations

IBM Mainframe-Integration Mainframe Change Data Capture

MILLENNIAL BUSINESS OWNERSmedia.bizj.us/view/img/7596552/smb-millennial-business... · MILLENNIAL BUSINESS OWNERS: Optimism Abounds. Page Research Method 3 Executive Summary 4 Millennial

Building a Millennial Mainframe Powerhouse: 7 Tips to Attract and Retain Millennial Mainframe Developers

IBM Mainframe-Integration Mainframe Change Data Capture Presented by

Mainframe Backup Modernization Disk Library for mainframe EMC Disk Library for mainframe (DLm) .pdf · Dell EMC has a global mainframe division and global mainframe support organization

Millennial powerpoint

Millennial to Millennial: A Young Professionals Panel

Introducción al nuevo mainframe Capítulo 1: El nuevo mainframe

Millennial Media

Mainframe Performance Optimization · Mainframe Performance Optimization More power from your mainframe, using your current IT assets. THE MAINFRAME NEW CHALLENGES ... • Mobile

Millennial Learners

Mainframe Integration Handling Legacy Application Challenges · •Fine grain APIs (microservices) may be easier to build, but put more work onto the consumer. •More intelligent

Millennial Temple

Mainframe Modernisation - Infosys · Mainframe Modernisation Keywords: Mainframe Modernisation Created Date: 4/19/2016 1:49:03 PM

CA Software Change Manager for Mainframe Implementation Guide · CA Software Change Manager for Mainframe (CA SCM for Mainframe) CA Software Change Manager for Mainframe Automated

Arcati Mainframe Yearbook 2007Arcati Mainframe Yearbook 2020 The Arcati Mainframe ... · 2020-01-30 · Arcati Limited, 2020 3 Arcati Mainframe Yearbook 2007Arcati Mainframe Yearbook

The Millennial Compass: The Millennial Generation In The Workplace

MILLENNIAL ENGAGEMENT GUIDE - Amazon S3 · MILLENNIAL ENGAGEMENT GUIDE ... to begin to engage with the Millennial community in a ... practices.It also profoundly affected the Millennial

Mainframe Event Handling - Think global - Event Handling.pdf · 4 Mainframe Overview Definition Description Event handler Mainframe Events Goals Mainframe Consoles and Message Suppression