Businesses and governments alike are experiencing an alarming rate of malicious activity from both external and internal actors.
Not surprisingly, mission-critical mainframe applications make desirable targets, holding large repositories of sensitive enterprise customer data. Mainframe environments are increasingly at risk as they open access through the internet, mobile initiatives, big data initiatives, social initiatives, and more to drive the business forward. Additionally, some security challenges are specific to the mainframe: traditional protection methods are no longer enough, insider threats are on the rise, and mainframe environments can be more vulnerable because of their reliance on privileged users to administer security, siloed mainframe IT management, limited ownership visibility, and a lack of uniform security management across the enterprise.
View this on-demand webcast to learn more about specific mainframe data protection challenges, top tips for protecting sensitive data, and key data protection capabilities that you should consider to address these challenges.
Register here for the playback: https://event.on24.com/wcc/r/1461947/D9664CC82EC641AA58D35462DB703470
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protected?
1. Your Mainframe Environment Is a Treasure Trove: Is Your Sensitive Data Protected?
Data protection with visibility and control
8 August 2017
Peter Mandel
Guardium Product Manager
mandel@us.ibm.com
3. 3 IBM Security
What’s on the inside counts
Your next attacker is likely to be someone you thought you could trust.**
60% of all attacks are caused by insider threats**
**Source: IBM X-Force Research 2016 Cyber Security Intelligence Index
4. Not all insider threats are created equal
Employees with privileged access to sensitive data carry the greatest risks!
Who represents an insider threat?
• An inadvertent actor
• A malicious employee
• A 3rd party/partner with access to sensitive data (and who falls into one of the categories above)
Image Source: IBM X-Force Research 2016 Cyber Security Intelligence Index
5. How are most companies combating insider threats today?
61% of organizations do not monitor and audit the actions of users with privileges more closely than non-privileged users*
70% of organizations do not have a data security solution that supports entitlement reporting*
*According to a 2015 UBM study of more than 200 organizations
6. Today’s technologies have eliminated “mainframe isolation”
The increasingly desirable target of the mainframe
80% of all active code runs on the mainframe
80% of enterprise data is housed on the mainframe
(Diagram of the forces opening up the mainframe: Internet, Cloud, Social, Mobile, Big Data, Business Innovation)
7. Key concerns
Mainframe customers are more vulnerable to security incidents:
Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for System z and the Enterprise
“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have significantly impacted security.”
Meenu Gupta, President, Mittal Technologies Inc.
50% concerned with privileged insiders
21% concerned with advanced persistent threats
29% concerned with web-enabled z/OS apps
The solution… 86% of customers agree that deploying multiple layers of defense provides the best mainframe protection
8. Can you prove that privileged users have not inappropriately accessed or jeopardized the integrity of your sensitive customer, financial and employee data?
9. Data Security best practices
Lifecycle: Discover – Harden – Monitor – Block – Mask
Questions to answer:
• Where is the sensitive data?
• How to prevent unauthorized activities?
• How to protect sensitive data to reduce risk?
• How to secure the repository?
• Who should have access?
• What is actually happening?
Controls:
• Discovery
• Classification
• Identity & Access Management
• Activity Monitoring
• Blocking
• Quarantine
• Masking
• Encryption
• Vulnerability Assessment
10. Comprehensive protection requires watchfulness and control
• Watch sensitive data & data access all the time
• Monitor it everywhere it lives
• Protect against unauthorized access
• Easily review results and monitor your data security heartbeat
11. Automated analytics can highlight behavioral risks …
Apply machine learning & intelligence to uncover behavioral changes and risks
1. Policy-based, real-time monitoring* reveals behavior patterns over time
2. Analytics run and anomalies are surfaced
3. Anomalies are sent for manual review OR trigger action
*including actions by privileged users
12. … and specialized threat detection analytics can spot and stop attack symptoms early
• Scan and analyze data to detect symptoms of data repository attacks
• Look for specific patterns of events and behaviors that indicate trouble
• Identify both SQL injections and malicious stored procedures
• Do not rely on attack signature dictionary comparisons (they go out of date quickly)
Drill down on any aspect of a threat
13. Security challenges specific to the mainframe:
Challenge areas: Lack of visibility, Increasing complexity, Ensuring compliance, Rising costs
• Mainframe security administration is typically a manual operation and relies upon old and poorly-documented scripts; highly-skilled mainframe administration resources are limited
• Compliance verification is a manual task, with alerts coming only AFTER a problem has occurred, if at all!
• The mainframe is an integral component of many large business services, making managing security threats extremely complex and creating a higher risk to the business
• Mainframe processes, procedures, and reports are often siloed from the rest of the organization
14. But System z is already secure – why do we need more?
Separation of duties
– Privileged users: “need to know” vs abuse or mistake
– Trace-based auditing controlled by privileged users
– System Authorization Facility (SAF) plays a vital role in protection of data on z/OS, but is not tamper-resistant and actionable
Achieving audit readiness is labor-intensive and introduces latency
– RACF lacks sufficient granularity for reporting
– DB2 Audit Trace requires externalization to SMF and a customer-provided reporting infrastructure
Real-time event collection
– Batch processing of audit data from external sources prevents real-time alerts
15. Guardium helps secure mission-critical mainframe data
Guardium extends z Systems data security to provide:
• End-to-end access rights management and controls
• Separation of Duty (SOD) with privileged users
• Real-time data activity monitoring and actionable alerts
• Block unauthorized database activities & quarantine at-risk users
• Low monitoring overhead; can be offloaded to zIIP
• Proof points to quickly and efficiently meet audit requirements
• Lower cost and complexity of meeting compliance
Guardium enhances mainframe security intelligence:
• Single consolidated view of security events across the entire enterprise
• Bi-directional integration with QRadar; send alerts to Guardium of asset risks such as rogue users and IP addresses
• Machine learning and outlier activity detection; send real-time alerts for investigation
• Enterprise-wide search and forensic investigation of anomalous events
16. Guardium for System z: Components
• Guardium Collector appliance for System z
– Securely stores audit data collected on the mainframe
– Provides analytics, reporting & compliance workflow automation
– Integrated with Guardium enterprise architecture
Centralized, cross-platform audit repository for enterprise-wide analytics and compliance reporting across mainframe & distributed environments
• S-TAP (for DB2, IMS or Data Sets) on z/OS event capture
– Mainframe probe
– Collects audit data for the Guardium appliance
– Collection profiles managed on the Guardium appliance
– Extensive filtering available to optimize data volumes and performance
– Enabled for zIIP processing
– Audit data streamed to appliance – small mainframe footprint
17. Guardium for DB2/z protection
• Capture all database activities on DB2 for z/OS
– Including: SELECTs, DML, DDL, and authorization changes
• Very low performance overhead (typically less than using DB2 traces)
– zIIP-eligible processes
• Flexible filtering
– Helps manage data volume and performance overhead
• Direct streaming of audit data
• Centralized interaction
– Goes through the Guardium appliance
• Common event collection
– Is supported with IBM Query Monitor
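The policy-based monitoring, anomaly surfacing and attack-symptom detection described on slides 11, 12 and 17 can be illustrated with a small Python monitor over captured DB2-style statements. This is an added example, not Guardium code or anything from the deck: the event fields, the "DBA" privileged role, the sensitive-object list, the regexes and the detection thresholds are all assumptions, and the audit events are constructed for the example. It classifies each statement (SELECT, DML, DDL or authorization change), applies stateless policy rules in real time, and then applies two behavioural checks against a per-user baseline learned from the first days of data.

```python
"""Toy data-activity monitor (added example, not Guardium code).
Every field name, role, threshold and sample event below is an assumption."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    day: int        # day index; days 1..BASELINE_DAYS form the baseline window
    user: str
    role: str       # "DBA" is treated as the privileged role (assumption)
    sql: str
    outcome: str    # "ok" or "fail"


@dataclass(frozen=True)
class Alert:
    event_id: str
    user: str
    reason: str


# Constructed sample audit events; not real mainframe records.
SAMPLE_EVENTS = [
    Event("e1", 1, "app_batch", "APP", "SELECT ACCT_NO FROM CUST.ORDERS WHERE ID = ?", "ok"),
    Event("e2", 2, "app_batch", "APP", "INSERT INTO CUST.ORDERS VALUES (?, ?, ?)", "ok"),
    Event("e3", 3, "dba_jane", "DBA", "ALTER TABLE CUST.ORDERS ADD COLUMN NOTE VARCHAR(200)", "ok"),
    Event("e4", 4, "app_batch", "APP", "SELECT ACCT_NO FROM CUST.ORDERS WHERE ID = ?", "ok"),
    Event("e5", 5, "hr_app", "APP", "UPDATE HR.PAYROLL SET SALARY = ? WHERE EMP_ID = ?", "ok"),
    # live window: days after the baseline
    Event("e6", 6, "dba_jane", "DBA", "SELECT PAN, EXPIRY FROM CUST.CARDS", "ok"),
    Event("e7", 6, "app_batch", "APP", "GRANT SELECT ON CUST.CARDS TO TEMP01", "ok"),
    Event("e8", 6, "web_app", "APP", "SELECT * FROM CUST.ORDERS WHERE ID = '1' OR '1'='1'", "ok"),
    Event("e9", 7, "web_app", "APP", "SELECT * FROM CUST.ORDERS WHERE ID = ''", "fail"),
    Event("e10", 7, "web_app", "APP", "SELECT * FROM CUST.ORDERS WHERE ID = '\"'", "fail"),
    Event("e11", 7, "web_app", "APP", "SELECT * FROM CUST.ORDERS WHERE ID = ')'", "fail"),
]

BASELINE_DAYS = 5
SENSITIVE_OBJECTS = {"CUST.CARDS", "HR.PAYROLL"}  # assumed output of discovery/classification
FAILURE_BURST = 3                                  # failed statements per user per day

VERB_KINDS = {"SELECT": "SELECT", "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
              "MERGE": "DML", "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL",
              "GRANT": "AUTH", "REVOKE": "AUTH"}
OBJECT_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|ON|JOIN)\s+([A-Z0-9_]+\.[A-Z0-9_]+)", re.I)
# Structural symptoms rather than a signature dictionary: a tautology or a tacked-on UNION
TAUTOLOGY_RE = re.compile(r"\bOR\s+('?\w+'?)\s*=\s*\1(?!\w)", re.I)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)


def classify(sql):
    """Bucket a statement as SELECT, DML, DDL, AUTH (GRANT/REVOKE) or OTHER."""
    return VERB_KINDS.get(sql.strip().split(None, 1)[0].upper(), "OTHER")


def objects_in(sql):
    """Schema-qualified objects the statement touches (simple regex extraction)."""
    return {m.upper() for m in OBJECT_RE.findall(sql)}


def policy_alerts(ev):
    """Stateless policy checks applied to each event as it is captured."""
    alerts = []
    kind = classify(ev.sql)
    objs = objects_in(ev.sql)
    if kind in ("DDL", "AUTH") and ev.role != "DBA":
        alerts.append(Alert(ev.event_id, ev.user, "unauthorized-change"))
    if ev.role == "DBA" and kind == "SELECT" and objs & SENSITIVE_OBJECTS:
        alerts.append(Alert(ev.event_id, ev.user, "privileged-sensitive-read"))
    if TAUTOLOGY_RE.search(ev.sql) or UNION_RE.search(ev.sql):
        alerts.append(Alert(ev.event_id, ev.user, "sqli-symptom"))
    return alerts


def run_monitor(events, baseline_days=BASELINE_DAYS):
    """Learn per-user object baselines from the first `baseline_days`, then
    apply policy and behavioural checks to everything after that window."""
    baseline_objs = defaultdict(set)
    for ev in events:
        if ev.day <= baseline_days:
            baseline_objs[ev.user] |= objects_in(ev.sql)

    alerts, reported, failures = [], set(), Counter()
    for ev in events:
        if ev.day <= baseline_days:
            continue
        alerts.extend(policy_alerts(ev))
        # behavioural: first access to an object this user never touched in the baseline
        for obj in sorted(objects_in(ev.sql) - baseline_objs[ev.user]):
            if (ev.user, obj) not in reported:
                reported.add((ev.user, obj))
                alerts.append(Alert(ev.event_id, ev.user, f"new-object-access:{obj}"))
        # behavioural: a burst of failed statements from one user in one day suggests probing
        if ev.outcome == "fail":
            failures[(ev.user, ev.day)] += 1
            if failures[(ev.user, ev.day)] == FAILURE_BURST:
                alerts.append(Alert(ev.event_id, ev.user, "error-burst"))
    return alerts


if __name__ == "__main__":
    for a in run_monitor(SAMPLE_EVENTS):
        print(f"{a.event_id:<4} {a.user:<10} {a.reason}")
```

On the constructed events, `run_monitor` raises seven alerts: the privileged read of a sensitive table by `dba_jane` (which is also a new object for that user), the GRANT issued by a non-DBA application identity, the tautology in `web_app`'s query, and the burst of three failed statements on day 7. Each alert is the point at which the deck's step 3 applies: route to manual review or trigger an action such as blocking or quarantine.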
18. Guardium for Datasets protection
• Activity monitoring for files outside of a DBMS
– Monitor VSAM files, PDS, sequential file access activity
• Why should we monitor data stores outside a DBMS?
– Sensitive data may be stored in these files
– DB2 and IMS store data in VSAM files; utilities operate directly on the VSAM LDS files, and Guardium for Datasets reports when the VSAM LDS files are accessed
– Monitor and audit configuration files
– Capture CICS transaction information and identify the CICS sign-on that was used for a specific file access event
19. Guardium for IMS protection
• Monitor all READ, INSERT, UPDATE and DELETE access to databases and segments
• Applies to IMS Batch and IMS Online regions
• You can select which calls to audit per target
– For example: all databases, all segments, one DB and one segment of the DB, etc.
– Each segment can have different calls audited
• When a call is collected, all relevant information is captured
– Call type, userid, PSB name, DB name, segment name, etc.
20. Pervasive Encryption: Multiple layers of data privacy protection
(Diagram axes: Coverage; Complexity & Security Control)
• App Encryption – hyper-sensitive data. Data protection & privacy provided and managed by the application… encryption of sensitive data when lower levels of encryption are not available or suitable
• Database Encryption – Provide protection for sensitive data in-use at DB level, in-flight & at-rest. Granular privacy protection from DB privileged users’ accesses… selective encryption & key management to control sensitive data access
• File or Dataset Level Encryption – Provide broad coverage for sensitive data using encryption tied to access control for in-flight & at-rest data protection (from unauthorized copying of the files). Broad protection & privacy managed by the OS… ability to eliminate storage admins from compliance scope
• Full Disk and Tape Encryption – Provide 100% coverage for in-flight & at-rest data with zero host CPU cost. Protection against intrusion, tamper or removal of physical infrastructure
21. Harden DB2/z further with Vulnerability Assessment
Identify key APARs and mis-configured systems
(Screenshot annotations: Filters and Sort Controls; Result History; Current Test Results; Detailed Remediation Suggestions; Prioritized Breakdown; Detailed Test Results)
22. Chosen by leading organizations worldwide to secure sensitive data
• 5 of the top 5 global banks: Protecting access to over $10,869,929,241 in financial assets
• 2 of the top 3 global retailers: Safeguarding the integrity of 2.5 billion credit card or personal information transactions per year
• 5 of the top 6 global insurers: Protecting more than 100,000 databases with personal and private information
• Top government agencies: Safeguarding the integrity of the world’s government information and defense
• 8 of the top 10 telcos worldwide: Maintaining the privacy of over 1,100,000,000 subscribers
• 4 of the top 4 global managed healthcare providers: Protecting access to 136 million patients’ private information
• The most recognized name in PCs: Protecting over 7 million credit card transactions per year