IBM Messaging Security: Why Securing your environment is important
Robert Parker – [email protected]
Leif Davidsen – [email protected]
IBM Hursley – UK
Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Digital Enterprise
Reliability, security and scalability for Business Critical systems
• Always on, always available
• Security, control and governance
Speed and agility to drive innovation and growth
• Explore, adopt, adapt
• Rapid, iterative prototypes
A New Era of Teamwork
LoB roles and CIO roles: Application Developer, LoB Developer, Integration Architect, Administrator/Developer
© 2015 IBM Corporation
What pressures is a business under?
Pain point: “New information, systems and services are springing up everywhere, and all need to be connected!”
Pain point: “Configuration, maintenance and operation of infrastructure take too long”
Pain point: “Deployments take months instead of hours”
Pain points: “Our developers need to create engaging new apps fast, and make them interact with existing infrastructure”
“I want to use the skills I have and not be forced to waste time learning stuff I won’t need”
Connectivity is exploding in your infrastructure
• Connectivity in business infrastructure is increasing
– More information, more systems, more services, deployed anywhere
• Connect systems together
– Deliver timely updates of targeted data
– Gain business insight
– Applications and data become valuable assets, not growing costs
• New sources of data are changing the world
– However data without connectivity becomes a burden not an asset
The realities of an increasingly connected environment
• Increasing connectivity increases complexity
– Complexity is not just defining, building, operating environments but complexity in security as well
• What is a secure environment for an IT system?
– Connected systems are almost the definition of an insecure environment
– Every system represents a point of attack/risk for your applications and data
– Adding multiple security layers across multiple systems is likely to create an unusable environment
• Not to mention huge performance implications
MQ at the heart of applications
Figure: choices for MQ deployment, on-premises and cloud (IBM MQ, IBM MQ Advanced, IBM MQ Appliance, MQ cloud options, app access and partner connections) forming an Enterprise MQ Backbone that connects and moves your critical enterprise data.
Pressures deflecting from security as a priority
• Complex IT environments are too challenging
– Simpler approach required – possibly helped by MQ
– Speed of implementation and change is essential
• System performance and throughput
• Time taken to configure and achieve desired secure outcome
• Pressure on skills and resources
– More generalists
– Fewer specialists – whether MQ or security
• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions
• Security seen as burden and cost rather than a business asset
• Focus on IT/Resource spend on positive business outcomes
What are the costs of security risks?
• Figures used in this presentation: 2015 Cost of Data Breach Study from Ponemon Institute and IBM – see it here: http://www-03.ibm.com/security/data-breach/
Global cost per record (2014 data): $154, a 6% increase on 2013 figures
Global cost per breach (2014 data): $3.79M, an 8% increase on 2013 figures
2014 cost per record of data breach, per industry (source: Ponemon Institute Research Report, page 9, Figure 4 – per capita cost by industry classification, consolidated view, n=350, measured in US$)
Certain industries have higher data breach costs. Heavily regulated industries such as healthcare, education, pharmaceutical and financial services have a per capita data breach cost substantially above the overall mean of $154. Public sector, transportation, research and media organizations have a per capita cost well below the overall mean value.
While the cost of data breach stayed relatively constant for most industries, the retail sector experienced a significant increase from $105 in 2014 to $165 in 2015. Media reporting of these events and consumers’ concerns about identity theft caused retail companies to spend more money to address the consequences of data breaches.
Industry          Cost per record (US$)
Health            $363
Education         $300
Pharmaceuticals   $220
Financial         $215
Communications    $179
Retail            $165
Industrial        $155
Services          $137
Consumer          $136
Energy            $132
Hospitality       $129
Technology        $127
Media             $126
Research          $124
Transportation    $121
Public sector     $68
Highly regulated industries have the highest costs per record
Retail saw a 57% increase in cost per record ($105 to $165)
How to protect against a breach
Network security advice from @swiftonsecurity
Can you afford to take risks given MQ’s connectivity?
• Your IT environment is becoming hyper-connected.
– You need to secure your systems – MQ systems, applications, and the data flowing both within MQ and around your enterprise
• You need to understand the risks if you don’t secure them
• You need to understand the risks if you secure them inefficiently
• Different types of threat require different security measures
– External threats to your business
• ‘Mass-market’ attempts
• Targeted attempts
– Internal threats
• Disaffected employees
• Errors or poor processes
• Regulatory compliance
– Industry, legal or other types of rules/regulations
• Business directives
– Corporate directives to be met
The burden of proof
• Being secure is not enough – you need to prove you are secure
• The most secure system in the world is nothing without being able to pass an audit
– Similar to use of MQ – not just about delivering the message; it is knowing you have delivered the message
• Security is more than just authentication, authorization and encryption
–Process
–Logging
–Records
• Every step from initial configuration, through to removal of access, and logging of failed attempts must be verifiable
Implications of applying security
• Adds complexity to configuration, operation, maintenance – not just to MQ but to your business and processes
– Who manages security for your MQ environment?
• What other MQ access do they have?
– Is MQ security done globally, locally, by system?
• Does it link seamlessly to other systems to provide complete end-to-end security?
• Authentication
– System specific, repository
• Authorisation
– Users, roles, groups?
• Encryption
– Data in flight? Data at rest?
• Logging, auditing
– Prove to yourself
– Prove to auditor
• When is the best time to design and implement security for your system?
Steps for implementing MQ Security
Security provided on Client to Queue Manager connections, in the order the checks are applied:
Channel Authentication (BLOCKADDR) → SSL/TLS → Channel Authentication (ADDR/USER/SSL Map) → Security Exit → Connection Authentication → Channel Authentication (BLOCKUSER) → Authorization
Security provided on Queue Manager to Queue Manager connections, in the order the checks are applied:
Channel Authentication (BLOCKADDR) → SSL/TLS → Channel Authentication (ADDR/QMGR/SSL Map) → Security Exit → Authorization
The Queue Manager to Queue Manager sequence also relies on the MQ Protocol check (see Additional Security).
Connection Authentication
• Authentication is used to force clients to identify themselves.
• It is usually used in combination with authorization.
– First ask users to prove who they are, then give them authority to do only what you want them to be able to do.
• Connection authentication was added as a feature of MQ in version 8
• Can be used in combination with channel authentication records to
provide granular control over who has to provide valid credentials.
Authorization
• Authorization is used to limit what connected applications can do.
– Stops unauthorized users from viewing, editing or deleting objects they do not have permission for.
• Authority to perform an action must be granted explicitly.
– By default a user/group has no authority (on distributed platforms the exception is the mqm group, whose members are MQ administrators with full authority)
• Best practice is to only grant the minimum required authority
Filtering with Channel Authentication
• Allows granular control over connections
• Allows you to block all connections that you do not trust
– Set up a whitelist to only allow the connections you trust
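The client-to-queue-manager sequence from “Steps for implementing MQ Security” together with the connection authentication, authorization and channel authentication slides above, written out as one runmqsc script. This is an added example, not code from the slides or from IBM; the queue manager QM1, channel APP.SVRCONN, OS group appusers, MCAUSER appuser1, the 10.0.0.* and 192.0.2.* address ranges and the certificate DN are assumed names.

```shell
#!/bin/sh
# Added example (not from the slides): the client-channel checks as MQSC for
# one SVRCONN channel, in the order MQ evaluates them. Assumed names: queue
# manager QM1, channel APP.SVRCONN, OS group appusers, MCAUSER appuser1,
# client network 10.0.0.*, blocked network 192.0.2.*, certificate DN below.
set -eu

QMGR="${QMGR:-QM1}"

# Emit the MQSC as text so it can be reviewed (and tested) before it is applied.
gen_mqsc() {
  cat <<'EOF'
* 1. BLOCKADDR: addresses refused at the listener, before TLS or any channel code runs.
SET CHLAUTH(*) TYPE(BLOCKADDR) ADDRLIST('192.0.2.*') ACTION(REPLACE)
* 2. TLS: a current CipherSpec and a mandatory client certificate. Without
*    SSLCAUTH(REQUIRED) the SSLPEERMAP rule in step 3 has nothing to match.
ALTER CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) SSLCAUTH(REQUIRED)
* 3. Mapping: only the expected certificate from the expected network is admitted,
*    and it runs as a fixed MCAUSER rather than whatever user id the client asserts.
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('CN=app1,OU=payments,O=Example') ADDRESS('10.0.0.*') USERSRC(MAP) MCAUSER('appuser1') ACTION(REPLACE)
*    Backstop for the channel: anything not matched above gets no access (the whitelist).
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
* 4. Security exit: none on this channel.
* 5. Connection authentication (MQ v8 and later): every client must supply a valid
*    OS user id and password; FAILDLAY slows down password guessing.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) FAILDLAY(5) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)
* 6. BLOCKUSER: MQ administrators never arrive over a client channel, whatever step 3 mapped.
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
* 7. Authorization: least privilege for the application group and nothing else.
SET AUTHREC OBJTYPE(QMGR) GROUP('appusers') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE(APP.REQUEST) OBJTYPE(QUEUE) GROUP('appusers') AUTHADD(PUT)
SET AUTHREC PROFILE(APP.REPLY) OBJTYPE(QUEUE) GROUP('appusers') AUTHADD(GET)
REFRESH SECURITY
EOF
}

# Number of CHLAUTH rules in the generated script; a cheap sanity check for reviews.
chlauth_rule_count() { gen_mqsc | grep -c '^SET CHLAUTH'; }

# Apply to the running queue manager when runmqsc is on the PATH; otherwise dry-run.
apply() {
  if command -v runmqsc >/dev/null 2>&1; then
    gen_mqsc | runmqsc "$QMGR"
  else
    echo "runmqsc not found; dry run for $QMGR:" >&2
    gen_mqsc
  fi
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it with no arguments to print the MQSC for review, or with `apply` to pipe it into runmqsc. The BLOCKUSER rule is the last gate before authorization, so a mapping mistake in step 3 that hands an administrative id to a client still fails closed.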
SSL/TLS Encryption
• SSL/TLS is used for two reasons in MQ:
– Authentication with a Queue Manager
– Encrypting and protecting data in transit between a client or Queue Manager and destination Queue Manager.
• Transmission encryption using SSL/TLS prevents unauthorised users
from reading your communications and messages in transit.
• As IBM and other organisations discover weak CipherSpecs, MQ
deprecates vulnerable CipherSpecs
– Alerts for weak CipherSpecs given using Technotes
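A check for the deprecation point above: find channels that still run without TLS or on a CipherSpec that should be retired. This is an added example, not from the slides or from IBM. The runmqsc DISPLAY CHANNEL command is real; the list of CipherSpecs to retire is illustrative (SSL 3.0, NULL, RC4, DES and export-grade names) and must be refreshed from IBM’s current CipherSpec table and Technotes; the queue manager QM1, the channel names and the sample runmqsc output are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): flag channels whose SSLCIPH is blank or on
# a list of CipherSpecs to retire. The list is illustrative; refresh it from IBM's
# current CipherSpec table and Technotes before relying on it.
set -eu

WEAK_CIPHERSPECS='NULL_MD5 NULL_SHA RC4_MD5_EXPORT RC4_MD5_US RC4_SHA_US RC2_MD5_EXPORT
DES_SHA_EXPORT RC4_56_SHA_EXPORT1024 DES_SHA_EXPORT1024 TRIPLE_DES_SHA_US
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_RC4_128_SHA256 TLS_RSA_WITH_3DES_EDE_CBC_SHA'

# Reads runmqsc "DISPLAY CHANNEL(*) CHLTYPE SSLCIPH SSLCAUTH" output on stdin and
# prints one line per problem: "<channel> NO-TLS" or "<channel> WEAK <cipherspec>".
weak_cipherspecs() {
  awk -v weak="$WEAK_CIPHERSPECS" '
    BEGIN { n = split(weak, w, /[ \n]+/); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    match($0, /CHANNEL\([^)]*\)/) { chan = substr($0, RSTART + 8, RLENGTH - 9) }
    match($0, /SSLCIPH\([^)]*\)/) {
      c = substr($0, RSTART + 8, RLENGTH - 9)
      gsub(/ /, "", c)                      # SSLCIPH( ) means no TLS at all
      if (c == "")       print chan " NO-TLS"
      else if (c in bad) print chan " WEAK " c
    }'
}

# Constructed sample of runmqsc output (not captured from a real queue manager).
sample_display() {
  cat <<'EOF'
     1 : DISPLAY CHANNEL(*) CHLTYPE SSLCIPH SSLCAUTH
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(RC4_SHA_US)                     SSLCAUTH(OPTIONAL)
AMQ8414: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   SSLCIPH( )                              SSLCAUTH(OPTIONAL)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384)   SSLCAUTH(REQUIRED)
EOF
}

audit_sample() { sample_display | weak_cipherspecs; }

# The same filter over a live queue manager (QM1 is an assumed name).
audit_live() {
  echo "DISPLAY CHANNEL(*) CHLTYPE SSLCIPH SSLCAUTH" | runmqsc "${QMGR:-QM1}" | weak_cipherspecs
}

audit_sample
```

On the sample this reports APP.SVRCONN as weak and LEGACY.SVRCONN as running without TLS, and says nothing about TO.QM2. Changing SSLCIPH on a channel requires the same value at both ends, so the output is a worklist for both administrators, not a one-sided fix.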
Security Exits
• Security exits are bespoke, customer-created exits that are run during the security checks.
• Prior to MQ v8 a security exit was used in MVS to supply connection
authentication capabilities
– CSQ4BCX3
Additional Security
• MQ Protocol
– Prevents unauthorised users from creating unsupported connections
• For example Using client application to connect to a Queue Manager to Queue Manager channel.
• AMS
– AMS provides a higher level of protection to messages
– It is an end-to-end security model
• Messages are protected from creation until destruction
– Messages can be protected so that only authorised users can see message data
• This means even MQ Administrators cannot view a message.
– Messages are protected both in transit and at rest
• Helps meet compliance requirements for certain data types (HIPAA, PCI, etc.)
Auditing
• For every security failure, MQ can write out an error message for
administrators to check
• Additionally MQ can output event messages which can be monitored
for unauthorized access attempts.
• Both allow you to keep track of who does what to your MQ Queue
Manager and its objects.
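The error-message side of auditing, worked through on a queue manager error log: count each security failure and pull out the user ids and remote addresses it names, so repeat offenders stand out. This is an added example, not from the slides or from IBM. AMQ9557 (connection authentication failed), AMQ9777 (channel blocked by a CHLAUTH address rule) and AMQ8077 (insufficient authority) are IBM MQ message numbers, but the log excerpt is constructed, its wording only approximates the real text, and the user names, addresses and queue manager QM1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): triage of security failures in a queue
# manager error log (AMQERR01.LOG). The excerpt below is constructed, not
# captured; the message numbers are real IBM MQ ones, the text is approximate.
set -eu

sample_log() {
  cat <<'EOF'
03/02/2016 09:14:22 - Process(12345.6) User(mqm) Program(amqrmppa)

AMQ9557: Queue Manager User ID initialization failed for 'alice'.

EXPLANATION:
The call to initialize the User ID 'alice' failed with CompCode 2 and Reason 2035.
----- cmqxrsrv.c : 1234 --------------------------------------------------------
03/02/2016 09:14:31 - Process(12345.6) User(mqm) Program(amqrmppa)

AMQ9557: Queue Manager User ID initialization failed for 'alice'.

EXPLANATION:
The call to initialize the User ID 'alice' failed with CompCode 2 and Reason 2035.
----- cmqxrsrv.c : 1234 --------------------------------------------------------
03/02/2016 09:20:05 - Process(12345.6) User(mqm) Program(amqrmppa)

AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'APP.SVRCONN' was blocked from address '203.0.113.7' because
the active values of the channel matched a record configured with USERSRC(NOACCESS).
----- cmqxrmsa.c : 2345 --------------------------------------------------------
03/02/2016 09:25:40 - Process(12345.6) User(mqm) Program(amqzlaa0)

AMQ8077: Entity 'bob' has insufficient authority to access object 'APP.REQUEST'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: get
----- cmqxlaa.c : 3456 ---------------------------------------------------------
EOF
}

# One line per message number: the count, then the user ids or remote addresses
# named by each occurrence. Reads the log on stdin.
security_summary() {
  awk -v q="'" '
    /^AMQ[0-9][0-9][0-9][0-9]:/ {
      code = substr($1, 1, 7); count[code]++
      if (match($0, q "[^" q "]*" q))                  # first quoted value: user id or entity
        who[code] = who[code] " " substr($0, RSTART + 1, RLENGTH - 2)
    }
    code != "" && match($0, "from address " q "[^" q "]*" q) {
      who[code] = who[code] " " substr($0, RSTART + 14, RLENGTH - 15)
    }
    /^-----/ { code = "" }                                # end of the record
    END { for (c in count) print c, count[c] who[c] }
  ' | sort
}

# Count of one message number in the constructed sample (AMQ9557 gives 2).
failures_in_sample() { sample_log | security_summary | awk -v c="$1" '$1 == c { print $2 }'; }

# Over the sample; for a live queue manager QM1 (assumed name) use
#   security_summary < /var/mqm/qmgrs/QM1/errors/AMQERR01.LOG
sample_log | security_summary
```

The output is three lines: AMQ8077 once for bob, AMQ9557 twice for alice, AMQ9777 once from 203.0.113.7. The event-message route on the same slide is the one to feed a monitoring tool: ALTER QMGR AUTHOREV(ENABLED) makes the queue manager put an authority event on SYSTEM.ADMIN.QMGR.EVENT for each authorization failure, which avoids scraping logs at all.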
Much more detail in… 3429A How to Transform your Messaging Environment to a Secure Messaging Environment – Mandalay Bay NORTH, South Pacific Ballroom I, Wed 24-Feb, 3:45 PM – 4:30 PM
Hybrid Messaging from the IBM experts at InterConnect 2016
Sunday
14:30-15:30 6408 Hybrid messaging roadmap (InnerCircle)
Monday
10:30-11:30 3592 New MQ features
            3452 Managing applications
12:00-13:00 2835 MQ on z/OS and Distributed
15:00-16:00 3470 Latest MQ z/OS features
            2833 Where is my message?
            3544 MQ Light in an MQ infrastructure
16:30-17:30 3573 Hybrid cloud messaging
            2941 MQ Advanced
Tuesday
08:30-09:30 3540 The MQ Light API
12:00-13:00 3456 The IBM MQ Appliance
13:15-14:15 3499 Introducing Message Hub
            3458 MQ Appliance administration
14:30-15:30 6432 MQ updates and futures (InnerCircle)
            2849 Messaging feedback roundtable
16:00-17:00 3544 MQ Light in an MQ infrastructure
            3513 MQ hands on lab
Wednesday
08:30-09:30 3602 Managing your MQ environment
12:00-13:00 3613 Designing MQ self service
            6408 Hybrid messaging roadmap (InnerCircle)
13:15-14:00 3416 HA and DR with MQ
            3433 Why secure your messaging?
15:45-16:30 3429 Securing MQ
            2847 Meet the messaging experts
16:00-17:00 3508 MQ Light hands on lab
16:45-17:30 2275 Migrating to the IBM MQ Appliance
Thursday
08:30-09:15 3420 MQ Clustering
            2931 Business agility with self service MQ
09:30-10:15 3479 MQ z/OS clusters and shared queue
            3450 Optimising MQ applications
            2849 Messaging feedback roundtable
10:30-11:15 3465 MQ Appliance high availability
            3481 MQ z/OS messaging connectivity
11:30-12:15 3474 Active-active messaging
            3537 Monitoring and managing MQ
            3425 MQ publish/subscribe
Find us at the EXPO: Hybrid Integration peds 65-68
Check out the Hybrid Messaging sub topic under the Hybrid Integration topic for further customer and business partner sessions
European & North American Hursley Summit 2016
Integration across applications, data and processes for mobile and cloud
May 10 – 12 & May 16 - 19 | IBM Hursley Lab #IBMhursum
• Hybrid Integration Strategy • Cloud Integration • Accelerating Digital Business • Integration Bus • IBM MQ • API Management • BPM / ODM • DataPower • CICS • WAS
Spend time with IBM experts, at the home of many of IBM's software products. This summit is by invitation only - a limited seating engagement for executives and architects who would like to learn how to harness IBM connectivity and application integration solutions to deliver access to data, applications and information regardless of platform, device or data formats - across both on-premises and cloud environments.
Learn more about how we are transforming our technologies using Hybrid Cloud to enable you to harness your existing assets to achieve greater capacity, efficiency and integration across platforms, whilst retaining the security, capability and resiliency you would expect from IBM.
• Discover and influence IBM's strategy for key messaging and integration technologies, including IBM MQ, IBM Integration Bus and IBM API Management
• Engage in technical sessions and one-on-one interactions with top IBM Hursley Lab architects and senior executives to refine your 2016 strategic plans
• Expand your network with industry-leading peers from other companies
• Plus learn about other IBM technology, such as IBM intelligent business process management solutions (BPM & ODM), DataPower gateways, CICS and WebSphere Application Server on-premise and cloud
This event is conducted under a Non-Disclosure agreement, so we will be able to share product directions with you.
Hursley: a visit to talk about
The IBM Hursley Lab is the largest software development facility in Europe; situated in a beautiful 100 acre park with a historic setting. Attendees stay in the local city of Winchester which is a vibrant heritage destination with many attractions and classical architecture including a magnificent cathedral. Enjoy the award-winning pubs and restaurants and a tempting array of independent shops.
Talk to your IBM rep to find out more
Be part of the conversation
Keep up to date with the latest information, join the conversations and help to shape the event to meet your interests. Use #IBMhursum in your Tweets to keep in touch.
Notices and Disclaimers
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You
Your feedback is important to us. Please access the InterConnect 2016 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.