TRANSCRIPT
Locating Unmanaged but Regulated Data on z Systems: CA Data Content Discovery
Mary Ann Furno, Director, Software Engineering, CA Technologies
Mainframe
Session # MFX25S
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA's general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA's sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Abstract
CA Data Content Discovery helps you identify data exposure risks on z Systems by scanning through the mainframe data infrastructure. By discovering where the data is located, classifying the data to determine sensitivity level, and providing comprehensive reporting on the scan results, data can be adequately protected and exposure risks can be mitigated.
Mary Ann Furno, Director, Software Engineering, CA Technologies
Agenda
1 CISOs, Regulated Data, and the Mainframe
2 Sensitive Data Defined
3 Data Content Discovery on the Mainframe
4 Data Content Discovery Roadmap
CISOs, Regulated Data, and the Mainframe
The Current State
MYTH
  The Mainframe has never been hacked!
  Mainframe data stays on the mainframe; so it is safe!
  Mainframe is well understood and covered under three lines of risk control – Operational, Compliance and Internal audit
REALITY
  Data is fluid in today's world: data analytics; cloud
  Marriage of MF data and non MF data
  Consider: social engineering hacks; human error as MF experts retire
  The mainframe being viewed as a black box breeds complacency – compounding the risk
71% of the world's mission critical data is on the mainframe
The mainframe acts as the enterprise IT server and has more entry and exit vectors.
We must protect the mainframe and all business critical data as the strategic assets that they are, plus ensure easily confirmed regulatory compliance.
Years in the making…
Source: Rehabilitating the Perception of Mainframes, Enterprise Systems Media, 22 July 2015
What We Hear From Clients
Regulated data has to be protected, regardless of what type of server it sits on or how it got there. That includes the mainframe, and existing controls may not cover all of it.
We know where our sensitive, regulated data is…. It’s in our data center.
Audit
MF Security analyst
CISO
The mainframe is now just another always-on server connected to all the others in our TCP/IP network. I’m not sure all the data hosted there is being managed to policy…
We know the mainframe is no longer isolated from other servers in the network. We don’t know how much unmanaged regulated data now resides there…
With the addition of TCP/IP via USS, mainframe data is fluid – we don’t know what we don’t know about what’s being stored there….
MF Security Director
I need to exploit data’s full value proposition for my organization while controlling the risk.
Chief Data Officer
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
The Impact of Data Theft
Health Insurance
Announced: March 2015
Records stolen: 11M
Cost: To be determined. Facing a class action lawsuit as well as potential regulatory violation fines.
Retail
Announced: September 2014
Records stolen: 56M
Cost: $43M and counting. Estimates put this as high as $10B (includes all remediation costs borne by the company and consumers)
Health Systems
Announced: August 2014
Records stolen: 4.5M
Cost: $75M – $150M
eCommerce
Announced: May 2014
Records stolen: 233M
Cost: $200M and counting.
Retail
Announced: December 2013
Records stolen: 70M
Cost: $162M and counting. Recent estimates put this at well over $1B.
Government
Announced: May 2015
Records stolen: 22M
Cost: To be determined. Likely facing a class action lawsuit as well as others.
Sensitive Data Defined
PCI DSS Data
Administered by one body: Payment Security Council
Account Data
  Cardholder Data: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code
  Sensitive Authentication Data: Magnetic stripe data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks
Personally Identifiable Information – PII
PII Attributes
  Full Name
  Date of birth
  Home Address
  Email address
  National Identification Number
  Passport number
  Driver's License Number
  Vehicle registration
  Birthplace
  Genetic information
  Telephone number
  Login name, screen name, nickname, handle
  Face, fingerprints, handwriting
  IP Address
  Credit Card Numbers
  Digital identity
  First Name
  Last Name
  Country, state, postcode, city
  Age
  Gender
  Race
  Schools attended
  Criminal record
Legislated by a large & growing number of governmental entities
  Multi-national: EU Data Protection Directive
  National: Gramm-Leach-Bliley Banking Modernization Act, Canada Privacy Act
  Local: California SB 1386, Nevada Statute 603A, Massachusetts 201 CMR 17.00
Protected Health Information - PHI
PHI Attributes
  Full Name
  Geographic subdivision
  Data elements
  Telephone number
  Fax number
  Electronic mail address
  SSN
  Medical record number
  Health Plan beneficiary number
  Account number
  Certificate/license number
  Vehicle ID/Serial number/license plate number
  Device identifier/serial number
  Biometric identifier
  Full face photograph or image
  Other unique identifying element
Initially only US, now spreading internationally
Legislated by a large & growing number of governmental entities
  Multi-national: TBD
  National: US HIPAA / HITECH Acts
  Local: TBD
Data Content Discovery on the Mainframe
Why is locating data on a mainframe a problem?
CHALLENGES
  Report writers extract production data, and the extracted data then lives in sequential files or the JES spool
  Copies of sensitive production data exist
  Files with possibly sensitive data are accidentally sent to outside parties without validation of their content
  Once data is extracted, the target destination doesn't match the security characteristics of the source DB
REALITY
  Existing mainframe content discovery tools migrate data off the mainframe to PCs or other devices in order to scan it
RESULT
  Organizations are neither prepared for, nor confident in, an audit!
CA Data Content Discovery
FIND
  Set up the scan
  Initiate the scan
  Provide discovered results to Security Administrator
CLASSIFY
  Review compliance results and label sensitive data
  Provide compliance report to Internal Auditor
PROTECT
  Modify access based on scan results
  Confirm successful audit against industry regulations
Roles involved: Security Operations, Internal Auditor, Security Administrator
Find It: Define Scope
Classify it
Classify It: PCI Data
Account Data
  Cardholder Data: Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code
  Sensitive Authentication Data: Magnetic stripe data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks
Classify It: PII Data
PII Attributes (Quick Picks)
  Full Name
  Date of birth
  Home Address
  Email address
  National Identification Number
  Passport number
  Driver's License Number
  Vehicle registration
  Birthplace
  Genetic information
  Telephone number
  Login name, screen name, nickname, handle
  Face, fingerprints, handwriting
  IP Address
  Credit Card Numbers
  Digital identity
  First Name
  Last Name
  Country, state, postcode, city
  Age
  Gender
  Race
  Schools attended
  Criminal record
Custom Classifier
Classify It: PHI Data
PHI Attributes (Quick Picks)
  Full Name
  Geographic subdivision
  Data elements
  Telephone number
  Fax number
  Electronic mail address
  SSN
  Medical record number
  Health Plan beneficiary number
  Account number
  Certificate/license number
  Vehicle ID/Serial number/license plate number
  Device identifier/serial number
  Biometric identifier
  Full face photograph or image
  Other unique identifying element
Custom Classifier
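The FIND / CLASSIFY / PROTECT workflow and the PCI, PII and PHI quick picks above describe content discovery in the abstract. The following is an added example, written for this transcript and not CA Data Content Discovery's own code, of what such a scan has to do on a z/OS extract: read fixed-length EBCDIC records with no line delimiters, run a small classifier catalogue over each record, validate candidate hits (a Luhn check for PANs, issuance rules for SSNs) so that an ordinary 16-digit order number is not reported as cardholder data, label the dataset by the most sensitive category found, and emit a report that masks the matched values. The code page (cp037), the 80-byte record length, the "MRN" medical record number format, the PCI > PHI > PII ranking, the dataset name and the sample records are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Fixed-length, EBCDIC-encoded records as found in z/OS sequential (PS) extracts:
# no line delimiters, every record exactly RECLEN bytes, padded with EBCDIC blanks.
RECLEN = 80
CODEPAGE = "cp037"  # assumption: US EBCDIC; other sites use other code pages


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(s: str) -> bool:
    """Exclude area/group/serial values that are never issued (000, 666, 9xx / 00 / 0000)."""
    area, group, serial = s.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


# Classifier catalogue: label -> (pattern, validator). The MRN format is an assumption
# (a site-specific "MRN" prefix plus 6-10 digits); PAN, SSN and e-mail patterns are generic.
CLASSIFIERS = {
    "PCI:PAN":   (re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
                  lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "PII:SSN":   (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), ssn_plausible),
    "PII:EMAIL": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), lambda m: True),
    "PHI:MRN":   (re.compile(r"\bMRN[ :#]?\d{6,10}\b"), lambda m: True),
}
# Dataset sensitivity is the highest category found; the ranking is an assumption.
SENSITIVITY_RANK = ("PCI", "PHI", "PII")


@dataclass
class Finding:
    dataset: str
    record: int      # 1-based record number inside the dataset
    label: str
    masked: str      # only the last four characters survive into the report


def mask(value: str) -> str:
    """Keep the report itself from becoming another copy of the sensitive value."""
    return "*" * (len(value) - 4) + value[-4:]


def build_dataset(records):
    """Encode text records into one EBCDIC fixed-length blob (constructed sample input)."""
    for r in records:
        assert len(r) <= RECLEN, "record would overflow its fixed-length slot"
    return b"".join(r.ljust(RECLEN).encode(CODEPAGE) for r in records)


def scan_dataset(name: str, data: bytes, reclen: int = RECLEN):
    """FIND: walk the records, run every classifier, keep only validated matches."""
    findings = []
    for offset in range(0, len(data), reclen):
        text = data[offset:offset + reclen].decode(CODEPAGE).rstrip()
        for label, (pattern, accept) in CLASSIFIERS.items():
            for m in pattern.finditer(text):
                if accept(m.group(0)):
                    findings.append(Finding(name, offset // reclen + 1, label, mask(m.group(0))))
    return findings


def classify_dataset(findings) -> str:
    """CLASSIFY: label the whole dataset by the most sensitive category it contains."""
    categories = {f.label.split(":")[0] for f in findings}
    for cat in SENSITIVITY_RANK:
        if cat in categories:
            return cat
    return "NONE"


def summarize(findings):
    """Counts per dataset and label: the shape a compliance report or access review starts from."""
    report = {}
    for f in findings:
        per_dataset = report.setdefault(f.dataset, {})
        per_dataset[f.label] = per_dataset.get(f.label, 0) + 1
    return report


# Constructed sample: a report-writer extract that carries regulated fields next to ordinary data.
SAMPLE_RECORDS = [
    "CUST00001 JANE DOE              jane.doe@example.com",
    "PAN 4111-1111-1111-1111 EXP 12/27 CARDHOLDER J DOE",
    "ORDER 1234567812345678 QTY 3",            # 16 digits but fails Luhn: not a PAN
    "SSN 078-05-1120 DOB 1936-07-14",
    "SSN 000-12-3456 PLACEHOLDER",             # invalid area number: not an SSN
    "MRN 00442187 ADMIT 2015-11-18 WARD 4B",
]


def run_sample():
    data = build_dataset(SAMPLE_RECORDS)
    findings = scan_dataset("PROD.EXTRACT.CUSTOMER", data)   # constructed dataset name
    return findings, classify_dataset(findings), summarize(findings)


if __name__ == "__main__":
    findings, sensitivity, report = run_sample()
    for f in findings:
        print(f"{f.dataset} rec {f.record:>3} {f.label:<10} {f.masked}")
    print("dataset sensitivity:", sensitivity, report)
```

The validators are what separate discovery from noise: without the Luhn check the order number in record 3 would be reported as cardholder data, and without the issuance rules the placeholder SSN in record 5 would raise a PII finding. The PROTECT step, an access review of the dataset against the security product (RACF, CA Top Secret or CA ACF2 on the slides), starts from the summary this code produces; it is not performed here.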
Protect It: Who Has Access to the Sensitive Data?
CA Data Content Discovery Promise
FIND IT: for CISO, MF Security Director
CLASSIFY IT: for CISO, Internal Audit, Risk Officer
PROTECT IT: for MF Security analysts, MF Data analyst
  The first data-pattern scanning capability uniquely natively on mainframe in the market
  Simple and modern GUI along with flexible scheduling, designed for both z and non-IBM z personnel
  Eliminate risky offloading – with data security right on the mainframe
  Only data security product currently on the market for mainframe to use specialty engines to reduce upgrade costs
  Gain quick and critical insight about the potential and magnitude of data exposure on the mainframe
  Prove to auditors that controls are checked by data types to satisfy regulations
  Stay in control – eliminate risk while reducing costs of data protection processes
Product / Technology Architecture
[Architecture diagram] Components shown: Web GUI (Control Scans, Reporting, Execution Policy); Classification Engine; z/OS Data Sources (VSAM, DB2, PS, PDS/PDSE, …); API for 3rd party integration; CA Compliance Event Manager; DCD Repository
Description of Technology
Overview of Technology: Data Content Discovery "scans" data, identifying data vulnerabilities and risks to compliance
Lands Lightly: Product has no other CA product dependencies or other prerequisites, installs in <1 day
Data Content Discovery – A critical part of CA's Security and Compliance Solution
[Solution diagram] Capabilities: Secure mainframe assets; Capture events affecting compliance and policy; Discover sensitive data; Extend compliance event data to analytics solutions; Enable secure data in motion across the enterprise
Products shown: CA Data Content Discovery; CA Compliance Event Manager; CA Auditor; CA Cleanup; CA Data Protection; CA Top Secret; CA ACF2; IBM RACF; 3rd party DLP Solution; Big Data Analytics Solutions; In Ideation: Mainframe Advanced Authentication
Roles shown: Security Administrator; Big Data Analyst; Auditor
Legend: Planned / Available / Non-CA Product
Summary: A Few Words to Review
Results
  There is stray, unmanaged, unprotected data on your mainframe – regulated, sensitive data that will damage the enterprise if compromised
  Find it, classify it, protect it with DCD
Recommended Sessions
SESSION # | TITLE | DATE/TIME
Tech Talk | Isn't one authentication mechanism on z Systems™ enough? | 11/18 – 4:30pm, Mainframe Content Center
Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm, Mainframe Theater
Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm, Mainframe Content Center
MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm, Breakers I
MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm, Breakers I
Follow Conversations in the Mainframe Content Center
CA Data Content Discovery
CA ACF2™ for z/OS, CA Top Secret® for z/OS, CA Cleanup, CA Auditor
Advanced Authentication: Nov 18th @ 4:30pm
The Known Unknown: Nov 19th @ 12:15pm
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15