1. The 50th anniversary of the mainframe
NYC Linux on z Customer Council
The 50th anniversary of the mainframe
System z – Security in the Cloud
Presented by:
J Alyn Ward
zSecurity Technical Specialist
World-wide Enablement Team
© 2014 IBM Corporation

2. “Traditional” Cloud Environment
Bluemix
z/OS
Employees
Contractors
Consultants
Citizens
Business Partners
Customers

3. System z in the Cloud z/VM Linux on z Linux on z z/OS Employees
Bluemix
Linux on z
Linux on z
z/OS
IMS
CICS
DB2
z/VM
Employees
Contractors
Consultants
Citizens
Business Partners
Customers

4. Cloud Computing Delivery Models
Flexible Delivery Models
Public …
Service provider owned and managed
Access by subscription
Delivers select set of standardized business process, application and/or infrastructure services on a flexible price per use basis.
Private …
Privately owned and managed.
Access limited to client and its partner network.
Drives efficiency, standardization and best practices while retaining greater customization and control
Cloud Services
Cloud Computing
Model
Hybrid …
Access to client, partner network, and third party resources
.…Standardization, capital preservation, flexibility and time to deploy
.… Customization, efficiency, availability, resiliency, security and privacy___
ORGANIZATION CULTURE GOVERNANCE
...service sourcing and service value 4 4

5. The Layers of IT-as-a-Service
Collaboration
CRM/ERP/HR
SAAS
Business
Processes
Industry
Applications
Software as a Service
Web 2.0 Application
Runtime
Java
Runtime
PAAS
Middleware
Database
Development
Tooling
Platform as a Service
Servers
Data Center
Fabric
IAAS
Networking
Storage
Infrastructure as a Service 5

6. Different Clouds, Different Responsibilities
The Cloud Curtain
Collaboration
CRM/ERP/HR
SAAS
Business
Processes
Industry
Applications
Software as a Service
Customer Control
The Cloud Curtain
Web 2.0 Application
Runtime
Java
Runtime
PAAS
Middleware
Database
Development
Tooling
Customer Control
Platform as a Service
Servers
Data Center
Fabric
Curtain
IAAS
Networking
Storage
Customer Control
Infrastructure as a Service 6 6

7. Traditional On-Premises
Infrastructure
as a Service
Platform
as a Service
Software
as a Service
Applications
Applications
Applications
Applications
Data
Data
Data
Data
Runtime
Runtime
Runtime
Runtime
Middleware
Middleware
Middleware
Middleware
O/S
O/S
O/S
O/S
Virtualization
Virtualization
Virtualization
Virtualization
Servers
Servers
Servers
Servers
Now, we know that most clients are going to need more than just infrastructure support. We also know that for certain workloads and applications, not everything will move to a cloud environment.
Cloud is all about the trade-offs. If you’re willing to trade in customization for a more standard environment, then you’ll get the benefits of lower-costs and faster time to value.
And that is really what happens as you move up the stack from traditional IT to infrastructure to platform to software as a service. You are willing to accept more standardized, automated solutions, but in return you also lower your Capex and Opex.
I call this “value for savings” when you bring CPU costs down to pennies per hour.
But I think the front office benefits of optimizing your business processes can be even more valuable.
By creating a standard catalog of services you can achieve productivity enhancements of 2 times, 3 times and even 10 times.
[Switch Image]
Storage
Storage
Storage
Storage
Networking
Networking
Networking
Networking
Vendor Manages in Cloud
Client Manages
Standardization; OPEX savings; faster time to value

8. Security as a Potential Market Differentiator: Different Workloads have Different Risk Profiles
High
Mission-critical workloads, personal information
High value / high risk workloads need
Quality of protection adapted to risk
Direct visibility and control
Significant level of assurance
Private
Analysis & simulation with public data
Need for Security Assurance
Hybrid
Today’s clouds are primarily here:
Lower risk workloads
One-size-fits-all approach to data protection
No significant assurance
Price is key
Training, testing with non-sensitive data
Transparent Security: Infrastructure enables client to stay in control, ie, security is transparent and verifiable. Minimizes client trust, minimizes provider risk, but maximizes technology costs.
Implicit Security: Provider acts as trusted guardian, client cannot directly inspect and verify security. Maximizes client trust, maximizes provider risk, but reduces technology costs.
Low
Public
Low-risk
Mid-risk
High-risk
Business Risk 8

9. System z Cloud Scenario #1: Private Cloud with Linux on z
Multiple workloads from distributed platforms consolidated into a single, scalable footprint utilizing Linux on z
Employees
Linux on z
Linux on z
Linux on z
Contractors
Consultants
z/VM
Web servers, portals, applications and data reside on the VM’s on System z utilizing zLinux
Theoretically, this would be equivalent to a VMWare ESX server type of deployment
Likely, it would only involve applications and data accessible by an organization’s employees, contractors and consultants.

10. System z Cloud Scenario #2: Private Cloud with Linux & z/OS
Multiple workloads from distributed platforms consolidated into a single, scalable footprint utilizing Linux on z and leveraging critical System z transactions and data
Linux on z
z/VM
Employees
Contractors
Consultants
z/OS
IMS
CICS
DB2
Web servers, portals, applications and data would reside on one, or more, VM’s utilizing zLinux and on z/OS. Examples:
CICS transactions running under z/OS accessing databases running on zLinux
Java applications running on zLinux accessing databases running on z/OS
Java applications running on zLinux “kicking off” CICS transactions on z/OS
As in the first scenario, it likely would only involve applications and data accessible by an organization’s employees, contractors and consultants.

11. System z Cloud Scenario #3: Hybrid Cloud (IaaS and PaaS)
Enterprise applications moved to public cloud environments, including IaaS and PaaS, and integrating with Systems of Record deployed on System z within the enterprise
Linux on z
z/VM
z/OS
IMS
CICS
DB2
PaaS
Bluemix
IaaS
Employees
Cloud applications are “reaching back to” the System z to either execute CICS transactions on z/OS or access databases on z/OS or zLinux
Private cloud scenario where it would only involve applications and data accessible by an organization’s employees, contractors and consultants or
Public cloud scenario where the applications are being accessed by customers, clients, citizens, etc.
Contractors
Consultants
Citizens
Business Partners
Customers

12. System z Cloud Scenario #4: Hybrid Cloud (SaaS)
Enterprises consuming SaaS applications delivered from the Cloud, which integrate with Systems of Record deployed on System z within the enterprise
Linux on z
z/VM
z/OS
IMS
CICS
DB2
SaaS
Employees
SaaS applications are “reaching back to” the System z to either execute CICS transactions on z/OS or access databases on z/OS or zLinux
Private cloud scenario where it would only involve applications and data accessible by an organization’s employees, contractors and consultants or
Public cloud scenario where the applications are being accessed by customers, clients, citizens, etc.
Contractors
Consultants
Citizens
Business Partners
Customers

13. Typical Client Security Requirements
Governance, Risk Management, Compliance
3rd-party audit (SAS 70(2), ISO27001, PCI)
Client access to tenant-specific log and audit data
Effective incident reporting for tenants
Visibility into change, incident, image management, etc.
SLAs, option to transfer risk from tenant to provider
Support for forensics
Support for e-Discovery
Application and Process
Application security requirements for cloud are phrased in terms of image security
Compliance with secure development best practices
Physical
Monitoring and control of physical access
People and Identity
Privileged user monitoring, including logging activities, physical monitoring and background checking
Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third party systems
Standards-based SSO
Data and Information
Data segregation
Client control over geographic location of data
Government: Cloud-wide data classification
Network, Server, Endpoint
Isolation between tenant domains
Trusted virtual domains: policy-based security zones
Built-in intrusion detection and prevention
Vulnerability Management
Protect machine images from corruption and abuse
Government: MILS-type separation
Based on interviews with clients and various analyst reports 13 13

