Mainframe Security: A Practical Overview
JOE STURONAS - CTO - PKWARE, INC.
About PKWARE
Founded: 1986
30,000 Enterprise Customers
200 Government Entities
Notable Products: PKZIP, SecureZIP, Viivo
SmartCrypt Smart Encryption Platform
Offices: Milwaukee (Headquarters), Dayton, New York, London
Agenda
• Level set on Mainframe
• Mainframe Security Overview
• Data Security
• Interoperability
• Demo
Check all that apply:
• Our security department doesn’t cover the mainframe.
• Our mainframe has audit exclusions that others do not.
• Our mainframe system programmers don’t work well with server and network administrators.
Mainframe Evolution
Mainframe 51st Birthday
IBM System 360 • April 1964
Mainframe Timeline
• 1964: System/360
• 1970: System/370 - Virtual Addressing
• 1983: System/370-XA - 31-bit Extended Architecture
• 1988: ESA/370 - Dataspaces and Hyperspaces
• 1990: System/390 - CMOS Technology
• 2000: z/Architecture – 64-bit Architecture
• 2015: z Systems – z13, 168 CP’s
IBM zBC12: 18 x 4.2GHz CP’s, 489GB RAM
IBM zEC12: 120 x 5.5GHz CP’s, 3TB RAM
Mainframe Virtualization
Diagram: IBM System z → PR/SM LPARs (three shown) → each LPAR runs z/OS, Linux, or z/VM hosting several Linux guests.
Mainframe has been virtualized from the beginning.
Common Workloads
• Batch job: Input Data → APPLICATION PROGRAM (process data to perform a particular task) → Output Data
• Online (interactive) transaction: Query → APPLICATION PROGRAM (access shared data on behalf of online user) → Reply
Common Applications
• Banks
• Manufacturing
• Insurance
• Travel
• Government
Common Subsystems
Languages • COBOL, Java, Assembler, PL/I, JCL
Subsystems • CICS, DB2, IMS, MQ, WebSphere, OMVS, zBX
Mainframe Security Overview
The Three Elements of a Breach
1. They have to get in
2. They have to get to the information
3. They have to get it out
z/OS Security Servers: IBM RACF, CA ACF2, CA Top Secret
All access to the system requires authentication with RACF/ACF2/Top Secret.
Typical Server Security Issues
• Buffer Overflow
• Server Authentication
• Rogue Program Access
• TCP/IP stacks, ports and network addresses
Data Centric Encryption – Where it “Fits”
Diagram labels: “Focus of Compliance” versus “Where Breaches are Happening”.
Approaches shown: Transparent Encryption; FDE; SSL/TLS; Gateways; Brokers; Data Exchange; Point Solution Encryption (Email, SharePoint, Office365); Data Centric Encryption.
Symmetric Key Encryption
Asymmetric Key Encryption
Digital Signing and Authentication
Crypto Facilities – IBM Hardware Crypto
Machine       Crypto Hardware       Algorithms Supported
z196  2817    CPACF, CEX3C          DES, 3DES, AES 128/192/256
z114  2818    CPACF, CEX3C          DES, 3DES, AES 128/192/256
zEC12 2827    CPACF, CEX3C, CEX4C   DES, 3DES, AES 128/192/256
zBC12 2828    CPACF, CEX3C, CEX4C   DES, 3DES, AES 128/192/256
z13   2964    CPACF, CEX4C, CEX5C   DES, 3DES, AES 128/192/256
Key Exposures – Symmetric Key Operational Comparison
Key type    Trade-off          Where the crypto runs                    Where the key lives
CLEAR       Fast, but risky    ICSF software or System z CPACF          Passphrase value, or ICSF CKDS registered (clear)
PROTECTED   Fast & secure      System z CPACF                           ICSF CKDS registered (encrypted)
SECURE      Slow               Cryptographic card (CEX2C/CEX3C/CEX4C)   ICSF CKDS registered (encrypted)
Demo
Demo RACF
Demo UNIX File System Support
Demo – LPAR PKW1
Demo 1 – PKW1
Batch job to create encrypted ZIP file
//ZIP1     EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//JASOUT   DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(1,1)),
//            DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN    DD *
-ENCRYPTION_METHOD(AES256)
-PWD(PKWARE)
-COMPRESSION_LEVEL(1)
-COMPRESSION_METHOD(DEFLATE32)
-DATA_TYPE(TEXT)
-ARCHIVE_OUTFILE(JASOUT)
-ACTION(ADD)
-VERBOSE
-ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
-ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)
JAS.TEXT.LIB
Batch job to email encrypted ZIP file
//TSOB     EXEC PGM=IKJEFT1B
//SYSEXEC  DD DISP=SHR,DSN=USER.CLIST
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//DD1      DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
//SYSTSIN  DD *
%XMITIP [email protected] +
  CC ([email protected]) +
  MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
  SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
  FROM [email protected] +
  FILEDD DD1 +
  Format (BIN) +
  Filename jas.zip
Output from Batch Job
J E S 2  J O B  L O G  --  S Y S T E M  P K W 1  --  N
15.54.04 JOB39394 ---- FRIDAY, 11 SEP 2015 ----
15.54.04 JOB39394 IRR010I USERID JAS IS ASSIGNED TO THIS JOB.
15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS
15.54.05 JOB39394 HTRT01I CPU (Total)
15.54.05 JOB39394 HTRT02I Program Stepname ProcStep RC I/O hh:mm:ss.th
15.54.05 JOB39394 HTRT03I SECZIP ZIP1 00 686 00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B TSOB 00 499 00.25
15.54.06 JOB39394 HTRT06I
15.54.06 JOB39394 HTRT04I JASA Job Service Totals 1185 00.42
15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10 IO Cost $ 1.18
15.54.06 JOB39394 $HASP395 JASA ENDED
------ JES2 JOB STATISTICS ------
11 SEP 2015 JOB EXECUTION DATE
38 CARDS READ
855 SYSOUT PRINT RECORDS
0 SYSOUT PUNCH RECORDS
Output from Batch Job (PKWARE Inc. step statistics)
Program Name  Step Name  Procedure Step  Return Code  Total I/O  I/O Cost $  Service Units
SECZIP        ZIP1                       00           686        0.68        1154
IKJEFT1B      TSOB                       00           499        0.49        1870

Step  Elapsed Time  TCB CPU Time  SRB CPU Time  Total CPU Time  CPU Cost $
      hh:mm:ss.th
ZIP1  01.46         00.15         00.02         00.17           0.04
TSOB  00.73         00.24         00.01         00.25           0.06
Output from Batch Job (SecureZIP messages)
Message IDs shown in the slide’s left column: ZPEN309I ZPEN313I ZPEN313C ZPEN313C ZPEN334I ZPEN315I ZPEN310I ZPEN205I ZPEN205I ZPCM017I ZPCM100I ZPAM253I ZPAM254I ZPAM255I ZPAM255C ZPAM253I ZPAM254I ZPAM255I ZPAM255C ZPAM140I
z/Architecture Hardware Available -zBC12
CSNBSYE System Capable with ICSF when available.
AES is available.
DES/3DES is available.
CPACF Protected Keys are available.
PKA callable services are enabled.
AES(128, 192, 256) Clear Key Hardware Available -zBC12
CP Assist For Cryptographic Functions Available
Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
Cryptographic facility {IBMHardware } is selected for PseudoRandGen
A total of 1 ADD/UPDATE candidate data sets were identified.
Configuration Manager Shutdown. Posting Main Task: 00000000
ADDED File JAS.TEXT.LIB(CRC) as crc.txt (DEFLATED 57%/56%)
SecureZIP(R) AES256 ; DATA SIZE 1,600; ZIP SIZE . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
ADDED File JAS.TEXT.LIB(EBCDIC) as ebcdic.txt (DEFLATED 34%/32%)
SecureZIP(R) AES256 ; DATA SIZE 480; ZIP SIZE 32 . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
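As an added example (not part of the deck or of PKWARE’s tooling), a small Python checker that reads job output of the shape shown above and reports each step’s return code, whether the IBM hardware crypto facility was selected, and which files were protected with a passphrase, which is the CLEAR row of the Key Exposures table. The log lines are constructed to mirror the slides, and the field layouts are assumed from them rather than from vendor documentation.

```python
import re

# Constructed sample modelled on the JES2 log and SecureZIP messages in the deck;
# field layouts below are assumed from those slides, not from vendor documentation.
SAMPLE_LOG = """\
15.54.05 JOB39394 HTRT03I SECZIP ZIP1 00 686 00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B TSOB 00 499 00.25
AES is available.
Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHOD
ADDED File JAS.TEXT.LIB(CRC) as crc.txt (DEFLATED 57%/56%)
SecureZIP(R) AES256 ; DATA SIZE 1,600; ZIP SIZE 712 . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key )
ADDED File JAS.TEXT.LIB(EBCDIC) as ebcdic.txt (DEFLATED 34%/32%)
SecureZIP(R) AES256 ; DATA SIZE 480; ZIP SIZE 32 . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key )
"""

STEP_RE = re.compile(r"HTRT03I\s+(?P<program>\S+)\s+(?P<step>\S+)\s+(?P<rc>\d{2})\s")  # ProcStep column empty
ADDED_RE = re.compile(r"ADDED File (?P<dsn>\S+) as (?P<name>\S+)")
CRYPTO_RE = re.compile(r"SecureZIP\(R\)\s+(?P<method>\S+).*Encrypt\((?P<keytype>[^)]*)\)")
HW_RE = re.compile(r"Cryptographic facility \{IBMHardware\s*\} is selected for ENCRYPTION_METHO")

def audit_job_log(text):
    """Return step return codes, per-file encryption settings and review findings."""
    steps, files, hardware, pending = [], [], False, None
    for line in text.splitlines():
        if m := STEP_RE.search(line):
            steps.append((m["program"], m["step"], int(m["rc"])))
        elif HW_RE.search(line):
            hardware = True
        elif m := ADDED_RE.search(line):
            pending = m["name"]          # the detail line for this file follows
        elif (m := CRYPTO_RE.search(line)) and pending:
            files.append((pending, m["method"], m["keytype"].strip()))
            pending = None
    findings = []
    if any(rc != 0 for _, _, rc in steps):
        findings.append("non-zero step return code")
    if not hardware:
        findings.append("IBM hardware crypto facility not selected")
    for name, method, keytype in files:
        if not method.startswith("AES"):
            findings.append(f"{name}: non-AES method {method}")
        if keytype.startswith("Password"):
            # passphrase protection is the CLEAR row of the Key Exposures table
            findings.append(f"{name}: passphrase (clear-key) protection")
    return {"steps": steps, "files": files, "hardware": hardware, "findings": findings}

if __name__ == "__main__":
    print(audit_job_log(SAMPLE_LOG))
```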
Demo - Mobile
Q&A
JOE STURONAS - CTO - PKWARE, INC.