Mainframe Security: A Practical Overview

JOE STURONAS - CTO - PKWARE, INC.

PKWARE, Inc.
• Founded: 1986
• 30,000 Enterprise Customers
• 200 Government Entities
• Notable Products: PKZIP, SecureZIP, Viivo, SmartCrypt Smart Encryption Platform
• Offices: Milwaukee (Headquarters), Dayton, New York, London

Agenda
• Level set on Mainframe
• Mainframe Security Overview
• Data Security Interoperability
• Demo

Check all that apply:
[ ] Our security department doesn’t cover the mainframe.
[ ] Our mainframe has audit exclusions that others do not.
[ ] Our mainframe system programmers don’t work well with server and network administrators.

Mainframe Evolution

Mainframe 51st Birthday: IBM System 360 • April 1964

Mainframe Timeline
• 1970 - System/370 - Virtual Addressing
• 1983 - System/370-XA - 31-bit Extended Architecture
• 1988 - ESA/370 - Dataspaces and Hyperspaces
• 1990 - System/390 - CMOS Technology
• 2000 - z/Architecture – 64-bit Architecture
• 2015 - z Systems – z13, 168 CP’s

Current machines:
• IBM zBC12: 18 x 4.2GHz CP’s, 489GB RAM
• IBM zEC12: 120 x 5.5GHz CP’s, 3TB RAM

Mainframe Virtualization (diagram): on an IBM System z, PR/SM divides the machine into LPARs; each LPAR runs z/OS, Linux, or z/VM, and z/VM in turn hosts multiple Linux guests.

The mainframe has been virtualized from the beginning.

Common Workloads (diagram)
• Batch job: Input Data -> APPLICATION PROGRAM (process data to perform a particular task) -> Output Data
• Online (interactive) transaction: Query -> APPLICATION PROGRAM (access shared data on behalf of online user) -> Reply

Common Applications
• Banks
• Manufacturing
• Insurance
• Travel
• Government

Common Subsystems
• Languages: COBOL, Java, Assembler, PL/I, JCL
• Subsystems: CICS, DB2, IMS, MQ, Websphere, OMVS, zBX

Mainframe Security Overview

The Three Elements of a Breach
1. They have to get in
2. They have to get to the information
3. They have to get it out

z/OS Security Servers
• IBM RACF
• CA ACF2
• CA Top Secret

All access to the system requires authentication with RACF/ACF2/Top Secret.

Typical Server Security Issues
• Buffer Overflow
• Server Authentication
• Rogue Program Access
• TCP/IP stacks, ports and network addresses

Data Centric Encryption – Where it “Fits” (diagram)

Encryption approaches shown:
• Transparent Encryption
• FDE
• Gateways
• Brokers
• SSL/TLS
• Data Exchange
• Point Solution Encryption (Email, SharePoint, Office365)
• Data Centric Encryption

Building blocks: Symmetric Key Encryption, Asymmetric Key Encryption, Digital Signing and Authentication

Diagram annotations: “Focus of Compliance” and “Where Breaches are Happening”

Crypto Facilities

Machine   IBM Hardware Crypto   Algorithm Supported         Crypto Hardware
z196      2817                  DES, 3DES, AES 128/192/256  CPACF, CEX3C
z114      2818                  DES, 3DES, AES 128/192/256  CPACF, CEX3C
zEC12     2827                  DES, 3DES, AES 128/192/256  CPACF, CEX3C, CEX4C
zBC12     2828                  DES, 3DES, AES 128/192/256  CPACF, CEX3C, CEX4C
z13       2964                  DES, 3DES, AES 128/192/256  CPACF, CEX4C, CEX5C

Key Exposures – Symmetric Key Operational Comparison

CLEAR (Fast, But Risky)
• ICSF Software -or- System z CPACF
• Passphrase Value -or- ICSF CKDS Registered (clear)

PROTECTED (Fast & Secure)
• System z CPACF
• ICSF CKDS Registered (encrypted)

SECURE (Slow)
• Cryptographic Card (CEX2C/CEX3C/CEX4C)
• ICSF CKDS Registered (encrypted)

DEMO

Demo RACF (screenshots)

Demo UNIX File System Support (screenshots)

Demo – LPAR PKW1 (screenshots)

Demo 1 – PKW1

Batch job to create encrypted ZIP file

//ZIP1     EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//JASOUT   DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(1,1)),
//            DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN    DD *
-ENCRYPTION_METHOD(AES256)
-PWD(PKWARE)
-COMPRESSION_LEVEL(1)
-COMPRESSION_METHOD(DEFLATE32)
-DATA_TYPE(TEXT)
-ARCHIVE_OUTFILE(JASOUT)
-ACTION(ADD)
-VERBOSE
-ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
-ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)
JAS.TEXT.LIB

Batch job to email encrypted ZIP file

//TSOB     EXEC PGM=IKJEFT1B
//SYSEXEC  DD DISP=SHR,DSN=USER.CLIST
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//DD1      DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
//SYSTSIN  DD *
%XMITIP [email protected] +
  CC ( [email protected] ) +
  MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
  SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
  FROM [email protected] +
  FILEDD DD1 +
  Format (BIN) +
  Filename jas.zip

Output from Batch Job (JES2 job log)

J E S 2  J O B  L O G  --  S Y S T E M  P K W 1  --  N

15.54.04 JOB39394 ---- FRIDAY, 11 SEP 2015 ----
15.54.04 JOB39394 IRR010I USERID JAS IS ASSIGNED TO THIS JOB.
15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS
15.54.05 JOB39394 HTRT01I CPU (Total)
15.54.05 JOB39394 HTRT02I Program Stepname ProcStep RC I/O hh:mm:ss.th
15.54.05 JOB39394 HTRT03I SECZIP ZIP1 00 686 00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B TSOB 00 499 00.25
15.54.06 JOB39394 HTRT06I
15.54.06 JOB39394 HTRT04I JASA Job Service Totals 1185 00.42
15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10 IO Cost $ 1.18
15.54.06 JOB39394 $HASP395 JASA ENDED
------ JES2 JOB STATISTICS ------
11 SEP 2015 JOB EXECUTION DATE
38 CARDS READ
855 SYSOUT PRINT RECORDS
0 SYSOUT PUNCH RECORDS

Output from Batch Job (step statistics)

Program Name  Step Name  Procedure Step  Return Code  Total I/O  I/O Cost $  Service Units
SECZIP        ZIP1                       00           686        0.68        1154
IKJEFT1B      TSOB                       00           499        0.49        1870

Step  Elapsed Time  TCB CPU Time  SRB CPU Time  Total CPU Time  CPU Cost $   (hh:mm:ss.th)
ZIP1  01.46         00.15         00.02         00.17           0.04
TSOB  00.73         00.24         00.01         00.25           0.06

Output from Batch Job (SECZIP messages)

Message IDs: ZPEN309I ZPEN313I ZPEN313C ZPEN313C ZPEN334I ZPEN315I ZPEN310I ZPEN205I ZPEN205I ZPCM017I ZPCM100I ZPAM253I ZPAM254I ZPAM255I ZPAM255C ZPAM253I ZPAM254I ZPAM255I ZPAM255C ZPAM140I

z/Architecture Hardware Available -zBC12
CSNBSYE System Capable with ICSF when available.
AES is available.
DES/3DES is available.
CPACF Protected Keys are available.
PKA callable services are enabled.
AES(128, 192, 256) Clear Key Hardware Available -zBC12
CP Assist For Cryptographic Functions Available
Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
Cryptographic facility {IBMHardware } is selected for PseudoRandGen
A total of 1 ADD/UPDATE candidate data sets were identified.
Configuration Manager Shutdown. Posting Main Task: 00000000
ADDED File JAS.TEXT.LIB(CRC) as crc.txt (DEFLATED 57%/56%)
SecureZIP(R) AES256 ; DATA SIZE 1,600; ZIP SIZE . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
ADDED File JAS.TEXT.LIB(EBCDIC) as ebcdic.txt (DEFLATED 34%/32%)
SecureZIP(R) AES256 ; DATA SIZE 480; ZIP SIZE 32 . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
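The messages above report each member as SecureZIP(R) AES256 with a password key; the receiving side can confirm that from the archive itself rather than from the job log. The following added example (not from the deck or from PKWARE) walks a ZIP central directory and classifies each entry, assuming per the ZIP APPNOTE that a strongly encrypted entry sets general-purpose bit 0 and carries the 0x0017 strong-encryption extra field whose Bitlen gives the key size, and treating bit 0 without that field as legacy ZipCrypto; the archive it inspects is a constructed sample, not the demo's jas.zip.

```python
import struct

CEN_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED, EXTRA_STRONG = 0x0001, 0x0017   # general-purpose bit 0; strong-encryption extra-field ID

def parse_extra(extra):
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        fields[hid] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields

def classify_entries(data):
    """Walk the central directory and return [(name, protection)] for every entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    out, pos = [], cd_offset
    while pos < cd_offset + cd_size:
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        n_len, x_len, c_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + n_len].decode("cp437")
        extra = parse_extra(data[pos + 46 + n_len:pos + 46 + n_len + x_len])
        if not flags & FLAG_ENCRYPTED:
            kind = "cleartext"
        elif EXTRA_STRONG in extra:   # PKWARE strong encryption: payload is Format, AlgID, Bitlen, Flags, ...
            kind = "strong-encryption %d-bit" % struct.unpack_from("<H", extra[EXTRA_STRONG], 4)
        else:                         # bit 0 set but no strong-encryption header: legacy ZipCrypto
            kind = "zipcrypto (weak)"
        out.append((name, kind))
        pos += 46 + n_len + x_len + c_len
    return out

def build_archive(entries):
    """Assemble a minimal ZIP from (name, flags, extra, payload); CRCs are zero and nothing is really encrypted."""
    body, cdir = b"", b""
    for name, flags, extra, payload in entries:
        common = struct.pack("<HHHHIII", flags, 0, 0, 0, 0, len(payload), len(payload))  # stored, crc 0
        cdir += CEN_SIG + struct.pack("<HH", 20, 20) + common + struct.pack("<HHHHHII", len(name), len(extra), 0, 0, 0, 0, len(body)) + name + extra
        body += b"PK\x03\x04" + struct.pack("<H", 20) + common + struct.pack("<HH", len(name), len(extra)) + name + extra + payload
    return body + cdir + EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries), len(cdir), len(body), 0)

def sample_archive():
    """Constructed sample mirroring the demo: AES-256 strong-encryption member (AlgID 0x6610 per APPNOTE), ZipCrypto member, cleartext member."""
    return build_archive([(b"crc.txt", 0x0041, struct.pack("<HHHHHH", EXTRA_STRONG, 8, 2, 0x6610, 256, 1), b"\0" * 16),
                          (b"ebcdic.txt", 0x0001, b"", b"\0" * 16), (b"readme.txt", 0, b"", b"not sensitive")])
```

Run `classify_entries` over the real archive bytes to list any member that is cleartext or ZipCrypto before accepting it as AES-protected.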

Demo - Mobile (screenshots)

Q&A

JOE STURONAS - CTO - PKWARE, INC.
