Implementation of RBAC and
Data Classification
Steve Tresadern
Rui Miguel Feio
RSM Partners
December 2014
v1.7
Agenda
Introductions
Data Classification & Ownership
Role-Based Access Control (RBAC)
Maintain the environment
Results
Q&A
Who are we?
Steve Tresadern
27 years mainframe experience
Former z/OS Systems Programmer
Experience in Cryptography, RACF, Compliance
Rui Miguel Feio
15 years mainframe experience
Experience in z/OS, RACF, zSecure, Development
Last 4 years working in Security and implementing RBAC
DATA CLASSIFICATION & OWNERSHIP
Data Classification – What is it?
Understanding what your data is
(Pie chart of data by classification)
Credit Card 11%
Sarbanes Oxley 36%
Customer - Confidential 16%
Development 23%
User 14%
Data Classification – What is it?
Who owns your data
(Pie chart of data by owner)
Credit Card 7%
Insurance 22%
HR 13%
Branch 27%
Systems 9%
Development 14%
User 8%
Data Classification – Reasons to do it
Audit requirements
Compliance
Who has privileged access?
Who is accessing confidential information?
Reduce the risk of fraud?
Data Classification – Reasons to do it
(Diagram: User 1 and User 2 connected to Group A, Group B, Group C and Group D, each group carrying its own Access List)
Data Classification – Aims
Every dataset and resource profile must be:
Classified in terms of confidentiality and integrity
Linked to an application
Basic security correctly defined
Understand who has privileged access
All applications have a business/data owner.
Ideally they should approve all access
Review who has access
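The aims above are checks that can be run mechanically over a profile inventory. The following is an added example, not code from the presentation or from RSM Partners: it models a few dataset profiles and applications as constructed sample data (the field names, profile names, group names and classification levels are this example's own assumptions, not an export of a real RACF database), flags every profile that fails one of the aims, and lists who holds privileged access on confidential data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Classification scales and access ordering are assumptions for this example.
CONFIDENTIALITY = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
INTEGRITY = ("LOW", "MEDIUM", "HIGH")
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    name: str                         # dataset or resource profile name
    confidentiality: Optional[str]    # one of CONFIDENTIALITY, None if unclassified
    integrity: Optional[str]          # one of INTEGRITY, None if unclassified
    application: Optional[str]        # application the profile is linked to
    uacc: str = "NONE"                # universal access
    permits: Dict[str, str] = field(default_factory=dict)  # group/userid -> level


@dataclass
class Application:
    name: str
    owner: Optional[str]              # business/data owner, None if nobody assigned


def classify_findings(profiles: List[Profile],
                      applications: List[Application]) -> List[Tuple[str, str]]:
    """Return (profile, finding) pairs for every aim a profile fails."""
    apps = {a.name: a for a in applications}
    findings = []
    for p in profiles:
        if p.confidentiality not in CONFIDENTIALITY or p.integrity not in INTEGRITY:
            findings.append((p.name, "UNCLASSIFIED"))
        if p.application is None:
            findings.append((p.name, "NO_APPLICATION"))
        elif p.application not in apps:
            findings.append((p.name, "UNKNOWN_APPLICATION"))
        elif apps[p.application].owner is None:
            findings.append((p.name, "NO_OWNER"))
        # "Basic security correctly defined": confidential data must not be
        # readable by everyone, high-integrity data must not be writable by everyone.
        world_read = ACCESS_RANK[p.uacc] >= ACCESS_RANK["READ"]
        world_write = ACCESS_RANK[p.uacc] >= ACCESS_RANK["UPDATE"]
        if (p.confidentiality in ("CONFIDENTIAL", "RESTRICTED") and world_read) or \
           (p.integrity == "HIGH" and world_write):
            findings.append((p.name, "UACC_TOO_HIGH"))
    return findings


def privileged_access(profiles: List[Profile],
                      threshold: str = "UPDATE") -> Dict[str, Set[str]]:
    """Who holds access at or above `threshold` on confidential/restricted data."""
    holders: Dict[str, Set[str]] = {}
    for p in profiles:
        if p.confidentiality not in ("CONFIDENTIAL", "RESTRICTED"):
            continue
        for who, level in p.permits.items():
            if ACCESS_RANK[level] >= ACCESS_RANK[threshold]:
                holders.setdefault(who, set()).add(p.name)
    return holders


# Constructed sample inventory (not real profiles or groups).
APPLICATIONS = [Application("PAYROLL", "hr.data.owner"), Application("DEVTOOLS", None)]
PROFILES = [
    Profile("PAYR.MASTER.**", "CONFIDENTIAL", "HIGH", "PAYROLL",
            permits={"PAYRADM": "UPDATE", "PAYRUSR": "READ", "SYSPROG": "ALTER"}),
    Profile("PAYR.REPORTS.**", "CONFIDENTIAL", "MEDIUM", "PAYROLL", uacc="READ"),
    Profile("DEV.TOOLS.**", "INTERNAL", "LOW", "DEVTOOLS", uacc="READ"),
    Profile("OLD.TEMP.**", None, None, None, uacc="UPDATE"),
]

if __name__ == "__main__":
    for name, finding in classify_findings(PROFILES, APPLICATIONS):
        print(f"{name:18} {finding}")
    for who, names in privileged_access(PROFILES).items():
        print(f"{who:10} privileged on {sorted(names)}")
```

The findings list is the recertification worklist: each entry names the profile and the aim it misses, and the privileged-access map is the answer to "who has privileged access" restricted to the data that matters.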
Sources for Data Classification
RACF Database
Naming Standards
Access Monitor
Support Teams
Local Knowledge
XBridge Datasniff
Sources for Data Ownership
Data Ownership
RACF Database
Service Management
Support Teams
Service Database
Local Knowledge
Data Classification – Challenges
Lack of knowledge in support teams
Development Team Processes
Business areas cooperation
Non-RACF based security
Unravelling of the environment
Service Database – Up to date?
Data Classification Benefits
Reduced Risk of Fraud
Who has privileged access
Focused Monitoring
Recertification
Audit
Compliance
ROLE-BASED ACCESS CONTROL (RBAC)
RBAC – Reasons to do it
Business organisation keeps changing
Managing the mainframe security environment
Audit requirements
Compliance
Recertification
Remove access not required
RBAC Common Challenges - I
Historical code
Global Access Table (GAT)
Lack of technical knowledge
Business areas cooperation
Least Privilege access implementation
DB2
RBAC Common Challenges - II
Recertification tools
Unravelling of the RBAC
RBAC – Define Standards and Rules
Personal userid connected to one role group
Role group describes the business role
Role group contains all the access
All role groups will have an ‘owner’
Define RBAC Rules
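The four rules on this slide can be checked automatically, and the same model shows the difference between the "Reasons to do it" diagram (a user connected to many groups, each with its own access list) and the "Benefits" diagram (one user, one role group, one access list). The following is an added example, not code from the presentation or from RSM's RBAC tool: role groups, users and access lists are constructed sample data, and the group names, resources and finding codes are this example's own assumptions rather than a real installation's RACF definitions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class RoleGroup:
    name: str
    business_role: str                  # describes the business role
    owner: Optional[str]                # every role group must have an owner
    access: Dict[str, str] = field(default_factory=dict)  # resource -> access level


@dataclass
class User:
    userid: str
    groups: List[str] = field(default_factory=list)  # groups the id is connected to
    personal: bool = True               # batch/started-task ids are exempt from the one-role rule


def validate_rbac(users: List[User], roles: List[RoleGroup]) -> List[Tuple[str, str]]:
    """Check the slide's rules; return (object, finding) pairs for each breach."""
    role_by_name = {r.name: r for r in roles}
    problems = []
    for r in roles:
        if not r.business_role.strip():
            problems.append((r.name, "NO_ROLE_DESCRIPTION"))
        if r.owner is None:
            problems.append((r.name, "NO_OWNER"))
        if not r.access:
            problems.append((r.name, "EMPTY_ACCESS_LIST"))
    for u in users:
        role_groups = [g for g in u.groups if g in role_by_name]
        other = [g for g in u.groups if g not in role_by_name]
        if u.personal and len(role_groups) != 1:
            problems.append((u.userid, "NOT_EXACTLY_ONE_ROLE"))
        if other:
            problems.append((u.userid, "NON_ROLE_GROUPS:" + ",".join(other)))
    return problems


def effective_access(user: User, roles: List[RoleGroup]) -> Dict[str, str]:
    """Access a user actually holds: the union of the connected groups' access lists."""
    role_by_name = {r.name: r for r in roles}
    access: Dict[str, str] = {}
    for g in user.groups:
        for resource, level in role_by_name.get(g, RoleGroup(g, "", None)).access.items():
            if ACCESS_RANK[level] > ACCESS_RANK[access.get(resource, "NONE")]:
                access[resource] = level
    return access


def move_user(user: User, new_role: str, roles: List[RoleGroup]) -> User:
    """Mover: swap the single role group, so nothing from the old job is left behind."""
    if new_role not in {r.name for r in roles}:
        raise ValueError(f"{new_role} is not a defined role group")
    user.groups = [new_role]
    return user


# Constructed sample data (not real groups, users or resources).
ROLES = [
    RoleGroup("PAYRCLRK", "Payroll clerk", "payroll.manager",
              {"PAYR.MASTER.**": "READ", "PAYR.INPUT.**": "UPDATE"}),
    RoleGroup("BRNCHTLR", "Branch teller", "branch.operations",
              {"CUST.ACCT.**": "UPDATE"}),
    RoleGroup("DEVTEST", "Developer (test)", None, {"DEV.SRC.**": "UPDATE"}),
]
USERS = [
    User("U00001", ["PAYRCLRK"]),
    User("U00002", ["PAYRCLRK", "BRNCHTLR"]),   # access accumulated from an earlier job
    User("U00003", ["PAYRCLRK", "PROJ123"]),    # still connected to an ad hoc project group
    User("BATCHJOB", [], personal=False),
]

if __name__ == "__main__":
    for obj, finding in validate_rbac(USERS, ROLES):
        print(f"{obj:10} {finding}")
    mover = USERS[1]
    print("before move:", effective_access(mover, ROLES))
    move_user(mover, "BRNCHTLR", ROLES)
    print("after move: ", effective_access(mover, ROLES))
```

Running it shows the recertification value of the rules: the user with two role groups carries both access lists, and the move removes the payroll access with no separate clean-up step because the user's access is only ever what the single role group grants.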
RBAC - Sources of data
Sources
HR Data
RACF
Business Org. Chart
Phone List
Global Address List
Local Knowledge
Access Monitor
RBAC Stages – An overview
Update/Develop Processes
Implement RBAC
Test RBAC implementation
Devise RBAC implementation plan
Engage with managers and users
Identify logical grouping
Analyse and prepare mainframe environment
RBAC Implementation Tools
RSM RBAC tool
RSM DB2 RBAC Tools
Access Monitor data
RACF Offline
CARLa code
RBAC Benefits – Some examples
(Diagram: User 1 connected to Role Group A, which carries the Access List; User 2 connected to Role Group B, which carries the Access List)
RBAC Benefits – Some examples
Reduced Risk Fraud
Security Management
Joiners
Movers
Leavers
Recertification
Audit
Monitor
Who is who
Who does what
Least Privilege Access
MAINTAINING THE ENVIRONMENT
Tools – Maintain the environment
In-House Security Panels
IBM zSecure Command Verifier
IBM zSecure Alert
RSM ExceptionReporter
RSM RealtimeDashboard
Tools – RSM ExceptionReporter
Tools – RSM RealtimeDashboard
RESULTS
Reduction in Privileged Accesses (bar chart)
Before: 737.468
After: 373.669
Reduction in Privileged Users (bar chart)
Before: 12.949
After: 7.347
Questions
Contact Details
Rui Miguel Feio - [email protected]
Steve Tresadern - [email protected]
RSM Partners - www.rsmpartners.com
RSM Software – www.rsmsoftware.com