3433 IBM messaging security why securing your environment is important-feb2016.4

Page 1

IBM Messaging Security: Why Securing your environment is important

Robert Parker – [email protected]

Leif Davidsen – [email protected]

IBM Hursley – UK

Page 2

Please Note:

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

Digital Enterprise

A New Era of Teamwork

Reliability, security and scalability for Business Critical systems
• Always on, always available
• Security, control and governance

Speed and agility to drive innovation and growth
• Explore, adopt, adapt
• Rapid, iterative prototypes

LoB roles / CIO roles

Application Developer, LoB Developer, Integration Architect, Administrator/Developer

Page 4

© 2015 IBM Corporation

What pressures is a business under?

Pain point:
“New information, systems and services are springing up everywhere, and all need to be connected!”
“Configuration, maintenance and operation of infrastructure take too long”

Pain point:
“Deployments take months instead of hours”

Pain points:
“Our developers need to create engaging new apps fast, and make them interact with existing infrastructure”
“I want to use the skills I have and not be forced to waste time learning stuff I won’t need”

Page 5

Connectivity is exploding in your infrastructure

Connectivity in business infrastructure is increasing
• More information, more systems, more services, deployed anywhere

Connect systems together
• Deliver timely updates of targeted data
• Gain business insight
• Applications and data become valuable assets, not growing costs

New sources of data are changing the world
• However, data without connectivity becomes a burden, not an asset

Page 6

The realities of an increasingly connected environment

• Increasing connectivity increases complexity

– Complexity is not just defining, building, operating environments but complexity in security as well

• What is a secure environment for an IT system?

– Connected systems are almost the definition of an insecure environment

– Every system represents a point of attack/risk for your applications and data

– Adding multiple security layers across multiple systems is likely to create an unusable environment

• Not to mention huge performance implications


Page 7

MQ at the heart of applications: connecting and moving your critical enterprise data

Diagram labels: IBM MQ, IBM MQ Appliance, IBM MQ Advanced, App Access, Partner, Enterprise MQ Backbone

Choices for MQ deployment: Cloud (MQ cloud options), On-Prem

Page 8

Pressures deflecting from security as a priority

• Complex IT environments are too challenging

– Simpler approach required – possibly helped by MQ

– Speed of implementation and change is essential

• System performance and throughput

• Time taken to configure and achieve desired secure outcome

• Pressure on skills and resources

– More generalists

– Fewer specialists – whether MQ or security

• Differences between systems

• Different rules and regulations for different countries

• Varying audit requirements between business divisions

• Security seen as burden and cost rather than a business asset

• Focus on IT/Resource spend on positive business outcomes


Page 9

What are the costs of security risks?

• Figures used in this presentation: 2015 Cost of Data Breach Study from Ponemon Institute and IBM – see it here: http://www-03.ibm.com/security/data-breach/

Global cost per record in 2014 (1): $154 – 6% increase on 2013 figures

Global cost per breach in 2014 (1): $3.79M – 8% increase on 2013 figures

(1) From the study cited above

Page 10

2014 Cost per record of data breach (per industry)

Source: Ponemon Institute© Research Report, page 9:

Certain industries have higher data breach costs. Figure 4 reports the per capita costs for the consolidated sample by industry classification. Heavily regulated industries such as healthcare, education, pharmaceutical and financial services have a per capita data breach cost substantially above the overall mean of $154. Public sector, transportation, research and media organizations have a per capita cost well below the overall mean value.

While the cost of data breach stayed relatively constant for most industries, the retail sector experienced a significant increase from $105 in 2014 to $165 in 2015. Media reporting of these events and consumers’ concerns about identity theft caused retail companies to spend more money to address the consequences of data breaches.

Figure 4. Per capita cost by industry classification. Consolidated view (n=350), measured in US$

Public sector: $68
Transportation: $121
Research: $124
Media: $126
Technology: $127
Hospitality: $129
Energy: $132
Consumer: $136
Services: $137
Industrial: $155
Retail: $165
Communications: $179
Financial: $215
Pharmaceuticals: $220
Education: $300
Health: $363

Highly regulated industries have the highest costs per breach

Retail saw a 57% increase in cost in 2014

Page 11

How to protect against a breach

Network security advice from @swiftonsecurity (image not reproduced)

Page 12

Can you afford to take risks given MQ’s connectivity?

• Your IT environment is becoming hyper-connected.
– You need to secure your systems – MQ systems, applications, and the data flowing both within MQ and around your enterprise

• You need to understand the risks if you don’t secure them

• You need to understand the risks if you secure them inefficiently

• Different types of threat require different security measures
– External threats to your business
• ‘Mass-market’ attempts
• Targeted attempts
– Internal threats
• Disaffected employees
• Errors or poor processes

• Regulatory compliance
– Industry, legal or other types of rules/regulations

• Business directives
– Corporate directives to be met

Page 13

The burden of proof

• Being secure is not enough – you need to prove you are secure

• The most secure system in the world is nothing without being able to pass an audit

– Similar to use of MQ – not just about delivering the message; it is knowing you have delivered the message

• Security is more than just authentication, authorization and encryption

– Process

– Logging

– Records

• Every step from initial configuration, through to removal of access, and logging of failed attempts must be verifiable


Page 14

Implications of applying security

• Adds complexity to configuration, operation, maintenance – not just to MQ but to your business and processes

– Who manages security for your MQ environment?

• What other MQ access do they have?

– Is MQ security done globally, locally, by system?

• Does it link seamlessly to other systems to provide complete end-to-end security

• Authentication

– System specific, repository

• Authorisation

– Users, roles, groups?

• Encryption

– Data in flight? Data at rest?

• Logging, auditing

– Prove to yourself

– Prove to auditor

• When is the best time to design and implement security for your system?

Page 15

Steps for implementing MQ Security

Page 16

Security provided on Client to Queue Manager connections

Layers shown in the diagram, in order:
• Channel Authentication (BLOCKADDR)
• SSL/TLS
• Channel Authentication (ADDR/USER/SSL Map)
• Security Exit
• Connection Authentication
• Channel Authentication (BLOCKUSER)
• Authorization

Page 17

Security provided on Queue Manager to Queue Manager connections

Layers shown in the diagram, in order:
• Channel Authentication (BLOCKADDR)
• SSL/TLS
• Channel Authentication (ADDR/QMGR/SSL Map)
• Security Exit
• Authorization
• MQ Protocol

Page 18

Connection Authentication

• Authentication is used to force clients to identify themselves.

• It is usually used in combination with authorization.
– First ask users to prove who they are, then give them authority to do only what you want them to be able to do.

• Connection authentication was added as a feature of MQ in version 8

• Can be used in combination with channel authentication records to provide granular control over who has to provide valid credentials.

Page 19

Authorization

• Authorization is used to limit what connected applications can do.
– Stops unauthorized users from viewing, editing or deleting objects they do not have permission to.

• Authority to perform an action has to be granted.
– By default a user/group will not have any authority

• Best practice is to only grant the minimum required authority

Page 20

Filtering with Channel Authentication

• Allows granular control over connections

• Allows you to block all connections that you do not trust
– Set up a whitelist to only allow the connections you trust

Page 21

SSL/TLS Encryption

• SSL/TLS is used for two reasons in MQ:
– Authentication with a Queue Manager
– Encrypting and protecting data in transit between a client or Queue Manager and the destination Queue Manager.

• Transmission encryption using SSL/TLS prevents unauthorised users from reading your communications and messages in transit.

• As IBM and other organisations discover weak CipherSpecs, MQ deprecates the vulnerable CipherSpecs
– Alerts for weak CipherSpecs are given using Technotes
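The layers of the client-to-queue-manager diagram (Page 16) and the controls of Pages 18 to 21, written out as the runmqsc commands that put them in place, in diagram order. This is an added example, not from the deck or from IBM documentation; the queue manager QM1, channel APP.SVRCONN, user appuser, queue names, certificate subject, key repository path, certificate label and IP ranges are all assumed placeholders.

```mqsc
* Added example (not from the deck): locking down one SVRCONN channel on QM1.
* Run with: runmqsc QM1 < secure-app-channel.mqsc   (file name assumed)

* BLOCKADDR: refuse connections from an address range before any TLS
* handshake happens. 192.0.2.* is a documentation range, used as a placeholder.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('192.0.2.*')

* SSL/TLS: the queue manager's key repository and certificate label
* (path and label are assumptions).
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key') CERTLABL('qm1cert')

* The application channel requires TLS with a non-deprecated CipherSpec and a
* client certificate (SSLCAUTH(REQUIRED)). MCAUSER('nobody') means that if no
* CHLAUTH rule maps an identity, the channel runs as an unprivileged user.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) +
       MCAUSER('nobody') REPLACE

* Channel authentication mapping (the whitelist of Page 20):
* deny every address on this channel by default...
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny for the app channel')
* ...and allow only the application's certificate from the application subnet,
* mapping it to appuser. CHCKCLNT(REQUIRED) makes this connection supply a
* valid user ID and password as well (the per-rule control of Page 18).
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=Example') +
    ADDRESS('10.20.30.*') USERSRC(MAP) MCAUSER('appuser') CHCKCLNT(REQUIRED) +
    DESCR('Trusted app identity from the app subnet')
* The records shipped with the queue manager stay in place, including
* SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN'), the BLOCKUSER layer
* that keeps MQ administrators from connecting over any channel.
ALTER QMGR CHLAUTH(ENABLED)

* Connection authentication: check passwords against the operating system,
* require them from client connections, and slow down failed attempts.
* ADOPTCTX(YES) adopts the authenticated ID for connections that no CHLAUTH
* rule maps explicitly.
DEFINE AUTHINFO('USE.OS.PASSWORDS') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
       CHCKLOCL(OPTIONAL) ADOPTCTX(YES) FAILDLAY(5) REPLACE
ALTER QMGR CONNAUTH('USE.OS.PASSWORDS')
REFRESH SECURITY TYPE(CONNAUTH)

* Authorization: grant appuser only the minimum it needs (queue names assumed).
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('appuser') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('APP.ORDERS.REQUEST') OBJTYPE(QUEUE) +
    PRINCIPAL('appuser') AUTHADD(PUT)
SET AUTHREC PROFILE('APP.ORDERS.REPLY') OBJTYPE(QUEUE) +
    PRINCIPAL('appuser') AUTHADD(GET, INQ)

* Pick up the key repository and channel changes.
REFRESH SECURITY TYPE(SSL)
```

Because the most specific CHLAUTH record wins rather than the first one, the SSLPEERMAP rule overrides the ADDRESS('*') default-deny record only for that certificate from that subnet.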

Page 22

Security Exits

• Security exits are bespoke, customer-created exits that are run during the security checks.

• Prior to MQ v8 a security exit was used on MVS to supply connection authentication capabilities
– CSQ4BCX3

Page 23

Additional Security

• MQ Protocol
– Prevents unauthorised users from creating unsupported connections
• For example, using a client application to connect to a Queue Manager to Queue Manager channel.

• AMS
– AMS provides a higher level of protection to messages
– It is an end-to-end security model
• Messages are protected from creation until destruction
– Messages can be protected so that only authorised users can see message data
• This means even MQ Administrators cannot view a message.
– Messages are protected both in transit and at rest
• Satisfies the standards compliance for certain data types (HIPAA, PCI, etc)

Page 24

Auditing

• For every security failure, MQ can write out an error message for administrators to check

• Additionally MQ can output event messages which can be monitored for unauthorized access attempts.

• Both allow you to keep track of who does what to your MQ Queue Manager and its objects.
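Proving the configuration, for the burden of proof of Page 13 and the auditing above: runmqsc commands that switch on the event messages the slide mentions, dry-run the channel authentication rules for one hypothetical connection, and display what an auditor will ask for. This is an added example, not from the deck; it assumes a queue manager QM1 with a SVRCONN channel APP.SVRCONN whose CHLAUTH rules map the certificate CN=app1,O=Example from 10.20.30.* to the user appuser, and all of those names and addresses are placeholders.

```mqsc
* Added example (not from the deck). Assumes QM1, channel APP.SVRCONN and the
* application identity appuser; all names and addresses are placeholders.

* 1. Turn on the event messages the Auditing slide refers to. Authority
*    failures arrive on SYSTEM.ADMIN.QMGR.EVENT; channel and TLS failures on
*    SYSTEM.ADMIN.CHANNEL.EVENT, where a monitoring tool can read them.
ALTER QMGR AUTHOREV(ENABLED) CHLEV(EXCEPTION) SSLEV(ENABLED)
DISPLAY QMGR AUTHOREV CHLEV SSLEV CONNAUTH CHLAUTH

* 2. Dry-run the CHLAUTH rules for a specific inbound connection without any
*    client attaching: RUNCHECK reports the record that would match and the
*    MCAUSER the channel would run under.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.20.30.5') +
        CLNTUSER('appuser') SSLPEER('CN=app1,O=Example')
* The same check from an address outside the allowed subnet should report the
* USERSRC(NOACCESS) default-deny record instead (203.0.113.7 is a
* documentation address used as a placeholder).
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('203.0.113.7') +
        CLNTUSER('appuser') SSLPEER('CN=app1,O=Example')

* 3. Evidence for the auditor: every channel authentication rule, every
*    authority record for the application identity, and the channel's TLS
*    and identity settings.
DISPLAY CHLAUTH('*') ALL
DISPLAY AUTHREC PRINCIPAL('appuser')
DISPLAY CHANNEL('APP.SVRCONN') SSLCIPH SSLCAUTH SSLPEER MCAUSER

* 4. Live connections: who is attached right now, from where, and under
*    which user ID.
DISPLAY CONN(*) TYPE(CONN) CHANNEL CONNAME USERID

* 5. Check that nobody is ignoring the events: unconsumed event messages
*    pile up on the event queues.
DISPLAY QSTATUS('SYSTEM.ADMIN.QMGR.EVENT') CURDEPTH
DISPLAY QSTATUS('SYSTEM.ADMIN.CHANNEL.EVENT') CURDEPTH
```

Keep the output of steps 1 to 3 with the change record, so that the audit trail shows the configuration as well as the failed attempts.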

Page 25

Much more detail in…

3429A – How to Transform your Messaging Environment to a Secure Messaging Environment

Mandalay Bay NORTH – South Pacific Ballroom I

Wed, 24-Feb, 3:45 PM – 4:30 PM

Page 26

Hybrid Messaging from the IBM experts at InterConnect 2016

Sunday
14:30-15:30 6408 Hybrid messaging roadmap (InnerCircle)

Monday
10:30-11:30 3592 New MQ features; 3452 Managing applications
12:00-13:00 2835 MQ on z/OS and Distributed
15:00-16:00 3470 Latest MQ z/OS features; 2833 Where is my message?; 3544 MQ Light in an MQ infrastructure
16:30-17:30 3573 Hybrid cloud messaging; 2941 MQ Advanced

Tuesday
08:30-09:30 3540 The MQ Light API
12:00-13:00 3456 The IBM MQ Appliance
13:15-14:15 3499 Introducing Message Hub; 3458 MQ Appliance administration
14:30-15:30 6432 MQ updates and futures (InnerCircle); 2849 Messaging feedback roundtable
16:00-17:00 3544 MQ Light in an MQ infrastructure; 3513 MQ hands on lab

Wednesday
08:30-09:30 3602 Managing your MQ environment
12:00-13:00 3613 Designing MQ self service; 6408 Hybrid messaging roadmap (InnerCircle)
13:15-14:00 3416 HA and DR with MQ; 3433 Why secure your messaging?
15:45-16:30 3429 Securing MQ; 2847 Meet the messaging experts
16:00-17:00 3508 MQ Light hands on lab
16:45-17:30 2275 Migrating to the IBM MQ Appliance

Thursday
08:30-09:15 3420 MQ Clustering; 2931 Business agility with self service MQ
09:30-10:15 3479 MQ z/OS clusters and shared queue; 3450 Optimising MQ applications; 2849 Messaging feedback roundtable
10:30-11:15 3465 MQ Appliance high availability; 3481 MQ z/OS messaging connectivity
11:30-12:15 3474 Active-active messaging; 3537 Monitoring and managing MQ; 3425 MQ publish/subscribe

Find us at the EXPO: Hybrid Integration peds 65-68

Check out the Hybrid Messaging sub topic under the Hybrid Integration topic for further customer and business partner sessions

Page 27

European & North American Hursley Summit 2016

Integration across applications, data and processes for mobile and cloud

May 10 – 12 & May 16 - 19 | IBM Hursley Lab #IBMhursum

Topics: Hybrid Integration Strategy • Cloud Integration • Accelerating Digital Business • Integration Bus • IBM MQ • API Management • BPM / ODM • DataPower • CICS • WAS

Spend time with IBM experts, at the home of many of IBM's software products. This summit is by invitation only - a limited seating engagement for executives and architects who would like to learn how to harness IBM connectivity and application integration solutions to deliver access to data, applications and information regardless of platform, device or data formats - across both on-premises and cloud environments. Learn more about how we are transforming our technologies using Hybrid Cloud to enable you to harness your existing assets to achieve greater capacity, efficiency and integration across platforms, whilst retaining the security, capability and resiliency you would expect from IBM.

• Discover and influence IBM's strategy for key messaging and integration technologies, including IBM MQ, IBM Integration Bus and IBM API Management

• Engage in technical sessions and one-on-one interactions with top IBM Hursley Lab architects and senior executives to refine your 2016 strategic plans

• Expand your network with industry-leading peers from other companies

• Plus learn about other IBM technology, such as IBM intelligent business process management solutions (BPM & ODM), DataPower gateways, CICS and WebSphere Application Server on-premise and cloud

This event is conducted under a Non-Disclosure agreement, so we will be able to share product directions with you.

Hursley: a visit to talk about

The IBM Hursley Lab is the largest software development facility in Europe, situated in a beautiful 100 acre park with a historic setting. Attendees stay in the local city of Winchester, which is a vibrant heritage destination with many attractions and classical architecture including a magnificent cathedral. Enjoy the award-winning pubs and restaurants and a tempting array of independent shops.

Talk to your IBM rep to find out more

Be part of the conversation

Keep up to date with the latest information, join the conversations and help to shape the event to meet your interests. Use #IBMhursum in your Tweets to keep in touch.

Page 28

Notices and Disclaimers

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.


Page 29

Notices and Disclaimers (con’t)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Page 30

Thank You

Your Feedback is important to us.

Please Access the InterConnect 2016 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.