Pre-Con Ed: Reduce Security Cost and Effort with CA Cleanup and Role Based Access Control
TRANSCRIPT
CA World '16
Reduce Security Cost and Effort with CA Cleanup and Role Based Access Control
Carla Flores, CA Technologies, Sr. Principal Consultant
John Pinkowski, CA Technologies, Sr. Principal Product Owner
MAINFRAME AND WORKLOAD AUTOMATION
MFX41E
2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Cost, effort and time are the biggest challenges customers face when it comes to mainframe security.
This session will provide an overview of how CA Cleanup reduces the effort and pressures associated with maintaining current regulatory, statutory and audit requirements.
We'll cover how simple it is to use CA Cleanup as the first step to getting to a role-based access control implementation that reduces the cost of administering mainframe security.
Carla Flores, CA Technologies, Sr. Principal Consultant
John Pinkowski, CA Technologies, Sr. Principal Consultant
Agenda
1 Clean-up is your first line of defense
2 How CA Cleanup works
3 Phased implementation recommendations
4 Role based access control best practices
5 What's next?
6 Open discussion / Q&A
Business Challenges: What do you want to do?
MITIGATE RISK | SUPPORT THE BUSINESS | REDUCE COST OF COMPLIANCE
Automate for efficiency (e.g. certification)
Centralized visibility
Reduce exception processing
Least privileged access and SoD violations
Enable business to be accountable (while minimizing their effort)
Enable quick and secure access
Improve security, not just pass the audit
On-going remediation and improvement of compliance
Eliminate terminated users, orphan accounts
Reduce excessive entitlements
Delete inactive accounts
Improve role quality (redundancy)
Automate HR changes related to role assignments
Business Challenges: What do you want to do?
CHALLENGE | SOLUTION | BENEFITS

Challenge. Key drivers:
§ Highly publicized security breaches (e.g., Sony, Anthem, Target, Fed Govt OPM), mostly a result of privileged user account compromise, driving broad demand
§ Regulation and compliance driven needs are expanding with latest mandates
§ Threat surface is expanding with transition to evolving technology stack
§ Lack of automated capabilities to discover access and entitlements and limited visibility into user activities on the mainframe.

Solution:
Securing employee and customer data and access to the Mainframe is key for protecting brand and reputation.
Discovering and managing access is a starting point toward securing the Mainframe environment.
A consolidated solution with preventive and detective controls to reduce the likelihood of unauthorized access is key to ensure security as well as streamlining the administration and auditing of all Mainframe access.
Mitigate the risks of external attacks, insider threat and lateral movement within the Mainframe environment.

Benefits:
The financial benefit for this risk mitigation approach is to avoid the cost of a data breach, which averages $5.9 million for a class action lawsuit settlement (Target settled at $39M, Sony Playstation $171M, Sony Entertainment $100M, Anthem BCBS $100M and still growing).
Key Benefits:
§ Protect against both external and internal threats
§ Enable compliance for access across the Mainframe environment
§ Reduce costs and improve efficiency through automated security controls
Opportunities for Improvement: Efficacy, Efficiency, Cost Reduction and Cost Avoidance

Reduce Risk
American Express could face devastating losses in the event of unauthorized access. There is a need to establish unique preventive and detective controls to reduce the likelihood of unauthorized access and limit the impact of such an event.

Improve Compliance
Growing regulatory concerns stemming from recent security breaches are driving new security requirements. Discovering and cleaning access is the first step to better manage both current and future compliance requirements.

Improve Operational Efficiency
Errors and mistakes made by administrators can lead to system outages and SLA violations and are costly to triage. Enhanced auditing and session recording capabilities can solve the attribution problem and help the engagement team address issues before they negatively impact operations.

Increase Productivity
American Express has many manual or ad-hoc processes to grant and manage access on the Mainframe. This leads to administrators either spending more time than necessary to grant access or taking shortcuts that impact the security posture of the entire organization. A consolidated platform to simplify administrator access can also enforce accountability and compliance.
Quick Assessment

REDUCE RISK OF OVER-PRIVILEGED USERS
§ Do I have Segregation of Duties violations right now?
§ Do all my users have the correct access for their role(s)?

AUTOMATE IDENTITY PROCESSES
§ Are my processes too manual? Are they inefficient?
§ Do I have inconsistent security policies due to human error?

SIMPLIFY COMPLIANCE AUDITS
§ Can I reduce the time & effort it takes to submit audit reports?
§ Can I easily show "who has access to what"?

IMPROVE EMPLOYEE PRODUCTIVITY
§ How much time do my managers spend in access certifications?
§ How long does it take a new employee to have ALL their access and accounts available?

INCREASE USER PARTICIPATION
§ Can I provide a one-stop-shop where my users can easily access all identity services in one place?
§ Can I reduce the need of IT to manage identity processes?

PROVIDE OUTSTANDING USER EXPERIENCE
§ Can the system interact with my users with Business terms that they understand?
§ Can I improve my user productivity and satisfaction?
Where Does Your Organization Stand?
Maturity stages: Manual; Integrated and Automated; Business Optimized
Characteristics:
Continuous compliance
Systematic identification of access risk
Streamlining existing processes
Repeatable security practice
Incorporated business relevance
Intelligent decision support
Identity intelligence
Content-aware
Security in the Cloud
Reacting to audits with spreadsheets
Compliance teams in silos with overlap
Best effort security policy enforcement
CA Cleanup for z/OS & CA Identity Governance
A winning combination...
"CA Mainframe Security solutions provide us with a high level of confidence that access to sensitive data is secured and properly managed."
- IT Specialist, Fortune 500 Banking Company
Source: TechValidate, TVID: C58-OCD-C5E
Governing Access on the Mainframe (CA Cleanup + CA Identity Governance)
Reduce time and cost of compliance, mitigate risk and support the business
50%+ of mainframe security databases contain orphaned, obsolete or redundant identities and entitlements.
CLEANUP ACCESS | CONSOLIDATE ENTITLEMENTS | REPEATABLE PROCESSES
Automated removal of wrong entitlements and access groups
Restrict privileged access rights to minimum requirements
Gain rapid insight: who has access to what
Identify exposures: wrong entitlements, inactive accounts, etc.
Continuously monitor system usage over time
Automate and streamline compliance processes and establish detective controls
CA Cleanup for z/OS: How It All Works
Components shown in the diagram:
- Security Database (CA ACF2, CA Top Secret or IBM RACF)
- Database Load Utility
- CA Cleanup Started Task
- Tracking Database
- Report and Command Generator (DBRPT / DBRPTC)
- Report File (DBRPT) and Command Files (CMD)
CA Cleanup unreferenced summary report (TSS). Typical use case: +50% unused
CA Cleanup unreferenced summary report (ACF2). Typical use case: +50% unused

Record Type      Total      Unreferenced
---------------  ---------  ------------  ----
USER             15,865     7,637          48%
DSN Rule Sets    9,031      4,605          50%
DSN Rule Lines   103,308    79,177         76%
RATX Rule Sets   1          1             100%
RATX Rule Lines  2          2             100%
RBBM Rule Sets   1          1             100%
RBBM Rule Lines  1          1             100%
RBCM Rule Sets   55         33             60%
RBCM Rule Lines  209        178            85%
RBJT Rule Sets   1          1             100%
RBJT Rule Lines  3          3             100%
RCAC Rule Sets   10         10            100%
RCAC Rule Lines  79         79            100%
RCAT Rule Sets   13         10             76%
RCAT Rule Lines  77         69             89%
RCBI Rule Sets   1          1             100%
RCBI Rule Lines  2          2             100%
RCCM Rule Sets   55         44             80%
RCCM Rule Lines  209        194            92%
RCKC Rule Sets   1          1             100%
RCKC Rule Lines  1          1             100%
RCKP Rule Sets   6          6             100%
RCKP Rule Lines  6          6             100%
RCKZ Rule Sets   18         18            100%
RCKZ Rule Lines  21         21            100%
RCMN Rule Sets   265        154            58%
RCMN Rule Lines  1,195      764            63%
RCP1 Rule Sets   2          2             100%
RCP1 Rule Lines  127        127           100%
RCSM Rule Sets   1          1             100%
RDTA Rule Sets   4          4             100%
RDTA Rule Lines  199        199           100%
RDTR Rule Sets   53         53            100%
RDTR Rule Lines  144        144           100%
RECM Rule Sets   55         36             65%
RECM Rule Lines  209        182            87%
REJB Rule Sets   1          1             100%
REJB Rule Lines  1          1             100%
RESP Rule Sets   4          0               0%
RESP Rule Lines  341        250            73%
RFAC Rule Sets   15         12             80%
RFAC Rule Lines  66         63             95%
---------------  ---------  ------------  ----
Totals           131,658    94,094         71%
Phased Clean-up Steps (phase 1)
§ Run DBRPT unref=999
§ Review summary report
§ Start with 100% non-use
§ Run DBRPTC with selected resource types*
  * ACF2 = OPTION(comment access none)
§ Review output
§ Schedule cleanup cycle
§ Execute deletes via batch
§ Maintain delete/recovery command files as GDG(s)
§ Consider update 'reload' job to run nightly (off-hours)
Phased Clean-up Steps (phase 2)
§ Re-run DBRPT unref=999
§ Review summary report
§ Now with 80-99% non-use
§ Run DBRPTC with selected resource types*
  * ACF2 = OPTION(comment access none)
§ Review output
§ Schedule cleanup cycle
§ Execute deletes via batch
§ Maintain delete/recovery command files as GDG(s)
§ Consider update 'reload' job to run nightly (off-hours)
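As an added illustration (not CA Cleanup's own code or output), the Python below reads an excerpt in the layout of the ACF2 unreferenced summary report shown earlier, recomputes each percentage from its counts as a sanity check, and sorts record types into the phase 1 (100% non-use) and phase 2 (80-99% non-use) DBRPTC runs from the phased steps above. The report excerpt is constructed from the slide's rows; nothing else is assumed.

```python
# Constructed excerpt in the layout of the deck's ACF2 unreferenced summary report
# (a subset of its rows; the Totals line is the slide's own, not the excerpt's sum).
SAMPLE_REPORT = """\
Record Type     Total     Unreferenced
--------------- --------- ------------
USER            15,865    7,637    48%
DSN Rule Sets   9,031     4,605    50%
DSN Rule Lines  103,308   79,177   76%
RCAC Rule Sets  10        10      100%
RCAC Rule Lines 79        79      100%
RCAT Rule Sets  13        10       76%
RESP Rule Sets  4         0         0%
RFAC Rule Sets  15        12       80%
--------------- --------- ------------ ----
Totals          131,658   94,094   71%
"""

def _num(s):
    return int(s.replace(",", ""))

def parse_report(text):
    """Parse report rows into dicts; returns (record_type_rows, totals_row)."""
    rows, totals = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[-1].endswith("%"):
            continue  # header and separator lines carry no counts
        row = {"name": " ".join(parts[:-3]), "total": _num(parts[-3]),
               "unref": _num(parts[-2]), "pct": int(parts[-1].rstrip("%"))}
        # Report truncates unref/total to a whole percent; recompute to catch mis-read rows.
        expected = row["unref"] * 100 // row["total"] if row["total"] else 0
        row["consistent"] = expected == row["pct"]
        if row["name"] == "Totals":
            totals = row
        else:
            rows.append(row)
    return rows, totals

def cleanup_phase(pct):
    """Deck's phasing: phase 1 takes 100% non-use, phase 2 takes 80-99%;
    anything lower waits for the on-going weekly cycle (None)."""
    if pct == 100:
        return 1
    return 2 if 80 <= pct <= 99 else None

def plan_phases(rows):
    """Group record types by the phase in which they become DBRPTC candidates."""
    plan = {1: [], 2: [], None: []}
    for r in rows:
        plan[cleanup_phase(r["pct"])].append(r["name"])
    return plan
```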
On-going Cleanup
§ Run DBRPT or DBRPTC weekly to meet SLA for account/entitlement removals. Best practice = 400 days
§ Execute deletes via batch
§ Maintain delete/recovery command files via GDG
[Figure: level of privilege over time. An employee is hired and an ID is provisioned; new entitlements accumulate; the employee leaves and the ID is de-provisioned, but not all entitlements are removed, leaving orphan accounts & entitlements. This creates a security risk!]
Case Study: Large Retailer Streamlining Mainframe Access
Population: Contractors, Partners, Employees
Challenges:
§ Fragmented entitlements: lack of visibility of access, un-optimized group access, orphan accounts, overlapping access
§ Manual entitlement reviews
§ No standardized role definitions
Proven highly scalable solution: analyzed 250,000 accounts, 66 million access rights and discovered 200 roles within 3 minutes
"CA Identity Governance provided the most rapid TTV of any IAM product I've ever used..." - VP of IT
"Who has access to what?" Example assessment
Systems: Mainframe, Customer Database, Directory, HR, UNIX, Corporate Network
People: Sally Brown (Finance), Bob Thomas (Payments), Hiroki Shimada (IT), Harold Fletcher (Finance), Jane Coors (Payments), Morgan Smith (IT), Carlos Bayez (IT), Laura Dempsey (Payments)
1,000,000's entitlements, 15,000+ people, 100's applications
Finance
✓ 1,123 combinations of UID string values, minus the LID.
✓ 443 refer to only 1 LID, 76 refer to 2, 42 refer to 3, 32 refer to 4 and 29 refer to 5.
✓ 662 unique combinations, or a little more than half, refer to 5 or less LIDs.
Typical Findings / Recommendations
Estimated durations shown on the slide: 1-2 weeks, 4-6 weeks, 6-8 weeks, 12+ weeks

Role survey / RBAC
§ Leverage CA Identity Governance role mining recommendations and attestation
§ Steps:
- Determine acceptable level of role matching via surveys
- Identify SoD violations
- Identify where people fall outside the normal access structure
- Definition of Role groupings in ESM
§ Phased implementation:
- Define everyone based on new role
- Migrate based on business tolerance

Phased Cleanup
§ Findings:
- Reporting is cluttered due to excessive security data that is obsolete
• Steps:
- Purge obsolete rule lines
- Leverage ACFRULCU (ACF2 only)
- Rule next-key consolidation (ACF2 only)
- Ongoing cleanup

Sensitive Data Discovery
§ Findings:
- Difficult to identify sensitive data with 100% certainty
- Reporting process is cluttered due to excessive inclusion
• Steps:
- Implement CA Data Content Discovery to identify sensitive data
- Implement CA Compliance Event Manager for on-going real time alerts

Compliance Monitoring
§ Findings:
- Need more detailed data on current entitlement reports
- Ongoing entitlement certification process could be enhanced
- Integrity monitoring not in place
• Steps:
- Explore Compliance Information Analysis (CIA) as part of base product (ACF2 & Top Secret only)
Role Based Access Control: Best Practice Approach
Phase 1: Planning
Phase 2: Foundation
Phase 3: Automation
Phase 4: Optimization
Activities across the phases:
Gap Analysis
Visibility, Audit & Clean-Up
Role Modeling
Business Case Development
Project Planning
Ongoing Refinement
Executive Sponsorship & Business Acceptance
Data Discovery
Entitlements Certification
Role Management
User Provisioning
Segregation of Duties Policies
User Activity Monitoring
Defense in Depth Strategy for z Systems™
CA Identity Suite: Full identity lifecycle management
CA Privileged Access Manager: Manage your privileged account access across both physical and virtual systems
CA Identity Governance: Role discovery and entitlement certification for all end-points
CA Data Content Discovery: Sensitive data discovery tool for z/OS to identify, classify and protect mainframe data
CA Cleanup: Identify and remove obsolete, redundant, unused IDs and entitlements
CA Auditor / CA Compliance Event Manager: z/OS integrity monitoring and security information event management
70% of mission critical data
Recommended Sessions
SESSION # | TITLE | DATE/TIME/ROOM
MFX119S | Encryption and Hashing and Keys – Oh, my! | 11/16/2016 at 1:45pm, Jasmine E
MFX118S | How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis | 11/16/2016 at 3:00pm, Jasmine E
MFX173S | The Importance of Mainframe Security Education | 11/16/2016 3:45pm, Jasmine E
MFX172S | The Key to Complying With New Regulations and Standards: Comprehensive Mainframe Security | 11/16/2016 at 4:30pm, Jasmine E
MFT174S | Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data | 11/17/2016 12:45pm, Mainframe Theater
MFT175S | Gaps in Your Defense: Hacking the Mainframe | 11/17/2016 3:00pm, Mainframe Theater
Must See Tech Talks and Demos – Expo Floor
Mainframe Security and Enterprise Security Demos
MFT53T | How Can Mainframe Security be Made Easier? | 11/16/2016 @ 12:45pm, Mainframe Theater
SCT38T / SCX05E:
PAM Threat Analytics | 11/17/2016 @ 4:00pm, Security Theater
Governing Your Privileged Users | 11/16/2016 @ 3:45pm, Security Theater
Summary
THE VALUE | WHY CA TECHNOLOGIES
§ Protects against both external and internal threats
§ Enables compliance for privileged identity and administrative access across the Mainframe
§ Reduces costs and improves efficiency through automated security controls
§ Leverage existing negotiated rates on license for aggressive discounts and product value
§ Offers the most comprehensive solution, providing both preventive & detective controls
§ Provides defense in depth for privileged account management:
  – Comprehensive credential management
  – Least-privilege, policy-based SSO access control with command filtering
  – Privileged session monitoring and recording
  – Fine-grained server access controls
§ Rated Best-of-breed solution by leading industry analysts
§ Proven scalability in some of the largest and most complex IT environments in the world