What is new in IBM Security zSecure 2.1? System z Security for today... and tomorrow


Slide 1: © 2012 IBM Corporation, IBM Security Systems; © 2013 IBM Corporation
What is new in IBM Security zSecure 2.1? System z Security for today... and tomorrow
Tom Zeehandelaar, zSecure Technical Enablement Specialist, Security Center of Excellence (CoE), Identity and Access Management Enablement
Special thanks to: Hans Schoone, Chief Architect zSecure and manager Netherlands Lab
14 November 2013

Slide 2: IBM Security zSecure is the most effective way to address customer security challenges for mainframe environments
- STRENGTHEN SECURITY: improve the quality of security in mainframe environments while lowering internal fraud and preventing incidents
- REDUCE COSTS: identify unnecessary cost and find new business models without risk; lower help desk costs
- EASE COMPLIANCE: streamline the compliance process while shrinking operational expenses for compliance through automation
- INCREASE PRODUCTIVITY: increase performance and remove unnecessary roadblocks

Slide 3: New features in IBM Security zSecure 2.1
- Digital Certificate Administration
- Compliance Testing Framework
- DB2 access control matrix, Guardium integration
- Access Monitor improvements
- TN3270 and FTP security settings
- zSecure Visual custom actions
- And many more...

Slide 4: The need for new digital certificate management
- Difficult to find what to do where
  - Solution: provide logical workflows that connect the separate steps: new menus, new line commands, and extended workflows
- Error prone; difficult to remember all certificate parameters
  - Solution: introduce certificate templates for business purposes
- Difficult to remember which TKDS token names to use on BIND
  - Solution: display a selection list of token names; TKDS information is obtained from the CKFREEZE data set
- Difficult to find or sort on Distinguished Name parts
  - Solution: added a function to extract Distinguished Name parts

Slide 5: Digital certificate management - zSecure support
- New Digital Certificate interface
  - Uses the standard zSecure interface: select, display, action
    - Selection panel with main selection options
    - Also options to directly create new objects
    - Action via line commands and overtyping
  - Options for follow-on commands (workflow)
  - Most parameters are verified before execution
  - Last specified parameters are retained for easy correction
- Use of templates to specify values (site / user)
  - A template can force a value or just supply a default
- Commands can be routed with the zSecure server
  - In contrast to RRSF

Slide 6: Digital certificate management - the RA.5 menu
- New "main" digital certificate menu RA.5
- "Work with" items use the selection interface for existing profiles
- Other items allow adding, importing or creating new objects

Slide 7: New template setup menu SE.9 (screenshot). Use the "F" column to force the value entered.

Slide 8: Digital certificate management - line commands (screenshot). Issue the / line command to get a popup with the list of supported actions.

Slide 9: Sample certificate workflow - Generate Request
- Generate a request for signature into a data set
- Follow-up actions are possible, for example e-mail

Slide 10: Token management - example detail output (screenshot). The detail shows certificate information, including SAF resource names.

Slide 11: Compliance Testing Framework - demonstrate your progress in compliance!

Slide 12: Identified problems with compliance testing in the past
- Built-in standards (C1 / C2 / B1) are inflexible
  - Need to adapt more quickly to external standard updates
  - The audit concern principle lacks positive confirmation that something is OK
  - Audit concerns are not customizable (exceptions / mitigating controls)
- Customers create ad-hoc reports, partly 2-pass queries
  - Need something less ad-hoc and easier to customize
  - Need something that works almost out of the box
  - Need to combine information from many report types
  - Need to customize / define who is considered authorized
- Scope of external standards is increasing
  - Need to collect more settings from more subsystems

Slide 13: Benefits from the Compliance Testing Framework
- Support newer external standards
  - DISA STIG for z/OS RACF
  - DISA STIG for z/OS ACF2
  - IBM outsourcing GSD331/iSec
- Eliminate the need for 2-pass queries with the new TYPE=COMPLIANCE
- Show positive compliance, not just non-compliance
- Allow showing / reporting progress in compliance efforts
- Support in-standard customization
  - Members with authorized (compliant) IDs (using STIG naming)
  - Allow rule override (suppression) with a reason, visible in reporting
  - Allow creation and seamless integration of site-defined standards
- Extend data collection: CICS, IMS, DB2, IP, FTP, TELNET

Slide 14: Understanding STANDARD - simplest structure

    STANDARD mystandard VER(version)
    DOMAIN mydomain SELECT(type)
    RULE myrule DOMAIN(mydomain)
    TEST mytest type(field=value)
    ENDRULE
    ENDSTANDARD

Slide 15: Understanding STANDARD - imbed, desc, selection

    STANDARD mystandard VER(version) DESC('description')
    IMBED M=member
    ENDSTANDARD

SCKRCARL(member):

    RULE_SET myset DESC('description')
    DOMAIN mydomain SELECT(type(selection-clause)),
       SUMMARY(type(field complex ver)) DESC('description')
    RULE myrule DOMAIN(mydomain) SET(myset),
       DESC('description')
    TEST mytest type(field=value),
       DESC('description')
    ENDRULE

** If a RULE has no SET parameter, a RULE_SET is created implicitly.

Slide 16: Testing and reporting compliance
- New menu option AU.R
- Can select more than one standard simultaneously, including a site standard

Slide 17: Testing and reporting compliance
- New meta-newlist TYPE=COMPLIANCE
- Record level is an individual TEST for an object in a DOMAIN
- Zoom-in reporting with multi-level SUMMARY
  - AU.R hierarchy:
    - Complex (= security database)
    - Standard
    - Rule set (= external standard rule id)
    - Object (e.g. APF data set, SETROPTS setting, system, PPT entry)
    - Test

Slide 18: Rule-level display - ACF2 STIG example (screenshot; callouts: STIG rules, count to show progress, by database)

Slide 19: Multiple tests in a single rule - ACF2 STIG example (screenshot; callouts: object, tests for object)

Slide 20: Detail display of test and result - ACF2 STIG example (screenshot; callouts: compare, conclusion)

Slide 21: Simple example - ACF2 STIG rule ACF0760
- The compliance members of the supported standards are stored in the SCKRCARL library
- Member C2AGA760 for rule ACF0760:

    DOMAIN LID_SECURITY,
       SELECT(ACF2_LID(Security=yes))
    RULE ACF0760 DOMAIN(LID_SECURITY),
       DESC("All LOGONIDs with the SECURITY attribute have the RULEVLD and RSRCVLD attributes specified")
    TEST Rulevld_Specified ACF2_LID(Rulevld=yes),
       DESC("All logonids with Security attribute have RULEVLD specified")
    TEST Rsrcvld_Specified ACF2_LID(Rsrcvld=yes),
       DESC("All logonids with Security attribute have RSRCVLD specified")
    ENDRULE
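To make the record and summary levels of slides 14 to 17 concrete, here is an added Python model (not zSecure or CARLa code, and not from the presentation) that evaluates the ACF0760 rule above over a few constructed ACF2 logonid records: each TEST on each selected object is one record, an object is compliant only when all of its tests pass, and the rule-level summary counts objects per complex and rule. The UNDECIDED result for a field that was not collected is an assumption of this example.

```python
"""Model of the Compliance Testing Framework evaluation: a DOMAIN SELECTs
objects, a RULE runs its TESTs on each, and SUMMARY rolls the records up.
Added illustration only; not zSecure or CARLa code."""
from collections import Counter

# Constructed ACF2 logonid records for two complexes (not from a real system).
LOGONIDS = [
    {"complex": "PROD", "lid": "SECADM1", "security": "yes", "rulevld": "yes", "rsrcvld": "yes"},
    {"complex": "PROD", "lid": "SECADM2", "security": "yes", "rulevld": "no", "rsrcvld": "yes"},
    {"complex": "PROD", "lid": "BATCH01", "security": "no", "rulevld": "no", "rsrcvld": "no"},
    {"complex": "TEST", "lid": "SECADM9", "security": "yes", "rulevld": "yes"},  # no rsrcvld data
]

# Member C2AGA760 from the slides expressed as data:
# DOMAIN LID_SECURITY SELECT(ACF2_LID(Security=yes)); RULE ACF0760 with two TESTs.
DOMAINS = {"LID_SECURITY": {"security": "yes"}}
RULES = [{"rule": "ACF0760", "domain": "LID_SECURITY",
          "tests": [("Rulevld_Specified", {"rulevld": "yes"}),
                    ("Rsrcvld_Specified", {"rsrcvld": "yes"})]}]

def select_domain(records, domain):
    """SELECT clause: keep the objects matching every field=value of the domain."""
    wanted = DOMAINS[domain]
    return [r for r in records if all(r.get(f) == v for f, v in wanted.items())]

def run_test(obj, clause):
    """One TEST on one object: the record level of TYPE=COMPLIANCE."""
    for field, value in clause.items():
        if field not in obj:
            return "UNDECIDED"  # assumption: the field was not collected
        if obj[field] != value:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def evaluate(records, rules):
    """One record per (complex, rule, object, test) with its result."""
    return [(obj["complex"], rule["rule"], obj["lid"], name, run_test(obj, clause))
            for rule in rules
            for obj in select_domain(records, rule["domain"])
            for name, clause in rule["tests"]]

def object_status(test_results):
    """Positive confirmation: an object passes a rule only if every test passes."""
    if all(r == "COMPLIANT" for r in test_results):
        return "COMPLIANT"
    return "NON_COMPLIANT" if "NON_COMPLIANT" in test_results else "UNDECIDED"

def rule_summary(records):
    """SUMMARY per complex and rule: object counts by status, the 'count to
    show progress' of the AU.R rule-level display."""
    per_object = {}
    for complex_, rule, obj, _test, result in records:
        per_object.setdefault((complex_, rule, obj), []).append(result)
    summary = {}
    for (complex_, rule, _obj), results in per_object.items():
        summary.setdefault((complex_, rule), Counter())[object_status(results)] += 1
    return summary
```

With the constructed records, PROD shows one compliant and one non-compliant logonid for ACF0760, while TEST shows one undecided logonid because its RSRCVLD value was never collected.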

Slide 22: Detail display, object identification - ACF2 STIG (screenshot; callouts: ACF2 database, ACF2 logonid)

Slide 23: Rule-level display - RACF STIG example (screenshot; callouts: STIG rules, count to show progress)

Slide 24: Sample RACF STIG multi-test rule member
For example, member CKAGR244 for rule RACF0244:

    DOMAIN FACILITY_class,
       SELECT(class(class=FACILITY))
    RULE RACF0244 domain(FACILITY_class),
       DESC("FACILITY resource class is inactive")
    TEST facility_active class(active=yes),
       DESCRIPTION("FACILITY class is active")
    TEST facility_generic class(generic=yes),
       DESCRIPTION("Generic is active")
    TEST facility_gencmd class(gencmd=yes),
       DESCRIPTION("GENCMD is enabled for FACILITY class")
    TEST facility_racl class(raclist=yes),
       DESCRIPTION("FACILITY class is RACLISTed")
    ENDRULE

Slide 25: Zoom in to test level if multiple tests - RACF STIG (screenshot; callouts: object, tests in object)

Slide 26: Detail display example - RACF STIG (screenshot; callouts: compare, conclusion)

Slide 27: Use of SUMMARY COUNT and UNDECIDED (screenshot)
- Undecided: "see vendor doc"
- Example rule text: "Started tasks must run under a unique userid unless vendor doc says not"

Slide 28: Populate compliant user ID definitions - CKACUST
- CKACUST data set with members to populate
  - A PDS with member names taken from the STIG; it contains 38 members such as:
    - SYSPAUDT: Systems Programmers
    - SECAAUDT: Security Administration Personnel
  - Create all STIG members with SCKRSAMP member CKAZCUST
  - Add the ID in positions 1-8; it can be a userid, logonid, or a group
  - Applied across all complexes allocated to the compliance test
  - Can be specified in zSecure configuration member C2R$PARM
  - Can be specified at user or site level (concatenated): SE.8 or CO.1

Slide 29: Compliant user lookup - populate member (screenshot). Sample compliant user member for Systems Programmers.

Slide 30: Use of OTHERWISE(TEST...) and compliant user lookup (screenshot). Example: member CKAGC170 for RACF STIG rule ACP0170; callout: one compliant permit.

Slide 31: Rule set display - IBM GSD sample (screenshot). GSD has individual rules where the STIG had tests inside a rule.

Slide 32: DB2 Reporting - enable display of the Access Control Matrix

Slide 33: Phased implementation of DB2 support
- zSecure 1.13.0:
  - Minimal region and classes support
- zSecure 1.13.1:
  - Regions, Tables, Packages and Plans
  - Limited ACL support (ACL NORMAL)
- zSecure 2.1.0:
  - Databases, Tablespaces, Stored procedures, User functions, JARs, Storage groups, Sequences
  - Full ACL support (ACL EXPLODE / RESOLVE / EFFECTIVE)

Slide 34: DB2_ACL internal authority display formats
- Can be set with the ACL primary command
  - Or with a format specification in CARLa
- ACL ORIGIN | NOORIGIN
  - Toggles between individual GRANT lines and one line per grantee, where date and grantor show the most recent change
  - Applies to NORMAL mode of DB2_ACL only
  - Has no effect on other ACLs

Slide 35: DB2 Reporting - RACF_DB2_ACL
- Shows access in RACF, combined with DB2 internal security
  - The DSNX@XAC exit uses SAF resources:
    - Object-specific resources (allow / deny / undecided)
    - Database-specific resources (ACL RESOLVE or EFFECTIVE): allow
    - Region-specific resources (ACL RESOLVE or EFFECTIVE): allow
    - If no access and no object-specific profile, fall back to DB2 internal security (ACL EFFECTIVE)
- RACF_DB2_ACL also incorporates
  - Different rules for user tables versus non-user tables
  - Effect of SEPARATE_SECURITY
  - Owning authid for DB2 objects (for certain object types)
  - RACF profile OWNER
  - CLAUTH in the resource class

Slide 36: DB2 Reporting - RACF_DB2_ACL
- Multiple formats supported; can be set using the ACL command
  - NORMAL: standard ACL format
  - EXPLODE: groups are exploded into connected user IDs; default activation of SCOPE
  - RESOLVE: show one merged line per RACF user ID; includes the effect of warning mode, UACC, ID(*); includes database and system authorizations
  - EFFECTIVE: includes information about fallback to DB2 internal security; includes the DB2 owner of the object if applicable
  - TRUST: includes information about administrative scope (separate output line)
- Also options to include
  - All users in UNIVERSAL groups
  - Objects within admin SCOPE over any contributing profile

Slide 37: RACF_DB2_ACL example (screenshot): acl effective sort userid

Slide 38: Guardium Vulnerability Assessment integration
- A zSecure Audit job loads DB2 with the CKADBVA tables
  - Date and time of the zSecure extract for each DB2 region
  - User, Group and Connect information
  - Passes RACF_DB2_ACL for all supported object types, in 2 forms:
    - ACL NORMAL
    - ACL EFFECTIVE (access control matrix)
- Guardium VA inside the Guardium appliance
  - Picks up the tables if there is new information
  - Applies policy
  - Creates exception and entitlement reports

Slide 40: Access monitor improvements - keep those RFEs coming...

Slide 41: Access Monitor enhancements
- RACINIT reporting support
  - New intercept routine (ICHRIX02), installed automatically
  - New fields in newlist type=ACCESS
  - New newlist type=RACF_ACCESS_ID
    - Counts are based on RACINIT events
    - Dates are based on any recorded event
- STATUS=ACCESS request bit added (explains ALTER access)
- New field SIM_VIA_GROUPS
  - List of all connect groups that would allow access
- New SIMULATE SETROPTS
  - CLASSACT GENERIC GENCMD RACLIST

Slide 42: New options on AM
- AM.V for reporting about recorded events
- AM.I for reporting usage of IDs in the RACF database

Slide 43: AM.V selection on new flags (screenshot)

Slide 44: Access Monitor - SIM_VIA and SIM_VIA_GROUPS (screenshot)

Slide 45: TN3270 and FTP configuration audit - enable your PCI-DSS audit

Slide 46: TN3270 and FTP security configuration audit
- New support added to z/OS 2.1 at the request of zSecure
- New newlist type=IP_TELNET_REGION: 10 fields
- New newlist type=IP_TELNET_PORT: 50 fields
- New fields in type=SMF: 60 TN_* fields for the new SMF type 119 subtype 24 record
- New newlist type=FTP_REGION: 100 fields
- New fields in type=SMF: 100 FTP_* fields for the new SMF type 119 subtype 71 record

Slide 47: Reporting TELNET server status - sample output (screenshot)

Slide 48: Reporting TELNET port status - sample output, part 1 of 2 (screenshot)

Slide 49: Reporting TELNET port status - sample output, part 2 of 2 (screenshot)

Slide 50: Reporting FTP region status - sample output, only part 1 of 3 (screenshot)

Slide 51: Miscellaneous - just a few highlights, there is much more...

Slide 52: Restrict output to the user's scope for CICS and IMS
- Simplifies "Show me all transactions in scope of user"
- Popup: (screenshot)

Slide 53: Support site-specific REXX scripts in zSecure Visual
- The zSecure Visual Client can now be configured to run site-defined REXX scripts through the context menu or the "Action" menu
- Needs configuration on the Visual Server side: C2RSCRPT in C2RWCUST

Slide 54: Support site-specific REXX scripts in zSecure Visual (screenshot)

Slide 55: Other Resources
- White Papers
  - Mainframe Security Intelligence
  - Mainframe Cloud Security
  - Centralized Mainframe Security
  - Creating the ultimate security platform
- Information Links
  - zSecure homepage
  - zSecure product library
  - zSecure information center
  - zSecure latest release information
  - zSecure forum
  - zSecure Redbook
- If you have any questions later, please contact
  - Tom Zeehandelaar: Tom.Zeehandelaar@nl.ibm.com
  - Hans Schoone: Hans.Schoone@nl.ibm.com

Slide 56: Questions?

