encryption and hashing and keys – oh, my! demystifying interoperable encryption for the mainframe...
TRANSCRIPT
CA World® '16
Encryption and Hashing and Keys – Oh, my! Demystifying Interoperable Encryption for the Mainframe and for the Enterprise
Stuart McIrvine, VP, Product Management, CA Technologies
Joe Sturonas, Chief Technology Officer, PKWARE Inc.
MFX119S
MAINFRAME AND WORKLOAD AUTOMATION
© 2016 CA. All rights reserved. @CAWORLD #CAWORLD
Terms of this Presentation: For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Increasing risks of accidental and intentional mainframe data compromise elevate enterprises' interest in achieving safe harbor by encrypting sensitive and regulated data. Encryption introduces many new elements of consideration to existing workflows, further complicated by the need for interoperability between the mainframe and other enterprise platforms. Join this session to learn best practices for applying encryption to protect your data, even while ensuring your existing processes remain intact.
Topics include:
• Types of cryptographic functions
• Encryption algorithm selection
• Sources of encryption acceleration on the mainframe
• Considerations when encrypted mainframe data must be used on other platforms
• Encryption key selection, management
Stuart McIrvine, CA Technologies, VP, Product Management
Joe Sturonas, PKWARE, Inc., Chief Technology Officer
Agenda
• DATA AND REGULATIONS
• THREAT LANDSCAPE
• DEMO
• MANAGING DATA ON THE MAINFRAME
• PROTECTING DATA – AN OVERVIEW
• ENCRYPTION AND KEY MANAGEMENT ON Z/OS
Data is an Asset
§ Data is business value – Facebook, Google, Uber, Twitter, ...
§ Industries depend on data – Banking, Insurance, Healthcare, ...
§ By 2020 there will be:
– 44 zettabytes of data
– Over 6 billion smartphones
– 50 billion smart devices
Data is a Liability
§ Highly regulated – Industry, State, National and beyond
§ HIPAA, GLB, CA 1798, GDPR, Privacy Shield
§ It gets personal, quickly! – PII must be managed
§ Who owns it? What are you allowed to do with it? Delete it when requested
§ Data – the keys to the future – Business strategy, digital secrets, financial posture, ...
What about those regulations?
§ PCI DSS
– Protect stored cardholder data
– Encrypt transmissions
– Maintain InfoSec policy
§ SOX / HIPAA & HITECH Act
– Policy management
– Audit and logging
– Data integrity
§ FIPS 140-2 – Making sure it's done right
§ GDPR
– Prove that data is being protected
– Appoint a data protection officer
– Fines of 4% of annual turnover
§ EU-U.S. Privacy Shield – U.S. Department of Commerce and European Commission
– Individual choice & control
– Security
Threat Landscape – Thieves, Snoops and Idiots
§ Thieves: External attackers, internal rogues
§ Snoops: Service providers, administrators, three letter agencies, etc.
§ Idiots: Users, administrators, developers, vendors... basically everyone :)
Thieves
§ External attackers – Competitors – Script kiddies – Nation states (OPM breach) – LexisNexis breach
§ Rogue administrators – Snowden
§ Internal bad actors – Espionage
Snoops
§ Privileged administrators
§ Credential compromise
§ Sony attackers
Idiots
§ Users – Make mistakes (lose devices) – Have poor security education (password = 123456)
§ Developers / Vendors – Lenovo – Fortinet
§ Administrators – Sony – Dropbox
The Impact of Data Theft
§ Health insurance – Announced: March 2015 – Records stolen: 11M – Cost: TBD. Facing a class-action lawsuit & fines.
§ Retail – Announced: September 2014 – Records stolen: 56M – Cost: $43M and counting. Estimates put this as high as $10B.
§ Health systems – Announced: August 2014 – Records stolen: 4.5M – Cost: $75M – $150M
§ eCommerce – Announced: May 2014 – Records stolen: 233M – Cost: $200M and counting.
§ Retail – Announced: December 2013 – Records stolen: 70M – Cost: $162M and counting. Recent estimates put this at well over $1B.
§ Government – Announced: May 2015 – Records stolen: 22M – Cost: To be determined. Likely facing a class action lawsuit as well as others.
"Data security events increased by 38%" "Intellectual property theft increased 56%" – 2016 Global State of InfoSec Survey, PricewaterhouseCoopers
"$400 million – estimated losses from 700 million compromised records" – 2015 Verizon Data Breach Report
Data on the Mainframe
MYTH
§ The Mainframe has never been hacked!
§ Mainframe data stays on the mainframe; so it is safe!
§ Mainframe is well understood and covered under three lines of risk control – Operational, Compliance and Internal audit
REALITY
§ Data is fluid in today's world. Data analytics; cloud
§ Marriage of MF data and non-MF data
§ Consider: social engineering hacks
§ Human error as MF experts retire
§ Mainframe is viewed as a black box, which breeds complacency, compounding the risk
Dealing With the Threat
[Figure: defense-in-depth rings – Networks, Devices, Applications, Information – with DATA CENTRIC PROTECTION at the core. Perimeter and endpoint controls shown around the rings: Advanced Persistent Threat Detection, Intrusion Detection, Access Control, Application Firewalls, Security Gateways, VPN, Antivirus, Mobile Device Management, Firewalls, Stateful Packet Inspection, Mobile Application Management, Data Leakage Prevention, Full Disk Encryption, Antimalware, Network Access Control, Endpoint DLP, Access Brokers, DNS Security, Incident & Event Management, Identity & Access Management.]
§ Defense in depth
§ Data-centric protection
Data-Centric Protection
The App Economy creates new risks of catastrophic data compromise. "With breaches in the news every day, being able to find where regulated data resides – or ruling out the existence of sensitive data – is a critical first step in protecting your business."
X 70% of the world's mission critical data transacts on the mainframe.
Find → Classify → Protect
§ Find – Regulated and sensitive data in your mainframe data stores
§ Classify – Based on regulation or organizational sensitivity
§ Protect – Data remains on the z/OS platform
Public/Private Key Pairs
§ Public key – Encrypting data (anyone holding it can encrypt to the owner) – Authenticating data (verifying the owner's signatures)
§ Private key – Decrypting data – Signing data
The public key can be handed to every sender and verifier; the private key never leaves its owner, which is why key management on the platform is about where the private key lives.
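A worked illustration of the four roles on this slide, added by the editor and not part of the CA World deck or of any CA or PKWARE product: textbook RSA with no padding and a deliberately small modulus built from two Mersenne primes, so that it runs with only the Python standard library. The mapping is the slide's: the public key encrypts and verifies, the private key decrypts and signs. The parameters (P, Q, E) and the sample messages are assumptions, and nothing here is fit for real use; on z/OS, padded RSA and ECC go through the ICSF PKA callable services that the SECZIP job log later reports as enabled.

```python
# Added example (editor's own, not from the deck): textbook RSA showing which key
# does what. Illustration only: no padding, no blinding, ~92-bit modulus.
import hashlib

# Two Mersenne primes (2^31-1 and 2^61-1) give a known-good modulus without a
# primality test. Far too small for real use; chosen so the example is self-contained.
P = (1 << 31) - 1
Q = (1 << 61) - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Anyone with the public key can encrypt an integer message m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private-key holder recovers m."""
    d, n = private_key
    return pow(c, d, n)


def message_representative(data, n):
    """Hash the data and reduce it into the modulus so it can be signed."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h % n


def sign(private_key, data):
    """Only the private-key holder can produce a signature over data."""
    d, n = private_key
    return pow(message_representative(data, n), d, n)


def verify(public_key, data, signature):
    """Anyone with the public key can authenticate data against its signature."""
    e, n = public_key
    return pow(signature, e, n) == message_representative(data, n)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    m = int.from_bytes(b"ACCT-4711", "big")      # constructed sample plaintext
    c = encrypt(pub, m)
    print("decrypted matches:", decrypt(priv, c) == m)
    sig = sign(priv, b"ledger.txt")
    print("signature verifies:", verify(pub, b"ledger.txt", sig))
    print("tampered data verifies:", verify(pub, b"ledger.TXT", sig))
```

Run it and the last line prints False: changing one byte of the signed data breaks verification, which is the "authenticating data" property the slide attributes to the public key.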
IBM Hardware Crypto
Machine  Type   Algorithms supported          Crypto hardware
z196     2817   DES/3DES; AES 128, 192, 256   CPACF, CEX3C
z114     2818   DES/3DES; AES 128, 192, 256   CPACF, CEX3C
zEC12    2827   DES/3DES; AES 128, 192, 256   CPACF, CEX3C, CEX4C
zBC12    2828   DES/3DES; AES 128, 192, 256   CPACF, CEX3C, CEX4C
z13      2964   DES/3DES; AES 128, 192, 256   CPACF, CEX4C, CEX5C
CPACF (CP Assist for Cryptographic Functions) runs clear-key and protected-key symmetric ciphers and hashing on the processor itself; the CEXnC entries are the Crypto Express coprocessor cards, which hold the master keys for secure-key operations and provide the PKA services. DES and 3DES appear in every row for legacy data; new encryption should select AES.
Batch Job To Create Encrypted ZIP File
//ZIP1     EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//JASOUT   DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(1,1)),
//            DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN    DD *
-ENCRYPTION_METHOD(AES256)
-PWD(PKWARE)
-INCLUDE_CMD(JAS.MVS810.PROFILE(LDAP2))
-RECIPIENT(LDAP:[email protected],R)
-DATA_TYPE(TEXT)
-ARCHIVE_OUTFILE(JASOUT)
-ACTION(ADD)
-VERBOSE
-ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
-ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)
Input PDS: JAS.TEXT.LIB
Note that -PWD(...) puts the archive password in the instream SYSIN, where anyone who can read the submitted JCL or the job's input on the spool can read it; the certificate-based -RECIPIENT(LDAP:...) entry needs no shared secret in the job at all.
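The job above adds two PDS members with DATA_TYPE(TEXT), which is the interoperability decision from the abstract's topic list: the archive's CRC and the AES-256 ciphertext are computed over translated ASCII lines, so whoever opens ebcdic.txt on Windows or Linux gets readable text. A binary-mode archive of the same member would decrypt perfectly and still hand the recipient raw EBCDIC records. The example below is added by the editor and is not PKWARE code; it models what the text-mode step does for fixed 80-byte records (the later job log shows DATA SIZE 480 for 6 records, i.e. LRECL 80) using only the Python standard library. The code page (cp037), the record layout and the sample records are assumptions.

```python
# Added example (editor's own, not from the deck or from SecureZIP): the text-mode
# translation a z/OS PDS member needs before its bytes are hashed and encrypted
# for an ASCII platform, and why the code page choice is part of the design.
import hashlib
import zlib

LRECL = 80                   # fixed-length 80-byte records, as the job log's sizes imply
EBCDIC_CODEPAGE = "cp037"    # assumption: US EBCDIC; use the LPAR's actual code page

# Constructed sample standing in for JAS.TEXT.LIB(EBCDIC): six records, no line ends.
SAMPLE_RECORDS = [
    "ACCT 4711 DOE JOHN 1200.00",
    "ACCT 4712 ROE JANE 310.55",
    "ACCT 4713 BLOGGS JOE -4000.00",
    "NOTE: ACCOUNT 4713 IS OVERDUE!",
    "TOTAL -2489.45",
    "END OF REPORT",
]


def make_ebcdic_member(records, lrecl=LRECL, codepage=EBCDIC_CODEPAGE):
    """Build the bytes of a fixed-record member: each record space-padded to LRECL."""
    out = bytearray()
    for rec in records:
        if len(rec) > lrecl:
            raise ValueError("record longer than LRECL: %r" % rec)
        out += rec.ljust(lrecl).encode(codepage)
    return bytes(out)


def records_to_text(member, lrecl=LRECL, codepage=EBCDIC_CODEPAGE, newline=b"\n"):
    """What DATA_TYPE(TEXT) does: split into records, translate EBCDIC to ASCII,
    drop the trailing padding and terminate each record with a line end."""
    if len(member) % lrecl:
        raise ValueError("member is not a whole number of %d-byte records" % lrecl)
    lines = []
    for off in range(0, len(member), lrecl):
        rec = member[off:off + lrecl].decode(codepage).rstrip(" ")
        lines.append(rec.encode("ascii") + newline)
    return b"".join(lines)


def crc32(data):
    """The 32-bit CRC a ZIP central directory records for the member's stored bytes."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def binary_vs_text(records):
    """Return what a non-mainframe reader sees for a binary-mode versus a text-mode
    archive of the same member, with the integrity values that go with each form."""
    member = make_ebcdic_member(records)
    text = records_to_text(member)
    return {
        "binary_bytes": member,
        "binary_crc32": crc32(member),
        "binary_sha256": sha256_hex(member),
        "text_bytes": text,
        "text_crc32": crc32(text),
        "text_sha256": sha256_hex(text),
    }


if __name__ == "__main__":
    r = binary_vs_text(SAMPLE_RECORDS)
    print("binary-mode member: %d bytes, CRC32 %08X" % (len(r["binary_bytes"]), r["binary_crc32"]))
    print("text-mode member:   %d bytes, CRC32 %08X" % (len(r["text_bytes"]), r["text_crc32"]))
    print(r["text_bytes"].decode("ascii"))
    # Same EBCDIC bytes read with the wrong code page: '!' (0x5A in cp037) comes out as ']'.
    wrong = records_to_text(make_ebcdic_member(SAMPLE_RECORDS), codepage="cp500")
    print(wrong.decode("ascii"))
```

Two things to take from running it. First, the CRC and hash of the binary member and of the translated text are unrelated values, so any integrity check agreed with the receiving platform must be computed on the same form of the data that platform will see. Second, the cp500 run shows that "translated to ASCII" is only meaningful once both sides agree on the EBCDIC code page; the wrong one silently corrupts punctuation rather than failing.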
Batch Job To Email Encrypted ZIP File
//TSOB     EXEC PGM=IKJEFT1B
//SYSEXEC  DD DISP=SHR,DSN=USER.CLIST
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//DD1      DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
//SYSTSIN  DD *
%XMITIP [email protected] +
  CC ([email protected]) +
  MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
  SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
  FROM [email protected] +
  FILEDD DD1 +
  Format (BIN) +
  Filename jas.zip
Output From Batch Job
J E S 2  J O B  L O G  --  S Y S T E M  P K W 1  --  N
15.54.04 JOB39394 ---- FRIDAY, 16 SEP 2016 ----
15.54.04 JOB39394 IRR010I  USERID JAS IS ASSIGNED TO THIS JOB.
15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS
15.54.05 JOB39394 HTRT01I CPU (Total)
15.54.05 JOB39394 HTRT02I Program   Stepname ProcStep RC  I/O   hh:mm:ss.th
15.54.05 JOB39394 HTRT03I SECZIP    ZIP1              00  686   00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B  TSOB              00  499   00.25
15.54.06 JOB39394 HTRT06I
15.54.06 JOB39394 HTRT04I JASA Job Service Totals         1185  00.42
15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10   IO Cost $ 1.18
15.54.06 JOB39394 $HASP395 JASA ENDED
------ JES2 JOB STATISTICS ------
16 SEP 2015 JOB EXECUTION DATE
38 CARDS READ
855 SYSOUT PRINT RECORDS
0 SYSOUT PUNCH RECORDS
Output From Batch Job
- PKWARE Inc. -
- Program Name    SECZIP                        hh:mm:ss.th
- Step Name       ZIP1       Elapsed Time         01.46
- Procedure Step             TCB CPU Time         00.15
- Return Code     00         SRB CPU Time         00.02
- Total I/O       686        Total CPU Time       00.17
- I/O Cost        $ 0.68     CPU Cost             $ 0.04
- Service Units   1154
- PKWARE Inc. -
- Program Name    IKJEFT1B                      hh:mm:ss.th
- Step Name       TSOB       Elapsed Time         00.73
- Procedure Step             TCB CPU Time         00.24
- Return Code     00         SRB CPU Time         00.01
- Total I/O       499        Total CPU Time       00.25
- I/O Cost        $ 0.49     CPU Cost             $ 0.06
- Service Units   1870
Output From Batch Job
ZPEN309I z/Architecture Hardware Available - zBC12
ZPEN313I CSNBSYE System Capable with ICSF when available.
ZPEN313C AES is available. DES/3DES is available.
ZPEN313C CPACF Protected Keys are available.
ZPEN334I PKA callable services are enabled.
ZPEN315I AES(128, 192, 256) Clear Key Hardware Available - zBC12
ZPEN310I CP Assist For Cryptographic Functions Available
ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
ZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGen
ZPCM017I A total of 1 ADD/UPDATE candidate data sets were identified.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM253I ADDED File JAS.TEXT.LIB(CRC)
ZPAM254I as crc.txt
ZPAM255I (DEFLATED 57%/56%) Smartcrypt(tm) AES256 ; DATA SIZE 1,600; ZIP SIZE
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
ZPAM253I ADDED File JAS.TEXT.LIB(EBCDIC)
ZPAM254I as ebcdic.txt
ZPAM255I (DEFLATED 34%/32%) Smartcrypt(tm) AES256 ; DATA SIZE 480; ZIP SIZE 32
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
The ZPEN3xx and ZPEN205I lines are the evidence worth keeping from this output: they confirm that CPACF clear-key AES was available on the zBC12 and that the IBM hardware facility, not a software fallback, was selected for both the cipher and the random number generation. The DATA SIZE values (1,600 bytes for 20 records, 480 for 6) are consistent with 80-byte records being read from the PDS before text translation.
Recommended Sessions
SESSION#  TITLE  DATE/TIME
MFX118S – How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis – 11/16/2016 at 3:00 pm
MFT174S – Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data – 11/17/2016 at 12:45 pm
MFT175S – Gaps in Your Defense: Hacking the Mainframe – 11/17/2016 at 3:00 pm
Must See Demos
§ Real-Time Data Security & Compliance – CA Data Content Discovery – Mainframe Theatre
§ Mainframe Security Smart Bar – CA Top Secret® – Mainframe Theatre
§ Real-Time Data Security & Compliance – CA Compliance Event Manager – Mainframe Theatre
§ Mainframe Security Smart Bar – CA ACF2™ – Mainframe Theatre