IBM Messaging Security: Why Securing your environment is important

Robert Parker, Leif Davidsen
IBM Hursley – UK

IBM Messaging Security - Why securing your environment is important : IBM InterConnect 2016



Please Note:


• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Digital Enterprise

Reliability, security and scalability for Business Critical systems
• Always on, always available
• Security, control and governance

Speed and agility to drive innovation and growth
• Explore, adopt, adapt
• Rapid, Iterative prototypes

LoB roles CIO roles

A New Era of Teamwork

Application Developer

LoB Developer

Integration Architect

Administrator/ Developer


What pressures is a business under?

Pain point:
• “New information, systems and services are springing up everywhere, and all need to be connected!”
• “Configuration, maintenance and operation of infrastructure take too long”

Pain point:
• “Deployments take months instead of hours”

Pain points:
• “Our developers need to create engaging new apps fast, and make them interact with existing infrastructure”
• “I want to use the skills I have and not be forced to waste time learning stuff I won’t need”

Connectivity is exploding in your infrastructure

Connectivity in business infrastructure is increasing
• More information, more systems, more services, deployed anywhere

Connect systems together
• Deliver timely updates of targeted data
• Gain business insight
• Applications and data become valuable assets, not growing costs

New sources of data are changing the world
• However data without connectivity becomes a burden not an asset

The realities of an increasingly connected environment

• Increasing connectivity increases complexity
  – Complexity is not just defining, building, operating environments but complexity in security as well

• What is a secure environment for an IT system?
  – Connected systems are almost the definition of an insecure environment
  – Every system represents a point of attack/risk for your applications and data
  – Adding multiple security layers across multiple systems is likely to create an unusable environment
    • Not to mention huge performance implications


MQ at the heart of applications

MQ cloud options

Connecting and moving your critical enterprise data

IBM MQ IBM MQ Appliance App AccessPartner

Enterprise MQ Backbone

Choices for MQ deployment

Cloud

On-Prem


IBM MQ Advanced

Pressures deflecting from security as a priority

• Complex IT environments are too challenging
  – Simpler approach required – possibly helped by MQ
  – Speed of implementation and change is essential
    • System performance and throughput
    • Time taken to configure and achieve desired secure outcome

• Pressure on skills and resources
  – More generalists
  – Fewer specialists – whether MQ or security

• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions

• Security seen as burden and cost rather than a business asset
• Focus on IT/Resource spend on positive business outcomes

What are the costs of security risks

• Figures used in this presentation: 2015 Cost of Data Breach Study from Ponemon Institute and IBM
  – See it here: http://www-03.ibm.com/security/data-breach/

Global Cost per record in 2014¹: $154 (6% increase on 2013 figures)
Global Cost per breach in 2014¹: $3.79M (8% increase on 2013 figures)

2014 Cost per record of data breach (per industry)

• Highly regulated industries have the highest costs per breach
• Retail saw a 57% increase in cost in 2014


How to protect against a breach

Network security advice from @swiftonsecurity


Can you afford to take risks given MQ’s connectivity?

• Your IT environment is becoming hyper-connected.
  – You need to secure your systems – MQ systems, applications, and the data flowing both within MQ and around your enterprise
    • You need to understand the risks if you don’t secure them
    • You need to understand the risks if you secure them inefficiently

• Different types of threat require different security measures
  – External threats to your business
    • ‘Mass-market’ attempts
    • Targeted attempts
  – Internal threats
    • Disaffected employees
    • Errors or poor processes

• Regulatory compliance
  – Industry, legal or other types of rules/regulations

• Business directives
  – Corporate directives to be met

The burden of proof

• Being secure is not enough – you need to prove you are secure
• The most secure system in the world is nothing without being able to pass an audit
  – Similar to use of MQ – not just about delivering the message; it is knowing you have delivered the message

• Security is more than just authentication, authorization and encryption
  – Process
  – Logging
  – Records

• Every step from initial configuration, through to removal of access, and logging of failed attempts must be verifiable

Implications of applying security

• Adds complexity to configuration, operation, maintenance – not just to MQ but to your business and processes
  – Who manages security for your MQ environment?
    • What other MQ access do they have?
  – Is MQ security done globally, locally, by system?
    • Does it link seamlessly to other systems to provide complete end-to-end security?

• Authentication
  – System specific, repository

• Authorisation
  – Users, roles, groups?

• Encryption
  – Data in flight? Data at rest?

• Logging, auditing
  – Prove to yourself
  – Prove to auditor

• When is the best time to design and implement security for your system?


Steps for implementing MQ Security

Security provided on Client to Queue Manager connections

• Channel Authentication (BLOCKADDR)
• SSL/TLS
• Channel Authentication (ADDR/USER/SSL Map)
• Security Exit
• Connection Authentication
• Channel Authentication (BLOCKUSER)
• Authorization

Security provided on Queue Manager to Queue Manager connections

• Channel Authentication (BLOCKADDR)
• SSL/TLS
• Channel Authentication (ADDR/QMGR/SSL Map)
• Security Exit
• Authorization
• MQ Protocol

Connection Authentication

• Authentication is used to force clients to identify themselves.

• It is usually used in combination with authorization.
  – First ask users to prove who they are, then give them authority to do only what you want them to be able to do.

• Connection authentication was added as a feature of MQ in version 8

• Can be used in combination with channel authentication records to provide granular control over who has to provide valid credentials.

Authorization

• Authorization is used to limit what connected applications can do.
  – Stops unauthorized users from viewing, editing or deleting objects they do not have permission for.

• Authority to perform an action is given.
  – By default a user/group will not have any authority

• Best practice is to only grant minimum required authority
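
Least-privilege grants of the kind described above, written as MQSC for `runmqsc` (an added example, not from the original slides). It assumes a queue manager on a distributed platform where `SET AUTHREC` is available; the queue names `APP1.REQUEST` and `APP1.REPLY` and the group `app1grp` are made up for illustration.

```mqsc
* Constructed names: APP1.REQUEST, APP1.REPLY and group app1grp are
* assumptions for this example, not objects from the presentation.

* A group starts with no authority, so every grant below is explicit.
* Let the application group connect to the queue manager and inquire
* on it, and nothing else at queue manager level.
SET AUTHREC OBJTYPE(QMGR) GROUP('app1grp') +
    AUTHADD(CONNECT,INQ)

* The application only sends requests: PUT (plus INQ) on the request
* queue. AUTHADD(ALL) or AUTHADD(ALLMQI) here would grant far more
* than a putting application needs.
SET AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) +
    GROUP('app1grp') AUTHADD(PUT,INQ)

* It only reads replies: GET and BROWSE (plus INQ) on the reply queue.
SET AUTHREC PROFILE('APP1.REPLY') OBJTYPE(QUEUE) +
    GROUP('app1grp') AUTHADD(GET,BROWSE,INQ)

* Take away anything broader that was granted earlier, for example
* during testing. AUTHRMV only removes authorities.
SET AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) +
    GROUP('app1grp') AUTHRMV(GET,BROWSE,SET,CHG,DLT,CLR)

* Review what the group ends up with, as evidence for an audit.
DISPLAY AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) +
        GROUP('app1grp')
DISPLAY AUTHREC PROFILE('APP1.REPLY') OBJTYPE(QUEUE) +
        GROUP('app1grp')
```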


Filtering with Channel Authentication

• Allows granular control over connections

• Allows you to block all connections that you do not trust
  – Set up a whitelist to only allow the connections you trust
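
A whitelist of the kind described above, combined with connection authentication from the earlier slide, written as MQSC for `runmqsc` (an added example, not from the original slides). The channel name `APP1.SVRCONN`, the address range `192.0.2.*`, the user `app1user` and the `AUTHINFO` name `APP1.IDPW` are assumptions for illustration.

```mqsc
* Constructed values: APP1.SVRCONN, 192.0.2.*, app1user and APP1.IDPW
* are assumptions for this example, not names from the presentation.

* Connection authentication: validate user ID and password against
* the operating system. OPTIONAL means credentials are checked when
* supplied; individual channel rules below can tighten this.
DEFINE AUTHINFO('APP1.IDPW') AUTHTYPE(IDPWOS) +
       CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) REPLACE
ALTER QMGR CONNAUTH('APP1.IDPW') CHLAUTH(ENABLED)
REFRESH SECURITY TYPE(CONNAUTH)

* Whitelist, step 1: a back-stop rule that refuses every address on
* every channel. It applies to all inbound channels, so each trusted
* connection needs its own allow rule before this is relied on.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Default deny') ACTION(REPLACE)

* Whitelist, step 2: admit only the trusted address range on the one
* application channel, and require valid credentials on it even
* though the queue manager-wide setting is OPTIONAL.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('192.0.2.*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) +
    DESCR('App1 clients must authenticate') ACTION(REPLACE)

* Keep privileged user IDs from being used over any channel.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('No admin IDs over channels') ACTION(REPLACE)

* Check which rule a given inbound connection would match.
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('192.0.2.10') CLNTUSER('app1user')
```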


SSL/TLS Encryption

• SSL/TLS is used for two reasons in MQ:
  – Authentication with a Queue Manager
  – Encrypting and protecting data in transit between a client or Queue Manager and destination Queue Manager.

• Transmission encryption using SSL/TLS prevents unauthorised users from reading your communications and messages in transit.

• As IBM and other organisations discover weak CipherSpecs, MQ deprecates vulnerable CipherSpecs
  – Alerts for weak CipherSpecs given using Technotes


Security Exits

• Security exits are bespoke, customer created exits that are run during the security checks.

• Prior to MQ v8 a security exit was used in MVS to supply connection authentication capabilities
  – CSQ4BCX3


Additional Security

• MQ Protocol
  – Prevents unauthorised users from creating unsupported connections
    • For example, using a client application to connect to a Queue Manager to Queue Manager channel.

• AMS
  – AMS provides a higher level of protection to messages
  – It is an end-to-end security model
    • Messages are protected from creation until destruction
  – Messages can be protected so that only authorised users can see message data
    • This means even MQ Administrators cannot view a message.
  – Messages are protected both in transit and at rest
    • Satisfies the standards compliance for certain data types (HIPAA, PCI, etc)


Auditing

• For every security failure, MQ can write out an error message for administrators to check

• Additionally MQ can output event messages which can be monitored for unauthorized access attempts.

• Both allow you to keep track of who does what to your MQ Queue Manager and its objects.


Much more detail in…

3429A

How to Transform your Messaging Environment to a Secure Messaging Environment

Mandalay Bay NORTH - South Pacific Ballroom I

Wed, 24-Feb 3:45 PM – 4:30 PM


Hybrid Messaging from the IBM experts at InterConnect 2016

Sunday
• 14:30-15:30: 6408 Hybrid messaging roadmap (InnerCircle)

Monday
• 10:30-11:30: 3592 New MQ features; 3452 Managing applications
• 12:00-13:00: 2835 MQ on z/OS and Distributed
• 15:00-16:00: 3470 Latest MQ z/OS features; 2833 Where is my message?; 3544 MQ Light in an MQ infrastructure
• 16:30-17:30: 3573 Hybrid cloud messaging; 2941 MQ Advanced

Tuesday
• 08:30-09:30: 3540 The MQ Light API
• 12:00-13:00: 3456 The IBM MQ Appliance
• 13:15-14:15: 3499 Introducing Message Hub; 3458 MQ Appliance administration
• 14:30-15:30: 6432 MQ updates and futures (InnerCircle); 2849 Messaging feedback roundtable
• 16:00-17:00: 3544 MQ Light in an MQ infrastructure; 3513 MQ hands on lab

Wednesday
• 08:30-09:30: 3602 Managing your MQ environment
• 12:00-13:00: 3613 Designing MQ self service; 6408 Hybrid messaging roadmap (InnerCircle)
• 13:15-14:00: 3416 HA and DR with MQ; 3433 Why secure your messaging?
• 15:45-16:30: 3429 Securing MQ; 2847 Meet the messaging experts
• 16:00-17:00: 3508 MQ Light hands on lab
• 16:45-17:30: 2275 Migrating to the IBM MQ Appliance

Thursday
• 08:30-09:15: 3420 MQ Clustering; 2931 Business agility with self service MQ
• 09:30-10:15: 3479 MQ z/OS clusters and shared queue; 3450 Optimising MQ applications; 2849 Messaging feedback roundtable
• 10:30-11:15: 3465 MQ Appliance high availability; 3481 MQ z/OS messaging connectivity
• 11:30-12:15: 3474 Active-active messaging; 3537 Monitoring and managing MQ; 3425 MQ publish/subscribe

Find us at the EXPO: Hybrid Integration peds 65-68

Check out the Hybrid Messaging sub topic under Hybrid Integration topic for further customer and business partner sessions

European & North American Hursley Summit 2016
Integration across applications, data and processes for mobile and cloud
May 10 – 12 & May 16 - 19 | IBM Hursley Lab | #IBMhursum

• Hybrid Integration Strategy
• Cloud Integration
• Accelerating Digital Business
• Integration Bus
• IBM MQ
• API Management
• BPM / ODM
• DataPower
• CICS
• WAS

Spend time with IBM experts, at the home of many of IBM's software products. This summit is by invitation only - a limited seating engagement for executives and architects who would like to learn how to harness IBM connectivity and application integration solutions to deliver access to data, applications and information regardless of platform, device or data formats - across both on-premises and cloud environments.

Learn more about how we are transforming our technologies using Hybrid Cloud to enable you to harness your existing assets to achieve greater capacity, efficiency and integration across platforms, whilst retaining the security, capability and resiliency you would expect from IBM.

• Discover and influence IBM's strategy for key messaging and integration technologies, including IBM MQ, IBM Integration Bus and IBM API Management
• Engage in technical sessions and one-on-one interactions with top IBM Hursley Lab architects and senior executives to refine your 2016 strategic plans
• Expand your network with industry-leading peers from other companies
• Plus learn about other IBM technology, such as IBM intelligent business process management solutions (BPM & ODM), DataPower gateways, CICS and WebSphere Application Server on-premise and cloud

This event is conducted under a Non-Disclosure agreement, so we will be able to share product directions with you.

Hursley: a visit to talk about
The IBM Hursley Lab is the largest software development facility in Europe; situated in a beautiful 100 acre park with a historic setting. Attendees stay in the local city of Winchester which is a vibrant heritage destination with many attractions and classical architecture including a magnificent cathedral. Enjoy the award-winning pubs and restaurants and a tempting array of independent shops.

Talk to your IBM rep to find out more

Be part of the conversation
Keep up to date with the latest information, join the conversations and help to shape the event to meet your interests. Use #IBMhursum in your Tweets to keep in touch.

Notices and Disclaimers

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Notices and Disclaimers (con’t)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Thank You

Your Feedback is important to us.

Please Access the InterConnect 2016 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.