© 2015 IBM Corporation Reducing Risk for the Crown Jewels on your Mainframe (z Systems) Jamie Pease CISA, CISM, CISSP, MBCS CITP IT Security Specialist, z Systems Security & Chairman of the GSE Security Working Group


Agenda

• The current landscape

• Challenges

• Recommendations


Today’s technologies have eliminated “mainframe isolation”

The increasingly desirable target of the Mainframe

Source: 2013 IBM zEnterprise Technology Summit

80% of all active code runs on the mainframe

80% of enterprise data is housed on the mainframe

(Figure: the mainframe surrounded by Internet, Cloud, Social, Mobile, Big Data and Business Innovation)


Workloads that run on the Mainframe (z Systems)

Banking: Core Banking; Wholesale Banking – Payments; Customer Care & Insight

Insurance: Internet Rate Quotes; Policy Sales & Management (e.g. Life, Annuity, Auto); Claims Processing

Retail: On-line Catalog; Supply Chain Management; Customer Analysis

Healthcare: Patient Care Systems; On-line Claims Submission & Payments

Public Sector: Electronic IRS; Web based Social Security; Tax processing

What is a workload?

The relationship between a group of applications and/or systems that are related across several business functions to satisfy one or more business processes, typically running on ‘virtual servers’.


Applications by the numbers

Mainframe legacy applications represent a massive exposure of core business information and functions

2/3 of ALL business transactions for U.S. retail banks run directly on mainframes

1 million active COBOL programs

80% active COBOL code

250+ billion lines of COBOL code today

Source: 2013 IBM zEnterprise Technology Summit

Who runs DB2 on z/OS?

65 of the world’s top banks

24 of the top 25 U.S. retailers

10 of the top 10 global insurance providers

“Millions of users unknowingly activate CICS every day, and if it were to disappear the world economy would grind to a halt.”

Phil Manchester, Personal Computing Magazine


Key concerns

Mainframe customers are more vulnerable than ever before

Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for z Systems and the Enterprise

“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have significantly impacted security.”

Meenu Gupta, President, Mittal Technologies Inc.

50% concerned with privileged insiders

21% concerned with advanced persistent threats

29% concerned with web-enabled z/OS apps

The solution… 86% of customers agree that deploying multiple layers of defense provides the best mainframe protection


Common z/OS security challenges

z/OS security implementation

Mainframe Unix systems are less securely managed than distributed Unix / Linux servers

Shared disks between environments (e.g., development, test and production)

Too many users circumventing controls

Excessive utility access allows security policy bypass

Poor data management practices (e.g., access to data, copying of data and reuse of data)

Inadequate attention to monitoring, alerting, and reporting

z/OS security practices

Absent, or poorly conceived, security design

Lack of access controls allows elevated user privileges

Security policies are outdated or not properly executed


Agenda

• The current landscape

• Challenges

• Recommendations


Where would you rank your Mainframe Security?

Maturity Level

1 - Initial

2 - Repeatable

3 - Defined

4 - Managed

5 - Optimising


Understand the risks and report them

Gain support from senior management

You need well-defined security standards, aligned with policy

Perform a deep-dive audit of all your core systems; get all the issues out on the table

Do not limit yourself to logical access controls; think detective controls, management controls, administrative controls . . . .

Don’t ignore those risk assessment findings rated “Likelihood = low” and “Impact = high” – these may bite you hard in the future.


Understand the risks and report them – cont.

Risk assess the issues and produce a report in a style that management can consume

Present the hard-hitting facts to management ….

Be prepared for the “so what” test

What’s the risk to the business?

Highlight core services that the business is dependent on

Avoid technical jargon

Create a risk register and load it!

Make friends with Audit and get the issues formally raised as concerns

High visibility with senior exec = more chance of remediation

Remember that Auditors are your partner, not the enemy


Change the mind-set

THINK like a hacker! How would you compromise a system, what would you look for, what would you use, and how would you prevent it?

THINK end-to-end Security – requires a Security Engineering mind-set

The data might end up on z, but where did it start or end its journey?

THINK about the current threat landscape – things are different now compared to the 80’s and 90’s

THINK from a business perspective (security is an enabler)

Controls need to support business objectives – your job is to help protect the business

THINK . . . Security is everyone's responsibility, not just the security dept

People are the weakest link in the chain!


Adopt an iterative process of continuous improvement

1. Security Policy

2. Security Design

3. Security Implementation

4. Security Enforcement

5. Security Auditing

6. Measurement Against Policy


Build a long term plan to fix things

Plan a 3-year security improvement programme; security remediation projects take time and they are often complex

Consider a Security Engineering function; you cannot drive security improvements using only operational staff

Review your resource pool – do you have sufficient skills to implement the improvements and maintain them?

Consider apprenticeships; they are becoming popular in the mainframe community


Integrate “Design” into your security practice

Controls for systems, applications and data should not be an afterthought

Often we find that many security features are not implemented or considered for future use

Lack of design equals poorly configured controls, that are not fit for purpose

SDLC (Systems development life-cycle) – security must be part of it!

You need to build security design into everything you do; this should be part of the Security Engineering role

Do not allow infrastructure teams, such as Systems Programming, to make security design decisions on your behalf; often their focus is on availability and performance, not security

Remember, good design = better product


Start cleaning up

Too much dead wood in your security system can distort the picture, adding unnecessary complexity and additional costs

Start to collect data about what is being used in terms of access permissions and security definitions

Remove what is not being used; subsequent remediation activities often complete much quicker when you can see the “wood through the trees”

Clean-up often resolves other audit issues that are on your delivery plan

Proven to significantly reduce risk


Put a halt to new pollution occurring in your security system!

• People who implement security changes on z Systems can create “compliance issues”

These can occur for a number of reasons . . .

Not following standards, process . . .

Incorrect approval from an owner / authorizer

Lack of understanding

Failure to check and double check proposed changes

• zSecure Command Verifier can help maintain compliance


Get RBACing!

A large percentage of audit concerns can be attributed to excessive access / privileges

Design and implement a Role Based Access Controls infrastructure for your security database

It sounds more complicated than it is . . .

If you are already collecting “Access Decisions” from your security system, you have intelligence about what permissions are being used!

You can use this data to verify where access is not being used

Use it as part of your “business analysis” and decision making process

Build RBAC profiles based on “required” access usage
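A worked illustration of the clean-up and RBAC steps above, added here as an example and not part of the presentation: it takes a constructed list of what the security database grants and a constructed sample of access decisions (user, resource, access level requested), reports grants that were never exercised, grants whose level exceeds the level actually used, and groups users whose used permissions coincide into candidate roles. User IDs, resource names and the use of the RACF access-level ordering are assumptions.

```python
# Added example (not from the presentation): mine constructed access-decision
# records to find unused or excessive grants and to derive candidate RBAC roles.
from collections import defaultdict

# RACF access authority levels, lowest to highest (ordering assumed for the example).
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Constructed sample of what the security database currently grants:
# (user, resource) -> granted access level. All names are hypothetical.
GRANTED = {
    ("JSMITH", "PAYROLL.MASTER"): "UPDATE",
    ("JSMITH", "PAYROLL.HIST"): "READ",
    ("JSMITH", "SYS1.PARMLIB"): "READ",
    ("AJONES", "PAYROLL.MASTER"): "UPDATE",
    ("AJONES", "PAYROLL.HIST"): "READ",
    ("AJONES", "SYS1.PARMLIB"): "READ",
    ("BLEE", "CLAIMS.DATA"): "UPDATE",
    ("BLEE", "CLAIMS.HIST"): "READ",
    ("BLEE", "PAYROLL.MASTER"): "READ",
}

# Constructed sample of successful access decisions collected over the review
# window: (user, resource, access level actually requested).
USED = [
    ("JSMITH", "PAYROLL.MASTER", "UPDATE"),
    ("JSMITH", "PAYROLL.MASTER", "READ"),
    ("JSMITH", "PAYROLL.HIST", "READ"),
    ("AJONES", "PAYROLL.MASTER", "UPDATE"),
    ("AJONES", "PAYROLL.HIST", "READ"),
    ("BLEE", "CLAIMS.DATA", "READ"),   # granted UPDATE but only ever reads
    ("BLEE", "CLAIMS.HIST", "READ"),
]


def highest_used(used):
    """Highest access level each user actually exercised, per resource."""
    best = {}
    for user, res, lvl in used:
        if RANK[lvl] > RANK.get(best.get((user, res)), -1):
            best[(user, res)] = lvl
    return best


def review_permissions(granted, used):
    """Return (unused, excessive): grants never used, and grants whose level
    is higher than the highest level used, as (user, res, granted[, used])."""
    best = highest_used(used)
    unused, excessive = [], []
    for (user, res), glvl in sorted(granted.items()):
        if (user, res) not in best:
            unused.append((user, res, glvl))
        elif RANK[glvl] > RANK[best[(user, res)]]:
            excessive.append((user, res, glvl, best[(user, res)]))
    return unused, excessive


def candidate_roles(granted, used):
    """Group users by the exact set of (resource, level) they really needed;
    each distinct set is a candidate role profile mapped to its users."""
    best = highest_used(used)
    per_user = defaultdict(set)
    for (user, res), lvl in best.items():
        if (user, res) in granted:        # ignore usage not backed by a grant
            per_user[user].add((res, lvl))
    roles = defaultdict(list)
    for user, perms in per_user.items():
        roles[tuple(sorted(perms))].append(user)
    return {perms: sorted(users) for perms, users in roles.items()}
```

Run over a real collection window, the "unused" list is the clean-up backlog and the "excessive" list shows where an UPDATE grant can be lowered to READ before the role profiles are cut.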


Offload services that cause a conflict

Are your implementers also responsible for security monitoring?

This is considered “self policing”, which is regarded as bad practice throughout the industry

Monitoring needs to be independent - you need “policemen” under separate management checking the implementers

Preventing fraud, enforcing separation of duties and reducing errors are extremely difficult to achieve

It is a drain on your resources

Conflicts can also be extended to Infrastructure teams performing security tasks, such as Systems Programming maintaining security for z/OS UNIX


Review the technology you use for Security

You’ve made an investment in technology to help secure your crown jewels; how much of this is utilised?

Many customers only use 25% of the functionality in their security software

Exploitation of security software = reduction in risk

Perform a gap analysis to determine what you’re not using; determine how these features may help improve controls. Involve your vendor!


Test and simulate proposed changes

Many exposures on the mainframe are created by Security Administration errors

Changes to your security database can also impact on availability!

Errors can consist of . . .

Applying too much access

Removing security definitions that protect resources

Deleting access permissions that are still required

Changing attributes that can enable a user to circumvent system security

Historically, Mainframe Security teams don’t have a safe testing environment where they can test & simulate the effect of high impact changes

The RACF-Offline feature in zSecure Admin can help with this challenge


Test controls against external standards

Are your corporate standards still “fit for purpose”; were they designed for the threat landscape a decade ago?

Regularly benchmarking your controls against standards developed by other institutions results in stronger controls for your enterprise

Consider utilising standards from NIST, DISA


Start classifying your resources

You cannot apply an appropriate level of control, if you don’t understand the sensitivity of the resource you are protecting

Data classification projects can be expensive and time consuming to implement, however there is no reason why you cannot implement the foundations on your mainframe

You immediately start to reduce risk when you classify something and apply the appropriate controls

Solutions like IBM Security zSecure already have a knowledge base of sensitive operating system resources – you can start to use this intelligence to classify resources in the Trusted Computing Base.


Understand who can bypass system security

You need to understand which users have access to resources that can be used to bypass your security system

There is no point building strong defences if 20% of your user population can bypass them

These resources are part of the Trusted Computing Base; users who have access to them are referred to as “Trusted Users”

READ access to some of these resources is sufficient to bypass control mechanisms

Significantly reduce the number of “Trusted Users”

Regularly review these users through recertification; don’t be afraid to apply your own knowledge and speak up when access is not appropriate

Implement auditing and monitoring of the Trusted Computing Base
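A check for the point above, added here as an example and not taken from the presentation: given a constructed catalogue of Trusted Computing Base resources, each with the lowest granted level that already defeats the controls (READ is enough for some), and a constructed permission list, it lists the Trusted Users, the grants that make them trusted, and their share of the user population. Resource names, the per-resource thresholds and the RACF access-level ordering are assumptions.

```python
# Added example (not from the presentation): identify "Trusted Users", i.e. users
# whose granted access to a Trusted Computing Base resource reaches the level
# that bypasses the security system, and their share of the user population.
from collections import defaultdict

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # assumed RACF order
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Constructed TCB catalogue: resource -> lowest granted level that already gives
# a bypass. Resource names and thresholds are hypothetical, not a real site's list.
TCB = {
    "SYS1.PARMLIB": "UPDATE",       # changing system parameters needs write access
    "PROD.APF.LOAD": "UPDATE",      # placing code in an APF library needs write access
    "SYS1.RACF.BACKUP": "READ",     # the slide's point: READ on some resources is enough
}

# Constructed permission list (user, resource, granted level) and the user
# population that the percentage is measured against.
GRANTED = [
    ("SYSPROG1", "SYS1.PARMLIB", "UPDATE"),
    ("SYSPROG1", "PROD.APF.LOAD", "ALTER"),
    ("OPER1", "SYS1.RACF.BACKUP", "READ"),
    ("JSMITH", "SYS1.PARMLIB", "READ"),    # READ here stays below the threshold
    ("AJONES", "PROD.APF.LOAD", "ALTER"),
    ("BLEE", "CLAIMS.DATA", "UPDATE"),     # not a TCB resource at all
]
POPULATION = ["SYSPROG1", "OPER1", "JSMITH", "AJONES", "BLEE"]


def trusted_users(granted, tcb):
    """Map each trusted user to the TCB grants that make them trusted."""
    hits = defaultdict(list)
    for user, res, lvl in granted:
        if res in tcb and RANK[lvl] >= RANK[tcb[res]]:
            hits[user].append((res, lvl))
    return {user: sorted(grants) for user, grants in hits.items()}


def trusted_share(granted, tcb, population):
    """Fraction of the user population able to bypass the security system."""
    return len(trusted_users(granted, tcb)) / len(population)


if __name__ == "__main__":
    for user, grants in trusted_users(GRANTED, TCB).items():
        print(user, "is trusted via", grants)
    print(f"{trusted_share(GRANTED, TCB, POPULATION):.0%} of users are trusted")
```

The per-user grant list is what the recertification reviewer needs to see; the share is the figure to track downwards over time.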


Move from point in time to real time

Detective controls often report critical changes many hours or days following the event

This is often too late as it provides a window of opportunity to cause significant damage

Focus should never be limited to changes that occur in the security system

Remember, we also need to monitor security in the operating system, sub systems, middleware . . .

Need to establish an independent process for handling these events

Integrate with your enterprise monitoring practice and SIEM solution


Think outside of the security system

You can’t just focus your efforts on the security system (e.g. RACF)

The consequence is that you leave too many doors unlocked

Security for the operating system (z/OS, z/VM), sub-systems (TCP/IP, UNIX) and middleware (CICS, IMS, MQ) is just as important

There are parameters and settings that need to be activated, regularly reviewed and monitored!

Don’t forget that some of your applications will use “internal control mechanisms”; these don’t call your security system for “security decisions”


Don’t stop; remember it’s an iterative process

Are your corporate standards still “fit for purpose”; were they designed for the threat landscape a decade ago?

Your security practice must always strive to improve …..

Is the Security that you implemented today, good enough for the threats of tomorrow?

Constantly evaluate everything you do and implement, to ensure it remains “fit for purpose”


Invest in training & education

Employees cannot work in isolation . . .

They must keep up-to-date with the latest threats, trends, best practices

Need to understand what other organisations are doing to improve their security

Need to share problems, ideas to help come up with solutions

Keep their knowledge current on security solutions, including new capabilities

Network with other customers and vendors

Need to understand security from an enterprise wide perspective

Difficult to improve the maturity of your mainframe security when employees cannot develop in their profession

They need to be allowed to attend . . .

User Groups

Conferences

Webinars

Training courses

and . . . . be given the time to do research activities!


Make it personal!

On a mainframe somewhere around the world, your own personal data resides in a database

The mainframe serving your business probably holds your personal data (think Bank account, Insurance Policy, Payroll, Pension . . .)

If you were able to retrieve “all” of your personal data, you’d be amazed how much is stored on the mainframe

How would you feel if that data was compromised

You probably guard your personal assets

We all have a responsibility to uphold the confidentiality, integrity and availability of our data . . . the crown jewels of the enterprise


IBM z Systems is a highly securable environment

Security is embedded into the z Systems architecture: Processor, Hypervisor, Operating system, Communications, Storage, Applications

z Systems security addresses regulatory compliance for:

Extensive security event logging and reporting capabilities

Extensive security certifications including EAL5+ (e.g., Common Criteria and FIPS 140)

Identity and access management

Hardware and software encryption

Communication security capabilities

IBM RACF provides identity and access controls and audit capabilities


Mainframe Security requires a defense in depth solution

Security Domains and IBM Solutions:

Endpoints (RACF, ACF2, Top Secret): zSecure Admin, zSecure Visual

Server Operating System (z/OS): zSecure Audit, zSecure Alert

Data (DB2, IMS, VSAM): InfoSphere Guardium

Security Intelligence (All): QRadar SIEM

Capabilities across the domains:

Automated cleanup of unused, obsolete and under-protected access permissions

Externalization of DB2 security into RACF, including automated clean-up of prior DB2 access permissions

Separation of duties in provisioning access

Continuous, policy-based, real-time monitoring

Infrastructure scanning for missing patches, misconfigurations and other vulnerabilities

Automated Compliance Protection

Knowledge base for compliance reports with SOX, PCI DSS, etc.

Provides contextual and actionable surveillance to detect and remediate threats

Identifies changes in behavior against applications, hosts, servers and network

Correlates, analyzes and reduces real-time data into actionable offenses


Improve Mainframe Security with IBM Security zSecure

Administration management

Reduce administrative overhead with security management tasks

Prevent abuse of special roles and authorization with privileged user monitoring

Enforce security policies by blocking dangerous commands and potential errors

RACF data set cleanup of unused security profiles and inactive / terminated users

Security audit and compliance

Enhanced data collection of SMF audit information from: RACF, DB2, CICS, IMS, MQ, SKLM, WAS, UNIX, Linux on z Systems, OMEGAMON XE on z/OS, FTP, Communication Server, TCP/IP, PDSE and more

Automated remediation to detect and prioritize potential threats with security event analysis

Real-time alerts of potential threats and vulnerabilities

Compliance monitoring and reporting: PCI-DSS, STIGs, GSD331, and site-defined requirements

Comprehensive customized audit reporting

Detect harmful system security settings with automated configuration change checking


z System products enable integration with QRadar

Event sources from z Systems: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2

Guardium

• DB2

• IMS

• VSAM

zSecure

• z/OS

• RACF

• ACF2, TSS

• CICS

AppScan

• Web Apps

• Mobile Apps

• Web Services

• Desktop Apps

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

Discover the latest IBM solutions and hear real-life experiences from IBM clients who are working with us to drive advanced security controls into their organizations

IBM Security @ Interconnect delivers:

Three Days of keynotes and general sessions featuring industry thought leaders

100+ Security Sessions including hands-on labs and certification testing

Solution Expo featuring demonstrations of the latest products and services from IBM Security and IBM partners

More Networking Events than ever to expand and strengthen your sphere of influence

Register at ibm.com/interconnect today!


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY