03-11-2015
Large Systems Update - 2015 Security in Mainframe context
Sven-Erik Vestergaard Security Architect IBM Security
[email protected]
Agenda
• The Threat Landscape
• What is the ‘problem’ with security on the mainframe
• How to adopt Mainframe into the rest of the Enterprise security
• SCR
© 2015 IBM Corporation
Sometimes we just don't think
Example of an Advanced Persistent Threat at a State Government, USA
[Attack flow diagram: malicious e-mail (phishing), stolen user IDs and passwords, databases / systems; 74.7 GB of data, 3.8M SSNs, 3.3M bank account numbers]
• Employee “unwittingly executed malware, and became compromised” after opening a link in an e-mail.
• Attacker harvested the employee’s credentials.
• Leveraging the user’s access rights, the attacker logged in via a remote access service and was able to gain access to other Department of Revenue systems and databases.
• Attacker was able to install backdoor software, password dumping tools, and “multiple generic utilities to execute commands against databases.”
• 33 unique pieces of malicious software and utilities were used to perform the attack.
• The breach went undetected for almost 2 months, leading to 44 systems being compromised.
• 74.7 GB of data was stolen from the State’s 44 systems, including mainframe data copied to SQL servers.
• 3.3 million unencrypted bank account numbers stolen.
• 3.8 million social security numbers for tax filers compromised.
• Cost the state $14 million.
• Department of Revenue Director forced to resign.
44 Systems Breached over Two Months
What an Architect sees: Services-enabled application
[Architecture diagram: clients and pervasive devices pass through Internet firewalls, a load balancer and DNS server to a web server and cache, then to web application servers (J2EE, .Net) and a data server; directory & security services, existing applications & data (CICS, IMS, System i), business data on a storage area network, and business partners and external services sit behind them]
The Three Guiding Security Principles
• Confidentiality: The set of rules or a promise that limits access or places restrictions on information. It is basically equivalent to privacy. Confidentiality involves protecting data from unauthorized access or disclosure.
• Integrity: The assurance that the data being accessed or read has neither been tampered with nor been altered or damaged since the last authorized access. Integrity involves maintaining and assuring the accuracy and consistency of data through its life-cycle.
• Availability: Availability is about resilience, business continuity, and disaster recovery.
Agenda
• What is the ‘problem’ with security and the mainframe
The increasingly desirable target of the mainframe
• 80% of all active code runs on the mainframe
• 80% of enterprise data is housed on the mainframe
Today’s technologies have eliminated “mainframe isolation”
[Diagram: Cloud, Internet, Mobile, Social and Big Data surrounding Business Innovation]
The security challenges are the same for the mainframe
• Rising costs: Mainframe security administration is typically a manual operation and relies upon old and poorly-documented scripts; highly-skilled mainframe administration resources are limited.
• Increasing complexity: The mainframe is an integral component of many large business services, making managing security threats extremely complex and creating a higher risk to the business.
• Ensuring compliance: Compliance verification is a manual task with alerts coming only AFTER a problem has occurred, if at all!
• Lack of visibility: Mainframe processes, procedures, and reports are often siloed from the rest of the organization.
How CISO/CSO normally see the mainframe
• It is where most of the critical data and applications are running.
• It is very different from all other platforms and quite difficult to understand.
• It is extremely secure.
• Everything on the mainframe is managed by the System Administration team, including Security.
• There is no need to bother about Security on the mainframe since everything is under control, by definition.
What our customers are telling us
• Mainframe customers Strongly Agree that they are more vulnerable to security incidents than ever before
• Customers’ Biggest Concerns:
  – 50% Privileged Insiders
  – 29% Web enabled z/OS applications
  – 21% Advanced Persistent Threats
• 86% of Customers agree that Multiple Layers of Defense provide the best protection against a mainframe security incident
Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for System z and the Enterprise
IBM z System is a highly securable environment
Security is embedded into the z Systems architecture: Processor, Hypervisor, Operating system, Communications, Storage, Applications
z Systems security addresses regulatory compliance for:
• Identity and access management
• Hardware and software encryption
• Communication security capabilities
• Extensive security event logging and reporting capabilities
• Extensive security certifications including EAL5+ (e.g., Common Criteria and FIPS 140)
IBM RACF provides identity and access controls and audit capabilities
IBM System z Core Capabilities
Resilience and security have long been hallmarks of mainframe computing, making System z the application computing platform of choice.