14. Fortunately IBM’s System z is Highly Secure
Highly secure platform for virtual environments and workloads
80% of all active code runs on the Mainframe1
80% of enterprise business data is housed on the Mainframe1
This makes the Mainframe a desirable target for hackers
Security is built into every level of the System z structure
Processor
Hypervisor
Operating system
System z security features address compliance
Identity and access management
Hardware and software encryption
Communication security capabilities
Extensive logging and reporting of security events
Communications
Storage
Applications
Extensive security certifications (e.g., Common Criteria and FIPS 140) including EAL5+
But today’s mainframe must interoperate in a complex environment including cloud, mobile, big data and social networking and is susceptible to multiple vulnerabilities
Build on last bullet: But the mainframe is exposed to multiple common security vulnerabilities
Outdated or insufficient security strategies on z/OS, including UNIX on z/OS (USS), that don’t acknowledge modern z/OS connectivity
Many internal users have unintended access to facilities in z/OS that bypass controls and therefore should be tightly managed:
specialized executable libraries (APF)
techniques that bypass tape controls
access to production data from less secure development and test environments
facilities in z/OS UNIX environment (USS)
Universal Access Authority (UACC) in RACF
Unmonitored specialized programs (SVCs)
These unintentional privileged users become unexpected targets for identity theft
Source: IBM Pre-Sale Mainframe Security Health Checks
1Source: 2013 IBM zEnterprise Technology Summit

15. http://www.vm.ibm.com/security/zvminteg.html Certification: z/VM
Statement of System Integrity
Common Criteria
z/VM 5.1 certified 2Q 2005
EAL 3+ for LSPP & CAPP
z/VM 5.3 certified 3Q 2008
EAL 4+ for LSPP & CAPP
z/VM 6.1 certified 1Q 2013
EAL 4+ for OSPP – LS –VIRT
Every other release, does this work for everyone? 15 15

16. Certification: Logical Partition (LPAR)
IBM eServer zSeries 900 (z900)
12/02 Common Criteria EAL4/EAL5
IBM eServer zSeries 800 (z800)
5/03 Common Criteria EAL4/EAL5
IBM eServer zSeries 990 (z990)
10/04 Common Criteria EAL4/EAL5
IBM eServer zSeries 890 (z890)
6/05 Common Criteria EAL4/EAL5
IBM System z9 109
3/06 Common Criteria EAL5
IBM System z9 EC & BC
8/06 Common Criteria EAL 5
IBM System z10 EC & BC
5/09 Common Criteria EAL 5
IBM System zEnterprise 196 & 114
3/12 Common Criteria EAL 5
IBM System zEnterprise EC12 & BC12
Common Criteria EAL 5+
Helps assure you have a certified stack on top of the 16 16

17. Certification: Linux on System z Distributions
Version
Certification Level
Status
Novell SUSE
SLES 8
CAPP – EAL 3 +
Complete
SLES 9
CAPP – EAL 4 +
SLES 10
SLES 11 SP2
OSPP – EAL 4 +
RedHat
RHEL 3
RHEL 4
RHEL 5
CAPP / LSPP – EAL 4 +
RHEL 6.2
OSPP – EAL 4 + (w/ SFR for MLS)
RHEL 7.1
In assessment
Moved to the point releases, as we notice customer are more likely to move a point release, typically a more stable release. 17 17

18. RACFVM Security Controls
Mixed-case passwords and long phrases
Virtual Switches and Guest LANs
VLANs
Minidisks
Shared memory
Shared virtual machines
Spool files
Control and auditing of security-relevant events can be configured through Discretionary or Mandatory Access Controls
Terminals (restricted login)
Multiple security zones (projects)
Security clearances within zones
Certain commands (e.g. STORE HOST)
Control Program interfaces
Full audit: interface, command, virtual machine
The z/VM Control Program (CP) manages authorization and authentication based upon roles and privileges. An ESM extends z/VM’s capabilities by providing both a finer granularity of control and the ability to enact more complete isolation of guests and projects … all in a consolidated interface.
An External Security Manager wraps around z/VM and provides a finer grain of control on commands, as well as far more extensive auditing. z/VM’s ESM of choice is RACFVM, which is a version of the z/OS RACF. Their capabilities are similar, and they come from a common code base, so the ideas translate from one operating system to another. Note that IBM does *NOT* recommend sharing a RACF database between a z/VM system and a z/OS system – they will understand one another, but their security contexts tend to be very different, and the requirements for making the sharing work may be prohibitive.
RACF enhances the VSWITCH technology mentioned earlier by allowing the system administrator to define a virtual machine as being a part of a VMLAN group. It can take zoning a step further by using “Mandatory Access Controls” – a system-wide set of rules which effectively “color-code” all the resources on the system. It’s through a combination of MAC and DAC (Discretionary Access Controls … ACLs and whitelists and the like) that one can implement multi-tenancy on a single z box: you could put Coca Cola and Pepsi on the same machine, and never the twain shall meet.
An ESM can return one of three possible answers to a security control request:
“Authorization granted.”
“Defer security decision to Native CP.”
“Authorization denied.”
Note that the decision to defer to CP can be overrode with the appropriate configuration changes.

19. Integrity of Virtual Machines
The z/VM System Integrity Statement:
The z/VM Control Program enforces the separation of virtual machines, and manages the ability to touch memory.
The point to emphasize here is the guest of virtual machines. For those unfamiliar with virtualization, it’s tempting to think that there can be data collisions in between two guests. In fact, System z enforces guest isolation at the hardware instruction level. The SIE instruction, whether you’re operating first or second level, is a container in which virtual addresses are used and operations are carried out.
Summary: a guest will be completely isolated from another guest, unless a system administrator grants special access in the USER DIRECTORY.
Review the “z/VM System Integrity Statement and Definition” at the URL above.
CP Real Memory

20. VSWITCH and VLANs z/VM z/OS DB2 LPAR 1 LPAR 2 web web db web db db app
A Virtual Switch is a special form of Guest LAN controlled by the z/VM Control Program (CP). It understands IEEE VLAN technology, so you can configure them to understand particular LANs that already exist on your network. This also means that you can have guest virtual servers isolated into different zones – a web app can talk to a web app reasonably well, but an app cannot talk to, say, DB2 running under z/OS in another LPAR without passing through a firewall of some sort.
You could put all outward-facing programs in one LPAR, and all inward-facing programs in another LPAR, and the databases in another LPAR … but z/VM’s networking is controllable to the point where that isn’t necessary.
To internet
With 1 VSWITCH, 3 VLANs, and a multi-domain firewall

21. Distributions Embracing Security
Hardening
Secure shell
Virtual Private Network
Enhanced Audit Capability
Enhanced Authentication Options
Enhanced Firewall Management
Intrusion Detection Systems
Cryptographic Libraries and Access to Hardware
Host and Network Scanning Tools
Certifications
11 years ago when linux started and traction in the market was gaining, it was deployed that everything was initial deployed, telnet, ftp, webserver came running out of the box. It was great, running, and everyone was happy.
As a server environment, you want everything off and start up what you need to require to help secure your env. We worked with SUSE and REDHAT to incorporate these functions into the linuxs releases. 21 21

22. Linux on System z Security Building Blocks
Access Control
SELinux, AppArmor, sudo, IBM Security Access Manager & WebSeal, CA's eTrust Access Control & Web Access
Anti-Virus/Anti-Spam
ClamAV, OpenAntiVirus, AmaViS, MIMEDefrag, TrendMicro’s ServerProtect & ScanMail, Network Associates, Roaring Penguin’s CanIt
Directory Services
Open LDAP, NIS/NIS+, IBM Directory Server, CA's eTrust Directory, PADL’s XAD, Quest’s VAS
Digital Certificates
Freeware PKI, z/OS PKI Services
Firewall
IPTables/NetFilter, IBM/ISS PSL* for Linux on System z, webApp.Secure
Intrusion Detection
Snort, AIDE, Snare, PortSentry, TripWire, OSSec, LIDS, IPLog, IBM/ISS PSL* for Linux on System z, PredatorWatch, SafeZoneNet
Note, Key technologies have been covered over the years working with vendors ongoing development
Open Source
Vendor
* Proventia Server for Linux 22 22

23. Linux on System z Security Building Blocks
Secure Network Communications
OpenSSH, GnuPG (OpenPGP compliant), USAGI IPv6, FreeS/WAN, CA's eTrust VPN, SecureAgent Software, PGP Command Line
Secure Socket Layer (SSL)
OpenSSL, PKCS#11, GSKIT
System Hardening
Bastille, Tiger, RedHat, Novell SuSe
Secure Data
dm-crypt, ppdd, CFS, Network Associates' e-Business Server
Distributed Policy Management
IBM Security Access Manager, CA's eTrust Directory
Proxy Server
Proxy Suite from SuSE, IBM Edge Server
Note, Key technologies have been covered over the years working with vendors ongoing development
Open Source
Vendor 23 23

24. System z Security Solutions System z Security solutions to address specific needs in the marketplace based on areas identified as key areas for Security. Solutions consist of HW, SW & Services
Enterprise Key Management Pillar -
Advanced Crypto Services Provider (ACSP)
Leverages z/OS, ICSF, & Crypto Express hardware to centralize operational keys on z/OS for distributed applications
Enterprise Key Management Pillar -
Crypto Analytics Tool (CAT)
Builds on EKMF foundation & provides insight on key usage and potential crypto key exposures
Key Management: Focus on management of keys & certificate while meeting compliance standards and audit reviews
Enterprise Key Management Foundation (EKMF) – Available
Provide a centralized key management solution that leverages clients’ investments IBM System z Hardware Cryptography for the ultimate protection of sensitive keys and meeting compliance standards
Compliance: Focus on keeping ahead of industry standards for System z – enabling our systems to be compliant to the latest standards and make passing audits easier – e.g. – PCI Compliance
IBM Payment Card Industry Hardware Collection – Available
The IBM Payment Card Industry Compliance collection is the basis in establishing a highly secure management hardware cryptographic model 24 24

25. Linux on System z Cryptography
Security on System z
Linux on System z Cryptography 25

26. Integrated System z processor based Crypto: CPACF
The Central Processor Assist for Cryptographic Function (CPACF) is available on every processor unit defined as a central processor (CP).
Provides a set of symmetric cryptographic functions that cab be used to enhance the encryption and decryption performance of clear-key operations for:
Secure Sockets Layer (SSL),
Virtual Private Networks (VPN) and
Applications not requiring a high level of security such as Federal Information Processing Standard (FIPS) Security Level 4.
CPACF is explicitly enabled using a no-charge enablement feature (#3863).
Secure hash algorithms (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512) are shipped enabled on all servers with processor units (PUs) defined as CPs, IFLs, zIIPs, or zAAPs.
The CP Assist for Cryptographic Function offers:
For data privacy and confidentiality
Data Encryption Standard (DES)
Triple Data Encryption Standard (TDES)
Advanced Encryption Standard (AES) for 128-bit, 192-bit, and 256-bit keys
For data integrity
Secure Hash Algorithms
SHA-1: 160 bit
SHA-2: 224, 256, 384, and 512 bit
For message authentication codes (MAC)
Single-length key MAC
Double-length key MAC
Core2
Core0
Core4
L3C 1
MCU
L3C 0 GX
Core1
Core3
Core5
zEC12 CP 26

27. Integrated System z Coprocessor Crypto: Crypto Express4S
Crypto Express4S represents the latest generation cryptographic feature
Designed to complement the cryptographic capabilities of the CPACF.
The Crypto Express4S:
Tamper-sensing and tamper-responding – "zeroizes" if a tamper is detected
Programmable cryptographic feature providing a secure cryptographic environment
Can be configured in one of three ways using the Hardware Management Console (HMC) panels:
IBM Common Cryptographic Architecture (CCA) coprocessor
Secure key operations
User-defined extension (UDX) services to implement custom cryptographic functions and algorithms
Applies only when configured as an IBM CCA coprocessor
Configured as an Accelerator, it is optimized for:
Secure Sockets Layer (SSL) acceleration using clear key RSA operations.
IBM Enterprise PKCS #11 (EP11) Coprocessor – new with the zEC12 processor
Designed to provide open industry standard cryptographic services.
EP11 is based on PKCS #11 specification v2.20 and more recent amendments
Designed to meet the rigorous FIPS Security Level 4 and Common Criteria EAL 4+ certifications.
Designed to meet public sector and European Union requirements where standardized crypto services and certifications are needed. 27

28. z/VM and Hardware Cryptography Virtualization
Virtual machines have access to CPACF
Crypto Card Support, starting with the CryptoExpress 2 feature
Available to guest virtual servers
Accelerator mode, coprocessor mode, and (CEX4S) EP11 modes
Clear key, secure key, and protected key operations for guests
Managed in the CP User Directory – dedicate domains to a virtual machine
z/VM has native TLS Support in its TCP/IP stack
z/VM System SSL and CPACF
z/VM supports Encrypted-Read and Encrypted-Write of data to/from the 3592 Model E05 tape drives (and C06 Control Unit)
Operations can be transparent after configuration (if using default keys); guests are unaware
Requires use of an “out of band” Encryption Key Manager (EKM)
CPACF can be used by any virtual machine. The z/VM SSL Server, which protects TCP/IP traffic in the CMS space (not the Linux space), uses CPACF. Any guest that can able CPACF can use it; it is not controlled by the directory.
z/VM controls a guest’s ability to use the Crypto Cards. Either a guest can use a domain dedicated to it in the User Directory, or it can use a domain from a queue of Shared Domains.
A CMS guest (a pure z/VM virtual machine) or a second-level z/VM guest won’t make use of the Crypto cards. Today, they’re specifically for use by guest virtual servers (e.g., Linux).

29. RAS in the Linux on System z Crypto Device Driver
crypto requests submitted by
user space applications:
Program submits crypto request with IOCTL to /dev/z90crypt.
Linux crypto device driver selects most appropriate adapter for request
supports requested function
has most capacity left
Linux crypto device driver submits request to selected adapter.
If request fails
crypto DD will retry on same adapter (if reasonable)
crypto DD will retry on an alternative appropriate adapter
If all recovery options in device driver fail
crypto DD will present error code
If the libica clear key crypto library observes an error code on rsa or random requests it will use a software fallback function.
RSA_modexpo
RSA_crt
CCA request
read random no
/dev/z90crypt
/dev/hwrng
kernel
crypto DD
crypto
request
scheduler
IOCTL , a mechanism to talk between the user address space and kernel.
LIBICA will route to SW if it can (clear key requests)
CEX3A
CEX2A
CEX3C 29 29

30. Update on Crypto Express 4S Support
Linux Toleration Support
CEX4A adapter is recognized as and works like CEX3A
CEX4C adapter is recognized as and works like CEX3C
available in RHEL 6.2 and SLES 11 SP2
available for RHEL 5.9 and SLES 10 SP4 per maintenance update
Linux Exploitation support
initially only for accelerator and CCA coprocessor personalities
displays HW type 10 and shows CEX4A and CEX4C in sysFS lszcrypt
displays ap_functions attribute in sysFS, human readable in lszcrypt
supersedes toleration support
available with RHEL 6.4 and SLES 11 SP3
targeted for SLES 12 and RHEL 7
z/VM support
CEX4A, CEX4C both dedicated and shared guest support
CEX4P only dedicated support
APAR VM65007 for versions 5.4, 6.1 and 6.2
CEX4C sharing requires APAR VM65308
Linux Toleration Support: Why do we do this toleration support. We do not preannounce HW. We have to be done 6 months prior to a distribution GAing, up to a year. 30 30

31. Clear Key / Secure Key / Protected Keys
Key may be in the clear, at least briefly, somewhere in the environment
Least secure as the key may be visible to application logic
Crypto engines built directly into the System z CP support clear key operations
Secure Key
Key value does not exist in the clear outside of the HSM
Keys are encrypted or "wrapped" by a hardware Master Key that resides in the System z Crypto Express coprocessor
Secure, tamper resistant boundary of the Crypto Express coprocessor card
Protected Key
Key value does not exist outside of physical hardware – keys not visible to OS or applications
Used by the System z CPACF for high speed secure processing of crypto operations
Exclusive to System z

32. Load Balancing Secure Key Requests in the Crypto DD
Program submits crypto request with IOCTL to /dev/z90crypt
Secure key crypto requests are typically directed to a specific adapter
Linux crypto device driver support directs requests to an adapter set
CCA requests to any CCA coprocessor
Device driver then selects the adapter with most capacity left
Resulting in
increased crypto capacity for applications
RAS in crypto device driver for secure key request
CCA library provides a programming interface to set a target adapter to “any coprocessor”
Note:
all potential target adapters must be of same/compatible types
all potential target adapters must have the same state
manage adapters only while application offline
no retained keys
crypto requests submitted by
user space applications:
RSA_modexpo
RSA_crt
CCA request
read random no
/dev/z90crypt
/dev/hwrng
kernel
crypto DD
crypto
request
scheduler
Remind them that if they have multiple card, in order to route them to either, they need to have the same Master key.
Retained Keys on Linux for system z should be avoided. If using them and routed functions to the other crd will not work. And how do you back up your retained keys? Need to consider persistent key stores, Java, PKCS11, CCA, etc.
CEX3A
CEX4C
CEX4C 32 32

