
Mainframe Security: A Practical Overview

JOE STURONAS - CTO - PKWARE, INC.

• Founded: 1986
• 30,000 Enterprise Customers
• 200 Government Entities
• Notable Products: PKZIP, SecureZIP, Viivo, SmartCrypt (Smart Encryption Platform)
• Milwaukee (Headquarters), Dayton, New York, London

Agenda

• Level set on Mainframe
• Mainframe Security Overview
• Data Security Interoperability
• Demo

Check all that Apply:

• Our security department doesn’t cover the mainframe.
• Our mainframe has audit exclusions that others do not.
• Our mainframe system programmers don’t work well with server and network administrators.

Mainframe Evolution

Mainframe 51st Birthday: IBM System 360 • April 1964

• 1970 – System/370 - Virtual Addressing
• 1983 – System/370-XA - 31-bit Extended Architecture
• 1988 – ESA/370 - Dataspaces and Hyperspaces
• 1990 – System/390 - CMOS Technology
• 2000 – z/Architecture – 64-bit Architecture
• 2015 – z Systems – z13, 168 CP’s

Mainframe Timeline

• IBM zBC12: 18 x 4.2GHz CP’s, 489GB RAM
• IBM zEC12: 120 x 5.5GHz CP’s, 3TB RAM

Mainframe Virtualization

Mainframe has been virtualized from the beginning.

(Diagram: on IBM System z, PR/SM LPARs host z/OS directly and multiple Linux guests under z/VM.)

Common Workloads

• Batch Job: process data to perform a particular task (Input Data → Application Program → Output Data)
• Online (interactive) transaction: access shared data on behalf of an online user (Query → Application Program → Reply)

Common Applications

Banks, Insurance, Travel, Manufacturing, Government

Common Subsystems

Languages
• COBOL, Java, Assembler, PL/I, JCL

Subsystems
• CICS, DB2, IMS, MQ, Websphere, OMVS
• zBX

Mainframe Security Overview

The Three Elements of a Breach

1. They have to get in
2. They have to get to the information
3. They have to get it out

z/OS Security Servers

• IBM RACF
• CA ACF2
• CA Top Secret

All access to the system requires authentication with RACF/ACF2/Top Secret.

Typical Server Security Issues

• Buffer Overflow
• Server Authentication
• Rogue Program Access
• TCP/IP stacks, ports and network addresses

Data Centric Encryption – Where it “Fits”

(Diagram labels:)
• Point Solution Encryption (Email, SharePoint, Office365)
• FDE
• Transparent Encryption
• Data Exchange SSL/TLS
• Brokers
• Gateways

The diagram contrasts the “Focus of Compliance” with “Where Breaches are Happening”.

Data Centric Encryption

• Symmetric Key Encryption
• Asymmetric Key Encryption
• Digital Signing and Authentication

Crypto Facilities: IBM Hardware Crypto

Machine   Type   Algorithms Supported         Crypto Hardware
z196      2817   DES, 3DES, AES 128/192/256   CPACF, CEX3C
z114      2818   DES, 3DES, AES 128/192/256   CPACF, CEX3C
zEC12     2827   DES, 3DES, AES 128/192/256   CPACF, CEX3C, CEX4C
zBC12     2828   DES, 3DES, AES 128/192/256   CPACF, CEX3C, CEX4C
z13       2964   DES, 3DES, AES 128/192/256   CPACF, CEX4C, CEX5C

Key Exposures: Symmetric Key Operational Comparison

CLEAR – Fast, But Risky
• Crypto engine: ICSF Software -or- System z CPACF
• Key: Passphrase Value -or- ICSF CKDS Registered (clear)

PROTECTED – Fast & Secure
• Crypto engine: System z CPACF
• Key: ICSF CKDS Registered (encrypted)

SECURE – Slow
• Crypto engine: Cryptographic Card (CEX2C/CEX3C/CEX4C)
• Key: ICSF CKDS Registered (encrypted)

Demo

Demo RACF

Demo UNIX File System Support

Demo – LPAR PKW1

Demo 1 – PKW1

Batch job to create encrypted ZIP file

//ZIP1     EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//JASOUT   DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(1,1)),
//            DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN    DD *
-ENCRYPTION_METHOD(AES256)
-PWD(PKWARE)
-COMPRESSION_LEVEL(1)
-COMPRESSION_METHOD(DEFLATE32)
-DATA_TYPE(TEXT)
-ARCHIVE_OUTFILE(JASOUT)
-ACTION(ADD)
-VERBOSE
-ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
-ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)

Batch job to email encrypted ZIP file

//TSOB     EXEC PGM=IKJEFT1B
//SYSEXEC  DD DISP=SHR,DSN=USER.CLIST
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//DD1      DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
//SYSTSIN  DD *
%XMITIP [email protected] +
  CC ( [email protected] ) +
  MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
  SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
  FROM [email protected] +
  FILEDD DD1 +
  Format (BIN) +
  Filename jas.zip

Output from Batch Job

J E S 2  J O B  L O G  --  S Y S T E M  P K W 1  --  N
15.54.04 JOB39394 ---- FRIDAY,    11 SEP 2015 ----
15.54.04 JOB39394 IRR010I  USERID JAS      IS ASSIGNED TO THIS JOB.
15.54.04 JOB39394 ICH70001I JAS      LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
15.54.04 JOB39394 $HASP373 JASA     STARTED - INIT 1    - CLASS A        - SYS
15.54.05 JOB39394 HTRT01I                                   CPU (Total)
15.54.05 JOB39394 HTRT02I Program   Stepname ProcStep RC   I/O    hh:mm:ss.th
15.54.05 JOB39394 HTRT03I SECZIP    ZIP1              00   686    00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B  TSOB              00   499    00.25
15.54.06 JOB39394 HTRT06I
15.54.06 JOB39394 HTRT04I JASA     Job Service Totals      1185   00.42
15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10   IO Cost $ 1.18
15.54.06 JOB39394 $HASP395 JASA     ENDED
------ JES2 JOB STATISTICS ------
  11 SEP 2015 JOB EXECUTION DATE
           38 CARDS READ
          855 SYSOUT PRINT RECORDS
            0 SYSOUT PUNCH RECORDS

Output from Batch Job

- PKWARE Inc.
-
- Program Name    SECZIP                     hh:mm:ss.th
- Step Name       ZIP1     Elapsed Time         01.46
- Procedure Step           TCB CPU Time         00.15
- Return Code     00       SRB CPU Time         00.02
- Total I/O       686      Total CPU Time       00.17
- I/O Cost        $ 0.68   CPU Cost             $ 0.04
- Service Units   1154
-
- PKWARE Inc.
-
- Program Name    IKJEFT1B                   hh:mm:ss.th
- Step Name       TSOB     Elapsed Time         00.73
- Procedure Step           TCB CPU Time         00.24
- Return Code     00       SRB CPU Time         00.01
- Total I/O       499      Total CPU Time       00.25
- I/O Cost        $ 0.49   CPU Cost             $ 0.06
- Service Units   1870

Output from Batch Job

ZPEN309I z/Architecture Hardware Available -zBC12
ZPEN313I CSNBSYE System Capable with ICSF when available.
ZPEN313C AES is available. DES/3DES is available.
ZPEN313C CPACF Protected Keys are available.
ZPEN334I PKA callable services are enabled.
ZPEN315I AES(128, 192, 256) Clear Key Hardware Available -zBC12
ZPEN310I CP Assist For Cryptographic Functions Available
ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
ZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGen
ZPCM017I A total of 1 ADD/UPDATE candidate data sets were identified.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM253I ADDED File JAS.TEXT.LIB(CRC)
ZPAM254I as crc.txt
ZPAM255I (DEFLATED 57%/56%) SecureZIP(R) AES256 ; DATA SIZE 1,600; ZIP SIZE
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
ZPAM253I ADDED File JAS.TEXT.LIB(EBCDIC)
ZPAM254I as ebcdic.txt
ZPAM255I (DEFLATED 34%/32%) SecureZIP(R) AES256 ; DATA SIZE 480; ZIP SIZE 32
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
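As an added example that is not part of the presentation or of PKWARE's software, the following Python audit parses SecureZIP SYSPRINT messages of the kind shown above and reports members that were not encrypted with the required method, or that were protected with a passphrase-derived key (the CLEAR class in the key exposure comparison). The sample output is constructed: the truncated lines are completed with made-up sizes, and the message format of an unencrypted member is an assumption.

```python
import re
# Constructed sample of SecureZIP for z/OS SYSPRINT output, modelled on the message
# format in the demo. The NOTES member is made up to show an entry the product did
# not encrypt; its exact unencrypted message format is an assumption.
SAMPLE_SYSPRINT = """\
ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHOD
ZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGen
ZPAM253I ADDED File JAS.TEXT.LIB(CRC)
ZPAM254I as crc.txt
ZPAM255I (DEFLATED 57%/56%) SecureZIP(R) AES256 ; DATA SIZE 1,600; ZIP SIZE 700;
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key );
ZPAM253I ADDED File JAS.TEXT.LIB(NOTES)
ZPAM254I as notes.txt
ZPAM255I (DEFLATED 40%/40%) DATA SIZE 900; ZIP SIZE 540;
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 12 / 12);
"""

def parse_sysprint(text):
    """Group ZPAM253I/255I/255C messages into one dict per archived member and
    record which cryptographic facility each ZPEN205I message selected."""
    entries, facilities, cur = [], {}, None
    for line in text.splitlines():
        msg, _, body = line.partition(" ")
        if msg == "ZPEN205I":
            m = re.search(r"\{(\w+)\s*\} is selected for (\w+)", body)
            if m:
                facilities[m.group(2)] = m.group(1)
        elif msg == "ZPAM253I":                      # start of a new member
            cur = {"dataset": body.removeprefix("ADDED File ").strip(),
                   "method": "", "key_type": ""}
            entries.append(cur)
        elif msg == "ZPAM255I" and cur:              # "SecureZIP(R) AES256" tag
            m = re.search(r"SecureZIP\(R\)\s+(\S+)", body)
            cur["method"] = m.group(1) if m else ""
        elif msg == "ZPAM255C" and cur:              # "Encrypt(Password-Key )"
            m = re.search(r"Encrypt\(([^)]*)\)", body)
            cur["key_type"] = m.group(1).strip() if m else ""
    return entries, facilities

def audit(text, required_method="AES256"):
    """Return policy findings; an empty list means every member met policy."""
    entries, facilities = parse_sysprint(text)
    findings = []
    if facilities.get("ENCRYPTION_METHOD") != "IBMHardware":
        findings.append("encryption was not performed by IBM hardware crypto")
    for e in entries:
        if e["method"] != required_method:
            findings.append(f"{e['dataset']}: method {e['method'] or 'NONE'}, want {required_method}")
        if e["key_type"].startswith("Password"):
            findings.append(f"{e['dataset']}: passphrase-derived key (clear-key class)")
    return findings
```

Run `audit(SAMPLE_SYSPRINT)` to list the two findings for the constructed sample; feed it a real SYSPRINT capture to check a production job the same way.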

Demo - Mobile

Q & A

JOE STURONAS - CTO - PKWARE, INC.