© 2009 IBM Corporation, © 2010 IBM Corporation
IBM Security Solutions, System z Solution Edition for Security, & Other Recent Updates
Agenda
Introducing IBM Security Solutions
System z Solution Editions Overview
Solution Edition for Security Highlights
Solution Edition for Security Offerings
Tivoli Security Management for z/OS update
Tivoli Key Lifecycle Manager
Summary
Is the smarter planet secure?
Introducing IBM Security Solutions
Pervasive instrumentation creates vast amounts of data
New services built using that data raise privacy and security concerns…
Critical physical and IT infrastructure
Sensitive information protection
New denial of service attacks
Increasing risks of fraud
The planet is getting more Instrumented, Interconnected and Intelligent.
New possibilities. New risks...
Security challenges in a smarter planet
Source http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
Increasing Complexity
Rising Costs
Ensuring Compliance
Key drivers for security projects
Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010
The cost of a data breach increased to $204 per compromised customer record
Soon, there will be 1 trillion connected devices in the world, constituting an “internet of things”
Cost, complexity and compliance
Data and information explosion
Rising Costs: Do more with less
Compliance fatigue
Emerging technology
Death by point products
People are becoming more and more reliant on security
IBM believes that security is progressively viewed as every individual’s right
Elements of an Enterprise Security Hub
Diagram areas: Data Privacy; Compliance and Audit; Extended Enterprise; Platform Infrastructure
Diagram elements:
Multilevel Security
Encryption
Key Management
TS1120
Tape encryption
Common Criteria Ratings
Support for Standards
Audit, Authorization, Authentication, and Access Control
RACF®
IDS, Secure Communications
Communications Server
IBM Tivoli Security Compliance Insight Manager
IBM Tivoli® zSecure Suite
DB2® Audit Management Expert
Tivoli Identity Manager
Tivoli Federated Identity Mgr
Crypto Express 3 Crypto Cards
System z SMF
LDAP
ITDS
Scalable Enterprise Directory
Network Authentication Service
Kerberos V5 Compliant
z/OS® System SSL
SSL/TLS suite
ICSF
Services and Key Storage for Key Material
Certificate Authority
PKI Services
DS8000®
Disk encryption
Enterprise Fraud Solutions
DKMS
TKLM
Venafi
Guardium
Optim™
Venafi Encryption Director
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE: Design, and deploy a strong foundation for security & privacy
In addition to the foundational elements, the Framework identifies five security focus areas as starting points
PEOPLE AND IDENTITY: Mitigate the risks associated with user access to corporate resources
DATA AND INFORMATION: Understand, deploy, and properly test controls for access to and usage of sensitive data
APPLICATION AND PROCESS: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
NETWORK, SERVER AND END POINT: Optimize service availability by mitigating risks to network components
PHYSICAL INFRASTRUCTURE: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
IBM Security portfolio
Legend: Services / Products
Identity and Access Management
Mainframe Security
Virtual System Security
Database Monitoring and Protection
Encryption and Key Lifecycle Management
App Vulnerability Scanning
Access and Entitlement Management
Web Application Firewall
Data Loss Prevention
App Source Code Scanning
SOA Security
Intrusion Prevention System
Messaging Security
Data Masking
Threat Assessment, Mitigation, and Management
SIEM and Log Mgmt
Security Governance and Compliance
E-mail Security
Application Security
Web/URL Filtering
Vulnerability Assessment
Security Events and Logs
Identity Management
Data Security
Access Management
GRC
Physical Security
Enterprise Linux
Data Warehousing
SAP
WebSphere
GDPS®
Security
Chordiant
ACI
Cloud Computing
Application Development
Special package pricing for our most popular new workloads
– z10 hardware (standalone footprint or isolated LPAR)
– Prepaid hardware maintenance
– Comprehensive middleware stack
– Services and Storage (as needed)
Legendary mainframe quality
– Security, availability and scale
– Integration of applications with corporate data
– Industry leading virtualization, systems management and resource provisioning
– Unparalleled investment protection
System z Solution Editions
Unmatched value, competitively priced
Customer Value
In memory fraud detection, forensics supporting real time prevention not possible on distributed platforms
Centralized Identity and Access Management to simplify security administration, auditing, reporting and compliance.
Simplified Encryption and Key Management to protect data at rest, data in flight and data on removable media
A robust set of capabilities that have been integrated within hardware and software for over 30 years
Reduced complexity and easier management with the highest levels of security certification and a full suite of services available in a single server
Delivering trust and confidence to directly impact your bottom line
Customer Pain Point
Reduced brand image and risk of financial loss resulting from internal and external fraud
Need to support escalating security priorities due to security breaches, identity theft, and increasing compliance requirements
Complexity of monitoring security exposures due to an expanding list of identities
Need for more encryption and reduced complexity of management to protect sensitive information throughout the enterprise
Complexity of implementing security policies across multiple IT initiatives such as server consolidation, green IT, virtualization, TCO
Solution Edition for Security
Ultimate protection for the enterprise at a lower price
Offering Solutions:
Enterprise Fraud Analysis
– Record and playback of insider actions, forensic analysis tools, real time prevention workflow applied to distributed and mainframe operations
– Discover relationships via analytics
Centralized Identity & Access Management
– Cross platform user provisioning and management; Web 2.0 and cross platform authentication services
Enterprise Encryption and Key Management
– Protecting personally identifiable data; enterprise encryption management services: Discover, audit and monitor encryption keys
Securing Virtualization: z/VM®, Linux
– Easily secure applications; security lifecycle management of server images running in Linux for System z server
Compliance / Risk Mitigation / Secure Infrastructure: z/OS
– Audit and Alerts processing, Simplified management operations, Data anonymization for development and test processes
A deeper view into the Solution Edition for Security
What it is
• A comprehensive list of recommended rich Security products for each solution!
• Flexibility to choose the products you need!
• Accelerated solution deployment with the implementation services provided!
• Competitively priced to meet your budget expectations!
Enterprise Fraud Analysis Solution
Customer Challenges
• Internal and external fraud cost billions of dollars in losses
• Reduction in brand equity and substantial financial losses
• Executives face personal fines, penalties and legal repercussions
Solution Capabilities
• Provides automated policy enforcement, centralized reporting and analysis, centralized auditing controls, risk mitigation
• Record and playback insider actions
• Forensic analysis tools, real time prevention workflow
• Discover relationships via analytics
Solution Components
• IBM Tivoli zSecure Manager for RACF z/VM
• RACF® Security Server feature for z/VM
• z/VM® V5
• z/VM V5 DirMaint™ Feature
• ISPF V3 for VM
• Optional: Intellinx zWatch
Enterprise Encryption and Key Management Solution
Customer Challenges
• Encryption can be complex to implement and manage
• Without encrypted data, companies face great exposure risks
• Many PKI solutions from third parties can be costly
Solution Capabilities
• Provides encryption capabilities
• Uses auditable granular access controls
• Provides auditing and monitoring of encryption keys
• Protects integrity and confidentiality of data and transactions
• Low cost digital certificates and PKI infrastructure
Solution Components
• z/OS® V1 includes: z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF
• DB2® for z/OS V9
• Optim™ Data Privacy Solution
• Encryption Facility for z/OS V1
• Data Encryption for IMS and DB2 Databases V1
• Crypto Express3 Features
• TKE Workstation
• OSA Cards
• Tivoli® Key Lifecycle Manager (TKLM)
• IBM System Services Runtime Environment for z/OS
Optional:
• IBM Distributed Key Management System (DKMS)
• Venafi Encryption Director
Centralized Identity and Access Management
Customer Challenges
• Increased complexity of security administration and monitoring
• More security exposures and an expanding list of identities and access controls increases complexity
• Business portals increase need to better manage and monitor identities
• Cost of management and administration is too high
Solution Capabilities
• Provides reduced infrastructure, simplified security management
• More efficient centralized identity lifecycle and access management
• Centralized auditing controls, and improved ability to meet compliance needs
• Cross platform user provisioning and authentication
Solution Components
z/OS version includes:
• z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF
• DB2 for z/OS V9
• WebSphere for z/OS V7
• IBM Tivoli Security Management for z/OS
• Tivoli Federated Identity Manager
• Tivoli Identity Manager
Linux version includes:
• IBM Tivoli zSecure Manager for RACF z/VM
• RACF Security Server Feature for z/VM
• z/VM v5
• z/VM v5 Dirmaint Feature
• ISPF V3 for z/VM
• IBM Tivoli Identity and Access Assurance V1
Securing Virtualization: z/VM®, Linux® on System z®
Customer Challenges
• Secured virtualized environment needed both for traditional and virtualized environments
• Virtualization offers compelling TCO but needs to be secure as well
• Customers are considering secured private cloud environments
• Cost effective security management is needed to avoid air gapped solutions
Solution Capabilities
• Proven secured virtualization for decades
• Common criteria ratings
• Centralized Auditing and Reporting
• Workload isolation, common criteria, architecture design
• Easy to secure new workloads
Solution Components
• IBM Tivoli zSecure Manager for RACF z/VM
• RACF Security Server Feature for z/VM
• z/VM v5
• z/VM v5 Dirmaint Feature
• ISPF V3 for VM
• IBM Tivoli Identity and Access Assurance V1
Compliance / Risk Mitigation / Secure Infrastructure: z/OS
Customer Challenges
• Security breaches, identity theft are growing
• Companies face large financial losses
• PCI and HIPAA compliance are required by law
• Many environments are plagued by viruses and a continued cycle of patches
Solution Capabilities
• Security certifications (z/OS EAL 4+, LPAR EAL 5, FIPS 140-2 Level 4), System z/OS integrity statement
• Centralized security controls, auditing and administration
• Anonymous data for development and test
Solution Components
• z/OS V1 including: z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF
• DB2 for z/OS V9
• WebSphere for z/OS V7
• Optim Data Privacy Solution
• Encryption Facility for z/OS V1
• Data Encryption for IMS and DB2 Databases V1
• Crypto Express3 Features
• TKE Workstation
• OSA Cards
• IBM Tivoli Security Management for z/OS
• Tivoli® Key Lifecycle Manager (TKLM)
• IBM System Services Runtime Environment for z/OS
• IMS Audit Management Expert for z/OS
• DB2 Audit Management Expert for z/OS
Optional:
• IBM Distributed Key Management System (DKMS)
• Intellinx zWatch
• Venafi Encryption Director
Tivoli Security Management for z/OS
Offers the capability to:
– Administer your mainframe security & reduce administration time, effort, and costs
– Monitor for threats by auditing security changes that affect z/OS, RACF & DB2
– Audit usage of resources
– Monitor and audit security configurations
– Enforce policy compliance
– Capture comprehensive log data
– Increase capabilities in analyzing data from the mainframe for z/OS, RACF & DB2
– Interpret log data through sophisticated log analysis
– Efficient auditing, streamlined for enterprise-wide audit & compliance reporting
IBM Tivoli Key Lifecycle Manager
Focused on device key serving
• IBM encrypting tape – TS1120, TS1130, LTO gen 4
• IBM encrypting disk – DS8000
Lifecycle functions
• Notification of certificate expiry
• Automated rotation of certificates
• Automated rotation of groups of keys
Designed to be easy to use
Provide a Graphical User Interface
Initial configuration wizards
Easy backup and restore of TKLM files
– TKLM backup, DB2 backup, Key backup
– Simple to clone instances
Installer to simplify installation experience
– Simple to use install, can be silent
Platforms for V1
– z/OS 1.9, 1.10, 1.11
– AIX 5.3, 6.1 or later
– Red Hat Enterprise Linux 4.0 and 5.0
– SuSE Linux 9 and 10
– Solaris 9, 10 Sparc
– Windows Server 2003 and 2008
A Strategy for clients to expand their usage of the System z platform:
The Future Runs on System z
– Deliver greater value for clients as they grow existing workloads
– A new proposition that enables new application adoption
– A new class of offering to deliver dedicated enterprise Linux servers at unprecedented low cost
The Ideal platform for new workloads and consolidation:
System z: unmatched value, superior quality
IBM Security Solutions – SC Magazine's Best Security Company
http://www-03.ibm.com/security/awards/
Al Zollar, General Manager, IBM