33. Current Linux on System z Crypto Stack
openssh
(ssh, scp,
sftp)
Apache
(mod_ssl)
Apache
(mod_nss)
IBM
C/C++
SW.
Customer
C/C++
SW using
PKCS#11
WAS
Customer
Java/JCE SW
Customer
CCA SW
Application
Layer
NSS
GSKIT
JCA/JCE
Standard
Crypto Interfaces
ICC
IBMPKCS11Impl
openssl / libcrypt
Opencryptoki (PKCS#11)
ibmca
engine
ica
token
cca
token
System z
HW Crypto
Libraries
ICA (libica)
CCA (libcsulcaa)
In Linux 2.6 Kernel, they added support for kernel primitives. Is 2.6 and later, the crypto primitives can be backed automatically by the CPACF. If Ipsec and DM-Crypt are compiled for Z, you get the CPACF exploitation automatically when available.
Kernel
Operating
System
IPsec
dm-crypt
Kernel crypto framework
zcrypt device driver
System z backend
Hardware
CPU
Crypto Adapters
CPACF
(DES, 3DES, AES, SHA, PRNG)
Accelerator
(RSA)
EP11
Co-Processor
CCA
Co-Processor
(RSA, RNG, ECC)
clear key
protected key
secure key 33 33

34. Remote EP11 Crypto Stack Java API JCA cross platform solution
PKCS#11 API via openCryptoki (version 3.0)
new ICSF token for openCryptoki (open source, cross platform)
new LDAP service in z/OS with EP11 support
Timeline
released to open source
push open source code into distributions
z/OS part to be included in in z/OS 2.1
IBMPKCS11
Impl
C/C++ API
openCryptoki
(PKCS#11)
ICSF token
network
z/OS with
EP11 Server (LDAP) 34 34

35. Latest on Linux on System z Crypto Stack
openssh
(ssh, scp,
sftp)
Apache
(mod_ssl)
Apache
(mod_nss)
IBM
C/C++
SW.
Customer
C/C++
SW using
PKCS#11
WAS
Customer
Java/JCE SW
Customer
CCA SW
Application
Layer
NSS
GSKIT
JCA/JCE
Standard
Crypto Interfaces
ICC
IBMPKCS11Impl
openssl / libcrypt
via
network
opencryptoki
(pkcs#11)
ibmca
engine
ica
token
cca
token
icsf
token
z/OS
EP11
server
System z
HW Crypto
Libraries
ICA (libica)
CCA (libcsulcaa)
Server that sits and runs on LDAP for 2.1 Remote Crypto see, z/OS 2.1 RFA
Kernel
Operating
System
IPsec
dm-crypt
Kernel crypto framework
zcrypt device driver
System z backend
Hardware
CPU
Crypto Adapters
CPACF
(DES, 3DES, AES, SHA, PRNG)
Accelerator
(RSA)
EP11
Co-Processor
CCA
Co-Processor
(RSA, RNG, ECC)
clear key
protected key
secure key 35

36. openCryptoki Key Stores
openCryptoki stores token objects (keys, certificates) “with” the token
PKCS#11: token objects are persistent objects (e.g. keys, certificates)
for ICA, CCA, EP11 tokens: stored in an encrypted file associated with the token (access permissions should be restricted to the token owner)
access to (private) token objects is USER PIN protected
JCA can access openCryptoki key store via PKCS11IMPLKS key store (access requires USER PIN)
The CCA token does not support retained keys.
The EP11 token does not support retained keys 36 36

37. EKMP-ACSP Components – Crypto as a Service
The IBM EKMP- ACSP is a client/server solution that enables distributed platforms to use cryptographic hardware on a System z resulting in a cost effective use of available cryptographic capacity; and centralized key storage on System z helping simplify key management
Distributed Platforms
(System i/p/x or third party)
Server with IBM Crypto Hardware
Business Application
ACSP Client
ACSP Server
IBM Crypto Hardware
Secure channel
Here's a different view of the ACSP componments – and the platforms and environents. The left hand side of the page shows the client platforms supported by ACSP that communicate via a protected channed to the ACSP server. As you can see from the right hand side of the slide – the ACSP server supports multiple hardware and OS environments – where IBM HW cryptography is supported
ACSP client platforms
AIX, i5, Linux, Windows
PureSystems
(in reality any Java platform)
ACSP client APIs
CCA in Java and C
PKCS#11, JCE
Transport network IP
SSL/TLS protected (client/server auth,)
ACSP server platform
System z: z/OS (CEX3/4)
System p: AIX (4765)
System x: SLES, RHEL (4765)
PureSystems

38. Crypto Health Checks Linux Health Checker (LNXHC)
a framework & tool to check whether the set up of a system is correct or follows best practices
the set of checks is extensible
adaptable profiles to match set of applicable checks to customer environment
provides
indications of problems found
Explanation of the problems
hints to resolve problems
Crypto health checks to validate crypto configuration:
crypto_cca_stack
crypto_cpacf
crypto_opencryptoki_ckc
crypto_opencryptoki_ckc_32bit
crypto_opencryptoki_skc
crypto_opencryptoki_skc_32bit
crypto_openssl_ibmca_config
crypto_openssl_stack
crypto_openssl_stack_32bit
crypto_z_module_loaded
User
Framework
Health checks are for the entire systems not just crypto of security. This checks plug into that framework and can be extended by customers as needed.
Health Checker
Collect system
information
Generate results
Target system
Plug-ins
Health Checks
Consumers
Report 38
Notification
© 2013 IBM Corporation 38

39. Public Key Infrastructure (PKI)
Public/Private Key Pair
Confidentiality and Data Integrity
RACF’s Digital Certificate Support
Life Cycle Management (create, manage, store, distribute, verify)
z/OS as Certificate Authority (trusted third party)
SSL Support
System z
z/OS
z/VM
Linux:
CA/PKI Administration
CA Server
HTTPD
Linux:
Web Server
Windows
RACF
PKI Services
Sign for data integrity
Browser
Linux:
End User
Linux is an exploiter of z/OS PKI. Using IEDN for guest communication, physical security. Also allows PKI services to stretch into the zBX environments for additional exploitation on X and P for appservers, webservers, etc.
Encrypt for confidentiality
Linux
RACF DB
Browser
LPAR
Workstation
HW Crypto
Manageme nt of PKI Services
Browser 39 39

40. Centralized Authentication & User Management
Common Client – PAM
Integrated LDAP Server on z/OS and z/VM
LDAP backed by RACF or DB2® or BFS
System z
z/VM
z/OS
Linux
ITDS
(LDAP)
PAM
Linux
Linux
PAM
DB2 or
Linux
PAM
Distributed
ITDS
(LDAP)
RACF
Linux
Linux
PAM
Mapping Distributed Identities on RACF, get PAM as part of Linux. PAM calls LDAP, verified identities. LDAP can be backed by DB2, RACF.
RACF get authentication.
DB2 get NSS data, home directory, what shell are you using, etc. or
PAM
PAM
BFS
RACF
Linux
LPAR
PAM 40 40

41. Redbook: Enterprise Multiplatform Auditing (SG247472)
Centralized Audit
System z
Common Client – auditD with plug-in
Integrated LDAP Server on z/OS and z/VM
LDAP backed by RACF
z/VM
z/OS or z/VM
Linux
auditD
Plug- in
ITDS
(LDAP)
Linux
Linux
auditD
Plug-in
auditD
Plug-in
Linux
Distributed
Audit Demon (open source) that is distributed, uses LDAP Xops, to centralize audit info from linux guests to a centralize z/OS or zVM.
Back end, any audit analysis tools you use on z/OS or z/VM can also run on your linux audit data.
auditD
Linux
RACF
Plug-in
auditD
Plug-in
LPAR
Redbook: Enterprise Multiplatform Auditing (SG247472) 41 41

42. IBM Enterprise Key Management Foundation for Integrated Key Management
IBM Enterprise Key Management Foundation powered by DKMS Centralized key lifecycle management with single point of control, policy, reporting, and standardized processes for compliance
EMV & PCI Standards
EKMF provides proven experience in the enterprise key management space
Capabilities tailored to the needs of the banking and finance community
Adherence to key banking and finance standards
Trusted Key Entry (TKE) workstation provides a secure environment for the management of crypto hardware and host master keys
SKLM for z/OS provides proven key serving and management for self encrypting tape and disk storage capabilities to devices
The capabilities of EKMF, TKE, and SKLM provides an optimum solution that addresses the needs of multiple client and marketplace needs
Tape devices
Enterprise Tape Library
EKMF
SKLM
Disk Storage
Array
TKE for Crypto Express Hardware management
EKMF for application key management
IBM’s EKMF provides the foundation for Integrated and Extensible Key Management

43. Introducing EKMP – Crypto Analytics Tool (CAT)
The IBM EKMP - Crypto Analytics Tool (CAT) collects crypto information from a z/OS, analyzes it and delivers reports and tree view of key material
Solution Summary
- CAT is a tool that collects all kinds of crypto information from various sources on IBM System z. It then performs correlations and analysis that are presented to the user in a comprehensible fashion bringing a complete overview of the crypto system on z (current setup, possible security issues, real time use of crypto, etc)
Requirements – Bill of Materials
z196/z114/EC12/BC12
z/OS ICSF Version 1.13 or higher
DB2 V 9.1 or higher
IBM Enterprise Key Management Foundation - Installation & Configuration
Enterprise Key Management Foundation Licenses and Service
EKMP – Crypto Analytics Tool (CAT)
Solution Benefits
Control – Clients need to have control over which applications are using which cryptographic functions and keys
Up to date view – Clients need to be able to monitor the keys and functions being used by their users as well as be able to highlight possible security issues
Determines if weak keys are being used

44. Introducing IBM Payment Card Industry Hardware Collection
The IBM PCI Hardware Collection configuration supports critical System z environments while delivering the Ultimate Security with an extensive range of unique System z Security
Solution Summary
The IBM Payment Card Industry Compliance collection is the basis in establishing a highly secure management hardware cryptographic model.
Composition of Offering:
CryptoExpress 3/4S
Trusted Key Workstation (TKE)
SmartCard Reader
SmartCard
The Trusted Key Entry Workstation, Smart Card & Crypto Card combination provide the highest level of protection of data while addressing the robust and comprehensive PCI Standards business need to adhere to.
Business outcomes
“If you don’t have a Mainframe but are committed to centralized databases, Linux, Java, SOA and/or WebSphere, there’s an option here that might make your future a lot simpler, especially with respect to securing the data and IT infrastructure end to end. Don’t fall for the mythology; take a closer look at why the Mainframe may be the best vehicle to achieving your PCI DSS goals.”
Source: Joe Clabby, The Clipper Group Captain’s Log, Oct. 31, 2007
Solution Benefits
Helps to simplify management of System z hardware cryptographic coprocessors, simplifies processor migrations and improves the security of cryptographic keys.

45. Poodle SSL Vulnerability Attack
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0 – CVE ID’s: CVE , CVE
To mitigate POODLE attack:
Completely disable SSL 3.0 on both the client side and the server side
However, some old clients and servers do not support TLS 1.0 and above. Thus, browser and server implementation of TLS_FALLBACK_SCSV is encouraged, which will make downgrade attacks impossible
Implement "anti-POODLE record splitting". It splits the records into several parts and ensures none of them can be attacked. However the problem of the splitting is that, though valid according to the specification, it may also cause compatibility issues due to problems in server-side implementations

46. X-Force Assessment of SSL Vulnerability
X-Force Assessment:     Medium Risk
*CVSS:
Consequences:
Obtain Information
Remedy:
Customers are encouraged to disable SSLv3
Base Score:
4.3
  Access Vector:
Network
  Access Complexity:
Medium
  Authentication:
None
  Confidentiality Impact:
Partial
  Integrity Impact:
  Availability Impact:
Temporal Score:
3.5
  Exploitability:
Unproven
  Remediation Level:
Workaround
  Report Confidence:
Confirmed

47. Poodle SSL Vulnerability Mitigation
Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.
Google's Chrome browser and their servers already support TLS_FALLBACK_SCSV, and Google stated in October, 2014 it is planning to remove SSL 3.0 support from their products completely within a few months
Mozilla will also disable SSL 3.0 in Firefox 34, which will be released in November 2014, and add support of TLS_FALLBACK_SCSV in Firefox 35
Microsoft has published the security advisory to explain how to disable SSL 3.0 in Internet Explorer and Windows OS, and in October 29, 2014, Microsoft released "Fix it" which disables SSL 3.0 in Internet Explorer on Windows Vista / Server 2003 and above and announced the plan to disable SSL 3.0 by default in their products and services within a few months
Some web sites have dropped support of SSL 3.0 to prevent the POODLE attack, such as CloudFlare, and Wikimedia
NSS version , released on October 3, 2014, and , released on October 27, 2014, introduced support for TLS_FALLBACK_SCSV, and NSS will disable SSL 3.0 by default in April OpenSSL versions 1.0.1j, 1.0.0o and 0.9.8zc, released on October 15, 2014, introduced support for TLS_FALLBACK_SCSV. LibreSSL version 2.1.1, released on October 16, 2014, disabled SSL 3.0 by default

48. IBM Guidance on SSL Vulnerability
The IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings
IBM is analyzing its products to determine which ones may be affected by this vulnerability and those that still rely on it have a mandate to migrate off of it. Please actively monitor both your IBM Support Portal for available fixes and mitigations and this blog for additional information 
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions.  The most immediate mitigation action that can be taken is disabling SSLv3.  You should verify disabling SSLv3 does not cause any compatibility issues

49. Threat Vulnerability Exploitation Protection
IBM’s GX and XGS IPS are able to detect and protect from the Poodle vulnerability as well as the variant that was identified shortly there after
In addition to protecting systems from the attack, the GX and XGS IPS we are able to identify any systems still using SSL v3 over the network
Other IDS/IPS vendors (i.e. Juniper, McAfee, etc.) may offer this same capability – check with your IDS/IPS vendor!

50. IBM Server and Software Support for TLS
System z z/TPF:
OpenSSL does not properly enforce the no-ssl3 build option. Servers that are configured with this option could accept and complete an SSL handshake. An attacker could then use this vulnerability to perform unauthorized actions and obtain data
Workarounds and Mitigations
None
Remediation/Fixes
Apply APAR PJ42658
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service

51. IBM Server and Software Support for TLS
WebSphere:
For all releases and versions of Apache based IBM HTTP Server, IBM recommends disabling SSLv3
For all releases and versions of WebSphere Application Server, SSLV3 users will want to disable SSLV3 using IBM JDK, both Full Profile and Liberty Profile. This will disable SSLv3 by default
If you have SSL hard coded in your application code, such as SSLContext.getInstance("SSL") then you should install the interim fixes since the current implementation defaults that context to SSLv3. The interim fix is an enhancement in the IBM JDK
You should also consider the options listed in the IBM Security Bulletin for a full solution

52. IBM Server and Software Support for TLS
WebSphere MQ:
IBM WebSphere MQ - All versions
SSLv3 users will want to disable SSLv3 on WebSphere MQ servers and clients and switch to using the TLS protocol
UNIX, Linux and Windows Use of TLS protocol is enforced by enabling FIPS compliance mode. Enabling FIPS compliance mode disables SSLv3 connections from being accepted by the IBM WebSphere MQ listener
DB2
By default, DB2 does not use TLS/SSL for client-server communication and therefore, potential exposure only exists if you are using TLS/SSL. A TLS/SSL connection using a malformed certificate chain could cause the server process to hang or crash.
Remediation/Fixes
The recommended solution is to apply the appropriate fix for this vulnerability.

53. IBM Server and Software Support for TLS
Lotus Notes/Domino:
IBM has released Interim Fixes that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack. Implementing TLS 1.0 for Domino will protect against the POODLE attack and will allow browsers to still connect to Domino after they have been changed to address the POODLE attack.
IBM has provided Interim Fixes for the following Domino releases:
9.0.1 Fix Pack 2 -
8.5.3 Fix Pack 6 -
8.5.2 Fix Pack 4 -
8.5.1 Fix Pack 5 -
Note: For any Domino release, a proxy server in front of Domino to handle TLS communication will also address this issue. Select a proxy server that disables SSLv3 or prevents downgrading a TLS communication down to SSLv3.  Domino 9.0x for Windows has a proxy solution by including the IBM HTTP Server (IHS) that supports TLS

54. Mainframe Administration Compliance and Auditing
5454
5454
Mainframe Security Management Vision
Mainframe Security Intelligence
System z identity and access context, real-time event correlation
Mainframe Governance, Risk and Compliance
Regulations, IT Security Policies and Third Party Integrations
Mainframe Administration
Mainframe
Compliance and Auditing
Effective user and access control administration for z/OS
Simplifies user and resource management
Offers a Windows GUI to administer security
Provides automated monitoring, analysis and auditing
Enforces compliance best practices and security policy
Provides intrusion detection and generates real time alerts
This is IBM’s strategy for mainframe security management
Start with the hardware, the data, the application, the native security element and extends to the mainframe as a cloud computing platform
Working with that are tools to easy the mainframe security administration and the tools to automate the mainframe security monitoring, auditing and compliance reporting
Integrating these components is enterprise security intelligence, not just mainframe
And sitting on top of that is enterprise Governance, Risk and Compliance
Mainframe
Data
Applications
RACF
Cloud Computing

55. Resource Access Control Facility (RACF) The foundation of mainframe security
Authentication Authorization Administration Auditing
Administration
Administration
Enables application and database security without modifying applications
Data & Applications
Applications
Can reduce security complexity and expense:
Central security process that is easy to apply to new workloads or as user base increases
Tracks activity to address audit and compliance requirements
Networks
Networks
RACF
z/OS
z/OS
Integration with distributed system security domain
Checking for “Best Practices” with z/OS HealthChecker
Serving mainframe enterprises for over 30 years
Architecture
Architecture
Hardware
Hardware

56. Securing the Cloud Environment
IaaS
PaaS
SaaS
So, let’s talk about the security requirements for such a powerful and dynamic environment.
You will need to be able to:
Secure the hypervisor, i.e. z/VM
Provide administrator access to the VM’s
Be able to Provision users to the applications and data
Manage and Control access to the applications and data
Monitor, Alert, Audit and Report on accesses to and attempted access to the applications and data
Detect and Prevent against vulnerabilities, threats, malware and fraud
Safeguard the data and protect from data loss
Does this sound familiar?

57. Integrated Security for Today’s Business Environment
Mobile -
Social
Access customer data through your mobile device
Securely store critical customer information in your enterprise cloud
Analyze customer information to gain insight around suspected fraud
Improve economics through hardware based cryptography and centralized enterprise key management
Mitigate risk with comprehensive auditing and reporting
Assurance that MSP‘s multi-tenanted public and private cloud workloads remain securely isolated through industry leading certifications
Confidence that your assets are protected with intrusion detection and secured communications
Synergy between Linux on System z and z/OS via exploiting the centralized security capabilities present in z/OS
SSL transactions up to 19K/sec
Security is arguably the most important part of your enterprise. After all, without it, your business can’t be successful. System z offers you end to end security, access controls, compliance and auditing from the your mobile device through the system of record into your Cloud environment and can secure the customer data you are accessing all over secured communications on your network. System z provides cost effective options for encrypting and securing transactions by offering high speed, secure encryption with the cryptographic coprocessors and on chip crypto operations.
Clients can manage risk and assure compliance with a comprehensive suite of products to assist with user authorization, auditing and reporting.
With FIPS Level4 certified Cryptographic HW, IBM provides the most secure tamper sensing, tamper resistant security module available in the market.
As clients look to deploy mission critical workloads into public and private clouds, System Z offers an industry leading EAL5+ certification, giving MSPs the assurance that public and private clouds environments remain isolated, or air gaped, in a multi-tenanted environment and data that between LPARs cannot be compromised.
Linux on System Z has a differentiation over other Linux environments in that is can take of advantage of the high speed system z encryption technologies, exploit z/OS PKI using IEDN and allow the mapping of Distributed Identities on RACF through a LDAP to verify identities. This brings to Linux on Z the strengths of scalability, availability and the auditing capabilities of RACF.
High-end security is a primary requirement for the current and next generation of Mainframes and we continue bring rich new technologies to System z to support emerging business opportunities in Analytics, Mobile, Social, and Cloud that depend on a secure infrastructure.
FIPS Level 4 certified Crypto Coprocessor
EAL5+ Certification 57 57

58. Identity Protection Insight
Enterprise hybrid cloud adoption requires integrated security solutions
Identity
Protection
Insight
Software as a service (SaaS)
Enable users to connect securely to SaaS
SaaS access governance
Identity federation
Secure connectivity and data movement to SaaS
Data tokenization
Secure proxy to SaaS
Application control
Monitoring and risk profiling of enterprise SaaS usage
Monitor SaaS usage
Risk profiling of SaaS apps
Compliance reporting
Platform as a Service (PaaS)
Integrate identity and access into services and applications
DevOps access management
Authentication and authorization APIs
Build and deploy secure services and applications
Database encryption
App security scanning
Fraud protection and threats
Log, audit at service and application level
Monitor services and platform
Service vulnerabilities
Infrastructure as a Service (IaaS)
Manage cloud administration and workload access
Privileged user management
Access management of web workloads
Identity federation for B2B
Protect the cloud infrastructure to securely deploy workloads
Storage encryption
Network protection ‒ firewalls, IPS
Host security, vulnerability scanning
Security monitoring and intelligence
Monitor hybrid cloud infrastructure
Monitor workloads
Log, audit, analysis and compliance reporting
Note: Listed capabilities in the above table are examples of capabilities, and not a comprehensive list 58

60. Security Solutions for System z Cloud Scenarios
Private Cloud with Linux on Z
Private Cloud with Linux & z/OS
Hybrid Cloud (IaaS and PaaS)
Hybrid Cloud (SaaS)
People & Identity:
Identity Management
Yes
Privileged ID Management
Possibly
Federated Directory Services
Federated ID Management
Likely not
Access Management for Web
Access Management for Mobile
Applications:
Application Vulnerability
Data:
Database Protection
Encryption Key Management

61. Security Solutions for System z Cloud Scenarios
Private Cloud with Linux on Z
Private Cloud with Linux on Z & z/OS
Hybrid Cloud (IaaS and PaaS)
Hybrid Cloud (SaaS)
Infrastructure:
IDS/IPS
Yes
zSecure:
Admin No
Audit
Alert
Command Verifier
Visual
Manager for RACF z/VM
Possibly
CICS Toolkit
Fraud:
Fraud Prevention
Intelligence/Analytics:
SIEM

62. Linux on System z Redbook
Introduction
Hardware, z/VM and Storage Configuration
The z/VM security management support utilities
Configuring and using the System z LDAP servers
For both z/OS and z/VM
Authentication and access control
Cryptographic hardware
Clear and secure key and CPACF
Physical and infrastructure security on System z
Protecting the HMC, system configuration, disk security, z/VM minidisks, firewall
Security implications of z/VM SSI and LGR
Best Practices
Where to find:
Single System Image and Live Guest Relocation - zVM technology to take a running guest and move it to another running z/VM. Think of LLBEAN or some other order being submit and they need to apply service to the server and the guest with the order is moved to another z/VM, customer doesn’t notice any change as his order is placed. 62 62

63. Questions? 63 System z Security Conference for Today and Tomorrow
© 2014 IBM Corporation

64. Thank You! 64 System z Security Conference for Today and Tomorrow
© 2014 IBM Corporation

65. Backup Slides

66. IBM Security zSecure Manager for RACF z/VM Overview
Cloud Hypervisor Security
IBM Security zSecure Manager for RACF z/VM Overview
Helps ensure security by automating auditing and administration and allowing users to:
Ensure compliance with security policy and regulatory requirements
Reduces administrative costs
Lower overhead in performing audit and compliance tasks
Help improve completeness and accuracy of the identification of security events of audit interest
Help improve the integrity of vital z/VM assets
Lower administrative costs 66

67. IBM Security zSecure Manager for RACF z/VM key features
Cloud Hypervisor Security
IBM Security zSecure Manager for RACF z/VM key features
Combined administration and audit functionality for the z/VM environment:
Automate complex, time consuming z/VM security management tasks with simple, one-step actions that can be performed without detailed knowledge of RACF commands
Create comprehensive audit trails without substantial manual effort (RACF SMF records & more) from both z/VM & Linux for System z
Quickly identify and prevent problems in RACF before they become a threat to security and compliance
Help ease the burden of database consolidation
Generate customized reports

68. Federated Directory Services
Cloud Directory Services
Federated Directory Services
IAM Analytics & Security Intelligence
Directories, Databases, Files, SAP, Web Services, Applications
Directory Services
Search
Federated Directory Service
Access
Oracle
- Multiple directories
- traditional VD, performance affected by the weak link
- No SIEM integration
Radiant Logic
- Strong, mature VD
- Invested in Federated SSO
Dell
- Strong VD
- Struggling with acquisition integration
- De-investing in Access
ForgeRock
- Sun centric
- Open source, not highly scalable
Microsoft
- Windows centric
IBM
- Single SDI package to support Identity silo use cases including virtual directory scenarios
- additional value offered with SDI including Whitepages, SCIM support
- SIEM integration
- Flexible pricing
Enterprise Directory
(hybrid, virtual)
Cloud Intgr. (SCIM)
Authentication (multi-directory) 68

69. IBM Security Identity Manager
Cloud Identity Management
IBM Security Identity Manager
Real-time insider fraud detection with integrated IAM Analytics and Security Intelligence
IAM Analytics & Security Intelligence
Identity Management
Identity
Change
Access
Policy
Access Certification
Accounts Updated
On/Off-premise Resources
Detect and Correct Local Privilege Settings
HR Systems/Identity Stores
Applications
Data
Cloud
Mobile
User Provisioning (B2E, B2B)
Failed Audits (B2E, B2B)
Governance (CrossIdeas)

70. IBM Security Access Manager
Cloud Access Management
IBM Security Access Manager
Security Team
Application Team
Manage consistent
security policies
Consumers
Web Applications and Portal
Access Management
On/Off-premise Resources
Internet
Applications
Data
Employees BYOD CA
- Siteminder + Layer 7
EMC
- leads with RBA F5
- leads with threat
Ping/Okta/SFDC
- targeting Cloud SSO
Cloud
Mobile
Web Access (B2E, B2C, WAF)
Mobile Access (BYOD, B2C)
Risk Access (B2B, B2C)
Fed. SSO (B2B, B2C) 70

71. Federated Identity Management
Cloud Federation
Tivoli Federated Identity Manager – Made for clouds
On Premise Cloud Stacks
Off Premise Cloud Stacks
Federated Identity Management
IT Administrator
External IdPs
Enterprise IdPs
Enterprise Applications
Cloud Applications
Cloud Access (B2E, B2C)
Cloud Administration
Fed. SSO (B2B, B2C)
BYO ID (B2C)
Details
Provides out-of-the-box integration with TAMeb and WebSphere Application Server as “point-of-contact” servers - designed for integration with other identity providers.
Tools for user enrollment and web access management
Supports customizable points of contact to manage identities across multiple cloud patterns.
Supports wide variety of Federated Single Sign On protocols including user-centric identity support (SAML 1.[01]/2.0, WS-Federation 1.[13], Liberty ID-FF 1.[12], Information Card Profile 1.0, OpenID 1.1/2.0)
WS-Trust based security token services
WS-Trust 1.2/1.3
Supported token types: LTPA, Username, SAML 1.0/1.1./2.0, RACF Passticket, X.509 Certificate, Kerberos (Kerberosv5_AP_REQ/GSS_Kerberosv5_AP_REQ)
End-to-end identity propagation across Portal, DataPower and Federated ESBs
Simplifies integration to Java, .NET, mainframe environments
Integration with Cloud Services such as IBM LotusLive, Google Apps, salesforce.com, etc.
Offered as TFIM, TFIM for z/OS, and TFIM Business Gateway packages. (TFIM Business Gateway helps quickly and securely establish FSSO with an existing application environment

72. Cloud Administrator Access Management
Privileged Identity Management: Centralized management of privileged and shared identities
Addressing insider threat with privileged users access management
Business challenge
Track and audit activities of privileged users (e.g., root, financial app administrators) for effective governance
IBM Security Privileged Identity Management
Key solution highlights
Check in / check out using secure credential vault
Control shared access to sensitive user IDs
Request, approve and re-validate privileged access
Reduce risk, enhance compliance
Track usage of shared identities
Provide increased accountability and audit trail
Automated password management
Automated checkout of IDs, hide password from requesting employee, automate password reset to eliminate password theft
Databases ID
IBM security solution
New Privileged Identity Management (PIM) solution providing complete identity management and enterprise single sign-on capabilities for privileged users

73. IBM Guardium Provides Real-Time Database Security & Compliance
Cloud Data Protection
IBM Guardium Provides Real-Time Database Security & Compliance
Continuous, policy-based, real-time monitoring of all database activities, including actions by privileged users
Database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities
Data protection compliance automation
Key Characteristics
Single Integrated Appliance
Non-invasive/disruptive, cross-platform architecture
Dynamically scalable
SOD enforcement for DBA access
Auto discover sensitive resources and data
Detect unauthorized & suspicious activity
Granular, real-time policies
Who, what, when, how
Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
Growing integration with broader security and compliance management vision
z/OS
Integration with LDAP, IAM, SIEM, TSM, Remedy, …
The crown jewels of any business are in the database. Financial information, Customer information, and intellectual property are all house in the data base.
95% of Fortune 1000 companies store their data on System z. These customers must comply w/ strict restrictions on how to protect that data.
IBM acquired the industry-leading technology vendor Guardium in 2009 to complete these capabilities.
Guardium enables IBM clients to maintain trusted information infrastructures by continuously monitoring access and activity to protect high-value databases against threats from legitimate users and potential hackers.
Additionally, Guardium also assesses the vulnerability of the database infrastructure itself to ensure their continued highest level of security.
Guardium’s real-time database monitoring and vulnerability assessment platform helps clients safeguard their data, monitor database activity across heterogeneous environments, and reduce operational costs by automating regulatory compliance tasks.
Guardium automates the lifecycle protection that data. Automating the security and compliance lifecycle regardless of the type of data.
Detect the classify data, detect vulnerability and configuration flaws. Provides centralized reporting capability where you can aggregate all audit, security and compliance data
Also very scalable. Doesn't require changes in the DB or infrastructure.
We’ve seen customer manage 10K+ databases with a Guarduim implementation
This is a very important part and very relevant part to implementing an E2E mainframe security framework
It does this using a single integrated appliance, which can be configured as a Collector, a Central Policy Manager, or Vulnerability Assessment Server with the simple use of license keys.
The key to monitoring non-intrusively is the STAP, which is a light-weight kernel shim that goes on the DB server, and taps all DB traffic (operations, data, errors.. Inbound and outbound). No DB, app, or network changes are necessary.
All this traffic is collected at the Collector, which runs policy against it and provides real-time alerting.
If you want to also control or block traffic the STAP can be configured as an SGATE.
The Central Policy Manager is the central point of control for all collectors.
You may notice that all major DB infrastrutures and some major applications are supported.
z/OS
z/OS 73 73 73

74. EKMF and SKLM for Integrated Key Management
Cloud Data Protection
EKMF and SKLM for Integrated Key Management
IBM Enterprise Key Management Foundation powered by DKMS Centralized key lifecycle management with single point of control, policy, reporting, and standardized processes for compliance
All new keys are generated on the secured workstation by users authenticated with smart cards. The EKMF Workstation includes a IBM 4765.
Trusted Key Entry (TKE) workstation provides a secure environment for the management of crypto hardware and host master keys
The EKMF Browser application features monitoring capabilities and enables planning of future key handling session to be executed on the workstation.
The central repository contains keys and metadata for all cryptographic keys produced by the EKMF workstation. This enables easy backup and recovery of key material.
ISKLM for z/OS provides proven key serving and management for self encrypting tape and disk storage capabilities to devices
Tape devices
Enterprise Tape Library
EKMF
ISKLM
Disk Storage
Array
TKE for Crypto Express Hardware management
EKMF for application key management
IBM provides the foundation for Integrated and Extensible Key Management 74

75. Application security concerns in Cloud environments
Cloud Application Security
Application security concerns in Cloud environments
Applications natively connected to the Cloud and remotely accessible to outsiders increase the attack surfaces
Rapid pace of development and provisioning of Web services puts pressure on developers to deliver functionality on-time and on-budget – but not to develop secure applications
Security tests executed just before launch adds time and cost to fix vulnerabilities late in the process
Growing number of web applications but small security staff
Most enterprises scan ~10% of all applications
Continuous monitoring of production apps limited or non-existent
Unidentified vulnerabilities and risk

