© 2015 IBM Corporation
The bits, bytes and business benefits of securing your MQ environment and messages
Morag Hughson - [email protected]
Leif Davidsen – [email protected]
IBM Hursley - UK
Agenda
• The business fundamentals of why you need to secure your MQ environment
• What you need to know when securing your MQ environment
3AME4171 @LeifDavidsen @MoragHughson
The need for connectivity is growing
Connectivity in business infrastructure is increasing
• More information, more systems, more services, deployed anywhere
Connect systems together
• Deliver timely updates of targeted data
• Gain business insight
• Applications and data become valuable assets, not growing costs
New sources of data are changing the world
• However, data without connectivity becomes a burden, not an asset
Connectivity outside the enterprise – clouds, mobile and more
Systems are dynamic – new applications, new sources of data, new consumers of data
• The challenge of delivering data to meet changing demands needs a flexible infrastructure
Roll-your-own code in the applications
• Increases cost, time and complexity, but can deliver the code where you need it
Storing the data in a database or file
• Creates a permanent record, but does nothing to provide timely analysis
A messaging infrastructure can meet both needs
• Keeps the application simple and able to adapt to change
• Can deliver filtered information to consuming applications, and also deliver to a permanent information store
The realities of an increasingly connected environment
Increasing connectivity increases complexity
• Complexity is not just defining, building and operating environments, but complexity in security as well
What is a secure environment for an IT system?
• Connected systems are almost the definition of an insecure environment
• Every system represents a point of attack/risk
• Adding multiple security layers across multiple systems is likely to create an unusable environment
• Not to mention huge performance implications
What are the costs of security risks
Figures used in this presentation: 2014 Cost of Data Breach Study from Ponemon Institute and IBM – see it here: https://ibm.biz/BdE5qP
Pressures deflecting from security
Challenge over complex IT systems
• Simpler approach required
• Speed essential
• Performance of systems
• Time taken to achieve desired outcome
Pressure on skills and resources
• More generalists
• Fewer specialists
• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions
• Security seen as burden rather than a business asset
• Focus on IT/resource spend on positive outcomes
Cost per record of data breach (per industry)
Can you afford to take risks?
Your IT environment is becoming hyper-connected.
• You need to secure your systems
• You need to understand the risks if you don’t secure them
• You need to understand the risks if you secure them inefficiently
External threats to your business
• Targeted attempts
• ‘Mass-market’ attempts
Internal threats
• Disaffected employees
• Errors or poor processes
Regulatory compliance
• Industry, legal or other types of rules/regulations
Business directives
• Corporate directives to be met
Breakdown of the risks
Can’t simply focus on protecting from hacking – need robust processes and end to end security approaches
Risks with an external breach
Exposure and loss of corporate data
• Loss of internal and external trust in the business
• Loss of reputation
• Compromise of business systems and data can put at risk existing products, and future developments
Exposure of customer information
• Potential for damages
• Penalties in market and from regulators
• Potential for legal action if due care was not taken to protect systems
Costs to your business with a security breach
The costs of cleaning up a security breach are likely to outweigh the costs of implementing a strong security policy
Risks with an internal breach
• Were processes followed?
• Was it deliberate or accidental?
• What data has been exposed?
If a retailer is breached, has customer data, especially payment data, been exposed?
If a healthcare provider is breached, has patient or clinical data been affected?
If a manufacturing company is breached, have confidential designs or other materials been released?
Life sciences… Aerospace… Investment bank…
The burden of proof
Being secure is not enough – you need to prove it
The most secure system in the world is nothing without being able to pass an audit
Security is more than just authentication, authorization and encryption
• Process
• Logging
• Records
Every step, from initial configuration through to removal of access, must be verifiable
Implications of applying security
Adds complexity to configuration, operation, maintenance
• Who manages security? What other access do they have?
• Is security done globally, locally, by system?
• Authentication: system specific, repository
• Authorisation: users, roles, groups?
• Encryption: data in flight? Data at rest?
• Logging, auditing: prove to yourself, prove to auditor
Connecting your enterprise with MQ
Provides messaging services to applications and Web services that need to exchange data and events with:
(Diagram: Application A and Application Z exchanging messages through queue managers linked by channels, spanning pervasive devices, sensors e.g. RFID, mobile phones, regional and branch offices, petrol forecourts, refineries, retail stores and zEnterprise; industries shown: financial services & banking, manufacturing, government, retail)
Universally supported by multiple platforms; 20 years leading in transactional message delivery
• Inherent reliable delivery and transaction control
• Native, high-speed handling of any type of message or file
• Native lightweight capabilities for supporting remote devices & sensors
• End-to-end advanced security
• Single point of control, visibility, and management for all data movement
• Applications become more flexible and data movement becomes more reliable
• Capabilities like the Coupling Facility in System z provide unique strengths
• Extensive support through years of development, skills and partner ecosystem extensions
• Comprehensive single solution reduces complexity of deployment and operation
Moving data using files is risky too
Process risk
• Delays in transferring files impact collaboration with customers/partners
• Integration files that are delayed impact SLAs
• Failure of file delivery impacts the processes themselves
Security risk
• Data encryption and governance of sensitive information transmitted in files
• Inability to apply corporate security policies to person-initiated file transfers
• No visibility over the type and sensitivity of the data being transferred
• No ability to support audit requirements
Authentication
• Digital certificates (SSL/TLS): mutual or queue manager only authentication; encrypt and tamper-proof your traffic
• User ID and password validation: new in IBM MQ V8; use of MQ Light is gated by password validation
• IP filtering: in MQ you no longer need exits, MQ V7.1 provides CHLAUTH
(Table: SSL/TLS, password validation, IP filtering and restricted-network support per product – MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service), DataPower, MQ Appliance; the per-product check marks are not recoverable from the extraction)
The MQ Light Service in Bluemix is on a restricted network that only the users bound to that Bluemix instance can connect to.
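Added example, not from the deck: the CHLAUTH (MQ V7.1+) and CONNAUTH (MQ V8+) definitions the slide refers to, emitted as MQSC by a POSIX shell script so they can be reviewed before being piped into runmqsc. The queue manager QM1, channel APP1.SVRCONN, subnet 10.0.1.*, certificate DN CN=app1,O=Example and OS user app1usr are assumed names.

```shell
#!/bin/sh
# Added example (not from the deck): the layered CHLAUTH (MQ V7.1+) and
# CONNAUTH (MQ V8+) definitions for one SVRCONN channel, emitted as MQSC.
# Assumed names: queue manager QM1, channel APP1.SVRCONN, subnet 10.0.1.*,
# client certificate DN CN=app1,O=Example, low-privilege OS user app1usr.

# Before V7.1 a SVRCONN with a blank MCAUSER trusted whatever user ID the
# client asserted; these rules replace the exits once needed to stop that.
# Usage: chlauth_mqsc CHANNEL ADDRESS_PATTERN PEER_DN MCAUSER
chlauth_mqsc() {
  chl=$1; addr=$2; peer=$3; mcauser=$4
  cat <<EOF
* Back-stop: every address is refused unless a more specific rule admits it
SET CHLAUTH('$chl') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop') ACTION(REPLACE)
* IP filtering: only the application subnet may connect on this channel
SET CHLAUTH('$chl') TYPE(ADDRESSMAP) ADDRESS('$addr') USERSRC(CHANNEL) DESCR('App subnet') ACTION(REPLACE)
* Certificate to user mapping: the TLS peer DN, from that subnet, runs as a fixed
* low-privilege MCAUSER rather than the user ID the client asserts
SET CHLAUTH('$chl') TYPE(SSLPEERMAP) SSLPEER('$peer') ADDRESS('$addr') USERSRC(MAP) MCAUSER('$mcauser') ACTION(REPLACE)
* No administrative user ID may ever come in over this channel
SET CHLAUTH('$chl') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
EOF
}

# Usage: connauth_mqsc AUTHINFO_NAME
# CHCKCLNT(REQUIRED) makes client user ID and password validation mandatory;
# ADOPTCTX(YES) makes the validated ID the one used for authorization checks.
connauth_mqsc() {
  cat <<EOF
DEFINE AUTHINFO('$1') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) FAILDLAY(1) REPLACE
ALTER QMGR CONNAUTH('$1')
REFRESH SECURITY TYPE(CONNAUTH)
EOF
}

# Everything for QM1 in one script, ready to be piped into: runmqsc QM1
security_mqsc() {
  chlauth_mqsc APP1.SVRCONN '10.0.1.*' 'CN=app1,O=Example' app1usr
  connauth_mqsc APP.IDPW
}

security_mqsc
```

The SSLPEERMAP rule carries the ADDRESS filter as well, because a matching mapping rule is applied instead of the ADDRESSMAP rules, not in addition to them.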
Authorization
(Table: machine-specific versus external-repository user IDs per product – MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service), DataPower, MQ Appliance; appliances list machine-specific IDs as "demos only", MQ Light is N/A (single user) with access tied to the Bluemix instance)
Granular access control
• Covers operations by applications (e.g. put and get) and administrative tasks (e.g. alter and start)
• OAM on distributed MQ; SAF on z/OS MQ
• MQ utilises machine-specific user IDs (OS IDs)
• Appliances can use machine-specific user IDs for demo purposes, but for production expect use of a centralized repository of user IDs (LDAP)
• MQ Light only allows Bluemix users that are bound to that instance to have any access to the MQ resources, but those users have no administration access.
Auditing – keep track of who does what
• Security failures are reported to provide an audit trail
• MQ event messages
• MessageSight log files
• MQ Light is self-service so there is no admin role, e.g. queues are automatically created on first use
(Table: security failures, commands issued and configuration changes recorded per product – MQ (z & Dist; security failures via SAF on z/OS), MessageSight, MQ Light (N/A), DataPower, MQ Appliance)
Encryption – hiding your valuable data from prying eyes
• Link-level encryption from SSL/TLS protocols
• End-to-end encryption from AMS
(Table: link-level and end-to-end encryption support per product – MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service), DataPower, MQ Appliance)
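Added example, not from the deck: the two layers the slide separates, link-level TLS on a channel and an end-to-end AMS policy on a queue, emitted as MQSC and commands for review. QM1, APP1.SVRCONN, APP.REQUEST, the key repository path, the CipherSpec and the DNs under O=Example are assumed values.

```shell
#!/bin/sh
# Added example (not from the deck): link-level TLS on a channel and an
# end-to-end AMS policy on a queue, as MQSC and commands for review.
# Assumed names: queue manager QM1, channel APP1.SVRCONN, queue APP.REQUEST,
# key repository /var/mqm/qmgrs/QM1/ssl/key, DNs under O=Example.

# Link-level: once SSLCIPH is set the channel refuses unencrypted connections,
# SSLCAUTH(REQUIRED) demands a client certificate, and SSLPEER only accepts
# DNs from the expected organisation. The data is in clear again on each queue.
# Usage: tls_channel_mqsc CHANNEL CIPHERSPEC PEER_FILTER KEYREPOS
tls_channel_mqsc() {
  cat <<EOF
ALTER QMGR SSLKEYR('$4')
* A channel with a blank SSLCIPH would carry the traffic in clear
ALTER CHANNEL('$1') CHLTYPE(SVRCONN) SSLCIPH('$2') SSLCAUTH(REQUIRED) SSLPEER('$3')
REFRESH SECURITY TYPE(SSL)
EOF
}

# End-to-end: AMS signs and encrypts the payload in the putting application
# and decrypts it only in the named recipient, so it stays protected on every
# queue, log and intermediate hop in between.
# Usage: ams_policy_cmd QMGR QUEUE AUTHOR_DN RECIPIENT_DN
ams_policy_cmd() {
  echo "setmqspl -m $1 -p $2 -s SHA256 -e AES256 -a '$3' -r '$4'"
  # Show the policy back to confirm what was applied
  echo "dspmqspl -m $1 -p $2"
}

encryption_plan() {
  tls_channel_mqsc APP1.SVRCONN TLS_RSA_WITH_AES_256_CBC_SHA256 'O=Example' /var/mqm/qmgrs/QM1/ssl/key
  ams_policy_cmd QM1 APP.REQUEST 'CN=app1,O=Example' 'CN=app2,O=Example'
}

encryption_plan
```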
What now?
Review your systems for currency
• Are you using the latest MQ versions with the most robust features?
• Are you up to date on fixpacks?
• Have you applied the latest OS/firmware updates?
Do you have an end-to-end security policy?
• Protecting your systems: implementing built-in MQ security features?
• Protecting your messages: implementing MQ AMS?
Do you know how to review your logs?
• Work with your audit teams to ensure they are happy with your policy, process and implementation
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont’d)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.