Client Challenge: Customers’ security challenges are compounded by starting with less secure computing platforms.
Solution: z/OS has the highest security rating or classification of any commercially available system.
Key Benefits
• RACF and IBM Distributed Identity Data (IDID) provide discrete, end-to-end authentication, transaction auditing, and identity mapping
• Cryptography options support advanced encryption processing
• PKI Services centrally manage certificates
• High-level security connection to backend applications via HiperSockets or IEDN
[Diagram: z/OS hardware with cryptography cards; z/OS with PKI Services, RACF and IDID hosting CICS, DB2, IMS, …; zBX connected via SOAP/https]
Common z/OS security challenges
z/OS security implementation
• Absent, or poorly conceived, security design
• Lack of access controls allows elevated user privileges
• Security is often administered by system programmers due to complexity
z/OS security practices
• Mainframe Unix systems are less securely managed than distributed Unix / Linux servers
• Shared disks between environments (e.g., development, test and production)
• Too many users circumventing controls
• Excessive utility access allows security policy bypass
• Poor data management practices (e.g., access to data, copying of data and reuse of data)
• Inadequate attention to monitoring, alerting, and reporting
Mobile is changing the way we view the perimeter
Building and Maintaining a Secure Enterprise Mobile Application
1. Start with the most secure operating system, applications and database
2. Build, deliver, deploy & maintain secure mobile applications
3. Identify and correct security vulnerabilities as the application is developed and maintained.
[Diagram: IBM Security AppScan Source covers steps 2 and 3; MFP and zBX connect over SOAP/https to z/OS (CICS, DB2, IMS, …, RACF, IDID) and to Linux on z/VM, with PKI Services and cryptography cards on the hardware]
Secure the Users & Devices for the Mobile Enterprise
4. Secure the device
5. Authenticate and authorize the user
[Diagram: Trusteer Mobile at step 4 and IBM Security Access Manager at step 5 in front of MFP, with the same SOAP/https connections to zBX, z/OS and Linux on z/VM]
Web & mobile applications can access data on the mainframe, regardless of where they are hosted
• Application servers throughout the enterprise can have a direct or indirect connection to data on the mainframe
• If not secured, these applications can be attack surfaces for mainframe based data
[Diagram: app servers on other platforms, reached via the Internet/Intranet, connect to databases and to app servers on Linux under z/VM and on z/OS, all on System z]
Agenda
• How to adopt Mainframe into the rest of the Enterprise security
IBM Security zSecure suite automated capabilities
Security audit and compliance
• Enhanced data collection of SMF audit information from: RACF, DB2, CICS, IMS, MQ, SKLM, WAS, UNIX, Linux on System z, OMEGAMON XE on z/OS, FTP, Communication Server, TCP/IP, PDSE and more
• Automated remediation to detect and prioritize potential threats with security event analysis
• Real-time alerts of potential threats and vulnerabilities
• Compliance monitoring and reporting: PCI-DSS, STIGs, GSD331, and site-defined requirements
• Comprehensive customized audit reporting
• Detect harmful system security settings with automated configuration change checking
Administration management
• Reduce administrative overhead with security management tasks
• Prevent abuse of special roles and authorization with privileged user monitoring
• Enforce security policies by blocking dangerous commands and potential errors
• RACF data set cleanup of unused security profiles and inactive / terminated users
zSecure Suite - A comprehensive and continuous approach to mainframe security development
1. Security Policy
2. Security Design
3. Security Implementation
4. Security Enforcement
5. Security Auditing
6. Measurement Against Policy
How about transforming this ...
