Securing end to end workflows using Multi Level Security
How good is mainframe security? Unfortunately, only as good as the end user device.
October 20, 2015
4/15/2015
Agenda
• Necessity of a cross platform Trust model
• How compartmentalization and Multi level security works
• Product & Solution Overview
  – Trusted Access – Thin Client
  – Trusted Access – Mobile
• Executive Summary
• Contact Information
Summary of MLS discussion
• Privacy, Security and Policies must be enforced regardless of device ownership
• Virtualize Enterprise Mobile and Desktop operations
  – Simplifies BYOD; protects against and prevents data leakage; reduces help desk costs by 90%
  – “Traditional” VDI solutions are not enough to meet these requirements
  – Theft, loss, virus, Trojan horse and misuse can put information at risk
• Value of $ spent on prevention far exceeds $ spent on detection
  – Detection has non-budgeted expenses: How much will be spent on forensics to identify damage? How much will be spent toward improving a tarnished brand image?
• Centralizing/consolidation of operations has game changing value for IT solutions
  – Performance – reduce latency and improve scale
  – Security – improve Trust and Fraud prevention
  – Business Resilience – end to end fault avoidance
  – Shared Skills – reduced labor, faster learning curve
  – Cost – lower Total Cost of Ownership, Cost of Acquisition, Cost of Upgrade
• Integrating Systems of Engagement, Record and Insight can solve problems not possible before
  – Fraud prevention, location aware marketing, new channels
  – Share data – improves Privacy Policy, reduces costs
Security is one of the Strategic Foundations of System z
• Integrated security that spans from hardware, firmware, hypervisors and System z operating systems to network, middleware and applications
• Hardware and firmware assists enhance security Quality of Service
• System z security is integrated at all “levels” of the platform
• From a strategic view, multiple security strategies converge to create a unified view of security on System z
[Diagram: System z Leadership Delivery Capability. Strategic Foundations: Consumability, RAS, Continuous Availability, Security, Performance Management, Storage Management. Client segments: Data & Transaction Serving (high transaction rates, high Quality of Service, peak workloads, resiliency and security); Data Analytics (compute or I/O intensive, high memory bandwidth, floating point, scale out capable); Business Apps (scale, high Quality of Service, large memory footprint, responsive infrastructure); Virtualization (highly threaded, throughput-oriented, scale out capable, lower Quality of Service). Mid Range, High End, New Accounts; Cloud Computing, Industry Frameworks; Linux & z/VM, z/OS, z/VSE, z/TPF.]
Security challenges are impacting innovation
• External threats – Cyber attacks, Organized crime, Corporate espionage, State-sponsored attacks: sharp rise in external attacks from non-traditional sources
• Internal threats – Administrative mistakes, Careless inside behavior, Internal breaches, Disgruntled employee actions: ongoing risk of careless and malicious insider behavior
• Compliance – National regulations, Industry standards, Local mandates: growing need to address an increasing number of mandates
• Impacting innovation – Cloud Computing, Mobile Computing, Social Business, Business Analytics
Security is not all about technology (it's really about people and processes)
The Trust model requires Hybrid solutions
• Who initiates a transaction and where has changed.
  – Employee, Agent, Consumer, Device, ??
• User Authentication must combat fraud
  – Userid/Password, Card Swipe, Chip/PIN, Two Factor Authentication with inanimate object
  – Multi Factor Authentication using biometrics and other Insight
• Authentication call out from System of Record
  – Engagement: Point of Sale/ATM/VPN/Desktop/Mobile
  – Record: Calls out to MFA service for authentication
  – Insight: Is object/phone cloned? Is this really that person?
  – Future: card-less and password-less ATM’s and Point of Sale
Consistency of Authentication across Engagement systems is critical to driving end to end security
Trust model must be consistent across All Systems
Suppose a business adopts a new policy:
• Multi Factor Authentication for mobile and/or desktop
  – Sign on to PC / Mobile / VPN requires call out to MFA
  – That user then goes to web page with malware
• A key logger gets installed prior to any “detection”
  – User signs on to “System of Record” with userid/password
• Those credentials are now stolen by key logger
• An insider theft occurs via unlocked device while user is out
What prevents the thief from signing on to the System of Record?
• Better policy: Replace Userid/PW with MFA
  – Sign on to PC / Mobile / VPN requires call out to MFA
  – Subsequent human sign on to System of Record requires call out to MFA
  – Screen saver time out requires call out to MFA
  – New Insight: Cross system audit log showing user sign on behaviors
Consistency of Authentication across All systems is critical to driving end to end security
Data Privacy Policy must be consistent across Systems
• Data resides in many places
  – Systems of Record
    • Transactional systems (memory, disk – local and network)
    • Backups (tape, optical, disk, network)
    • Cluster and DR copies
    • Read only copies
    • Test and Development
  – Systems of Insight and Engagement
    • Physically on system or on Mobile or Laptop device (e.g. spreadsheet)
• Authentication, Access Control, Confidentiality and Audit should be consistent wherever it occurs
  – Physical security is not sufficient
  – Reduce the number of copies by sharing across applications/systems
• New Insight: logs identify how/when/where/who referenced data. Anomalies?
  – Leverage data masking tools to anonymize data for test & development
Consistency of Privacy Policy across systems is critical to driving end to end security
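The two preceding slides both end on the same operational idea: a cross-system audit log that shows who signed on where, so that a System of Record sign-on that was never backed by an MFA call-out (the key-logger and unlocked-device scenarios) stands out. The following is an added example, not code from the deck or from IBM, Vicom or Raytheon; it correlates constructed log lines from an assumed MFA service, a System of Record and the endpoint screen saver, with the event names, field layout and the ten-minute freshness window all being assumptions for illustration.

```python
"""Cross-system sign-on correlation (added example, not from the deck).

Constructed events from three sources: an MFA service (PC / Mobile / VPN
sign-on), the System of Record (SoR) sign-on log and the endpoint screen
saver. Policy under test: every human sign-on to the SoR must be backed by a
fresh MFA result for the same user on the same device, and a screen lock
invalidates the earlier MFA result (the slide's "screen saver time out
requires call out to MFA").
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    system: str   # "mfa", "sor" (system of record) or "endpoint"
    action: str   # "mfa_ok", "sor_logon" or "screen_lock"
    user: str
    device: str   # device name or source address the event arrived from


# Constructed sample log lines (format invented for this example).
SAMPLE_LOG = """\
2015-10-20T08:00:05 mfa mfa_ok alice PC-0417
2015-10-20T08:00:40 sor sor_logon alice PC-0417
2015-10-20T08:30:00 endpoint screen_lock alice PC-0417
2015-10-20T08:31:10 sor sor_logon alice PC-0417
2015-10-20T09:15:00 sor sor_logon bob PC-0231
2015-10-20T09:20:00 mfa mfa_ok carol MOBILE-77
2015-10-20T09:21:00 sor sor_logon carol 10.9.8.7
"""


def parse(text):
    """Parse the constructed lines into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        ts, system, action, user, device = line.split()
        events.append(Event(datetime.fromisoformat(ts), system, action, user, device))
    return sorted(events, key=lambda e: e.ts)


def find_unbacked_logons(events, window=timedelta(minutes=10)):
    """Return (event, reason) pairs for SoR sign-ons not backed by fresh MFA.

    A backing MFA result must be for the same (user, device), no older than
    `window`, and not followed by a screen lock on that device.
    """
    last_mfa = {}   # (user, device) -> timestamp of the last mfa_ok
    findings = []
    for e in events:
        if e.action == "mfa_ok":
            last_mfa[(e.user, e.device)] = e.ts
        elif e.action == "screen_lock":
            last_mfa.pop((e.user, e.device), None)   # lock invalidates prior MFA
        elif e.action == "sor_logon":
            t = last_mfa.get((e.user, e.device))
            if t is None:
                # Distinguish "MFA done on another device" (credential reuse
                # from somewhere else) from "no MFA call-out at all".
                others = [d for (u, d) in last_mfa if u == e.user]
                reason = ("MFA seen only on %s" % ",".join(others)
                          if others else "no MFA call-out")
                findings.append((e, reason))
            elif e.ts - t > window:
                findings.append((e, "MFA older than window"))
    return findings


if __name__ == "__main__":
    for ev, why in find_unbacked_logons(parse(SAMPLE_LOG)):
        print("%s %s from %s: %s" % (ev.ts.isoformat(), ev.user, ev.device, why))
```

Running it flags three of the five System of Record sign-ons: alice's second sign-on after the screen lock (the unlocked-device case), bob's sign-on with no MFA at all, and carol's sign-on from an address other than the phone that passed MFA (the stolen-credential case). The first sign-on by alice, made within the window on the same device as her MFA result, is accepted.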
When Sharing Data, consider compartmentalization
• Sharing data has operational and cost benefits
  – Backup/Archive, Business Resilience, Policy Management
• However, it increases the # of access channels (engagements), which increases risk
• Compartmentalization, also known as Multi Level Security (MLS), infers there is a need to know certain information
  – It can apply to columns or rows within a database
  – Separate users get different results from the same query if data is properly labeled
  – One means to simplify sharing of data at an ISP when hosting for cloud access
  – Userid, network address, application id and other factors can be leveraged as Insight prior to providing access to data
• Leveraging MLS capable architectures across systems can improve end to end security
Example of Compartmentalized Data Sharing
[Diagram: a Manufacturing System with a single DB of Supplier Data accessed by Supplier 1, Supplier 2 and Supplier 3. Original View: all suppliers see all info. Multi Layered Security View: suppliers only see their data. Unique IP address + Userid used for Insight.]
REQUIREMENT: Data shared between people/organizations with different "need to know". This can include a Cloud deployment.
Original View:
• Suppliers could see each other’s data
  – They could collude and cheat the manufacturer on price
  – Or lower their prices to compete against each other
Implementing Labeled Security:
• Additional security information gathered from suppliers during sign on
• Result: suppliers can only see their data
• Manufacturing employees see all data
• No applications were changed
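The supplier scenario is easier to reason about with the label mechanics written out. The following is an added example, not code from the deck or from any IBM, Vicom or Raytheon product: it models row labels as a classification level plus a set of compartments, assigns each session a label at sign-on from the userid and the network it arrived from (the "Unique IP @ + Userid" Insight in the diagram), and applies one unchanged query for every user. The table contents, userids, address ranges and label names are all constructed for illustration.

```python
"""Row-level compartmentalization (added example, not from the deck).

One shared table holds every supplier's rows, each carrying a security
label. A session gets its label at sign-on; the query itself never changes
(the slide's "no applications were changed"), only the rows that pass the
label dominance check differ between users.
"""
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Read allowed if level is at least as high and compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Row:
    supplier: str
    part: str
    price: float
    label: Label


# Constructed shared table: all suppliers' rows live in one place.
SUPPLIER_DATA = [
    Row("Supplier 1", "bracket", 4.10, Label("confidential", frozenset({"S1"}))),
    Row("Supplier 2", "bracket", 3.95, Label("confidential", frozenset({"S2"}))),
    Row("Supplier 3", "bracket", 4.40, Label("confidential", frozenset({"S3"}))),
    Row("Supplier 2", "hinge",   1.20, Label("confidential", frozenset({"S2"}))),
    Row("(catalog)",  "bracket", 0.00, Label("public")),
]

# Constructed sign-on directory: userid -> (expected source network prefix, clearance).
DIRECTORY = {
    "s1buyer":    ("203.0.113.",  Label("confidential", frozenset({"S1"}))),
    "s2buyer":    ("198.51.100.", Label("confidential", frozenset({"S2"}))),
    "mfgplanner": ("10.0.",       Label("confidential", frozenset({"S1", "S2", "S3"}))),
}


def sign_on(userid, source_ip):
    """Assign a session label only when userid and source network agree.

    An unknown userid, or a known userid arriving from an unexpected network,
    gets no label and therefore no rows.
    """
    entry = DIRECTORY.get(userid)
    if entry is None or not source_ip.startswith(entry[0]):
        return None
    return entry[1]


def query_prices(session_label, part, table=SUPPLIER_DATA):
    """The same query for everyone; rows are filtered by label dominance."""
    if session_label is None:
        return []
    return [(r.supplier, r.price) for r in table
            if r.part == part and session_label.dominates(r.label)]


if __name__ == "__main__":
    for userid, ip in [("s1buyer", "203.0.113.5"), ("s2buyer", "198.51.100.9"),
                       ("mfgplanner", "10.0.0.9"), ("s1buyer", "198.51.100.9")]:
        print(userid, ip, query_prices(sign_on(userid, ip), "bracket"))
```

Each supplier's buyer gets its own bracket price plus the public catalog row, the manufacturing planner (whose clearance holds all three compartments) sees every supplier's price, and a supplier userid arriving from another supplier's network gets nothing at all rather than a partial view.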
Will the End to End solution be protected and resilient?
[Diagram: Transactions, Applications and Data on shared storage behind a Windows VDI layer on Linux on x86, accessed from developer desktops, outsourced or branch office PCs, call centers and remote/laptop users. Theft, loss, virus, Trojan horse and misuse put corporate and agency data at risk. Are you managing end to end?]
• Security is delivered via People, Process and Technology
  – You might have the greatest technology, but
    • Uneducated users and poor processes will get you
    • You are going to be attacked. You may even be breached.
    • You cannot defend against everything.
    • Can you recover? And how quickly?
    • So think about this as insurance and risk mitigation.
“Typical” Layers of a Thin Client PC and Mobile Solution: Virtualizing Desktops with a Server-hosted Architecture
[Diagram: PC centric deployment model, fault & security isolated]
1. Thin Client Front-end – Developer Desktops; Outsourced or Branch Office PCs, Call Centers; Remote / Laptop Users
2. Network – Ethernet / Wireless
3. User Management – Microsoft Active Directory / LDAP (Manages Users)
4. Virtualization Software – Virtual Center (Assigns VMs), Connection Server
5. Data Center Hardware – System x Servers (x3650, x3850, x3755, x3950), BladeCenter Blades (BC or BC-H; HS21, LS21, LS41), IBM System Storage (DS3400/4700), Shared Storage
6. Systems Management
Target Customer: Breaking down organizational barriers
Typical x86 VDI – Desktop to Thin Client (Windows, Linux, VDI mgt; Desktops, Thin Client, mobile; Unix; Mainframe – risk across organizations)
• Reduce deskside support 90%
• Share processing capacity; fewer processors
• Removing Enterprise data from local user device
• Standardize on software and central change management
• But: Device can be lost/stolen/misused; Multiple desktops may be required
Trusted Mobile Value add – Thin Client to Trusted Thin Client
• Military grade security
• Controlling access from the desktop to network resources
• Up to 8:1 desktop consolidation
• Reduces network cabling, electricity, noise
• DVR-like capability to watch for fraud and provide forensics
• But: Many servers may be required; Disaster recovery adds complexity; Inconsistent security across depts
System z Value add – X86 vs Enterprise Server VDI mgt
• Similar to desktop/VDI mgt, plus: Fewer management servers
• Desktops that access mainframe apps and data have direct interconnect
• Reduces intranet bandwidth
• Coordinated DR and security for end to end workloads
• Reduced risk when managed end to end
Typical Industry Use Cases
• Manufacturing – Casual users in manufacturing plants; contact center representatives; travelling salespeople and executives
• Healthcare – Doctors, nurses, administrators; patients in hospitals, assisted living and health centers
• Education – Students, teachers, staff, administrators; K-12, universities, training centers
• Banks – Tellers, supervisors, advisers in the front office, contact center representatives, back-office users
• Retail – Store workers, contact center representatives, back-office users
• Professional and IT services – Accountants, advisers, law firms, global delivery center employees
• State, Local, Federal Agencies – Leaders, staff, service agents, case workers, analysts
Positioning End User value
End user equipment | Usage Example | Risk mitigation?
Multiple PC’s with separate networks | Trading Floor | Isolating customers from internal network – complex IT
Single PC’s with multiple network cables | Administrator | Isolating customers from internal network – complex IT
Single PC, Internet and intranet | Majority of users | Large risk of malware attacks
VDI with Internet and intranet | Looking to reduce PC IT costs | Large risk of malware attacks
BYOD – PC with Internet | Traveling users and home | Large risk of malware attacks
BYOD – Mobile with Internet | Traveling users and home | Large risk of malware attacks
There is not a “one size fits all” deployment model. Each customer is in a different stage of VDI, BYOD and network deployments.
Network Compartmentalization: separate Intranet from Internet; keep back end systems safe from Internet attacks.
Product & Solution Overview: Trusted Access – Thin Client & Mobile
About Raytheon
Raytheon Cyber Products, a leading provider of commercial-off-the-shelf (COTS) cyber security solutions for government and industry, is a wholly owned subsidiary of Raytheon Company. The company’s broad portfolio of products addresses a variety of cyber challenges that organizations face today including insider threat, secure information sharing, data loss prevention, and data analysis.
With over 20 years of collective experience in delivering the highest caliber security solutions, customers trust Raytheon Cyber Products to deliver solutions that are innovative, flexible, and scalable, meeting their security needs today and in the future.
Trusted Access: Thin Client
Trusted Thin Client provides users with secure simultaneous access to information on any number of networks from a single endpoint. Designed for enterprise deployments, Trusted Thin Client provides administrators with centralized management and monitoring, scalability to easily add networks and clients, and the flexibility to enable users in offices, in-theater, and in the field.
An independent Trusted Thin Client study conducted on an intelligence agency customer demonstrated a 54% return on investment over a 6.2 month payback period by significantly reducing hardware, infrastructure, support costs and power usage.
• Hardware and virtual desktop agnostic, supports numerous peripherals
• Reduces desktop hardware and allows for space reclamation
• Reduces infrastructure for cabling and cooling
• Streamlines administration while increasing enterprise data security
• Protection Level 4 (PL4), Commercial-Off-The-Shelf (COTS) solution
• Accredited by authorities in the United States and 5-Eyes nations
Trusted Access: Mobile
Trusted Access: Mobile provides the highest level of security available today for access to sensitive data from mobile devices. The use of mobile app virtualization and secure redisplay technologies protects data at the source.
Trusted Access: Mobile eliminates the attack vectors associated with having sensitive data and mission-specific mobile apps resident on the device.
Nested Suite B tunnels are implemented to protect redisplay traffic between the remote mobile device and the Virtual Mobile Infrastructure (VMI).
• For users requiring secure access to sensitive data from a mobile device (smartphone or tablet)
• Reduced risk of data loss or leakage as no data is resident on the device
• Ensures that mission-sensitive data never crosses the enclave boundary
• Redisplayed mobile apps are isolated from attacks against the physical mobile device
Trusted Access: Thin Client & Mobile Solution – Simplification of Networking and Collaboration
[Diagram: the same layered architecture as the thin client solution, fault & security isolated. 1. Trusted Thin Client Front-end (Developer Desktops; Outsourced or Branch Office PCs, Call Centers; Remote / Laptop Users); 2. Network (Secure Connection Server, Ethernet / Wireless); 3. User Management (Microsoft Active Directory / LDAP, manages users); 4. Virtualization Software (Virtual Center, assigns VMs); 5. Datacenter Hardware (X86 Servers: x3650, x3850, x3755, x3950; BC or BC-H; HS21, LS21, LS41; DS3400/4700; Shared Storage); 6. Systems Management; 8. Multiple Secure Networks.]
Trusted Mobile Desktop Infrastructure Secure Hosts: Simplifying Security and Resilience
[Diagram: Applications and Data on IBM System z, fault & security isolated. 1. Trusted Access: Thin Client or Mobile Front-end (Developer Desktops; Outsourced or Branch Office PCs, Call Centers; Remote / Laptop Users); 2. Network (Ethernet / Wireless, Distribution Console); 3. User Management; 4. Virtualization Software (z/VM on IBM System z; Windows VDI layer on Linux on x86 server, redisplayed via SPICE, RDP or Nx); 5. Data Center Hardware (IBM zEnterprise Servers, IBM System Storage, x86 server, Shared Storage); 6. Systems Management (Server Mgt Server, Security Server); 7. Fraud Analytics (Fraud Analytics Server on Linux on System z); 8. Multiple Secure Networks; 9. Virtual Tape Server. Unique to STASH.]
Myths – try not to propagate them
• The mainframe has never been hacked
  – Not true. There has been a case where a poorly managed IT infrastructure was deployed that didn’t keep software up to date for known system integrity issues and an outsider got in.
  – There are also cases where insiders have sabotaged the system. Is that a hack? Depends on the definition.
    • Could it have been prevented? Probably, with some additional analytics deployed.
  – There have been several cases where PC’s and mobile devices have been compromised.
    • From those devices, sign on to the mainframe was done and trusted.
    • That might not be a hack either, but results in data theft.
    • It can also be prevented.
Collaboration of IT operations across systems is critical to driving end to end security
Myths – try not to propagate them
• Everything can be consolidated to run on System z
  – Not true: No Mobile or Desktop Systems run on the mainframe
  – The terms Consolidation and Centralization need to evolve:
    • Mainframe “advocates” would use them to direct physical consolidation of other architectures onto System z
      – In some camps, this makes mainframe IT orgs the “enemy” of distributed organizations
    • Instead, the term should apply to Operations.
      – A sharing of policies and IT resources for end to end solution value
      – Leverage the best of each server technology
      – The Integration of Systems of Engagement, Record and Insight
Collaboration of IT operations across systems is critical
Irrelevant facts – not myths, but not always helpful
• The mainframe is 99.999% available and fault tolerant/fault avoidant. The z = zero down time
  – That’s true. However, if the web app front end, mobile, desktop or network are down and the mainframe can’t be accessed, it doesn’t matter.
  – As a result, availability of “solutions” should be measured and managed end to end. A business should deploy across IT architecture that will minimize down time and costs.
  – Collaboration of IT operations across systems is critical to driving end to end availability
Irrelevant facts – not myths, but not always helpful
• The mainframe is hacker resistant with security built in.
  – That’s true. However, security is about People, Process and Technology. The best technology can easily be circumvented by poor processes, human error and insider theft.
  – Security is also only as good as the weakest link. The weakest link is typically the end user device, which is usually a PC or mobile device.
    • If that device is insecure or compromised, then all systems that the device accesses can be compromised as well.
  – Collaboration of IT operations across systems is critical to driving end to end security
For more information or to engage a customer
• Jim Porell
  – Consultant to IBM Premier Business Partner: Vicom Infinity
    • Can speak to any customer without existing BP relationship
    • [email protected]
  – Principal – James Porell Consulting LLC
    • Can speak to any customer with a BP relationship once details are worked out
    • [email protected]
  – Cell: +1-914-474-1864
  – Website with blog entries and more on these topics: www.jimporell.com
For more information
Len Santalucia, CTO & Business Development Manager
Vicom Infinity, Inc.
One Penn Plaza – Suite 2010
New York, NY 10119
804-918-3728 office
917-856-4493
[email protected]
About Vicom Infinity
• Account Presence Since Late 1990’s
• IBM Premier Business Partner
• Reseller of IBM Hardware, Software, and Maintenance
• Vendor Source for the Last 10 Generations of Mainframes/IBM Storage
• Professional and IT Architectural Services
• Vicom Family of Companies Also Offer Leasing & Financing, Computer Services, and IT Staffing & IT Project Management