© 2015 IBM Corporation The bits, bytes and business benefits of securing your MQ environment and messages Morag Hughson - [email protected] Leif Davidsen – [email protected] IBM Hursley - UK

Page 2: The bits bytes and business benefits of securing your mq environment and messages final

Agenda

• The business fundamentals of why you need to secure your MQ environment

• What you need to know when securing your MQ environment

3AME4171 @LeifDavidsen @MoragHughson

Page 3: The bits bytes and business benefits of securing your mq environment and messages final

The need for connectivity is growing

Connectivity in business infrastructure is increasing
• More information, more systems, more services, deployed anywhere

Connect systems together
• Deliver timely updates of targeted data
• Gain business insight
• Applications and data become valuable assets, not growing costs

New sources of data are changing the world
• However, data without connectivity becomes a burden, not an asset


Page 4: The bits bytes and business benefits of securing your mq environment and messages final

Connectivity outside the enterprise – clouds, mobile and more

Systems are dynamic – new applications, new sources of data, new consumers of data
• The challenge of delivering data to meet changing demands needs a flexible infrastructure

Roll-your-own code in the applications: increases cost, time and complexity, but can deliver the code where you need it

Storing the data in a database or file: creates a permanent record, but does nothing to provide timely analysis

A messaging infrastructure can meet both needs
• Keeps the application simple and able to adapt to change
• Can deliver filtered information to consuming applications, and also deliver to a permanent information store


Page 5: The bits bytes and business benefits of securing your mq environment and messages final

The realities of an increasingly connected environment

Increasing connectivity increases complexity
Complexity is not just defining, building and operating environments, but complexity in security as well

What is a secure environment for an IT system?
• Connected systems are almost the definition of an insecure environment
• Every system represents a point of attack/risk
• Adding multiple security layers across multiple systems is likely to create an unusable environment
• Not to mention huge performance implications


Page 6: The bits bytes and business benefits of securing your mq environment and messages final

What are the costs of security risks?

Figures used in this presentation: 2014 Cost of Data Breach Study from Ponemon Institute and IBM – see it here: https://ibm.biz/BdE5qP


Page 7: The bits bytes and business benefits of securing your mq environment and messages final

Pressures deflecting from security

Challenge over complex IT systems
• Simpler approach required
• Speed essential
• Performance of systems
• Time taken to achieve desired outcome

Pressure on skills and resources
• More generalists
• Fewer specialists

• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions
• Security seen as burden rather than a business asset
• Focus on IT/resource spend on positive outcomes


Page 8: The bits bytes and business benefits of securing your mq environment and messages final

Cost per record of data breach (per industry)


Page 9: The bits bytes and business benefits of securing your mq environment and messages final

Can you afford to take risks?
Your IT environment is becoming hyper-connected.
• You need to secure your systems
• You need to understand the risks if you don’t secure them
• You need to understand the risks if you secure them inefficiently

External threats to your business
• Targeted attempts
• ‘Mass-market’ attempts

Internal threats
• Disaffected employees
• Errors or poor processes

Regulatory compliance
• Industry, legal or other types of rules/regulations

Business directives
• Corporate directives to be met


Page 10: The bits bytes and business benefits of securing your mq environment and messages final

Breakdown of the risks

Can’t simply focus on protecting from hacking – need robust processes and end-to-end security approaches


Page 11: The bits bytes and business benefits of securing your mq environment and messages final

Risks with an external breach
• Exposure and loss of corporate data
• Loss of internal and external trust in the business
• Loss of reputation
• Compromise of business systems and data can put at risk existing products, and future developments
• Exposure of customer information
• Potential for damages
• Penalties in market and from regulators
• Potential for legal action if due care was not taken to protect systems


Page 12: The bits bytes and business benefits of securing your mq environment and messages final

Costs to your business with a security breach

The costs of cleaning up a security breach are likely to outweigh the costs of implementing a strong security policy


Page 13: The bits bytes and business benefits of securing your mq environment and messages final

Risks with an internal breach
• Were processes followed?
• Was it deliberate or accidental?
• What data has been exposed?

If a retailer is breached, has customer data, especially payment data, been exposed?

If a healthcare provider is breached, has patient or clinical data been affected?

If a manufacturing company is breached, have confidential designs or other materials been released?

Life sciences… Aerospace… Investment bank…


Page 14: The bits bytes and business benefits of securing your mq environment and messages final

The burden of proof
Being secure is not enough – you need to prove it

The most secure system in the world is nothing without being able to pass an audit

Security is more than just authentication, authorization and encryption:
• Process
• Logging
• Records

Every step, from initial configuration through to removal of access, must be verifiable


Page 15: The bits bytes and business benefits of securing your mq environment and messages final

Implications of applying security
Adds complexity to configuration, operation, maintenance
• Who manages security? What other access do they have?
• Is security done globally, locally, by system?

Authentication: system specific, repository

Authorisation: users, roles, groups?

Encryption: data in flight? Data at rest?

Logging, auditing: prove to yourself, prove to auditor


Page 16: The bits bytes and business benefits of securing your mq environment and messages final

Connecting your enterprise with MQ

Provides messaging services to applications and Web services that need to exchange data and events with each other.

Universally supported by multiple platforms; 20 years leading in transactional message delivery

• Inherent reliable delivery and transaction control
• Native, high-speed handling of any type of message or file
• Native lightweight capabilities for supporting remote devices & sensors
• End-to-end advanced security
• Single point of control, visibility, and management for all data movement
• Applications become more flexible and data movement becomes more reliable
• Capabilities like the Coupling Facility in System z provide unique strengths
• Extensive support through years of development, skills and partner ecosystem extensions
• Comprehensive single solution reduces complexity of deployment and operation

[Diagram: Application A and Application Z exchanging messages through queue managers connected by channels, reaching pervasive devices, sensors (e.g. RFID), regional offices, mobile phones, petrol forecourts, refineries, branch offices, retail stores and zEnterprise; industries shown: Financial Services & Banking, Manufacturing, Government, Retail]


Page 17: The bits bytes and business benefits of securing your mq environment and messages final

Moving data using files is risky too

Process risk
• Delays in transferring files impact collaboration with customers/partners
• Integration files that are delayed impact SLAs
• Failure of file delivery impacts the processes themselves

Security risk
• Data encryption and governance of sensitive information transmitted in files
• Inability to apply corporate security policies to person-initiated file transfers
• No visibility over the type and sensitivity of the data being transferred
• No ability to support audit requirements

Page 18: The bits bytes and business benefits of securing your mq environment and messages final

Authentication

Digital certificates
• Mutual or queue manager only authentication
• Encrypt and tamper-proof your traffic

User ID and password validation
• New in IBM MQ V8
• Use of MQ Light is gated by password validation

IP filtering
• In MQ you no longer need exits: MQ V7.1 provides CHLAUTH
• The MQ Light Service in Bluemix is on a restricted network that only the users bound to that Bluemix instance can connect to.

[Feature matrix: SSL/TLS, password validation and IP filtering support for MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service, marked "restricted network" for IP filtering), DataPower and MQ Appliance; the cell marks did not survive extraction]
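The three controls on this slide (certificates over TLS, the V8 user ID and password check, and CHLAUTH instead of an exit for IP filtering) applied to one client channel, as an added MQSC script that is not part of the deck. The channel, AUTHINFO and user names, the subnet and the certificate DN are constructed; it assumes an MQ V8 queue manager whose key repository is already set up.

```mqsc
* Added example (constructed names). Feed to: runmqsc QMNAME < thisfile
*
* 1. Digital certificates: TLS on the channel. SSLCAUTH(REQUIRED) makes
*    the client present a certificate too (mutual authentication);
*    SSLCAUTH(OPTIONAL) would give queue-manager-only authentication.
*    MCAUSER('nobody') means nothing connects unless a rule below maps it.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       MCAUSER('nobody') REPLACE
*
* 2. User ID and password validation (new in MQ V8): every client
*    connection must supply a password checked against the OS registry.
*    CHCKLOCL(OPTIONAL) leaves local bindings applications unaffected.
DEFINE AUTHINFO(USE.OS.PW) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
       CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(USE.OS.PW)
REFRESH SECURITY TYPE(CONNAUTH)
*
* 3. IP filtering with CHLAUTH (V7.1+), no channel exit required.
*    The most specific address match wins, so the subnet rule overrides
*    the catch-all NOACCESS rule only for that subnet. ACTION(REPLACE)
*    adds the rule if it does not exist yet, so the script is re-runnable.
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny by default') ACTION(REPLACE)
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    USERSRC(CHANNEL) DESCR('Application server subnet') ACTION(REPLACE)
*    Map one known client certificate to a fixed low-privilege user ID
*    (SSLPEERMAP rules are evaluated before ADDRESSMAP rules).
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=Example') +
    USERSRC(MAP) MCAUSER('appuser') DESCR('app1 certificate') ACTION(REPLACE)
*    Never accept an administrative ID over this channel, whatever mapped it.
SET CHLAUTH(APP.SVRCONN) TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
ALTER QMGR CHLAUTH(ENABLED)
REFRESH SECURITY TYPE(SSL)
*
* Check what was actually configured before going live.
DISPLAY CHLAUTH(APP.SVRCONN) ALL
DISPLAY QMGR CONNAUTH CHLAUTH
```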


Page 19: The bits bytes and business benefits of securing your mq environment and messages final

Authorization

Granular access control
• Covers operations by applications (e.g. put and get) and administrative tasks (e.g. alter and start)
• OAM on distributed MQ; SAF on z/OS MQ
• MQ utilises machine specific user IDs (OS IDs)
• Appliances can use machine specific user IDs for demo purposes, or for production expect use of a centralized repository of user IDs (LDAP)
• MQ Light only allows Bluemix users that are bound to that instance to have any access to the MQ resources, but those users have no administration access.

[Feature matrix: machine specific vs external repository user IDs for MQ (z & Dist), MessageSight (machine specific for demos only), MQ Light (N/A single user for S/O; Bluemix instance users for the Bluemix Service), DataPower and MQ Appliance (machine specific for demos only); the cell marks did not survive extraction]


Page 20: The bits bytes and business benefits of securing your mq environment and messages final

Auditing
Keep track of who does what

• Security failures are reported to provide an audit trail
• MQ event messages
• MessageSight log files
• MQ Light is self-service so there is no admin role, e.g. queues are automatically created on first use

[Feature matrix: reporting of security failures, commands issued and configuration changes for MQ (z & Dist; security failures via SAF on z/OS), MessageSight, MQ Light (N/A for all three), DataPower and MQ Appliance; the cell marks did not survive extraction]
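The granular OAM access control from the Authorization slide and the three audit event categories from this slide (security failures, commands issued, configuration changes), as one added MQSC script that is not part of the deck. The queue, channel and group names are constructed; it assumes a distributed MQ V8 queue manager where MQSC SET AUTHREC is available as the equivalent of setmqaut.

```mqsc
* Added example (constructed names): least-privilege authority records
* for one application group, plus the event switches for the audit trail.
*
* Authorization: the application group gets only the operations it uses.
* CONNECT/INQ on the queue manager, PUT on the request queue, GET on the
* reply queue. No SET, CHG, DLT or CTRL, so administration stays with admins.
SET AUTHREC OBJTYPE(QMGR) GROUP('appgrp') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE(APP.REQUEST) OBJTYPE(QUEUE) GROUP('appgrp') +
    AUTHADD(PUT, INQ)
SET AUTHREC PROFILE(APP.REPLY) OBJTYPE(QUEUE) GROUP('appgrp') +
    AUTHADD(GET, BROWSE, INQ)
* Operators may display and start/stop the application channels but
* not alter them (no CHG), which separates running from reconfiguring.
SET AUTHREC PROFILE('APP.*') OBJTYPE(CHANNEL) GROUP('opsgrp') +
    AUTHADD(DSP, CTRL)
* Take back a right granted by mistake, e.g. from an earlier broad grant.
SET AUTHREC PROFILE(APP.REQUEST) OBJTYPE(QUEUE) GROUP('appgrp') +
    AUTHRMV(SET)
* Evidence for the auditor: what does this group actually hold now?
DISPLAY AUTHREC OBJTYPE(QUEUE) GROUP('appgrp')
*
* Auditing: the three columns on the slide map to three queue manager
* event switches. Events arrive as messages on SYSTEM.ADMIN.*.EVENT
* queues; drain them into your logging/SIEM tooling rather than letting
* them sit on the queue.
* Security failures (not-authorized events)
ALTER QMGR AUTHOREV(ENABLED)
* Commands issued (MQSC/PCF command events)
ALTER QMGR CMDEV(ENABLED)
* Configuration changes (object create/change/delete events)
ALTER QMGR CONFIGEV(ENABLED)
* Confirm the switches and see whether anything is already queued up.
DISPLAY QMGR AUTHOREV CMDEV CONFIGEV
DISPLAY QLOCAL('SYSTEM.ADMIN.*') CURDEPTH
```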


Page 21: The bits bytes and business benefits of securing your mq environment and messages final

Encryption
Hiding your valuable data from prying eyes

• Link-level encryption from SSL/TLS protocols
• End-to-end encryption from AMS

[Feature matrix: link-level and end-to-end encryption support for MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service), DataPower and MQ Appliance; the cell marks did not survive extraction]
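The end-to-end (AMS) protection this slide contrasts with link-level TLS, as an added example that is not part of the deck. It assumes an AMS-enabled MQ V8 queue manager where the MQSC SET POLICY command is the equivalent of setmqspl, and that the producing and consuming users hold the named certificates; the queue names and DNs are constructed.

```mqsc
* Added example (constructed names): AMS policies for two queues.
* An AMS policy is named after the queue it protects. Unlike link-level
* TLS, the message stays protected while it sits on the queue and as it
* crosses intermediate queue managers; only the named recipient can read
* it and only messages from the named signer are accepted.
*
* Integrity only: anyone allowed to get from the queue can read the
* payload, but tampering and spoofing are detected. Fine for an audit
* trail that must be trustworthy but is not confidential.
SET POLICY(APP.AUDIT.TRAIL) SIGNALG(SHA256) ENCALG(NONE) +
    SIGNER('CN=app1,O=Example') ENFORCE ACTION(REPLACE)
*
* Sensitive data: sign AND encrypt. The producer (signer) and the
* consumer (recipient) are both pinned to certificates, so a leaked
* queue dump or a compromised intermediate hop yields only ciphertext.
SET POLICY(APP.PAYMENTS) SIGNALG(SHA256) ENCALG(AES256) +
    SIGNER('CN=app1,O=Example') RECIP('CN=payments,O=Example') +
    ENFORCE ACTION(REPLACE)
*
* ENFORCE rejects unprotected or mis-signed messages on get (they are
* moved to SYSTEM.PROTECTION.ERROR.QUEUE, which should be monitored).
* TOLERATE lets unprotected messages through and belongs to migration
* windows only; never leave it on a queue that carries sensitive data.
DISPLAY POLICY(APP.PAYMENTS)
DISPLAY QLOCAL(SYSTEM.PROTECTION.ERROR.QUEUE) CURDEPTH
```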


Page 22: The bits bytes and business benefits of securing your mq environment and messages final

What now?

Review your systems for currency
• Are you using the latest MQ versions with the most robust features?
• Are you up to date on fixpacks?
• Have you applied the latest OS/firmware updates?

Do you have an end-to-end security policy?
• Protecting your systems: implementing built-in MQ security features?
• Protecting your messages: implementing MQ AMS?

Do you know how to review your logs?
Work with your audit teams to ensure they are happy with your policy, process and implementation


Page 23: The bits bytes and business benefits of securing your mq environment and messages final

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.


Page 24: The bits bytes and business benefits of securing your mq environment and messages final

Notices and Disclaimers (con’t)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Page 25: The bits bytes and business benefits of securing your mq environment and messages final

Thank You

Your feedback is important!

Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.