76. Network Intrusion Prevention
Cloud Threat Protection
Network intrusion protection is a primary building block in Cloud security
Firewall
Network Intrusion Prevention
Datacenter
Protect both applications and network from being exploited
Control protocols and applications
Monitor traffic for anomalous traffic patterns
Protect users from being attacked (e.g., through malicious documents)
Prove compliance with regulation requirements (e.g., PCI)
Enforce corporate policy with employees and 3rd parties (e.g., consultants)
Monitor network traffic for sensitive information leaving the company
Prevent data from being stolen from databases via web applications
A web application firewall usually addresses inbound access to web applications; specialized coverage
Protection for HTTP/HTTPS protocols
Watching inbound web traffic over TCP ports 80 and 443
Limited performance
The IPS can address inbound and outbound access; broader coverage
Protection for many protocols and a wide range of attacks
Wire speed
Per packet inspection
Where firewalls block and allow traffic through, IDS/IPS detect and look at that traffic in close detail to see if it is an attack. IDS/IPS systems are made up of sensors, analysers and GUI’s in order to do their specialised job. 76

77. Cloud Fraud Protection
Problems We Solve
Online Banking
TRX
ATO
Fraud from Customer Device
Fraud from Criminal Device
Customer
Criminal
Cross Channel Fraud
Attack
WWW
Credentials, Data
Attack
Employee
APEX
Going back more than 5 years ago, just when institutions had become satisfied with securing their customer-facing apps with various perimeter controls (VPN, WAF, etc), criminals began writing zero-day financial malware (Zeus, SpyEye, etc) designed to infect customers/other 3rd parties in order to (1) automate tampering of transactions and (2) steal credentials for use online or cross-channel. This malware quickly became the source of most online fraud and credential theft. It routinely bypasses AV, strong authentication, and behavioral analysis and can compromise end user systems at the kernel, memory, and application layers. We’ve done great job in past 5 years helping customers solve this problem by stopping the threat early before the attack can be executed.
Similar types of attacks (APTs, advanced malware) are now compromising your employee machines, vast majority of time introduced via an exploit. The original form of corporate malware protection for employees was A/V which relies on blacklisting, as we know not effective. More recently came sandboxing/whitelisting/HIPPS that look at application behavior. Problem here is that while right goal is to track application behavior, these approaches are easy to trick because they just look at the result of the behavior – i.e. what is’ trying to do. And, whitelisting, for example is difficult to deploy and manage. So, we developed “next generation” application control that looks at the what AND the why.
TRX
Fraud from Employee Device
Wire, ACH, Internal Apps
Malware Install
Credential Phishing 77

78. Leverage advanced analytics across all stages of the attack
Cloud Intelligence and Analytics
Leverage advanced analytics across all stages of the attack
Monitor everything
Logs, network traffic, user activity
Correlate intelligently
Connect the dots of disparate activity
Prioritize for action
Attack high-priority incidents
Detect anomalies
Unusual yet hidden behavior
We’ve seen how clients are using a combination of zSecure Audit and Alert, Guardium on z/OS, RACF and other SMF based facilities to act as feed mechanisms into QRadar to proivide a single real-time view of security events across the entire enterprise.

79. QRadar provides security visibility and Security Intelligence
Cloud Intelligence and Analytics
QRadar provides security visibility and Security Intelligence
IBM X-Force® Threat Information Center
Real-time Security Overview
w/ IP Reputation Correlation
This is an example of a QRadar dashboard; can be easily customizable to add, remove or modify content
All of the elements of IBM’s end-to-end security solution for the mainframe plug into QRadar.
This now gives you the ability to correlate an attempted SQL injection though a distributed web server with the atypical movement of data from the mainframe. More on that particular example in a moment.
Inbound Security Events
Real-time Network Visualization and Application Statistics
Identity and User Context 79

80. QRadar and zSecure Integration
6 DSM
6 DSM
1 DSM

81. System z QRadar Integration: zSecure vs. legacy integration
zSecure (Alert & Audit) integration
Legacy z/OS integration
Real Time Event Capture
Yes, via Alert
No, only historical SMF data
Extended User/Resource Information
Yes No
Inputs:
RACF
ACF2
Top Secret
DB2
CICS
z/OS UNIX
FTP, Telnet
Dataset Access
PDS Member updates IK
zSecure provides real time input; Legacy only accesses historical SMF datasets
zSecure adds descriptions to events, Legacy provides no descriptions
zSecure provides a wide range of input; Legacy only provides RACF records
zSecure provides more comprehensive input, improving the quality of the analysis
Bottom line: the customer gets what they pay for. 81

82. New zSecure Adapters for QRadar SIEM vs zSecure Audit
Capability
zSecure Adapters
zSecure Audit
Collects and formats information from over 40 different IBM System z SMF record types - such as, z/OS, RACF, ACF2, Top Secret, DB2, and CICS events.
Yes
Additional SMF record types generated by IBM z/OS® and its sub-systems, for data set access, z/VM, PDS member updates and deletes, UNIX file activity, FTP, Telnet and other TCP/IP activity and many others.
Adds enriched descriptive audit information about the user and the resource from the security database and zSecure system snapshot information
Support for more frequent collection than once a day – job available for use with scheduling software
Additional QRadar reporting, including customization using CARLa No
Additional SMF analysis and reporting for QRadar SIEM
Compliance testing framework: STIG (RACF and ACF2); GSD331 / iSEC; PCI DSS; Custom regulations/compliance points
Auditing and reporting:
z/OS subsystems and operating features – USS, CICS, IMS, DB2, ComServer, ESMs, TCP/IP, FTP, Telnet, MQ, TLMS, TWS, VTAM, Guardium and many others;
Audit vulnerability testing 82

83. System z Cloud Scenario #1: Private Cloud with Linux on z
Multiple workloads from distributed platforms consolidated into a single, scalable footprint utilizing Linux on z
Employees
Linux on z
Linux on z
Linux on z
Contractors
Consultants
z/VM
So, going back to this first scenario, lets take a look at how security solutions detect and prevent exploitations of security vulnerabilities.

84. Break into application to get AppID
Cloud Security – the Total Picture
Anatomy of an attack: Preventing losses and closing security gaps example
Look at application logs and access history
Social Engineer privileged user id (PID) for Joe.Admin 3
Hacker uses the AppID from non-App server impersonating Joe.Admin to request large number of credit card numbers 1 5
Break into application to get AppID
Unnoticed stolen PID logs on from new unknown rogue IP over time 4 2
Hacker changes config settings, creates back door for later use 6
Hacker
(Rogue Sources)
Auth server
WebSphere
Internet
DB2
Sensitive Data
RACF
Web servers RK
DSM
User
IDS/IPS
Trusteer 9 8
AppScan 7
Detects attempted exploitations of security vulnerabilities
Prevents intrusion attacks such as SQL injections, cross site scripting
Provides zero day protection against security vulnerabilities
Detects abnormal activity violating comprised credentials
Detects and prevents attempts at account takeover
Detects application vulnerabilities
Alert IDS/IPS to modify protection policies
Alert QRadar with raised severity 84

85. Break into application to get AppID
Cloud Security – the Total Picture
Anatomy of an attack: Preventing losses and closing security gaps example
Look at application logs and access history
Social Engineer privileged user id (PID) for Joe.Admin 3
Hacker uses the AppID from non-App server impersonating Joe.Admin to request large number of credit card numbers 1 5
Break into application to get AppID
Unnoticed stolen PID logs on from new unknown rogue IP over time 4 2
Hacker changes config settings, creates back door for later use 6
Hacker
(Rogue Sources)
Auth server
WebSphere
Internet
DB2
Sensitive Data
RACF
Web servers RK
DSM
User
QRadar
zSecure 8
Guardium
Correlates App ID violation with Joe.Admin activity
Open ticket to fix compromised AppID and investigate Joe.Admin
Determine new rogue sources
Detect abnormal activity violating several security policies
Alert QRadar with raised severity 9
Detect abnormal activity violating several data access policies
Block specific request
Alert QRadar with raised severity 7 85

86. System z – Security in the Cloud
Summary:
System z in the Cloud
Cloud – 3 delivery models:
Private Cloud
Public Cloud
Hybrid Cloud
Cloud – 3 layers:
IaaS
PaaS
SaaS
Security Domains:
Identity
Data
Security Intelligence and Analytics
System z – 4 Typical Scenarios:
Private Cloud with Linux on z
Private Cloud with Linux and z/OS
Hybrid Cloud (IaaS & PaaS)
Hybrid Cloud (SaaS)
Linux on z
Linux on z
z/OS
IMS
CICS
DB2
z/VM
Applications
Infrastructure