CA World ’16: Reduce Security Cost and Effort with CA Cleanup and Role Based Access Control. Carla Flores, CA Technologies, Sr. Principal Consultant; John Pinkowski, CA Technologies, Sr. Principal Product Owner. MAINFRAME AND WORKLOAD AUTOMATION. MFX41E

Upload: ca-technologies

Post on 18-Jan-2017


TRANSCRIPT

CA World ’16

Reduce Security Cost and Effort with CA Cleanup and Role Based Access Control
Carla Flores, CA Technologies, Sr. Principal Consultant
John Pinkowski, CA Technologies, Sr. Principal Product Owner

MAINFRAME AND WORKLOAD AUTOMATION

MFX41E

Slide 2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

Terms of this Presentation: For Informational Purposes Only

© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Slide 3

Abstract

Cost, effort and time are the biggest challenges customers face when it comes to mainframe security.

This session will provide an overview of how CA Cleanup reduces the effort and pressures associated with maintaining current regulatory, statutory and audit requirements.

We’ll cover how simple it is to use CA Cleanup as the first step to getting to a role-based access control implementation that reduces the cost of administering mainframe security.

Carla Flores, CA Technologies, Sr. Principal Consultant
John Pinkowski, CA Technologies, Sr. Principal Consultant

Slide 4

Agenda

1. CLEAN-UP IS YOUR FIRST LINE OF DEFENSE
2. HOW CA CLEANUP WORKS
3. PHASED IMPLEMENTATION RECOMMENDATIONS
4. ROLE BASED ACCESS CONTROL BEST PRACTICES
5. WHAT’S NEXT?
6. OPEN DISCUSSION / Q&A

Slide 5

Business Challenges: What do you want to do?

MITIGATE RISK / SUPPORT THE BUSINESS / REDUCE COST OF COMPLIANCE

- Automate for efficiency (e.g. certification)
- Centralized visibility
- Reduce exception processing
- Least privileged access and SOD violations
- Enable business to be accountable (while minimizing their effort)
- Enable quick and secure access
- Improve security, not just pass the audit
- On-going remediation and improvement of compliance
- Eliminate terminated users, orphan accounts
- Reduce excessive entitlements
- Delete inactive accounts
- Improve role quality (redundancy)
- Automate HR changes related to role assignments

Slide 6

Business Challenges: What do you want to do?

CHALLENGE

Securing employee and customer data and access to the Mainframe is key for protecting brand and reputation.

Key drivers:
- Highly publicized security breaches (e.g., Sony, Anthem, Target, Fed Govt OPM), mostly a result of privileged user account compromise, driving broad demand
- Regulation and compliance driven needs are expanding with latest mandates
- Threat surface is expanding with transition to evolving technology stack
- Lack of automated capabilities to discover access and entitlements and limited visibility into user activities on the mainframe.

SOLUTION

Discovering and managing access is a starting point toward securing the Mainframe environment.

A consolidated solution with preventive and detective controls to reduce the likelihood of unauthorized access is key to ensure security as well as streamlining the administration and auditing of all Mainframe access.

Mitigate the risks of external attacks, insider threat and lateral movement within the Mainframe environment.

BENEFITS

The financial benefit for this risk mitigation approach is to avoid the cost of a data breach, which averages $5.9 million for a class action lawsuit settlement (Target settled at $39M, Sony Playstation $171M, Sony Entertainment $100M, Anthem BCBS $100M and still growing).

Key Benefits:
- Protect against both external and internal threats
- Enable compliance for access across the Mainframe environment
- Reduce costs and improve efficiency through automated security controls

Slide 7

Opportunities for Improvement: Efficacy, Efficiency, Cost Reduction and Cost Avoidance

Reduce Risk: American Express could face devastating losses in the event of unauthorized access. There is a need to establish unique preventive and detective controls to reduce the likelihood of unauthorized access and limit the impact of such an event.

Improve Compliance: Growing regulatory concerns stemming from recent security breaches are driving new security requirements. Discovering and cleaning access is the first step to better manage both current and future compliance requirements.

Improve Operational Efficiency: Errors and mistakes made by administrators can lead to system outages and SLA violations and are costly to triage. Enhanced auditing and session recording capabilities can solve the attribution problem and help the engagement team address issues before they negatively impact operations.

Increase Productivity: American Express has many manual or ad-hoc processes to grant and manage access on the Mainframe. This leads to administrators either spending more time than necessary to grant access or taking shortcuts to impact the security posture of the entire organization. A consolidated platform to simplify administrator access can also enforce accountability and compliance.

Slide 8

Quick Assessment

REDUCE RISK OF OVER-PRIVILEGED USERS
- Do I have Segregation of Duties violations right now?
- Do all my users have the correct access for their role(s)?

AUTOMATE IDENTITY PROCESSES
- Are my processes too manual? Are they inefficient?
- Do I have inconsistent security policies due to human error?

SIMPLIFY COMPLIANCE AUDITS
- Can I reduce the time & effort it takes to submit audit reports?
- Can I easily show “who has access to what”?

IMPROVE EMPLOYEE PRODUCTIVITY
- How much time do my managers spend in access certifications?
- How long does it take a new employee to have ALL their access and accounts available?

INCREASE USER PARTICIPATION
- Can I provide a one-stop-shop where my users can easily access all identity services in one place?
- Can I reduce the need of IT to manage identity processes?

PROVIDE OUTSTANDING USER EXPERIENCE
- Can the system interact with my users with Business terms that they understand?
- Can I improve my user productivity and satisfaction?

Slide 9

Where Does Your Organization Stand?

Manual
- Reacting to audits with spreadsheets
- Compliance teams in silos with overlap
- Best effort security policy enforcement

Integrated and Automated
- Continuous compliance
- Systematic identification of access risk
- Streamlining existing processes
- Repeatable security practice

Business Optimized
- Incorporated business relevance
- Intelligent decision support
- Identity intelligence
- Content-aware
- Security in the Cloud

Slide 10

CA Cleanup for z/OS & CA Identity Governance

A winning combination…

“CA Mainframe Security solutions provide us with a high level of confidence that access to sensitive data is secured and properly managed.”

- IT Specialist, Fortune 500 Banking Company

Source: TechValidate, TVID: C58-OCD-C5E

Slide 11

Governing Access on the Mainframe (CA Cleanup + CA Identity Governance)
Reduce time and cost of compliance, mitigate risk and support the business

50%+ of mainframe security databases contain orphaned, obsolete or redundant identities and entitlements.

Cleanup Access / Consolidate Entitlements / Repeatable Processes

- Automated removal of wrong entitlements and access groups
- Restrict privileged access rights to minimum requirements
- Gain rapid insight: who has access to what
- Identify exposures: wrong entitlements, inactive accounts, etc.
- Continuously monitor system usage over time
- Automate and streamline compliance processes and establish detective controls

Slide 12

CA Cleanup for z/OS: How It All Works

Components shown in the architecture diagram:
- Security Database (CA ACF2, CA Top Secret or IBM RACF)
- Database Load Utility
- Tracking Database
- CA Cleanup Started Task
- Report and Command Generator (DBRPTCMD)
- Report File and Command Files

Slide 13

CA Cleanup unreferenced summary report (TSS). Typical use case: +50% unused

Slide 14

CA Cleanup unreferenced summary report (ACF2). Typical use case: +50% unused

Record Type         Total Unreferenced
--------------- --------- ------------
USER               15,865        7,637  48%
DSN Rule Sets       9,031        4,605  50%
DSN Rule Lines    103,308       79,177  76%
RATX Rule Sets          1            1 100%
RATX Rule Lines         2            2 100%
RBBM Rule Sets          1            1 100%
RBBM Rule Lines         1            1 100%
RBCM Rule Sets         55           33  60%
RBCM Rule Lines       209          178  85%
RBJT Rule Sets          1            1 100%
RBJT Rule Lines         3            3 100%
RCAC Rule Sets         10           10 100%
RCAC Rule Lines        79           79 100%
RCAT Rule Sets         13           10  76%
RCAT Rule Lines        77           69  89%
RCBI Rule Sets          1            1 100%
RCBI Rule Lines         2            2 100%
RCCM Rule Sets         55           44  80%
RCCM Rule Lines       209          194  92%
RCKC Rule Sets          1            1 100%
RCKC Rule Lines         1            1 100%
RCKP Rule Sets          6            6 100%
RCKP Rule Lines         6            6 100%
RCKZ Rule Sets         18           18 100%
RCKZ Rule Lines        21           21 100%
RCMN Rule Sets        265          154  58%
RCMN Rule Lines     1,195          764  63%
RCP1 Rule Sets          2            2 100%
RCP1 Rule Lines       127          127 100%
RCSM Rule Sets          1            1 100%
RDTA Rule Sets          4            4 100%
RDTA Rule Lines       199          199 100%
RDTR Rule Sets         53           53 100%
RDTR Rule Lines       144          144 100%
RECM Rule Sets         55           36  65%
RECM Rule Lines       209          182  87%
REJB Rule Sets          1            1 100%
REJB Rule Lines         1            1 100%
RESP Rule Sets          4            0   0%
RESP Rule Lines       341          250  73%
RFAC Rule Sets         15           12  80%
RFAC Rule Lines        66           63  95%
--------------- --------- ------------ ----
Totals            131,658       94,094  71%

Slide 15

Phased Clean-up Steps

- Run DBRPT unref=999
- Review summary report
- Start with 100% non-use
- Run DBRPTC with selected resource types*
  *ACF2 = OPTION(comment access none)
- Review output
- Schedule cleanup cycle
- Execute deletes via batch
- Maintain delete/recovery command files as GDG(s)
- Consider update ‘reload’ job to run nightly (off-hours)

Slide 16

Phased Clean-up Steps

- Re-run DBRPT unref=999
- Review summary report
- Now with 80-99% non-use
- Run DBRPTC with selected resource types*
  *ACF2 = OPTION(comment access none)
- Review output
- Schedule cleanup cycle
- Execute deletes via batch
- Maintain delete/recovery command files as GDG(s)
- Consider update ‘reload’ job to run nightly (off-hours)
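The two passes above (100% non-use first, then 80-99%) are driven by the unreferenced percentages in the summary report shown on slide 14. As an added example, not CA's code, this Python script parses that report layout and returns the record types to feed into each DBRPTC pass; the report format is inferred from the slide excerpt and the sample rows are copied from it.

```python
import re

# Excerpt of the ACF2 unreferenced summary report from slide 14 (figures copied
# from the deck; a real report lists every record type in the security database).
SUMMARY_REPORT = """\
Record Type         Total Unreferenced
--------------- --------- ------------
USER               15,865        7,637  48%
DSN Rule Sets       9,031        4,605  50%
RCCM Rule Sets         55           44  80%
RCCM Rule Lines       209          194  92%
RCKZ Rule Sets         18           18 100%
RCP1 Rule Lines       127          127 100%
RESP Rule Sets          4            0   0%
RFAC Rule Lines        66           63  95%
--------------- --------- ------------ ----
Totals            131,658       94,094  71%
"""

# One data row: record type (may contain spaces), total, unreferenced, percent.
ROW = re.compile(r"^(?P<rtype>[A-Za-z0-9 ]+?)\s+(?P<total>[\d,]+)\s+"
                 r"(?P<unref>[\d,]+)\s+(?P<pct>\d+)%$")

def parse_summary(text):
    """One dict per record type; header, rules and Totals are skipped. The percentage
    is recomputed (truncated, as the report prints it) and checked against the printed one."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["rtype"].strip() == "Totals":
            continue
        total = int(m["total"].replace(",", ""))
        unref = int(m["unref"].replace(",", ""))
        pct = unref * 100 // total if total else 0
        if pct != int(m["pct"]):
            raise ValueError(f"percentage mismatch on line: {line!r}")
        rows.append({"type": m["rtype"].strip(), "total": total,
                     "unreferenced": unref, "pct": pct})
    return rows

def select_phase(rows, low, high=100):
    """Record types with unreferenced share in [low, high] percent, highest share first."""
    picked = [r for r in rows if low <= r["pct"] <= high]
    picked.sort(key=lambda r: (-r["pct"], -r["unreferenced"]))
    return [r["type"] for r in picked]

if __name__ == "__main__":
    rows = parse_summary(SUMMARY_REPORT)
    print("Phase 1 (100% non-use):", select_phase(rows, 100))
    print("Phase 2 (80-99% non-use):", select_phase(rows, 80, 99))
```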

Slide 17

On-going Cleanup

- Run DBRPT or DBRPTC weekly to meet SLA for account/entitlement removals. Best practice = 400 days
- Execute deletes via batch
- Maintain delete/recovery command files via GDG

[Chart: level of privilege over time. Employee is hired and ID is provisioned; new entitlements are added; employee leaves and ID is de-provisioned, but not all entitlements are removed, leaving orphan accounts & entitlements. This creates a security risk!]

Slide 18

Case Study: Large Retailer: Streamlining Mainframe access

Challenges:
- Fragmented entitlements
  - lack of visibility of access
  - un-optimized group access
  - orphan accounts
  - overlapping access
- Manual entitlement reviews
- No standardized role definitions

User populations shown: CONTRACTORS, PARTNERS, EMPLOYEES

Proven highly scalable solution: Analyzed 250,000 accounts, 66 million access rights and discovered 200 roles within 3 minutes

“CA Identity Governance provided the most rapid TTV of any IAM product I’ve ever used…” - VP of IT

Slide 19

“Who has access to what?” Example assessment

Systems shown: Email, Mainframe, Customer Database, Directory, HR, UNIX, Corporate Network

People shown: Sally Brown (Finance), Bob Thomas (Payments), Hiroki Shimada (IT), Harold Fletcher (Finance), Jane Coors (Payments), Morgan Smith (IT), Carlos Bayez (IT), Laura Dempsey (Payments)

Scale: 1,000,000’s Entitlements, 15,000+ People, 100’s Applications

Finance
- 1,123 combinations of UID string values, minus the LID.
- 443 refer to only 1 LID, 76 refer to 2, 42 refer to 3, 32 refer to 4 and 29 refer to 5.
- 662 unique combinations, or a little more than half, refer to 5 or less LIDs.

Slide 20

Typical Findings / Recommendations

Workstreams: Sensitive Data Discovery, Phased Cleanup, Compliance Monitoring, Role survey/RBAC (estimated durations shown on the slide: 6-8 weeks, 1-2 weeks, 4-6 weeks, 12+ weeks)

Role survey/RBAC
- Leverage CA Identity Governance role mining recommendations and attestation
- Steps:
  - Determine acceptable level of role matching via surveys
  - Identify SoD violations
  - Identify where people fall outside the normal access structure
  - Definition of Role groupings in ESM
- Phased implementation
  - Define everyone based on new role
  - Migrate based on business tolerance

Phased Cleanup
- Findings:
  - Reporting is cluttered due to excessive security data that is obsolete
- Steps:
  - Purge obsolete rule lines
  - Leverage ACFRULCU (ACF2 only)
  - Rule nextkey consolidation (ACF2 only)
  - Ongoing cleanup

Sensitive Data Discovery
- Findings:
  - Difficult to identify sensitive data with 100% certainty
  - Reporting process is cluttered due to excessive inclusion
- Steps:
  - Implement CA Data Content Discovery to identify sensitive data
  - Implement CA Compliance Event Manager for on-going real time alerts

Compliance Monitoring
- Findings:
  - Need more detailed data on current entitlement reports
  - Ongoing entitlement certification process could be enhanced
  - Integrity monitoring not in place
- Steps:
  - Explore Compliance Information Analysis (CIA) as part of base product (ACF2 & Top Secret only)

Slide 21

Role Based Access Control: Best Practice Approach

Phase 1: Planning
Phase 2: Foundation
Phase 3: Automation
Phase 4: Optimization

Activities shown across the phases:
- Gap Analysis
- Visibility, Audit & Clean-Up
- Role Modeling
- Business Case Development
- Project Planning
- Ongoing Refinement
- Executive Sponsorship & Business Acceptance
- Data Discovery
- Entitlements Certification
- Role Management
- User Provisioning
- Segregation of Duties Policies
- User Activity Monitoring

Slide 22

Defense in Depth Strategy for z Systems™

- CA Identity Suite: full identity lifecycle management
- CA Privileged Access Manager: manage your privileged account access across both physical and virtual systems
- CA Identity Governance: role discovery and entitlement certification for all end-points
- CA Data Content Discovery: sensitive data discovery tool for z/OS to identify, classify and protect mainframe data
- CA Cleanup: identify and remove obsolete, redundant, unused IDs and entitlements
- CA Auditor / CA Compliance Event Manager: z/OS integrity monitoring and security information event management

70% of mission critical data

Slide 23

Recommended Sessions

SESSION# | TITLE | DATE/TIME/ROOM
MFX119S | Encryption and Hashing and Keys – Oh, my! | 11/16/2016 at 1:45pm, Jasmine E
MFX118S | How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis | 11/16/2016 at 3:00pm, Jasmine E
MFX173S | The Importance of Mainframe Security Education | 11/16/2016 3:45pm, Jasmine E
MFX172S | The Key to Complying With New Regulations and Standards: Comprehensive Mainframe Security | 11/16/2016 at 4:30pm, Jasmine E
MFT174S | Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data | 11/17/2016 12:45pm, Mainframe Theater
MFT175S | Gaps in Your Defense: Hacking the Mainframe | 11/17/2016 3:00pm, Mainframe Theater

Slide 24

Must See Tech Talks and Demos: Expo Floor

MFT53T | How Can Mainframe Security be Made Easier? | 11/16/2016 @ 12:45pm, Mainframe Theater

Mainframe Security and Enterprise Security Demos

SCT38T / SCX05E | PAM Threat Analytics | 11/17/2016 @ 4:00pm, Security Theater
Governing Your Privileged Users | 11/16/2016 @ 3:45pm, Security Theater

Slide 25

Questions?

Slide 26

Thank you.

Stay connected at communities.ca.com

Slide 27

Summary

THE VALUE
- Protects against both external and internal threats
- Enables compliance for privileged identity and administrative access across the Mainframe
- Reduces costs and improves efficiency through automated security controls
- Leverage existing negotiated rates on license for aggressive discounts and product value

WHY CA TECHNOLOGIES
- Offers the most comprehensive solution, providing both preventive & detective controls
- Provides defense in depth for privileged account management:
  - Comprehensive credential management
  - Least-privilege, policy-based SSO access control with command filtering
  - Privileged session monitoring and recording
  - Fine-grained server access controls
- Rated Best-of-breed solution by leading industry analysts
- Proven scalability in some of the largest and most complex IT environments in the world

Slide 28

Mainframe and Workload Automation

For more information on Mainframe and Workload Automation, please visit: http://cainc.to/9GQ2JI