... into this
A view of the RACF commands that have been executed over a 24 hour period – mainframe customers typically run this type of report on a daily basis!
Event data collected by zSecure Audit
ANALYZE. PROTECT. ADAPT.
• Discovery, classification, vulnerability assessment, entitlement management
• Encryption, masking, and redaction
• Data and file activity monitoring
• Dynamic blocking and masking, alerts, and quarantine
• Compliance automation and auditing
• Analytics
Guardium - Scalable multi-tier architecture: S-TAP for DB2/z, S-TAP for IMS, S-TAP for Data Sets
Integration with LDAP, IAM, IM, IBM TSM, Remedy, …
IBM QRadar Security Intelligence Platform
• INTELLIGENT: Correlation, analysis and massive data reduction
• AUTOMATED: Driving simplicity and accelerating time-to-value
• INTEGRATED: Unified architecture delivered in a single console
QRadar: Optimizing security while expanding monitoring scope for data sources
• Improve analytics performance by offloading data analysis
• Save on storage costs for duplicating data audit logs
• Save on network bandwidth for data audit logs
• No need to turn on audit logs in the DB; save on DB/App performance
[Diagram: Guardium collects normalized audit logs from file, big data, data warehouse, database, application and mainframe sources and performs real-time analysis and preventive measures; QRadar correlates them with network infrastructure and identity data]
An integrated, unified architecture in a single web-based console
• Log Management
• Security Intelligence
• Network Activity Monitoring
• Risk Management
• Vulnerability Management
• Network Forensics
ISIG brings Identity and Access Governance to the mainframe by providing visibility to System z users and their entitlements to auditors and business users
The problem: Mainframe external security managers (IBM RACF, CA-ACF2 and CA-Top Secret) provide an extensive access control framework, but cannot present a comprehensive view of users and their mainframe access rights or toxic combinations of access.
Customer value
• Apply a business-driven approach to Identity and Access Governance across all systems, including mainframe
  – Enterprise-wide visibility to entitlements, across mainframe and distributed systems, ERP and other applications
  – Auditor- and business-friendly presentation of complex/cryptic mainframe access rights
• Identify and report on toxic combinations of mainframe access rights, users with high-level access rights and direct user to resource mapping
• Apply access certification to the mainframe access rights to drive access cleanup activities – reducing risk to the business
• Reduce cost in preparing for audits involving the mainframe
Agenda
• SCR
Mainframe Security Control Review
The Mainframe Security Control Review (MSCR) is a guided maturity self-assessment of the security controls IBM sees the most focus on at our customers. The MSCR is perfect for an organization looking to mature their security practices, to provide a rapid checkpoint against the top focus controls in the industry, or to provide a baseline review for a new CISO or other security leaders.
The controls covered include:
• Collect, Normalize, Correlate, Analyze, Report & Monitor Security Information
• Real-Time Analysis
• Authentication and Access Management
• Identity & Access Governance
• Data Activity Monitoring
• Encryption
• Data Obfuscation
• Static Source Code Analysis
• Vulnerability Management
• Privileged Identity Management
Format: The MSCR is a half-day workshop facilitated by an IBM Security Architect together with one or two additional technical experts.
Mainframe Security Control Review
What to Expect: This workshop focuses on high-level concepts at the architecture and policy level. We begin by gathering baseline information about the vision and current state of your security program. For each control we will map your existing solutions and processes, help you self-assess your as-is maturity, and identify your to-be goal.
Your Participation: Key participants are a management leader and a technical leader, each of whom has an understanding of your security program and the authority to identify next-step actions. Typical roles include the CISO or Director of Security, and a Security Architect or technical leader, Technical Support Manager, or Applications Manager.
What’s Produced: You will receive a report that documents your maturity level, and specific ‘very next actions’ for each control not at the desired state. The output of this activity is considered IBM and Customer Confidential.
Cost: This no-fee workshop is an investment of both your and IBM’s time, and provides significant value to your organization.
Questions ??