reducing risk for the crown jewels on your mainframe
TRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
© 2014 IBM Corporation
© 2015 IBM Corporation
Reducing Risk for the Crown Jewels on
your Mainframe (z Systems)
Jamie Pease CISA, CISM, CISSP, MBCS CITP
IT Security Specialist, z Systems Security &
Chairman of the GSE Security Working Group
Agenda
• The current landscape
• Challenges
• Recommendations
Today’s technologies have eliminated “mainframe isolation”
The increasingly desirable target of the Mainframe
Source: 2013 IBM zEnterprise Technology Summit
80% of all active code runs on the mainframe
80% of enterprise data is housed on the mainframe
Technologies that now connect to the mainframe: Internet, Cloud, Social, Mobile, Big Data, Business Innovation
Workloads that run on the Mainframe (z Systems)
Banking: Core Banking; Wholesale Banking – Payments; Customer Care & Insight
Insurance: Internet Rate Quotes; Policy Sales & Management (e.g. Life, Annuity, Auto); Claims Processing
Retail: On-line Catalog; Supply Chain Management; Customer Analysis
Healthcare: Patient Care Systems; On-line Claims Submission & Payments
Public Sector: Electronic IRS; Web based Social Security; Tax processing
What is a workload?
The relationship between a group of applications and/or systems that are related across several business functions to satisfy one or more business processes, typically running on ‘virtual servers’.
Applications by the numbers
Mainframe legacy applications represent a massive exposure of core business information and functions
2/3 of ALL business transactions for U.S. retail banks run directly on mainframes
1 million active COBOL programs
80% active COBOL code
250+ billion lines of COBOL code today
Source: 2013 IBM zEnterprise Technology Summit
Who runs DB2 on z/OS?
65 of the world’s top banks
24 of the top 25 U.S. retailers
10 of the top 10 global insurance providers
“Millions of users unknowingly activate CICS every day, and if it were to disappear the world economy would grind to a halt.”
Phil Manchester, Personal Computing Magazine
Key concerns
Mainframe customers are more vulnerable than ever before
Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for z Systems and the Enterprise
“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have significantly impacted security.”
Meenu Gupta, President, Mittal Technologies Inc.
50% concerned with privileged insiders
21% concerned with advanced persistent threats
29% concerned with web-enabled z/OS apps
The solution… 86% of customers agree that deploying multiple layers of defense provides the best mainframe protection
Common z/OS security challenges
z/OS security implementation and z/OS security practices:
Mainframe UNIX systems are less securely managed than distributed UNIX / Linux servers
Shared disks between environments (e.g., development, test and production)
Too many users circumventing controls
Excessive utility access allows security policy bypass
Poor data management practices (e.g., access to data, copying of data and reuse of data)
Inadequate attention to monitoring, alerting and reporting
Absent, or poorly conceived, security design
Lack of access controls allows elevated user privileges
Security policies are outdated or not properly executed
Where would you rank your Mainframe Security?
Maturity Level:
1 - Initial
2 - Repeatable
3 - Defined
4 - Managed
5 - Optimising
Understand the risks and report them
Gain support from senior management
You need well defined security standards, aligned with policy
Perform a deep-dive audit of all your core systems; get all the issues out on the table
Do not limit yourself to logical access controls; think about detective controls, management controls, administrative controls . . . .
Don’t ignore risk assessments rated “Likelihood = low, Impact = high”; these may bite you hard in the future.
Understand the risks and report them – cont.
Risk assess the issues and produce a report in a style that management can consume
Present the hard hitting facts to management ….
Be prepared for the “so what” test
What’s the risk to the business
Highlight core services that the business is dependent on
Avoid technical jargon
Create a risk register and load it!
Make friends with Audit and get the issues formally raised as concerns
High visibility with senior exec = more chance of remediation
Remember that Auditors are your partner, not the enemy
Change the mind-set
THINK like a hacker! How would you compromise a system? What would you look for, what would you use, and how would you prevent it?
THINK end-to-end Security – this requires a Security Engineering mind-set
The data might end up on z, but where did it start or end its journey?
THINK about the current threat landscape – things are different now compared to the 80’s and 90’s
THINK from a business perspective (security is an enabler)
Controls need to support business objectives – your job is to help protect the business
THINK . . . Security is everyone's responsibility, not just the security dept
People are the weakest link in the chain!
Adopt an iterative process of continuous improvement
1. Security Policy
2. Security Design
3. Security Implementation
4. Security Enforcement
5. Security Auditing
6. Measurement Against Policy
Build a long term plan to fix things
Plan a 3-year security improvement programme; security remediation projects take time and they are often complex
Consider a Security Engineering function; you cannot drive security improvements using only operational staff
Review your resource pool – do you have sufficient skills to implement the improvements and maintain them?
Consider apprenticeships; they are becoming popular in the mainframe community
Integrate “Design” into your security practice
Controls for systems, applications and data should not be an afterthought
Often we find that many security features are not implemented or considered for future use
Lack of design equals poorly configured controls, that are not fit for purpose
SDLC (Systems development life-cycle) – security must be part of it!
You need to build security design into everything you do; this should be part of the Security Engineering role
Do not allow infrastructure teams, such as Systems Programming, to make security design decisions on your behalf. Often their focus is on availability and performance, not security.
Remember, good design = better product
Start cleaning up
Too much dead wood in your security system can distort the picture, adding unnecessary complexity and additional costs
Start to collect data about what is being used in terms of access permissions and security definitions
Remove what is not being used; subsequent remediation activities often complete much quicker when you can see the “wood through the trees”
Clean-up often resolves other audit issues that are on your delivery plan
Proven to significantly reduce risk
Put a halt to new pollution occurring in your security system!
• People who implement security changes on z Systems can create “compliance issues”
These can occur for a number of reasons . . .
Not following standards, process . . .
Incorrect approval from an owner / authorizer
Lack of understanding
Failure to check and double check proposed changes
• zSecure Command Verifier can help maintain compliance
Get RBACing!
A large percentage of audit concerns can be attributed to excessive access / privileges
Design and implement a Role Based Access Controls infrastructure for your security database
It sounds more complicated than it is . . .
If you are already collecting “Access Decisions” from your security system, you have intelligence about what permissions are being used!
You can use this data to verify where access is not being used
Use it as part of your “business analysis” and decision making process
Build RBAC profiles based on “required” access usage
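The “Start cleaning up” and “Get RBACing!” slides both rest on the same piece of intelligence: the access decisions your security system has already logged tell you which permits are used, at what level, and by whom. The script below is an added example (it is not code from the deck or from IBM) showing how that evidence is turned into a removal list and into candidate roles. It works on constructed sample data: an invented extract of a RACF-style access list and an invented set of access-decision records (in RACF the decisions would come from SMF audit records). Denied requests are deliberately not counted as usage; a violation shows intent, not a permission that is needed.

```python
"""Usage-based permit clean-up and role mining for a RACF-style security database.

Added example, not code from the original deck or from IBM. It compares the
permissions defined in the security database with the access decisions that
were actually logged, reports permits that are never used or that are granted
above the level ever used, and groups users by the permissions they really
exercise to obtain candidate role profiles. Profiles, user IDs and decision
records below are constructed sample data.
"""
from collections import defaultdict

# RACF access levels in increasing order of privilege.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def rank(level):
    return LEVELS.index(level)

# Constructed extract of the security database: (profile, id, granted access).
PERMITS = [
    ("PAY.MASTER", "PAYCLERK1", "READ"),
    ("PAY.MASTER", "PAYCLERK2", "READ"),
    ("PAY.MASTER", "PAYSUPV", "UPDATE"),      # only ever used at READ (see DECISIONS)
    ("PAY.AUDIT", "PAYSUPV", "READ"),
    ("PAY.AUDIT", "PAYCLERK1", "READ"),       # never used
    ("HR.PERSON", "PAYCLERK1", "READ"),
    ("HR.PERSON", "PAYCLERK2", "READ"),
    ("SYS1.PARMLIB", "PAYCLERK2", "UPDATE"),  # never used, and excessive for a clerk
]

# Constructed access-decision log: (id, profile, access requested, outcome).
DECISIONS = [
    ("PAYCLERK1", "PAY.MASTER", "READ", "SUCCESS"),
    ("PAYCLERK1", "HR.PERSON", "READ", "SUCCESS"),
    ("PAYCLERK2", "PAY.MASTER", "READ", "SUCCESS"),
    ("PAYCLERK2", "HR.PERSON", "READ", "SUCCESS"),
    ("PAYSUPV", "PAY.MASTER", "READ", "SUCCESS"),
    ("PAYSUPV", "PAY.AUDIT", "READ", "SUCCESS"),
    ("PAYCLERK2", "PAY.MASTER", "UPDATE", "VIOLATION"),  # denied: not evidence of use
]

def highest_used(decisions):
    """id -> {profile: highest access level successfully used}.
    Violations are ignored: a denied request shows intent, not a permission in use."""
    used = defaultdict(dict)
    for uid, profile, access, outcome in decisions:
        if outcome != "SUCCESS":
            continue
        if rank(access) > rank(used[uid].get(profile, "NONE")):
            used[uid][profile] = access
    return used

def review_permits(permits, decisions):
    """Return (unused, over_granted).
    unused:       permits never exercised, as (profile, id, granted)
    over_granted: permits used only below the granted level, as (profile, id, granted, used)"""
    used = highest_used(decisions)
    unused, over_granted = [], []
    for profile, uid, granted in permits:
        actual = used.get(uid, {}).get(profile)
        if actual is None:
            unused.append((profile, uid, granted))
        elif rank(granted) > rank(actual):
            over_granted.append((profile, uid, granted, actual))
    return unused, over_granted

def mine_roles(decisions):
    """Group ids by the exact set of (profile, level) they actually use. Each distinct
    set is a candidate role profile; the ids sharing it are its candidate members."""
    used = highest_used(decisions)
    roles = defaultdict(list)
    for uid in sorted(used):
        roles[tuple(sorted(used[uid].items()))].append(uid)
    return dict(roles)

if __name__ == "__main__":
    unused, over_granted = review_permits(PERMITS, DECISIONS)
    print("remove (never used):", unused)
    print("reduce (granted above use):", over_granted)
    for role, members in mine_roles(DECISIONS).items():
        print("candidate role", role, "->", members)
```

On the sample data the review flags the two unused permits (PAYCLERK1 on PAY.AUDIT, PAYCLERK2 on SYS1.PARMLIB) and PAYSUPV’s UPDATE on PAY.MASTER as granted above use, and the two clerks fall into one candidate role because their exercised permissions are identical. Collect decisions over a full business cycle (month-end, year-end) before acting on “never used”, otherwise you will delete access that is merely infrequent.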
Offload services that cause a conflict
Are your implementers also responsible for security monitoring?
This is considered “self-policing”, which is regarded as bad practice throughout the industry
Monitoring needs to be independent - you need “policemen” under separate management checking the implementers
Without that independence, preventing fraud, enforcing separation of duties and reducing errors are extremely difficult to achieve
It is a drain on your resources
Conflicts can also be extended to Infrastructure teams performing security tasks, such as Systems Programming maintaining security for z/OS UNIX
Review the technology you use for Security
You’ve made an investment in technology to help secure your crown jewels; how much of this is utilised?
Many customers only use 25% of the functionality in their security software
Exploitation of security software = reduction in risk
Perform a gap analysis to determine what you’re not using; determine how these features may help improve controls. Involve your vendor!
Test and simulate proposed changes
Many exposures on the mainframe are created by Security Administration errors
Changes to your security database can also impact availability!
Errors can consist of . . .
Applying too much access
Removing security definitions that protect resources
Deleting access permissions that are still required
Changing attributes that can enable a user to circumvent system security
Historically, Mainframe Security teams don’t have a safe testing environment where they can test & simulate the effect of high impact changes
The RACF-Offline feature in zSecure Admin can help with this challenge
Test controls against external standards
Are your corporate standards still “fit for purpose”; were they designed for the threat landscape a decade ago?
Regularly benchmarking your controls against standards that were developed by other institutions results in stronger controls for your enterprise
Consider utilising standards from NIST and DISA (e.g. the DISA STIGs for z/OS)
Start classifying your resources
You cannot apply an appropriate level of control, if you don’t understand the sensitivity of the resource you are protecting
Data classification projects can be expensive and time consuming to implement, however there is no reason why you cannot implement the foundations on your mainframe
You immediately start to reduce risk when you classify something and apply the appropriate controls
Solutions like IBM Security zSecure already have a knowledge base of sensitive operating system resources – you can start to use this intelligence to classify resources in the Trusted Computing Base.
Understand who can bypass system security
You need to understand which users have access to resources that can be used to bypass your security system
There is no point building strong defences if 20% of your user population can bypass them
These resources are part of the Trusted Computing Base. Users who have access to them are referred to as “Trusted Users”
READ access to some of these resources is sufficient to bypass control mechanisms
Significantly reduce the number of “Trusted Users”
Regularly review these users through recertification; don’t be afraid to apply your own knowledge and speak up when access is not appropriate
Implement auditing and monitoring of the Trusted Computing Base
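Finding the “Trusted Users” is a resolution problem, not a grep: a user reaches a sensitive resource through an explicit access-list entry, through a group connection, through UACC, or through a profile left in WARNING mode, and READ is frequently enough. The same resolver also answers the “Test and simulate proposed changes” slide: apply a proposed batch of commands to a copy of the definitions and diff the trusted-user list before anything touches the live database. The script below is an added example (not code from the deck, from IBM or from zSecure). It uses a simplified model of RACF’s DATASET access checking (explicit user entry first, then the highest group entry, then UACC or an ID(*) entry; WARNING grants everything and only logs); SPECIAL and OPERATIONS attributes are not modelled. Profiles, users, groups, the sensitive-resource list and the proposed commands are all constructed sample data.

```python
"""Trusted-user review and change simulation for a RACF-style access model.

Added example, not from the original deck. Simplified RACF DATASET access
resolution: explicit user entry, then highest group entry, then UACC / ID(*);
WARNING mode grants any request and merely logs it. All data is constructed.
"""
import copy
import re

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def rank(level):
    return LEVELS.index(level)

# Constructed DATASET profiles: name -> UACC, WARNING flag, access list.
PROFILES = {
    "SYS1.LINKLIB": {"uacc": "READ", "warning": False,
                     "acl": {"SYSPROG": "ALTER"}},
    "SYS1.PARMLIB": {"uacc": "NONE", "warning": False,
                     "acl": {"SYSPROG": "ALTER", "AUDITGRP": "READ", "JDOE": "NONE"}},
    "PROD.JCLLIB": {"uacc": "NONE", "warning": True,
                    "acl": {"SCHED": "UPDATE"}},
}
# Constructed Trusted Computing Base resources and the level that is already
# enough to bypass controls on each of them.
SENSITIVE = {"SYS1.LINKLIB": "READ", "SYS1.PARMLIB": "READ", "PROD.JCLLIB": "UPDATE"}
# Constructed group connections: user -> groups.
GROUPS = {"JDOE": ["AUDITGRP"], "ASMITH": ["SYSPROG"], "BATCH1": ["SCHED"], "TEMP9": []}

def effective_access(profiles, groups, resource, user):
    """Highest access 'user' obtains on 'resource' under the simplified model."""
    prof = profiles[resource]
    if prof["warning"]:
        return "ALTER"            # WARNING: every request is granted, only logged
    acl = prof["acl"]
    if user in acl:
        return acl[user]          # an explicit user entry wins, even when it is NONE
    group_levels = [acl[g] for g in groups.get(user, []) if g in acl]
    if group_levels:
        return max(group_levels, key=rank)
    # Not listed directly or via a group: UACC or an ID(*) entry applies to everyone.
    return max(prof["uacc"], acl.get("*", "NONE"), key=rank)

def trusted_users(profiles, groups, sensitive):
    """user -> {resource: level} for each sensitive resource the user reaches at or above threshold."""
    found = {}
    for resource, threshold in sensitive.items():
        for user in groups:
            level = effective_access(profiles, groups, resource, user)
            if rank(level) >= rank(threshold):
                found.setdefault(user, {})[resource] = level
    return found

# Minimal parsers for the two command forms the simulation accepts (DATASET class).
PERMIT_RE = re.compile(r"^PERMIT\s+'([^']+)'\s+ID\(([\w*]+)\)\s+(?:ACCESS\((\w+)\)|(DELETE))\s*$", re.I)
ALTDSD_RE = re.compile(r"^ALTDSD\s+'([^']+)'(.*)$", re.I)

def apply_command(profiles, command):
    """Apply one PERMIT or ALTDSD command to 'profiles' in place."""
    m = PERMIT_RE.match(command.strip())
    if m:
        name, ident, access, delete = m.groups()
        acl = profiles[name.upper()]["acl"]
        if delete:
            acl.pop(ident.upper(), None)
        else:
            acl[ident.upper()] = access.upper()
        return
    m = ALTDSD_RE.match(command.strip())
    if m:
        name, options = m.groups()
        prof = profiles[name.upper()]
        uacc = re.search(r"UACC\((\w+)\)", options, re.I)
        if uacc:
            prof["uacc"] = uacc.group(1).upper()
        if re.search(r"\bNOWARNING\b", options, re.I):
            prof["warning"] = False
        elif re.search(r"\bWARNING\b", options, re.I):
            prof["warning"] = True
        return
    raise ValueError("unsupported command: " + command)

def simulate(profiles, groups, sensitive, commands):
    """Return (gained, lost): per user, the sensitive resources they would newly reach or
    no longer reach if 'commands' were applied. The live definitions are not modified."""
    before = trusted_users(profiles, groups, sensitive)
    proposed = copy.deepcopy(profiles)
    for command in commands:
        apply_command(proposed, command)
    after = trusted_users(proposed, groups, sensitive)
    gained, lost = {}, {}
    for user in groups:
        b, a = set(before.get(user, {})), set(after.get(user, {}))
        if a - b:
            gained[user] = sorted(a - b)
        if b - a:
            lost[user] = sorted(b - a)
    return gained, lost

# Constructed change batch, as an administrator might submit it.
PROPOSED = [
    "ALTDSD 'SYS1.LINKLIB' UACC(NONE)",
    "PERMIT 'SYS1.PARMLIB' ID(JDOE) DELETE",   # dropping the explicit NONE re-enables group access
    "ALTDSD 'PROD.JCLLIB' NOWARNING",
]

if __name__ == "__main__":
    for user, reach in trusted_users(PROFILES, GROUPS, SENSITIVE).items():
        print(f"trusted: {user:8} {reach}")
    gained, lost = simulate(PROFILES, GROUPS, SENSITIVE, PROPOSED)
    print("would gain:", gained)
    print("would lose:", lost)
```

Two things the sample data is arranged to show. First, every one of the four users starts out trusted, because SYS1.LINKLIB carries UACC(READ) and PROD.JCLLIB is in WARNING mode; that is the “20% of your user population” problem made visible. Second, the batch that looks like pure hardening contains a classic error: deleting JDOE’s explicit NONE entry on SYS1.PARMLIB silently hands JDOE READ through the AUDITGRP connection, which the simulation reports as a gain before the command is ever issued.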
Move from point in time to real time
Detective controls often report critical changes many hours or days following the event
This is often too late as it provides a window of opportunity to cause significant damage
Focus should never be limited to changes that occur in the security system
Remember, we also need to monitor security in the operating system, sub systems, middleware . . .
Need to establish an independent process for handling these events
Integrate with your enterprise monitoring practice and SIEM solution
Think outside of the security system
You can’t just focus your efforts on the security system (E.g. RACF)
The consequences are that you leave too many doors unlocked
Security for the operating system (z/OS, z/VM), sub-systems (TCP/IP, UNIX) and middleware (CICS, IMS, MQ) is just as important
There are parameters and settings that need to be activated, regularly reviewed and monitored!
Don’t forget that some of your applications will use “internal control mechanisms”; these don’t call your security system for “security decisions”
Don’t stop, remember it’s an iterative process
Are your corporate standards still “fit for purpose”; were they designed for the threat landscape a decade ago?
Your security practice must always strive to improve …..
Is the Security that you implemented today, good enough for the threats of tomorrow?
Constantly evaluate everything you do and implement, to ensure it remains “fit for purpose”
Invest in training & education
Employees cannot work in isolation . . .
They must keep up-to-date with the latest threats, trends, best practices
Need to understand what other organisations are doing to improve their security
Need to share problems, ideas to help come up with solutions
Keep their knowledge current on security solutions, including new capabilities
Network with other customers and vendors
Need to understand security from an enterprise wide perspective
Difficult to improve the maturity of your mainframe security when employees cannot develop in their profession
They need to be allowed to attend . . .
User Groups
Conferences
Webinars
Training courses
and . . . . be given the time to do research activities!
Make it personal!
On a mainframe somewhere around the world, your own personal data resides in a database
The mainframe serving your business probably holds your personal data (think Bank account, Insurance Policy, Payroll, Pension . . .)
If you were able to retrieve “all” of your personal data, you’d be amazed how much is stored on the mainframe
How would you feel if that data was compromised
You probably guard your personal assets
We all have a responsibility to uphold the confidentiality, integrity and availability of our data . . . the crown jewels of the enterprise
IBM z Systems is a highly securable environment
Security is embedded into the z Systems architecture: processor, hypervisor, operating system, communications, storage, applications
z Systems security addresses regulatory compliance with:
Extensive security event logging and reporting capabilities
Extensive security certifications, including Common Criteria EAL5+ and FIPS 140
Identity and access management
Hardware and software encryption
Communication security capabilities
IBM RACF provides identity and access controls and audit capabilities
Mainframe Security requires a defense in depth solution
Domain         | Endpoints              | Server Operating System | Data                | Security Intelligence
Security       | RACF, ACF2, Top Secret | z/OS                    | DB2, IMS, VSAM      | All
IBM Solutions  | zSecure Admin, Visual  | zSecure Audit, Alert    | InfoSphere Guardium | QRadar SIEM
zSecure Admin / Visual (Endpoints):
● Automated cleanup of unused, obsolete and under-protected access permissions
● Externalization of DB2 security into RACF, including automated clean-up of prior DB2 access permissions
● Separation of duties in provisioning access
zSecure Audit / Alert and InfoSphere Guardium (Server Operating System and Data):
● Continuous, policy-based, real-time monitoring
● Infrastructure scanning for missing patches, misconfigurations and other vulnerabilities
● Automated Compliance Protection
● Knowledge base for compliance reports with SOX, PCI DSS, etc.
QRadar SIEM (Security Intelligence):
● Provides contextual and actionable surveillance to detect and remediate threats
● Identifies changes in behavior against applications, hosts, servers and network
● Correlates, analyzes and reduces real-time data into actionable offenses
Improve Mainframe Security with IBM Security zSecure
Administration management:
Reduce administrative overhead with security management tasks
Enforce security policies by blocking dangerous commands and potential errors
RACF data set cleanup of unused security profiles and inactive / terminated users
Security audit and compliance:
Prevent abuse of special roles and authorization with privileged user monitoring
Enhanced data collection of SMF audit information from: RACF, DB2, CICS, IMS, MQ, SKLM, WAS, UNIX, Linux on z Systems, OMEGAMON XE on z/OS, FTP, Communication Server, TCP/IP, PDSE and more
Automated remediation to detect and prioritize potential threats with security event analysis
Real-time alerts of potential threats and vulnerabilities
Compliance monitoring and reporting: PCI-DSS, STIGs, GSD331, and site-defined requirements
Comprehensive customized audit reporting
Detect harmful system security settings with automated configuration change checking
z Systems products enable integration with QRadar
Event sources from z Systems: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2
Guardium: DB2, IMS, VSAM
zSecure: z/OS, RACF, ACF2, TSS, CICS
AppScan: Web Apps, Mobile Apps, Web Services, Desktop Apps
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
Learn more about IBM Security zSecure solutions
zSecure website
zSecure product library
zSecure information center
zSecure latest release
zSecure forum
zSecure Redbook
Discover the latest IBM solutions and hear real-life experiences from IBM clients who are working with us to drive advanced security controls into their organizations
IBM Security @ Interconnect delivers:
Three Days of keynotes and general sessions featuring industry thought leaders
100+ Security Sessions including hands-on labs and certification testing
Solution Expo featuring demonstrations of the latest products and services from IBM Security and IBM partners
More Networking Events than ever to expand and strengthen your sphere of influence
Register at ibm.com/interconnect today!
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY