Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)

Implementation of RBAC and Data Classification

Steve Tresadern Rui Miguel Feio

RSM Partners

September 2014

v1.5

Agenda

- Introductions
- Data Classification & Ownership
- Role-Based Access Control (RBAC)
- Maintaining the environment
- Results
- Q&A

Who are we?

- Steve Tresadern
  - 27 years mainframe experience
  - Former z/OS Systems Programmer
  - Experience in Cryptography, RACF, Compliance
- Rui Miguel Feio
  - 15 years mainframe experience
  - Experience in z/OS, RACF, zSecure, Development
  - Last 4 years working in Security and implementing RBAC

DATA CLASSIFICATION & OWNERSHIP

Data Classification – What is it?

- Understanding what your data is

(Pie chart, share of data by classification: Sarbanes Oxley 36%, Development 23%, Customer - Confidential 16%, User 14%, Credit Card 11%)

Data Classification – What is it?

- Who owns your data

(Pie chart, share of data by owner: Branch 27%, Insurance 22%, Development 14%, HR 13%, Systems 9%, User 8%, Credit Card 7%)

Data Classification – Reasons to do it

- Audit requirements
- Compliance
- Who has privileged access?
- Who is accessing confidential information?
- Reduce the risk of fraud

Data Classification – Aims

- Every dataset and resource profile must be:
  - classified in terms of confidentiality and integrity
  - linked to an application
  - defined with the correct basic security
- Understand who has privileged access
- Every application has a business/data owner:
  - ideally the owner approves all access
  - the owner reviews who has access
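As an added example, not taken from the presentation or from RSM's tooling, the batch job below shows one way to carry these aims into RACF: each dataset profile is tagged with its classification and its application in the installation-data field, owned by the application's owner group, with no default access and auditing set according to the classification. The group names (PAYOWN, SYS1 as superior group), the profile names (PROD.PAY.*) and the tag layout CLASS=.../INTEG=.../APPL=... are assumed conventions, not a standard.

```jcl
//CLASSIFY JOB (ACCT),'CLASSIFY PAYROLL DATA',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the presentation. All names and the
//* DATA() tag format CLASS=<conf>/INTEG=<level>/APPL=<app> are
//* assumed conventions.
//*
//* Step 1: an owner group for the payroll application. DATA() names
//*         the business owner so the profile traces back to a person.
//* Step 2: confidential payroll master data. No default access
//*         (UACC(NONE)), owned by the application owner group, and
//*         every successful or failed READ and above is logged.
//* Step 3: an existing profile for payroll reports is reclassified
//*         in place; only failures are logged for internal data.
//* Step 4: verify the attributes and the access list.
//* Step 5: list every profile under PROD.PAY so untagged profiles
//*         can be picked out and tagged the same way.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP PAYOWN SUPGROUP(SYS1) OWNER(SYS1) +
           DATA('PAYROLL APPLICATION OWNER - J.SMITH, HR')
  ADDSD 'PROD.PAY.MASTER.**' GENERIC UACC(NONE) OWNER(PAYOWN) +
        AUDIT(ALL(READ)) +
        DATA('CLASS=CONFIDENTIAL/INTEG=HIGH/APPL=PAYAPP')
  ALTDSD 'PROD.PAY.REPORT.**' GENERIC UACC(NONE) OWNER(PAYOWN) +
         AUDIT(FAILURES(READ)) +
         DATA('CLASS=INTERNAL/INTEG=MEDIUM/APPL=PAYAPP')
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('PROD.PAY.MASTER.**') GENERIC ALL
  SEARCH CLASS(DATASET) FILTER(PROD.PAY.**)
/*
```

The SEARCH output is the worklist: any profile it returns whose LISTDSD shows an empty installation-data field has not been classified yet. Keeping the classification in the profile itself, rather than only in a spreadsheet, means the RACF database stays one of the sources of truth for classification and ownership rather than drifting away from it.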

Sources for Data Classification

- RACF Database
- Naming Standards
- Access Monitor
- Support Teams
- Local Knowledge
- XBridge Datasniff

Sources for Data Ownership

- RACF Database
- Service Management
- Support Teams
- Service Database
- Local Knowledge

Data Classification – Challenges

- Lack of knowledge in support teams
- Development team processes
- Cooperation of business areas
- Non-RACF based security
- Unravelling the environment
- Service Database: is it up to date?

Data Classification Benefits

- Reduced risk of fraud
- Who has privileged access
- Focused monitoring
- Recertification
- Audit
- Compliance

ROLE-BASED ACCESS CONTROL (RBAC)

RBAC – Reasons to do it

- The business organisation keeps changing
- Managing the mainframe security environment
- Audit requirements
- Compliance
- Recertification
- Removing access that is not required

RBAC Common Challenges - I

- Historical code
- Global Access Table (GAT): a GAT entry grants the listed access to every user before the profile's access list is consulted, and accesses satisfied by the GAT produce no SMF audit records, so they cannot be attributed to a role from access data
- Lack of technical knowledge
- Cooperation of business areas
- Implementing least-privilege access
- DB2 (privileges may be held in the DB2 catalog rather than in RACF profiles)
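The GAT challenge in practice, as an added example that is not part of the presentation: list the Global Access Table, put the covering dataset profile into WARNING mode so that, once the GAT entry is gone, any access the role groups do not yet grant is logged but still allowed, remove the entry, refresh, and show the access list for comparison against the role groups. The profile name PROD.PAY.REPORT.** and the GAT entry are assumed.

```jcl
//GATCHECK JOB (ACCT),'DRAIN GAT ENTRY',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the presentation. Profile and GAT entry
//* names are assumed.
//*
//* Step 1: list every entry in the Global Access Table.
//* Step 2: WARNING mode on the covering profile. Requests that the
//*         access list would reject are logged (AUDIT(ALL(READ)))
//*         but allowed, so removing the GAT entry cannot break a
//*         batch job overnight; the log shows which role groups
//*         still need a PERMIT.
//* Step 3: drop the GAT entry and refresh the in-storage table.
//* Step 4: refresh generic profiles and list the access list.
//* Once the log has been quiet for the agreed period, enforce with
//*   ALTDSD 'PROD.PAY.REPORT.**' GENERIC NOWARNING
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RLIST GLOBAL DATASET
  ALTDSD 'PROD.PAY.REPORT.**' GENERIC WARNING AUDIT(ALL(READ))
  RALTER GLOBAL DATASET DELMEM('PROD.PAY.REPORT.**')
  SETROPTS GLOBAL(DATASET) REFRESH
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('PROD.PAY.REPORT.**') GENERIC AUTHUSER
/*
```

WARNING mode is the safety net here, not the end state: a profile left in WARNING grants everything, so the NOWARNING step has to be scheduled and tracked, or the exercise has simply replaced one form of open access with another.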

RBAC Common Challenges - II

- Recertification tools
- Unravelling the RBAC

RBAC – Define Standards and Rules

Define the RBAC rules:

- A personal userid is connected to one role group
- The role group describes the business role
- The role group contains all the access the role needs
- Every role group has an 'owner'
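The four rules above expressed as RACF commands, as an added example that is not the presentation's or RSM's code: one role group per business role, owned by a named owner group, holding all the access the role needs; the personal userid is connected to it and removed from the legacy groups it used to rely on. The names (role group RPAYCLK under an assumed RBAC superior group, owner group PAYOWN, userid USR0001, legacy groups OLDGRP1 and OLDGRP2, the dataset and FACILITY profiles) are assumed.

```jcl
//RBACROLE JOB (ACCT),'DEFINE ROLE GROUP',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the presentation. All names are assumed.
//*
//* Step 1: the role group. DATA() states the business role it
//*         describes; OWNER() is the group that approves its access.
//* Step 2: all the access the role needs is granted to the role
//*         group, never to the userid.
//* Step 3: the personal userid is connected to the role group.
//*         RACF will not REMOVE a user from its default group, so
//*         the default group is switched to the role group first,
//*         then the legacy connects are removed.
//* Step 4: refresh generics and list the result for the owner.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP RPAYCLK SUPGROUP(RBAC) OWNER(PAYOWN) +
           DATA('ROLE: PAYROLL CLERK - OWNER PAYOWN')
  PERMIT 'PROD.PAY.MASTER.**' GENERIC ID(RPAYCLK) ACCESS(READ)
  PERMIT 'PROD.PAY.REPORT.**' GENERIC ID(RPAYCLK) ACCESS(UPDATE)
  PERMIT PAY.CLERK.TRAN CLASS(FACILITY) ID(RPAYCLK) ACCESS(READ)
  CONNECT USR0001 GROUP(RPAYCLK) AUTHORITY(USE) OWNER(PAYOWN)
  ALTUSER USR0001 DFLTGRP(RPAYCLK)
  REMOVE USR0001 GROUP(OLDGRP1)
  REMOVE USR0001 GROUP(OLDGRP2)
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
  LISTGRP RPAYCLK
  LISTUSER USR0001
/*
```

AUTHORITY(USE) matters: a clerk connected with CONNECT or JOIN authority could add other users to the role group, which would let the role grow outside the owner's approval. The LISTGRP output at the end is what the role owner signs off on at recertification: the members are the people in the role, and the PERMITs on the profiles are what the role can do.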

RBAC - Sources of data

- HR data
- RACF
- Business org. chart
- Phone list
- Global Address List
- Local knowledge
- Access Monitor

RBAC Stages – An overview

1. Analyse and prepare the mainframe environment
2. Identify logical groupings
3. Engage with managers and users
4. Devise the RBAC implementation plan
5. Test the RBAC implementation
6. Implement RBAC
7. Update/develop processes

RBAC Implementation Tools

- RSM RBAC tool
- RSM DB2 RBAC tools
- Access Monitor data
- RACF Offline
- CARLa code

RBAC Benefits – Some examples

- Reduced risk of fraud
- Security management
- Joiners, movers, leavers
- Recertification
- Audit
- Monitoring
- Who is who
- Who does what
- Least privilege access

MAINTAINING THE ENVIRONMENT

Tools – Maintain the environment

- In-house security panels
- IBM zSecure Command Verifier
- IBM zSecure z/Alert
- RSM zMonitor
- RSM zDashboard

Tools – RSM zMonitor (screenshot)

Tools – RSM zDashboard (screenshot)

RESULTS

Reduction in Privileged Accesses (bar chart)
- Before: 737,468
- After: 73,669 (about a 90% reduction)

Reduction in Privileged Users (bar chart)
- Before: 12,949
- After: 4,347 (about a 66% reduction)

Questions

Contact Details

- Rui Miguel Feio - [email protected]
- Steve Tresadern - [email protected]
- RSM Partners - www.rsmpartners.com