Mainframe Security: A Practical Overview
TRANSCRIPT
About PKWARE
Founded: 1986
30,000 Enterprise Customers
200 Government Entities
Notable Products: PKZIP, SecureZIP, Viivo, SmartCrypt, Smart Encryption Platform
Offices: Milwaukee (Headquarters), Dayton, New York, London
Check all that Apply:
Our security department doesn’t cover the mainframe.
Our mainframe has audit exclusions that others do not.
Our mainframe system programmers don’t work well with server and network administrators.
Mainframe Timeline
1970  System/370 - Virtual Addressing
1983  System/370-XA - 31-bit Extended Architecture
1988  ESA/370 - Dataspaces and Hyperspaces
1990  System/390 - CMOS Technology
2000  z/Architecture - 64-bit Architecture
2015  z Systems - z13, 168 CPs
Mainframe Virtualization
Mainframe has been virtualized from the beginning.
[Diagram: an IBM System z machine divided by PR/SM into LPARs. One LPAR runs z/OS, one runs Linux, and one runs z/VM, which in turn hosts several Linux guests.]
Common Workloads
Batch job: Input Data -> Application Program -> Output Data. Process data to perform a particular task.
Online (interactive) transaction: Query -> Application Program -> Reply. Access shared data on behalf of an online user.
Common Subsystems
Languages
• COBOL, Java, Assembler, PL/I, JCL
Subsystems
• CICS, DB2, IMS, MQ, WebSphere, OMVS
zBX (zEnterprise BladeCenter Extension)
The Three Elements of a Breach
1. They have to get in
2. They have to get to the information
3. They have to get it out
z/OS Security Servers
IBM RACF
CA ACF2
CA Top Secret
All access to the system requires authentication with the installed external security manager (RACF, ACF2 or Top Secret).
Typical Server Security Issues
• Buffer Overflow
• Server Authentication
• Rogue Program Access
• TCP/IP stacks, ports and network addresses
Data Centric Encryption - Where it "Fits"
[Diagram: encryption layers shown are Point Solution Encryption (Email, SharePoint, Office365); FDE; Transparent Encryption; Data Exchange (SSL/TLS, Brokers, Gateways); and Data Centric Encryption. Two of the layers are annotated "Focus of Compliance"; a separate band marked "!" is annotated "Where Breaches are Happening", with Data Centric Encryption positioned against it.]
IBM Hardware Crypto

Machine  Machine type  Algorithms supported        Crypto hardware
z196     2817          DES, 3DES, AES 128/192/256  CPACF, CEX3C
z114     2818          DES, 3DES, AES 128/192/256  CPACF, CEX3C
zEC12    2827          DES, 3DES, AES 128/192/256  CPACF, CEX3C, CEX4C
zBC12    2828          DES, 3DES, AES 128/192/256  CPACF, CEX3C, CEX4C
z13      2964          DES, 3DES, AES 128/192/256  CPACF, CEX4C, CEX5C
Symmetric Key Operational Comparison

                        CLEAR                         PROTECTED                 SECURE
                        Fast, But Risky               Fast & Secure             Slow
Where the crypto runs   ICSF software                 System z CPACF            System z Cryptographic Card
                        -or- System z CPACF                                     (CEX2C/CEX3C/CEX4C)
Where the key lives     Passphrase value              ICSF CKDS registered      ICSF CKDS registered
                        -or- ICSF CKDS registered     (encrypted)               (encrypted)
                        (clear)

What the three columns mean in practice: a clear key is present in application storage (or, as a passphrase, in the job stream) and can be read by anything that can read that storage. A protected key is held in the CKDS encrypted under the ICSF master key and is re-wrapped under a firmware wrapping key for CPACF, so the key value never appears in the clear in application storage while the operation still runs at CPACF speed. A secure key never leaves the CKDS unencrypted and every operation is performed inside the tamper-responding cryptographic card, which is why it is the slowest of the three.
Batch job to create encrypted ZIP file
//ZIP1 EXEC PGM=SECZIP
//STEPLIB DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//JASOUT DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
// UNIT=SYSDA,SPACE=(CYL,(1,1)),
// DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN DD *
-ENCRYPTION_METHOD(AES256)
-PWD(PKWARE)
-COMPRESSION_LEVEL(1)
-COMPRESSION_METHOD(DEFLATE32)
-DATA_TYPE(TEXT)
-ARCHIVE_OUTFILE(JASOUT)
-ACTION(ADD)
-VERBOSE
-ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
-ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)
The input is the PDS JAS.TEXT.LIB; the two members CRC and EBCDIC are added as crc.txt and ebcdic.txt.
Caveat: -PWD(PKWARE) places the passphrase in clear text in the in-stream SYSIN, where anyone who can read the job's JCL library or its JES output can read it, and password-based AES256 is only as strong as that passphrase. For anything beyond a demonstration, keep the SYSIN in an access-controlled data set rather than in-stream, and prefer the ICSF CKDS-registered key options from the symmetric key comparison slide, which keep the key out of the job stream entirely.
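Before the archive is emailed it is worth confirming, from the file itself rather than from the job messages, that every entry really is AES-encrypted. The following checker is an added example written for this page; it is not PKWARE's code and is not part of the original slides. Password-based AES in a ZIP can appear in either of two layouts seen in the wild: PKWARE's strong-encryption layout (general-purpose flag bit 6 plus a 0x0017 extra field carrying the algorithm ID, as described in the PKWARE APPNOTE) or the WinZip-compatible layout (compression method 99 plus a 0x9901 extra field). Which layout a given SecureZIP configuration writes is not stated on this page, so the checker recognizes both, and it also flags legacy ZipCrypto and unencrypted entries. The sample archive is constructed inline with placeholder payloads; the entry names are the ones the ZIP1 step uses plus two constructed for contrast. It assumes the central directory itself is not encrypted (the PKWARE format also allows an encrypted directory, in which case names would not be readable this way).

```python
"""Report how each entry of a ZIP archive is encrypted, from the central
directory alone: PKWARE strong encryption (flag bit 6 + 0x0017 extra field),
WinZip-compatible AES (method 99 + 0x9901 extra field), legacy ZipCrypto
(flag bit 0 only), or none.  The sample archive below is constructed here;
its headers are realistic but the payloads are placeholder bytes."""
import struct

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"
FLAG_ENCRYPTED, FLAG_STRONG = 0x0001, 0x0040   # general-purpose bits 0 and 6
AES_METHOD = 99                                # reserved for WinZip-style AES
AES_EXTRA_ID, STRONG_EXTRA_ID = 0x9901, 0x0017
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
STRONG_ALGID = {0x6601: "DES", 0x6603: "3DES-168", 0x6609: "3DES-112",
                0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
RANK = {"none": 0, "ZipCrypto (legacy, weak)": 1, "DES": 2, "3DES-112": 3,
        "3DES-168": 4, "AES-128": 5, "AES-192": 6, "AES-256": 7}


def aes_extra(strength: int, real_method: int = 8) -> bytes:
    """0x9901 field: vendor version 2 (AE-2), vendor 'AE', strength, real method."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


def strong_extra(alg_id: int, bitlen: int) -> bytes:
    """0x0017 field: format 2, AlgID, key length in bits, flags (1 = password)."""
    return struct.pack("<HHHHHH", STRONG_EXTRA_ID, 8, 2, alg_id, bitlen, 1)


def build_sample_archive() -> bytes:
    """Constructed sample: AES-256 in both layouts (named like the SecureZIP
    job's members), plus ZipCrypto and unencrypted entries for contrast."""
    entries = [
        (b"crc.txt", FLAG_ENCRYPTED | FLAG_STRONG, 8, strong_extra(0x6610, 256)),
        (b"ebcdic.txt", FLAG_ENCRYPTED, AES_METHOD, aes_extra(3)),
        (b"legacy.txt", FLAG_ENCRYPTED, 8, b""),
        (b"plain.txt", 0, 8, b""),
    ]
    payload = b"\x00" * 16          # placeholder; only the headers matter here
    body = central = b""
    for name, flags, method, extra in entries:
        offset = len(body)
        body += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0, 0,
                            len(payload), len(payload), len(name), len(extra))
        body += name + extra + payload
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, method, 0, 0,
                               0, len(payload), len(payload), len(name), len(extra),
                               0, 0, 0, 0, offset)
        central += name + extra
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def _find_extra(extra: bytes, wanted: int):
    """Walk the extra-field TLVs; return the data of the first field with id `wanted`."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == wanted:
            return extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return None


def classify(flags: int, method: int, extra: bytes) -> str:
    if method == AES_METHOD:                    # WinZip-compatible layout
        field = _find_extra(extra, AES_EXTRA_ID)
        if field is None or len(field) < 7 or not flags & FLAG_ENCRYPTED:
            return "malformed AES entry"
        return AES_STRENGTH.get(field[4], "malformed AES entry")
    if flags & FLAG_STRONG:                     # PKWARE strong-encryption layout
        field = _find_extra(extra, STRONG_EXTRA_ID)
        if field is None or len(field) < 8:
            return "malformed strong-encryption entry"
        alg_id = struct.unpack_from("<H", field, 2)[0]
        return STRONG_ALGID.get(alg_id, f"unknown AlgID 0x{alg_id:04X}")
    if flags & FLAG_ENCRYPTED:
        return "ZipCrypto (legacy, weak)"
    return "none"


def inspect_zip(data: bytes):
    """Return [(name, encryption)] for every entry in the central directory."""
    eocd_pos = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, cd_offset = struct.unpack_from(EOCD_FMT, data, eocd_pos)[4:7:2]
    results, pos = [], cd_offset
    for _ in range(n_entries):
        f = struct.unpack_from(CENTRAL_FMT, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        results.append((name, classify(flags, method, extra)))
        pos += 46 + name_len + extra_len + comment_len
    return results


def weakest(results) -> str:
    """Weakest protection in the archive; malformed/unknown entries rank with DES."""
    return min((enc for _, enc in results), key=lambda enc: RANK.get(enc, 2))


if __name__ == "__main__":
    for name, enc in inspect_zip(build_sample_archive()):
        print(f"{name:12s} {enc}")
```

Against a real archive downloaded from the mainframe in binary, call `inspect_zip(open(path, "rb").read())` and gate the email step on `weakest(...) == "AES-256"`; an archive containing even one ZipCrypto or unencrypted member should fail that gate.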
Batch job to email encrypted ZIP file
//TSOB EXEC PGM=IKJEFT1B
//SYSEXEC DD DISP=SHR,DSN=USER.CLIST
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//DD1 DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
//SYSTSIN DD *
%XMITIP [email protected] +
CC ( [email protected] ) +
MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
FROM [email protected] +
FILEDD DD1 +
Format (BIN) +
Filename jas.zip
Output from Batch Job
J E S 2 J O B L O G -- S Y S T E M P K W 1 -- N
15.54.04 JOB39394 ---- FRIDAY, 11 SEP 2015 ----
15.54.04 JOB39394 IRR010I USERID JAS IS ASSIGNED TO THIS JOB.
15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS
15.54.05 JOB39394 HTRT01I CPU (Total)
15.54.05 JOB39394 HTRT02I Program Stepname ProcStep RC I/O hh:mm:ss.th
15.54.05 JOB39394 HTRT03I SECZIP ZIP1 00 686 00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B TSOB 00 499 00.25
15.54.06 JOB39394 HTRT06I
15.54.06 JOB39394 HTRT04I JASA Job Service Totals 1185 00.42
15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10 IO Cost $ 1.18
15.54.06 JOB39394 $HASP395 JASA ENDED
------ JES2 JOB STATISTICS ------
11 SEP 2015 JOB EXECUTION DATE
38 CARDS READ
855 SYSOUT PRINT RECORDS
0 SYSOUT PUNCH RECORDS
Output from Batch Job
- PKWARE Inc.
-
- Program Name SECZIP hh:mm:ss.th
- Step Name ZIP1 Elapsed Time 01.46
- Procedure Step TCB CPU Time 00.15
- Return Code 00 SRB CPU Time 00.02
- Total I/O 686 Total CPU Time 00.17
- I/O Cost $ 0.68 CPU Cost $ 0.04
- Service Units 1154
-
- PKWARE Inc.
-
- Program Name IKJEFT1B hh:mm:ss.th
- Step Name TSOB Elapsed Time 00.73
- Procedure Step TCB CPU Time 00.24
- Return Code 00 SRB CPU Time 00.01
- Total I/O 499 Total CPU Time 00.25
- I/O Cost $ 0.49 CPU Cost $ 0.06
- Service Units 1870
Output from Batch Job
ZPEN309I z/Architecture Hardware Available -zBC12
ZPEN313I CSNBSYE System Capable with ICSF when available.
ZPEN313C AES is available. DES/3DES is available.
ZPEN313C CPACF Protected Keys are available.
ZPEN334I PKA callable services are enabled.
ZPEN315I AES(128, 192, 256) Clear Key Hardware Available -zBC12
ZPEN310I CP Assist For Cryptographic Functions Available
ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
ZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGen
ZPCM017I A total of 1 ADD/UPDATE candidate data sets were identified.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM253I ADDED File JAS.TEXT.LIB(CRC)
ZPAM254I as crc.txt
ZPAM255I (DEFLATED 57%/56%) SecureZIP(R) AES256 ; DATA SIZE 1,600; ZIP SIZE
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
ZPAM253I ADDED File JAS.TEXT.LIB(EBCDIC)
ZPAM254I as ebcdic.txt
ZPAM255I (DEFLATED 34%/32%) SecureZIP(R) AES256 ; DATA SIZE 480; ZIP SIZE 32
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED