
System Z Mainframe Security For An Enterprise


DESCRIPTION

System z provides technology that makes it one of the most secure platforms available, and it can also be used to secure other platforms. This presentation gives a number of examples of enterprise security: reduce your cost and your risk, and improve your security and resilience, with System z.


Page 1: System Z Mainframe Security For An Enterprise

© 2011 IBM Corporation

Security in a Distributed Environment

The role of the Mainframe

The future runs on System z

Jim Porell, IBM Distinguished Engineer, Deputy CTO, Federal Sales

Page 2

Security on System z: Reducing risk for the Enterprise

Basic Insurance Policy

– $100,000 Liability
– Rider: Excess replacement for valuable items
– Rider: Excess medical coverage
– Rider: Unlimited vehicle towing
– Rider: Excess liability insurance
– $3,000,000

Basic Security: System z

– RACF
– Data Encryption services
– Enterprise Key mgt
– Identity Management
– Compliance Reporting
– Fraud Prevention, Forensics and Analytics

Page 3

Common “Data Processing” Program models

Transaction processing

– Point of sale
– Claims processing
– Credit/Debit/Transfer
– Working off an operational data store (ODS)

Data Mining/Data warehouse

– Batch operations – many times not on the operational data store
– Looking for new business opportunities

Operational Risk (OR)

– Leverages the data base
– Originally, it was also using a copy of the ODS for detection purposes
– After 9/11, this proved to be inefficient. Fraud occurs during the batch window
– Now OR is more preventative, so it must work off of real time data
– Additions to any OR database must also be considered in real time vs batch

Page 4

There are patterns for security as well

The IBM Security Framework

Diagram labels: Professional Services; Managed Services; Hardware & Software; Common Policy, Event Handling and Reporting

Domains:

– Security Governance, Risk Management and Compliance
– People and Identity
– Data and Information
– Application and Process
– Network, Server, and End-point
– Physical Infrastructure

Capabilities:

– Authentication
– Access Control
– Data Privacy
– Audit/Compliance
– Registration/Enrollment
– Incident and Event Management

Strategy: zEnterprise as a control point for the Enterprise

Page 5

Cross Domain Risks

LAN and Network Security

Secure Sign in

Cross Domain Authentication

Self Signed Certificates

Certificate Management

Data privacy

– Developers

– PII data

Abhorrent behavior

Insider Theft

Forensics

Prevention

Security is not all about technology! (It's really about people and processes.)

Page 6

Security Admin Requirements

Systems Admin/DBA

– Identification/Authentication

– Access Control

– Data Confidentiality

– Audit/Compliance

– Registration/Enrollment

– “Cloning” simplifies admin

Network Admin

– DMZ

• Denial of service attacks
• Internet facing
• Firewalls

– Network Bandwidth

– Intrusion Prevention/Defense

End to End reality (aka Cross Domain)

– Virtualization

• When does Cloning make sense? When not?

– Are all network security needs handled?

– Insider threats?

• Forensics; Fraud prevention

– Consistent application of security across domains?

Page 7

Elements of an Enterprise Security Hub

Diagram sections: Data Privacy; Compliance and Audit; Extended Enterprise; Platform Infrastructure

Diagram labels:

– Multilevel Security
– Encryption
– Key Management
– TS1120: Tape encryption
– Common Criteria Ratings
– Support for Standards
– RACF®: Audit, Authorization, Authentication, and Access Control
– Communications Server: IDS, Secure Communications
– IBM Tivoli Security Compliance Insight Manager
– IBM Tivoli® zSecure Suite
– DB2® Audit Management Expert
– Tivoli Identity Manager
– Tivoli Federated Identity Mgr
– Crypto Express 3 Crypto Cards
– System z SMF
– ITDS: LDAP, Scalable Enterprise Directory
– Network Authentication Service: Kerberos V5 Compliant
– z/OS® System SSL: SSL/TLS suite
– ICSF: Services and Key Storage for Key Material
– PKI Services: Certificate Authority
– DS8000®: Disk encryption
– Enterprise Fraud Solutions
– DKMS
– TKLM
– Venafi Encryption Director
– Guardium
– Optim™

Page 8

Customer Problem

Diagram: Wireless Store Infrastructure, with Bank, HQ, Regional Data center, Branch Manager, two Point of Sale terminals, and a Hacker.

– Branch uses WEP for LAN activity
– Processes cards with banks
– Hacker plugs in and gets copies of all transactions
– Problem detected and branch systems get fixed
– Mainframe doesn’t appear affected by distributed leaks
– Hypothesis: Mainframe could help secure end users if they use good procedures
– Branch managers run inventory transactions to mainframe
– No encryption on sign in
– No audit records analyzed

Page 9

Real World Customer Problems

“That problem could never happen at my business”

– Wrong – this problem can occur anywhere there is a change in security administrative control

The weakest link in an enterprise is typically the end user interface

– Virus, worms, Trojan Horses enable someone to hijack the end user interface

– In turn, that hijacked desktop can be used to log into any other server

• Is it “really the authorized end user”? Perhaps not.

– That’s a large risk to a business.

Outsourcers and mainframe IT operations have SLA’s that protect the data they host on their systems.

Do their customers and end users have SLA’s that specify minimum desktop security? Do they manage Desktops and mainframes together?

– Typically not – as a result, there is a major risk that a compromised end user interface can result in compromised mainframe access.

Our Goal is to look at security management across these domains

Page 10

Examples of End to End Security

Diagram: Wireless Business Infrastructure, with Bank, HQ, Outsourcer, Regional Data center, Branch Manager, two Point of Sale terminals, and a Hacker or Insider.

– Mainframe Userid and Password Encryption via Host on Demand
– Virtual Private Network encryption (which exploits the zIIP)
– Audit and anomaly detection via TCIM
– Fraud Forensics, Analysis and Prevention via Intellinx (which exploits the zAAP)
– LAN encryption via WPA which exploits z/OS PKI
– z/OS PKI deployment with Global Services
– PKI management via Venafi

Diagram labels: Compliance Insight Manager; Global Services: Security & Privacy Consulting; z/OS PKI Services

Page 11

System z Solution Edition for Security – Fraud Reference Case

Client Scenario: State Criminal Justice System, Bullet-proof Mainframe security, Many access points

• Policemen access Driver information from portal within Police cruiser
• Detectives track case data via Cognos Analytics application
• Courts manage search warrants and court cases

Provocation: IBM Sales Team targets the CIO and CFO:

“Experience has demonstrated that insider leaks may be utilized to help criminals escape prosecution or to release information about celebrities or high ranking government officials.”

“Your current IT infrastructure is exposed to these leaks which will likely result in civil and criminal penalties.”

“At this very moment, policemen or detectives may be leaking information to criminals or the media. Also you are currently exposed to illegal access of sensitive information. Most alarming is that you may only become aware of such illegal access after your department has become fodder for the Tabloids. In such cases, departments have suffered high-level resignations and civil penalties.”

Solution Edition for Security – Compliance Insight Manager

Mainframe Security Extended end-to-end across the Enterprise

Diagram: Wants and Warrants Database; Illegal queries; headline “Joe Biden selected as Obama’s running mate”

Page 12

Deployment choices toward a Fraud & Forensic Clearing House on System z

Diagram (steps numbered 1 to 5): Host; Switch; 3270 / 5250 / MQ / HTTP traffic; Intellinx Sensor; Intellinx Session Analyzer with Screen/Message Recording, Session Reconstruction and REPLAY; Queue; Event Analyzer with Business Event and Actions; Events Repository and Backlog; Intellinx Reports; MQSeries and Files as inputs.

z/OS Business Goals

– A User activity monitor for forensic and fraud prevention

– Non-invasively capture activities from a wide variety of protocols and systems

– Stealthfully deploy, where possible

Intellinx in Action

– Identified thefts from Dormant bank accounts

– Eliminated RYO audit tools for major Police Dept

– Stopped leakage of personally identifiable information

Bladecenter deployment

– Over 200 blades to meet needs of large financial institution with the five distinct solution points of control

– Weeks to configure and deploy software

– Environmental and FTE costs are highest

– Coordination across security, network and server admin teams

Linux on System z deployment

– Multiple Linux server instances to cover the five distinct solution points of control

– Common hardware reduces environmentals and FTEs

– Network connections must be established to capture traffic

z/OS zWatch edition deployment

– Installation in under an hour, software only

– zIIP and zAAP eligible for 98% of processing keeps software pricing minimal

– High volume, low CPU utilization

– TCA and TCO are less than alternatives

– zWatch unique capability to handle network encrypted traffic

– With zBX, zWatch can handle non-z traffic with network admin assistance and simplify operations

– Reduced overhead and latency for real time analytics
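The user activity monitor described above captures sessions non-invasively; what turns those recordings into fraud prevention is the detection logic run over them. The following is an added example, not code from the presentation or from Intellinx: a minimal monitor applying two rules to constructed audit records (a query on a subject outside the user's assigned cases, as in the "Illegal queries" scenario on page 11, and a user-day whose query volume is far above that user's own baseline). The log format, user names, subject and case ids, and the thresholds are all assumptions made for the example.

```python
# Added example (not from the presentation or from Intellinx): a minimal user-activity
# monitor applying two detection rules over constructed audit records of the kind a
# screen/message recorder captures. All users, subject ids and case ids are invented.
from collections import defaultdict
from statistics import median

# Constructed audit records: "<timestamp> <user> QUERY <subject-id> <case-id or ->".
AUDIT_LOG = """\
2011-03-01T09:15:00 det_lee QUERY S-1001 CASE-77
2011-03-01T10:02:00 det_lee QUERY S-1002 CASE-78
2011-03-01T11:40:00 ofc_ray QUERY S-2001 CASE-90
2011-03-02T08:55:00 det_lee QUERY S-1001 CASE-77
2011-03-02T14:10:00 ofc_ray QUERY S-2001 CASE-90
2011-03-03T09:05:00 det_lee QUERY S-1001 CASE-77
2011-03-03T09:30:00 det_lee QUERY S-1002 CASE-78
2011-03-03T23:01:00 ofc_ray QUERY S-9001 -
2011-03-03T23:02:00 ofc_ray QUERY S-9001 -
2011-03-03T23:03:00 ofc_ray QUERY S-9002 -
2011-03-03T23:04:00 ofc_ray QUERY S-9003 -
2011-03-03T23:05:00 ofc_ray QUERY S-9004 -
2011-03-03T23:06:00 ofc_ray QUERY S-9005 -
"""

# Constructed case-assignment table: subjects each user has a case-linked reason to query.
ASSIGNMENTS = {"det_lee": {"S-1001", "S-1002"}, "ofc_ray": {"S-2001"}}


def parse_log(text):
    """Turn captured lines into (day, user, subject, case) records."""
    records = []
    for line in text.splitlines():
        ts, user, action, subject, case = line.split()
        if action == "QUERY":
            records.append((ts[:10], user, subject, None if case == "-" else case))
    return records


def unassigned_lookups(records, assignments):
    """Rule 1: a query on a subject outside the user's assigned cases."""
    return [(day, user, subject) for day, user, subject, _case in records
            if subject not in assignments.get(user, set())]


def volume_outliers(records, ratio=3.0, min_count=5):
    """Rule 2: a user-day far above that user's own median daily volume.
    min_count is an absolute floor so a quiet user's normal busy day is not flagged."""
    per_user_day = defaultdict(int)
    for day, user, _subject, _case in records:
        per_user_day[(user, day)] += 1
    per_user = defaultdict(list)
    for (user, day), n in per_user_day.items():
        per_user[user].append((day, n))
    outliers = []
    for user, days in per_user.items():
        baseline = median(n for _d, n in days)
        outliers += [(user, day, n) for day, n in days
                     if n >= min_count and n >= ratio * baseline]
    return sorted(outliers)


def report(text=AUDIT_LOG, assignments=ASSIGNMENTS):
    """Run both rules; each hit is a candidate for session replay and review."""
    records = parse_log(text)
    return {"unassigned": unassigned_lookups(records, assignments),
            "volume": volume_outliers(records)}
```

On the constructed log, both rules point at the same late-night burst by one user, which is the session a reviewer would replay first.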

Page 13

System z Solution Edition for Security – Encryption Reference Case

Client Scenario: Large Airline, Web enabled reservation system, High volume transaction processing

• Consumers and Travel Agents leverage SOA portal to access reservations
• 10,000’s of tickets sold daily via the web
• Secure access for client access and privacy is essential to workflow

Provocation: IBM Sales Team targets the CIO and CFO:

“Encryption is leveraged to protect personally identifiable information transmitted across the internet. Each application is signed to ensure that spoofing cannot occur. Self signed certificates are used by application developers to speed deployment. However, transactions fail when certificates expire.”

“Your system is not immune to this issue and when certificates expire, your online reservations will fail.”

“You currently lack a central control point to manage certificate expiration. Failure to detect an impending expiration will lead to an outage that will result in lost bookings. Based on your transaction volumes, your firm will lose $3M dollars per day in perishable reservations. This need not be left to chance….IBM has a solution to eliminate this costly exposure.”

Solution Edition for Security

Mainframe Security Extended end-to-end across the Enterprise

Diagram: Lost Revenues (and Customers)

Page 14

Three types of encryption keys to be managed

Symmetric keys

– Used for encrypting storage devices – Tapes and Disks

– Management comes from:

• Initially managed by EKM
• Evolving toward TKLM. However, TKLM requires an Asymmetric key to be boot strapped

Asymmetric keys

– Used for identification and authentication

– Used by applications, interactive sessions, web services, networking, POS Devices

– Management comes from

• Roll your own applications, such as the sample web pages shipped with PKI Services
• DKMS – a services offering
• Venafi or Verisign – third party vendors

Root Keys

– Both of the above keys are stored in a hardware security manager (HSM) or “vault”. There needs to be a key to the vault.

– On System z, the Trusted Key Entry desktop is used to manage the crypto hardware

– For other HSMs, (e.g. ATM root, 4758 crypto hardware, oem), GTS has developed DKMS

Page 15

The Reality of Lifecycle Management

Diagram: each lifecycle stage is marked with the Policy (P), Workflow (W) and Audit (A) activities it involves. Stages: Generate; Acquire Certificate; Configure App; Init/Manage Key Store; Index (Metadata); Manage Roots/Trust; Store; Archive/Backup; Distribute/Provision; Discover/Inventory; Control Access; Monitor/Validate; Rotate; Notify/Alert; Retire/Revoke; Destroy.

Legend: Policy – P; Workflow – W; Audit – A
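The Discover/Inventory, Monitor/Validate and Notify/Alert stages above are what the airline scenario on page 13 lacked: a central point that knows every certificate, when it expires, and which of them are developer self-signed certificates running in production. The following is an added example, not code from the presentation or from any IBM or Venafi product: a policy check over a constructed certificate inventory. The inventory entries, the policy thresholds and the as-of date are all assumptions made for the example.

```python
# Added example (not from the presentation or from any IBM or Venafi product): a
# certificate-inventory check covering the Discover/Inventory, Monitor/Validate and
# Notify/Alert stages of the lifecycle, run over a constructed inventory.
from datetime import date

# Constructed inventory, as a discovery pass might record it:
# (name, subject, issuer, not_after as ISO date, environment). All values are invented.
INVENTORY = [
    ("reservations-web", "CN=www.example-air.test", "CN=Corporate Issuing CA", "2011-04-20", "prod"),
    ("booking-api", "CN=api.example-air.test", "CN=api.example-air.test", "2011-03-10", "prod"),
    ("dev-portal", "CN=dev.example-air.test", "CN=dev.example-air.test", "2012-01-01", "dev"),
    ("payments-gw", "CN=pay.example-air.test", "CN=Corporate Issuing CA", "2011-02-28", "prod"),
]

# Policy: when to warn, when to escalate, and where self-signed certificates are tolerated.
POLICY = {"warn_days": 30, "critical_days": 7, "self_signed_ok_in": {"dev", "test"}}

# Constructed "today" so the example is reproducible; a real run would use date.today().
AS_OF = date(2011, 3, 5)


def days_left(not_after, today=AS_OF):
    """Days until expiry; negative once the certificate has lapsed."""
    return (date.fromisoformat(not_after) - today).days


def classify(record, today=AS_OF, policy=POLICY):
    """Return (name, days_left, findings) for one inventory entry."""
    name, subject, issuer, not_after, env = record
    left = days_left(not_after, today)
    findings = []
    if left < 0:
        findings.append("EXPIRED")
    elif left <= policy["critical_days"]:
        findings.append("CRITICAL")
    elif left <= policy["warn_days"]:
        findings.append("WARN")
    # A subject that is its own issuer is self-signed: fine in a sandbox, a finding in prod.
    if subject == issuer and env not in policy["self_signed_ok_in"]:
        findings.append("SELF_SIGNED_IN_" + env.upper())
    return name, left, findings


def renewal_worklist(inventory=INVENTORY, today=AS_OF, policy=POLICY):
    """Entries with at least one finding, most urgent (fewest days left) first."""
    items = [classify(r, today, policy) for r in inventory]
    return sorted((i for i in items if i[2]), key=lambda i: i[1])


def alerts(inventory=INVENTORY, today=AS_OF, policy=POLICY):
    """One alert line per finding, the shape a Notify/Alert step would forward."""
    return [f"{name}: {tag} ({left} days left)"
            for name, left, tags in renewal_worklist(inventory, today, policy)
            for tag in tags]
```

The worklist orders an already-expired certificate ahead of one that is days from expiry, and the self-signed production certificate surfaces even though it is not the most urgent item.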

Page 16

Payment Services

A unique national digital identity card project implemented on a country-wide scale

Business Need: Payment Business Services (PBS) won the contract for implementing and running a digital signature (PKI) infrastructure for the national danID in Denmark.

To meet the needs of the client, PBS had to be able to accommodate the following:

• Same userid and logon-id procedure for both the public and the banking infrastructure.
• Access from any computer.
• Improved security of a two-factor-authentication with a one-time password.

Benefit: This solution allows all Danish citizens to sign on to banking and public systems and perform digital signatures using a single shared one-time password (OTP) device. It is an innovative solution combining a general purpose engine, specialty engines and hybrid accelerators, used together to improve the price/performance ratio.

IBM provides the operational platform for the digital signature infrastructure. The IBM System z9 Enterprise Class server running z/OS is the platform for development, test and production. IBM developed cryptographic security based on mandated security regulations.

Page 17

System z Solution Edition for Security – CI&AM Reference Case

Client Scenario: Automobile manufacturer, automated assembly line, employee administration

• Many applications across a wide variety of systems
• Critical workflows to ensure automated assembly line
• 10,000 active employees that communicate with critical applications

Provocation: IBM Sales Team targets the CIO and CFO:

“Common roles defined across workflow processes are critical to business success. Registration and enrollment of users must be rapid and consistent across application environments.”

“300,000 former employees, who have retired or terminated, still have discrete ids and access to critical data.”

“Your firm is susceptible to espionage and/or sabotage from former employees. You are putting your operations at risk because of the ad hoc provisioning of users to disparate systems. Failure to centralize the administration and removal of unauthorized people from your systems (in a timely fashion) could cost you millions. IBM can help you eliminate this risk and potential for future loss.”

Solution Edition for Security – Identity Manager

Mainframe Security Extended end-to-end across the Enterprise

In the News: Former DuPont employee used access to steal trade secrets on OLED.

In the News: Disgruntled employee of International Financial Services organization planted “logic bomb” which deleted 10 billion files and affected over 1300 servers causing $3M in losses.

Page 18

Application Architecture: The Complexity of Distributed

Business Objectives

– A bank has four basic transactions: Credit, Debit, Transfer, Inquiry
– And they have a variety of choices for front end interface: ATM, Branch Terminal, Kiosk, Web browser, PDA, Cellphone
– Customer uses a Bladecenter to drive multi channel transformation
– The back end processing remains the same regardless of the presentation device

Fully Distributed Model (if deployed)

– Each application becomes a cluster of server images and must be individually authenticated and managed
– Each line is a separate network connection, requiring high bandwidth and protection
– Data is replicated across enterprise to meet scalability
– Customer deploys/builds automation processes to facilitate system recovery with additional software – this is not trivial and requires additional software and unique development
– High environmental needs and full time employees to manage infrastructure

Management Considerations for an enterprise

– Authentication
– Alert processing
– Firewalls
– Virtual Private Networks
– Network Bandwidth
– Encryption of data
– Audit Records/Reports
– Provisioning Users/Work
– Disaster Recovery plans
– Storage Management
– Data Transformations
– Application Deployment

How does the Virtualization Manager improve these?

Diagram: Application Server (WebSphere®) and Service Platform with Database, Connectors, SQLJ, Service, Message, Servlet, RMI/IIOP, EJB, WAS, EJBs and Connectors/Appliances; application components Loan Applic., Bank Teller, General Ledger, Credit Card Processing, Risk Analysis Service, Current Accounts, Batch Programs, Bill Payment Database, Currency Exchange, Batch Process, Temp data to Electronic Data Warehouse, Bill Payment and Authentication Server, each with its own Mgt label.

Page 19

Application Architecture: A Large Enterprise

Diagram labels. End User – Hosted Client: Devices, Desktop Framework, Desktop Framework Services, Personalization, Device Apps., Banking Portal, XML over HTTP(S). Application Server: Websphere, Service Platform, Middleware Services, Connectors, SQLJ, Service, Message, Servlet, RMI/IIOP, EJB, WAS, EJBs, MQ. Service Systems & Databases: Loan Applic., Bank Teller, General Ledger, Credit Card Processing, Risk Analysis Service, Current Accounts, Batch Programs, Bill Payment Database, Currency Exchange, Batch Process, Temp data to Electronic Data Warehouse, Bill Payment, Authentication Server. Platform: System zEnterprise.

Potential advantages of consolidating your application and data serving

With IFL

– Security: Fewer points of intrusion
– Resilience: Fewer Points of Failure
– Performance: Avoid Network Latency
– Operations: Fewer parts to manage
– Environmentals: Less Hardware
– Capacity Management: On Demand additions/deletions

With zAAP & zIIP

– Utilization: Efficient use of resources
– Scalability: Batch and Transaction Processing
– Auditability: Consistent identity
– Simplification: Problem Determination/diagnosis
– Transaction Integrity: Automatic recovery/rollback

With zBX

– Security: Fewer points of intrusion
– Connectivity: Improved throughput
– Simplification: Problem Determination/Monitoring
– Development: Consistent, cross platform tools

zNext Combinations – reducing control points

– Assumes the Bladecenter for the multi channel transformation
– Can leverage Websphere on either Linux for System z or z/OS
– The Bladecenter functionality can be migrated to zBX in the future
– TCA and TCO advantages over distributed
– It’s the very same programming model in a different container that provides a superior operations model

Page 20

Imagine the possibilities…..

Diagram. Traditional Operations: Claims, POS and Credit/Debit transactions on the Mainframe update the DB; Filter, Extract and Move steps copy PII input through tmp files to Decision Support, producing results. zNext (ISAO or ASBs): Claims, POS and Credit/Debit on z update the DB, which is Transformed for Decision Support and Cognos on Linux.

Business Problem

– Data warehouse can detect trends, but not necessarily prevent fraud or upgrade transactions in real time because data is copied in bulk or batch mode

Insight instead of Hindsight

– Data is copied in nanoseconds instead of hours or days
– Opens up opportunities for real time analytics
– Preventing fraud
– Making business analytic decisions faster
– Improves performance and lowers cost
– Uses blade-based specialty processors, storage for warehouse workloads
– Boosts overall query performance 5x – 10x
– Customers could see a 40% reduction in storage utilization
– Supports in-memory column store for parallel star schema queries
– Uses column-based compression to minimize storage needs
– Unchanged interfaces to DB2 for z/OS and thus no changes to the BI/DW applications
– Provides capability to perform both transactional (OLTP) and warehousing (OLAP) type of queries in the same database management system

Page 21

Page 22

Optim Test Data Generation – leverage this to build test versions of Analytic DB’s for Operational Risk

Page 23

Cross Domain Risks

LAN and Network Security

Secure Sign in

Cross Domain Authentication

Self Signed Certificates

Certificate Management

Data privacy

– Developers

– PII data

Abhorrent behavior

Insider Theft

Forensics

Prevention

Page 24

IT Management Trends are changing

Diagram labels: X86, RISC; IT Operations; Application Architects; Mainframe IT operations; Global IT operations; Application Sandbox; Bladecenter; Virtual Clients; Next Gen Applications

As a result, businesses can more rapidly meet their Global Responsibilities:

– Governance, Risk and Compliance
– Business Continuity
– Privacy
– Agility
– Lean and Green

• The mainframe must demonstrate that it is Good Enough to support the next generation of workloads
• It should also demonstrate that collaborating with other systems can yield Fit for Purpose instead of Fit for Politics

Page 25

Questions

The future runs on System z