z Systems Security Update
TRANSCRIPT
IBM Systems | Future Made
Esra Ufacik
z Systems Lead Architect - IBM Systems, Asia Pacific
As clients embrace hybrid cloud, a new threat landscape emerges
• As organizations open their systems to more digital channels, they also are exposing vulnerabilities to cyber attacks.
• Cyber threats and attacks will continue to rise with the shift to the cloud:
  • Businesses today face an average of 81 million security incidents annually, according to IBM Security.
  • The incidents and threats are escalating as companies increase access and interactions to their network through the cloud.
  • Companies must have the agility to rapidly deploy new services and interact with customers via the cloud while ensuring critical data is protected.
. . . and traditional security practices are insufficient
• 44% of security leaders expect a major cloud provider to suffer a significant security breach in the future (Source: November 2014, "Security for the Cloud and on the Cloud", SecurityIntelligence.com)
• 33% of organizations don't test their mobile apps
• 83% of enterprises have difficulty finding the security skills they need (Source: Enterprise Information Security in Transition, 2012 ESG Technology Brief)
• 85 security tools from 45 vendors (Source: IBM Client Example)
z Systems: The Most Securable Commercial Server Available
IBM has been providing Security & Encryption Solutions for over 30 years…
A History of Enterprise Security
• RACF: controls access to resources and applications: 1976
• Hardware Cryptography: 1977
• Key management built into operating system (ICSF): 1991
• Distributed Key Management System (DKMS): 1990's
• Intrusion Detection Services (IDS): 2001
• z/OS PKI Services: create digital certificates & act as Certificate Authority (CA): 2002
• Multilevel Security (MLS): 2004
• Encryption Facility for z/OS: 2005
• TS1120 Encrypting Tape Drive: 2006
• LTO4 Encrypting Tape Drive: 2007
• License ECC Technology from Certicom: 2008
• Tivoli Encryption Key Lifecycle Manager: 2009
• Self-Encrypting Disk Drives, DS8000: 2009
• System z10 CPACF Protected Key Support: 2009
• Crypto Express3 Crypto Coprocessor: 2009
• z Systems z196 with additional CPACF encryption modes: 2010
• z Systems zEC12 with Public Key Cryptography Standards – Enterprise PKCS#11: 2012
Where Cryptography and Security Meet – Related disciplines
• Security fundamentals
  • Identification & Authentication – know and prove user or process identity
  • Authorization – user or process has the authority to perform a given action
  • Administration – managing the relationships of users or processes to protected resources
  • Auditing – recording security relevant events; validating security policies are being enforced
• Central security process that is easy to apply to new workloads or as user base increases
  • Can help reduce security complexity and expense
  • Tracks activity to address audit and compliance requirements
• Synergy between Cryptography and Security functions
  • Cryptography provides the primitives to support security functions
  • Similarly, security functions help to ensure authorized use of key material and cryptographic functions
• Built on a platform with Integrity
  • Intended to prevent unauthorized users, applications & subsystems from bypassing system security mechanisms
[Diagram: security layers – Hardware, Architecture, z/OS, Networks, Data & Applications, Administration, Security Product (RACF)]
Fortified defenses for cyber security
Leveraging z Systems cryptographic capability can help reduce risk and enhance the security of workloads
• Save space with new Rack mounted Trusted Key Entry (TKE)
• Next gen multi-factor authentication in z/OS 2.1 leverages mobile devices to help detect attacks and abuse of z Systems resources
• Supports the use of cryptography algorithms and equipment from selected providers in conjunction with z Systems in specific countries* (Regional Crypto Enablement)
• Secure console connectivity – protect sensitive data by using Transport Layer Security support in the OSA-Integrated Console Controller (OSA-ICC)
• Securely transfer more data across the internet
• Extend enhanced public key support for constrained digital environments using hardware accelerated ECC
• Avoid reformatting of databases with new exploitation of VISA format preserving encryption (VFPE) for payment processing
* Fulfillment of statement of direction
Legend: an icon on the original slide marks items available on Linux on z; green text indicates capabilities also new for the z13 with firmware 27
Multiple layers of proven security – from infrastructure to endpoint
• Privileged Identity Management: Govern, protect, and audit users with elevated privileges to prevent unauthorized access to sensitive data by rogue insiders or external attackers using compromised administrator credentials
  – IBM Multi-Factor Authentication for z/OS
  – IBM Security Identity Governance and Intelligence
  – IBM RACF
• Sensitive Data Protection: Defend and protect critical assets with unrivaled encryption and intelligent data monitoring – all without compromising transactional throughput or response time
  – IBM z Systems Integrated Cryptographic Hardware
  – IBM Security Guardium
  – IBM Security Key Lifecycle Manager
• Integrated Security Intelligence: Correlate huge amounts of security data to uncover patterns of unusual activity, use real-time alerts to immediately focus on critical security threats that matter the most to the business
  – IBM z Systems Cyber Security Analytics Services Beta
  – IBM Security zSecure
  – IBM Security QRadar
Privileged Identity Management
Govern, protect, and audit users with elevated privileges to prevent unauthorized access to sensitive data by rogue insiders or external attackers using compromised administrator credentials
IBM Security Identity Governance and Intelligence
Delivering actionable identity intelligence
§ Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
§ Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
§ Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
§ In-depth SAP and RACF Governance with Segregation of Duties (SoD), access risk and fine-grained entitlements reviews
§ Easy to deploy virtual appliances for multiple customer adoptions
  – Standalone Identity Governance
  – Integrate and modernize legacy Identity management with integrated governance and administration
[Diagram: Identity Governance and Administration Platform virtual appliance with Common Integration Adapters; users – IT Security Team, Auditors / Risk Managers, LoB Managers / Employees; targets – Cloud Computing, Mobile Applications, Desktop and Server, Data, Mainframe; functions – Access Fulfillment Self Service Portal, Risk/Access Visibility, Access Certification]
Multi-factor Authentication
§ Multi-factor Authentication on z/OS provides a way to raise the assurance level of OS and applications / hosting environments by extending RACF to authenticate users with multiple authentication factors.
§ Authentication Factors:
  - Something you know
    • A password / PIN Code
  - Something you have
    • ID badge or a cryptographic key
  - Something you are
    • Fingerprint or other biometric data
§ Today on z/OS, users can authenticate with:
  § Passwords, Password phrases, PassTickets, Digital Certificates, or via Kerberos
§ Today's problem:
  § 2014 Verizon Data Breach Investigations Report said 2 out of 3 breaches involved attackers using stolen or misused credentials.
  § In the case of an attempted breach using compromised credentials, the extra protection that MFA provides can make the difference between having a secured vs. compromised system.
  § Breaches impact clients financially, their customers, and their reputations
IBM Multi-Factor Authentication for z/OS
Higher assurance authentication for IBM z/OS systems that use RACF
Fast, flexible, deeply integrated, easy to deploy, easy to manage, and easy to use.
Achieve regulatory compliance, reduce risk to critical applications and data
Architecture supports multiple third-party authentication systems at the same time
• IBM Multi-Factor Authentication on z/OS provides a way to raise the assurance level of OS and applications / hosting environments by extending RACF to authenticate individual users:
• Support for third-party authentication systems
  • RSA® SecurID® Tokens (hardware & software based)
  • Direction to support the IBM TouchToken – Timed One time use Password (TOTP) generator token
  • Direction to support PIV/CAC cards
    • Commonly used to authenticate in the Public Sector enterprises
• Tightly integrated with SAF & RACF
  • RACF provides the configuration point to describe multi-factor authentication requirements down to a per User ID basis
  • Deep RACF integration for configuration and provisioning data stored in RACF database allowing seamless back-up and recovery
Typical Client Use Cases:
• Enable higher-security user logins on IBM z/OS systems that use RACF for security
• Enable strong authentication for employees that carry iOS devices or RSA SecurID tokens
Became generally available March 25, 2016!
RACF & MFA Services and Related Support
§ RACF MFA support introduces extensions to a variety of components of RACF
  − User related commands
    • Allow the provisioning and definition of the acceptable MFA tokens for a user
    • Definition of authentication token types
  − Extensions to SAF programming interfaces
    • Allows supported tokens to be specified during user authentication requests
      › Enables applications that are MFA aware to allow the specification of factors in addition to RACF password/password phrases
  − Auditing extensions
    • Tracks which factors were used during the authentication process for a given user
  − Utilities
    • RACF Database unload – non-sensitive fields added to the RACF database used by MFA processing
    • SMF Unload – unloads additional relocate sections added to SMF records
      › Related to the tokens used on a specific authentication event
§ z/OS MFA Services started task
  − z/OS MFA address space which tracks state for user authentication events
  − Provides an anchor for communications for factors such as RSA SecurID
MFA Components
§ MFA Manager Web Interface
  − WebSphere application or webserver CGI
  − User Interface – supports factors such as smartphone apps and serves webpages for registration – depending on factor type.
§ MFA ISPF panels for management of authentication tokens
§ MFA Manager Services
  − Provides MFA main logic
  − Register MFA Factor Data for a z/OS user
  − Validates a user provided factor against RACF MFA Data
  − Accesses MFA Data via SAF/RACF via callable services
  − Common MFA processing
  − SMF Auditing
§ Translation Layer
  − Allows Java/C language components to invoke RACF callable services
    • "Wraps" SAF/RACF Cache APIs
    • "Wraps" SAF/RACF Data base access APIs
[Diagram: z/OS MFA Manager – MFA Framework with TOTP and RSA PC routines, Translation Layer, SAF/RACF, Web Server and ISPF Panels]
Architectural Overview
[Diagram: Application or Subsystem → SAF → RACF → PC routine → IBM MFA for z/OS (MFA Framework with TOTP and RSA PC routines) → RSA SecurID Server; the RACF DB holds the MFA factor data; the authentication dialogue runs between the application and RACF]
In band with RSA SecurID:
• User logs on with User ID & RSA SecurID Token and PIN
• RACF determines if the user is an MFA user & calls the MFA Services
• MFA Services calls RACF to retrieve user's MFA factor details
• MFA Server validates the user's authentication factors and calls RSA Server
• RACF uses MFA Services RCs to allow or deny the logon
In band with IBM Touch Token (Future Support):
• User logs on with User ID & TouchToken generated on provisioned iOS device
• RACF determines if the user is an MFA user & calls MFA Services
• MFA Server calls RACF to retrieve user's MFA factor details
• MFA Server validates the user's authentication factors, in this case the IBM TouchToken code
• RACF uses MFA Services RCs to allow or deny the logon
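The in-band logon flows above, modelled as a small Python program. This is an added illustration, not IBM's MFA for z/OS code: the security-manager step (is this an MFA user? fetch factor data, call the MFA service, act on its return code) and the audit record of which factors were used are mirrored with constructed names (USERS, MfaServices, logon) and constructed user records. The "something you have" factor is a TOTP generator of the kind the IBM TouchToken direction refers to, implemented from RFC 4226/6238; RSA SecurID is not implemented here.

```python
"""Added example (not IBM's code): RACF-style logon with an optional TOTP
second factor, validated by a stand-in for the z/OS MFA Services task."""
import hashlib
import hmac
import struct
import time

# Constructed user records. In the real product the MFA factor data lives in
# the RACF database and is provisioned with RACF user commands.
USERS = {
    "ALICE": {"password": "s3cret-phrase", "mfa": True,
              "factor": {"type": "TOTP", "secret": b"12345678901234567890",
                         "digits": 6, "step": 30}},
    "BOB": {"password": "pw-only", "mfa": False},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter (what the token generates)."""
    return hotp(secret, at // step, digits)


def verify_totp(factor: dict, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew.
    The comparison is constant-time so the check itself leaks nothing."""
    counter = at // factor["step"]
    for delta in range(-window, window + 1):
        expected = hotp(factor["secret"], counter + delta, factor["digits"])
        if hmac.compare_digest(expected, code):
            return True
    return False


class MfaServices:
    """Stands in for the z/OS MFA Services started task: validates the user's
    factor against the stored factor data and returns a return code."""
    RC_OK, RC_FAIL = 0, 8

    def validate(self, factor: dict, code: str, at: int) -> int:
        if factor["type"] == "TOTP" and verify_totp(factor, code, at):
            return self.RC_OK
        return self.RC_FAIL


def logon(userid: str, password: str, token: str, at: int, audit: list) -> bool:
    """Security-manager decision: password first, then MFA only for MFA users.
    `audit` collects which factors were used, as the SMF extensions record."""
    user = USERS.get(userid.upper())
    if user is None or not hmac.compare_digest(user["password"], password):
        audit.append((userid, "PASSWORD", "FAIL"))
        return False
    factors = ["PASSWORD"]
    if user["mfa"]:
        factors.append(user["factor"]["type"])
        rc = MfaServices().validate(user["factor"], token, at)
        if rc != MfaServices.RC_OK:
            audit.append((userid, "+".join(factors), "FAIL"))
            return False
    audit.append((userid, "+".join(factors), "OK"))
    return True


if __name__ == "__main__":
    log: list = []
    now = int(time.time())
    code = totp(USERS["ALICE"]["factor"]["secret"], now)
    print(logon("ALICE", "s3cret-phrase", code, now, log))      # True
    print(logon("ALICE", "s3cret-phrase", "000000", now, log))  # False
    print(logon("BOB", "pw-only", "", now, log))                # True
    print(log)
```

The one-step skew window and the constant-time comparison are the two details worth keeping in any real validator; a non-MFA user (BOB) still passes on the password alone, which is exactly the per-user-ID policy the RACF configuration point controls.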
Sensitive Data Protection
Defend and protect critical assets with unrivaled encryption and intelligent data monitoring – all without compromising transactional throughput or response time
Overview – HW Crypto support in z Systems (z13)
[Diagram: z13 CPC drawer – each PU (SCM) is capable of having the CPACF function; PCIe I/O drawers holding Crypto Express5S adapters; Trusted Key Entry (TKE) workstation with smart cards and smart card readers]
TKE is required for management of Crypto Express5S in EP11 mode
IBM z Systems Hardware Based Cryptography
Exploited by Java, DB2/IMS encryption tool, DB2® built in encryption, z/OS Communication Server, IPsec/IKE/AT-TLS, z/OS System SSL, z/OS, z/OS Encryption Facility, Linux on z Systems and more…
CP Assist For Cryptographic Functions (CPACF)
− Provides a set of symmetric cryptographic and hashing functions for:
  • Data privacy and confidentiality
  • Data integrity
  • Random number generation
  • Message authentication
− Enhances the encryption/decryption performance of clear-key operations for SSL, VPN, Data storing applications
− Protected key support for additional security of cryptographic key
− Available on every Processor Unit defined as a CP, IFL, zAAP and zIIP
Enhanced performance over zBC12: 2X Encryption, 3.5X Hashing
Crypto Express5S Coprocessor
Hardware protected secure key cryptography
− Secure key transactions to protect your most sensitive information.
− Designed to meet the security requirements of Federal Information Processing Standard (FIPS) 140-2 Level 4 for applications with the most stringent security requirements.
− Hardware optimized for Transport Layer Security (TLS) acceleration and clear key RSA operations allowing savings of CPU by offloading CPU intensive cryptographic algorithms.
− Supports open industry standard cryptography services
− Simplification of porting PKCS#11 applications to z Systems
Performance Results: 2x performance improvement over CEX4
Industry leading FIPS 140-2 Level 4 Certification Design
Rack-Mounted Trusted Key Entry
– Domain Cloning for easier and faster administration of Crypto Adapters
– Enhanced password security for the console and host password protection
– Save/Restore customized data feature
– Launch coordinated master key role directly from the Trusted Key Entry Workstation
z13 CPACF Performance Enhancements
CP Assist for Cryptographic Function Co-processor redesigned from "ground up"
Enhanced performance over zEC12
− Does not include overhead for COP start/end and cache effects
− Enhanced performance for large blocks of data
  • AES: 2x throughput vs. zEC12
  • TDES: 2x throughput vs. zEC12
  • SHA: 3.5x throughput vs. zEC12
Exploiters of the CPACF benefit from the throughput improvements of z13's CPACF such as:
− DB2/IMS encryption tool
− DB2® built in encryption
− z/OS Communication Server: IPsec/IKE/AT-TLS
− z/OS System SSL
− z/OS Network Authentication Service (Kerberos)
− DFDSS Volume encryption
− z/OS Java SDK
− z/OS Encryption Facility
− Linux on z Systems; kernel, openssl, openCryptoki, GSKIT
Crypto Express5S
Three configuration options for the PCIe adapter
§ Only one configuration option can be chosen at any given time
§ All card secrets are erased when switching to or from EP11 Coprocessor mode
§ One PCIe adapter per feature
  − Initial order – two features
§ Designed to be FIPS 140-2 Level 4
§ Installed in the PCIe I/O drawer
§ Up to 16 features per server
§ Prerequisite: CPACF (#3863)
§ Designed for 2X performance increase over Crypto Express4S

Mode       Accelerator                                    CCA Coprocessor               EP11 Coprocessor
Function   Clear Key RSA operations and SSL acceleration  Secure Key crypto operations  Secure Key crypto operations
TKE        N/A                                            OPTIONAL                      REQUIRED
CPACF      NO                                             REQUIRED                      REQUIRED
UDX        N/A                                            YES                           NO
CDU        YES (SEG3)                                     YES (SEG3)                    NO

Business Value
§ High speed advanced cryptography; intelligent encryption of sensitive data that executes off processor saving costs
§ PIN transactions, EMV transactions for integrated circuit based credit cards (chip and pin), and general-purpose cryptographic applications using symmetric key, hashing, and public key algorithms, VISA format preserving encryption (VFPE), and simplification of cryptographic key management.
§ Designed to be FIPS 140-2 Level 4 certification to meet regulations and compliance for PCI standards
CEX5S Cryptographic Units
§ DES/TDES with DES/TDES MAC/CMAC
§ AES, AESKW, AES GMAC, AES GCM, AES XTS mode, CMAC
§ MD5, SHA-1, SHA-2 (224, 256, 384, 512), HMAC
§ VISA Format Preserving Encryption (VFPE)
§ RSA (512, 1024, 2048, 4096)
§ ECDSA (192, 224, 256, 384, 521 Prime/NIST)
§ ECDSA (160, 192, 224, 256, 320, 384, 512 BrainPool)
§ ECDH (192, 224, 256, 384, 521 Prime/NIST)
§ ECDH (160, 192, 224, 256, 320, 384, 512 BrainPool)
§ Montgomery Modular Math Engine
§ RNG (Random Number Generator)
§ PNG (Prime Number Generator)
§ Clear Key Fast Path (Symmetric and Asymmetric)
Performance Improvements (two of the units above are marked "New" on the slide)
CCA Enhancement: >16 Domain Support
Description & Value
z13 has support for up to 85 logical partitions (LPARs) for Enterprise Class machines and 40 LPARs for z13s machines. The z Systems crypto architecture was designed to support 16 domains (which matched the LPAR maximum at the time). In current customer environments where the number of LPARs is larger than 16, crypto workload separation can be complex. These customers have to map a large set of LPARs to a small set of crypto domains.
Details
With the adjunct processor (AP) extended addressing (APXA) facility installed, the z Systems crypto architecture can support up to 256 domains in an AP. So, the Crypto Express cards will be enhanced to handle 256 domains and the z System firmware will expose up to 85 domains for z13, or up to 40 domains for z13s, to customers (to match the current LPAR maximum). Customers will have the flexibility of mapping individual LPARs to unique crypto domains or continuing to share crypto domains across LPARs.
Customers interested in this function
System administrators exploiting Crypto Express cards on z System CPCs with multiple LPARs.
HW/SW requirements
§ Hardware Requirements: z13s or z13 with the following CCA Support on:
  − Crypto Express5S with CCA 5.0 firmware
§ Software Requirements:
  − z/OS V2.1 with the Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77B0)
  − z/OS V1.13 with the Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77B0)
  − Also available with HCR7780, HCR7790, HCR77A0, HCR77A1 (previous WDs with PTFs)
  − z/VM V6.2 and V6.3 with PTFs for guest exploitation
User Defined Extensions (UDX)
§ UDX support available for Crypto Express5S features defined as CCA coprocessors
§ Allows additional functions to the CCA API, which execute inside the secure crypto feature
§ Standard CCA functions plus UDX enhancements available
§ Tied to specific versions of the CCA code and the related host code
§ Must be rebuilt each time these IBM code modules change
§ Note: Installation of a UDX is a disruptive (non-concurrent) operation on z Systems
Regional Crypto Enablement (RCE)
§ IBM will enable geo-specific cryptographic support that will be supplied by IBM approved vendors.
§ China is the first geography to exploit this support to meet the cryptography requirements of Chinese clients that are required to comply with the People's Bank of China Financial IC Card Specifications (PBOC 3.0) for payment card processing.
§ When ordered, the Regional Crypto Enablement support will reserve the I/O slot(s) for the IBM approved vendor-supplied cryptographic card(s).
§ Clients will need to directly contact the IBM approved vendor for purchasing information.
§ Only for z13s and z13 GA2
§ Requires PTF for APAR VM65577, z/VM V6.2 and V6.3 or later
§ Requires z/OS V2.2 or later
CCA Enhancement: VISA Format Preserving Encryption (VFPE)
Description & Value
Format Preserving Encryption (VFPE) refers to a method of encryption where the resulting ciphertext has the same form as the input cleartext. The form of the text can vary according to use and application. One of the classic examples is a 16 digit credit card number. After using VFPE to encrypt a credit card number, the resulting ciphertext will be another 16 digit number. This helps allow legacy databases to contain encrypted data of sensitive fields without having to restructure the database or applications.
Details
VFPE allows customers to add encryption to their applications in such a way that the encrypted data can flow through their systems without requiring massive redesign of their application. In the above example – if the credit card number is VFPE encrypted at the point of entry – the ciphertext still behaves like a credit card number and can flow through business logic until it meets the backend transaction server which can VFPE decrypt it to get the original credit card number to process the transaction.
Customers interested in this function
Financial institutions that want to exploit the VISA format preserving encryption algorithms to protect cardholder data. Application programmers that want to provide field/cell level encryption to their database.
HW/SW requirements
§ CCA 5.2
  − Available on Crypto Express5S
§ Software Requirements:
  − z/OS V2.1 with the Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77B0)
  − z/OS V1.13 with the Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77B0)
  − z/VM V6.2 and V6.3 with PTFs for guest exploitation
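To make the "same form in, same form out" property concrete, here is an added Python example of a format-preserving cipher over decimal strings. It is a textbook Feistel construction with HMAC-SHA256 as the round function and is not the VISA FPE algorithm that CCA 5.2 implements (whose internals this page does not describe); the key, tweak, round count and sample card number are all constructed for the example. It generalizes the slide's 16-digit case to any digit string of two or more digits, including odd lengths, and shows the decrypt side the backend transaction server needs.

```python
"""Added example (not IBM's or VISA's code): Feistel-based format-preserving
encryption for decimal strings. Output has the same length and character
set as the input, so a 16-digit PAN encrypts to another 16-digit number."""
import hashlib
import hmac

ROUNDS = 10  # constructed choice; FFX-style designs use 10 or more rounds


def _round_function(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    """PRF mapping (tweak, round number, the other half) to an integer below modulus."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split(digits: str):
    """Left half gets n//2 digits, right half the rest (so odd lengths work)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:]


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt; the tweak binds the ciphertext to a context (e.g. a field name)."""
    left, right = _split(digits)
    for rnd in range(ROUNDS):
        # Alternate which half is modified, adding the round output modulo 10^len.
        if rnd % 2 == 0:
            modulus = 10 ** len(left)
            value = (int(left) + _round_function(key, tweak, rnd, right, modulus)) % modulus
            left = str(value).zfill(len(left))
        else:
            modulus = 10 ** len(right)
            value = (int(right) + _round_function(key, tweak, rnd, left, modulus)) % modulus
            right = str(value).zfill(len(right))
    return left + right


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Run the rounds in reverse, subtracting the same round outputs."""
    left, right = _split(digits)
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            modulus = 10 ** len(left)
            value = (int(left) - _round_function(key, tweak, rnd, right, modulus)) % modulus
            left = str(value).zfill(len(left))
        else:
            modulus = 10 ** len(right)
            value = (int(right) - _round_function(key, tweak, rnd, left, modulus)) % modulus
            right = str(value).zfill(len(right))
    return left + right


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    tweak = b"CARD_NUMBER"            # constructed tweak naming the protected field
    pan = "1234567812345678"          # constructed sample, not a real card number
    ct = fpe_encrypt(key, tweak, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, tweak, ct))
```

Because the ciphertext is still sixteen digits, a column declared as CHAR(16) or an application that validates "16 digits" keeps working unchanged, which is the whole point of the slide; the trade-off is that a format-preserving ciphertext can only carry as much entropy as the format allows, so a tweak tied to the field or record is what keeps identical plaintexts in different contexts from encrypting identically.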
Achieve PCI DSS Compliance with efficiency with z Systems
z Systems Security Certifications
z/OS
§ Common Criteria EAL4+
  − with CAPP and LSPP
  − z/OS V1.7 to V1.10 + RACF
  − z/OS V1.11 + RACF (OSPP)
  − z/OS V1.12, z/OS V1.13, z/OS V2R1 (OSPP)
§ Common Criteria EAL5+
  − RACF V1R12 (OSPP)
  − RACF V1R13 (OSPP)
  − RACF V2R1 (OSPP) in process
§ z/OS 1.10 IPv6 Certification by JITC
§ IdenTrust™ certification for z/OS PKI Services
§ FIPS 140-2
  − System SSL z/OS V1.10 to V1.13
  − z/OS ICSF PKCS#11 Services
    • z/OS V1.11 to z/OS V1.13
§ Statement of Integrity
Virtualization with partitions
§ zEC12 and zBC12
  − Common Criteria EAL5+ with specific target of evaluation – LPAR: Logical partitions
§ IBM z13
  − Common Criteria EAL5+ with specific target of evaluation – LPAR: Logical partitions
  • Common Criteria evaluation
Cryptography
§ Crypto Express2 Coprocessor, Crypto Express3 & Crypto Express4S
  − FIPS 140-2 level 4 Hardware Evaluation
  − Approved by German DK (Deutsche Kreditwirtschaft)
  − Crypto Express5S is designed for FIPS 140-2 Certification.
§ CP Assist
  − FIPS 197 (AES)
  − FIPS 46-3 (TDES)
  − FIPS 180-3 (Secure Hash)
z/VM
§ Common Criteria
  − z/VM 6.3 is certified EAL4+ level for OSPP and FIPS at the 140-2 level
§ Statement of Integrity
Linux on z Systems
§ Common Criteria
  − SUSE SLES 11 SP2 certified at EAL4+ with OSPP
  − Red Hat EL 6.2 EAL4+ with CAPP and LSPP
§ OpenSSL – FIPS 140-2 Level 1 Validated
§ CP Assist
  − SHA-1 validated for FIPS 180-1
  − DES & TDES validated for FIPS 46-3
The IBM z13s is designed for Common Criteria Evaluation Assurance Level 5+ certification for security of logical partitions.
The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles
IBM z Systems Crypto Stack (z/OS)
[Diagram: z/OS crypto stack. z/OS software exploiters – ICSF, RACF, RMF, z/OS PKI Services, System SSL, Java PKCS#11 Provider, Communications Server, WebSphere, DB2, IPSec/IKE, PKI, Encryption Facility. ICSF provides CCA Services and PKCS#11 Services with request routing to the Crypto Device Driver (CCA verbs to Crypto Express5S in CCA coprocessor mode, CEX5C; PKCS#11 verbs to Crypto Express5S in EP11 mode, CEX5P) and to CPACF or software crypto. Key data sets CKDS, PKDS and TKDS hold secure key material; clear key material is used by System SSL, Java, DB2 and RACF via CPACF or software. Trusted Key Entry manages the adapters.]
IBM z Systems Crypto Stack (Linux)
Additional z Systems Operating Systems with Crypto Support
§ z/VM
  − z/VM Guest Support for Crypto Express5S in Accelerator mode, CCA Coprocessor mode and EP11 Coprocessor mode
§ z/VSE
  − Supports Crypto Express5S in Accelerator mode and CCA Coprocessor mode
  − CPACF support
  − OpenSSL Support
  − Encryption Facility support (w/ OpenPGP)
Ensuring data privacy with IBM Optim Data Masking
Pervasive Encryption in the Enterprise
Encryption choices – why should encryption be built into storage and other endpoints?
– Performance – cryptography can be computationally intensive
– Efficiency – encrypted data is not able to be compressed or de-duplicated
– Security – data in transit should use temporary keys, data at rest should have long term retention and robust management
– Scalability – best to distribute cryptography across many devices
IBM started with encrypting tape systems, encrypting storage arrays, with the goal to extend to the rest of the infrastructure
[Diagram: encryption points across the infrastructure – Disk Storage Array, Enterprise Tape Library (3592), SAN switch encryption, file system encryption, database encryption – all served by Encryption Key Management and Encryption Key Provisioning]
IBM Enterprise Key Management Foundation (EKMF)
The IBM Enterprise Key Management Foundation provides real-time secure management of keys and certificates in an enterprise with a variety of cryptographic devices and key stores.
§ EKMF workstation is online with all mainframes in the system
  – Manages the keys in ICSF key stores
  – Support for other platforms as well
  – Support for several workstations
§ One LPAR is hosting the EKMF key repository
  – Containing keys and metadata
  – Easy backup and recovery
§ Secure workstation for all key management tasks
  – Centralized key management
  – Secure hardware – IBM 4765
  – Two factor authentication, dual control, group logon, split knowledge, audit logging
§ Database (Repository)
  – Configuration
  – Keys and metadata
  – Audit log
  – Available on z/OS, Windows, Linux, AIX
§ Key Stores
  – Distribution – push mechanism
  – ICSF, CCA, RACF, WebSphere DataPower, Thales, SSL, PKCS#11
[Diagram: EKMF – on-line management of keys and certificates for WebSphere DataPower; DB2 database deployed on server; on-line management of keys in ICSF and RACF]
Security Key Lifecycle Manager
Broadening Footprint
IBM Security Key Lifecycle Manager (ISKLM)
IBM Security Key Lifecycle Manager for z/OS manages encryption keys for storage. It integrates with encrypting storage devices with hardware encryption for performance, Resource Access Control Facility (RACF), Integrated Cryptographic Service Facility (ICSF) and IBM Enterprise Key Management Foundation (EKMF).
[Diagram: Application → Storage Device → ISKLM on z/OS with a DB2 keystore]
1. Application sends write/read request to device
2. Device requests an encrypting/decrypting key from ISKLM, if it doesn't already have it
3. ISKLM looks up info about the device and the keys
4. ISKLM retrieves the key from the keystore
5. ISKLM distributes the key to the device
6. Device uses the key to encrypt/decrypt this and future write/read requests
IBM Advanced Crypto Service Provider (ACSP)
ACSP is a remote crypto services solution that enables distributed clients to access IBM cryptographic hardware on z Systems and System x over the network.
• ACSP client platforms
  – AIX, IBM i, Linux, Windows, z/OS, Linux on z
  – PureSystems
  – In reality, any Java platform
• ACSP client APIs
  – REST using HTTP methods
  – CCA in Java and C
  – PKCS#11
• Transport network
  – IP
  – SSL/TLS protected (client/server auth)
• ACSP server platforms
  – z Systems: z/OS (CEX3/4/5)
  – System p: AIX (4765)
  – x86: SLES, RHEL (4765)
  – IBM PureSystems
Integrated Security Intelligence
Correlate huge amounts of security data to uncover patterns of unusual activity, use real-time alerts to immediately focus on critical security threats that matter the most to the business
Integrated Security Intelligence with IBM z
[Diagram: IBM Security QRadar Embedded Intelligence – prioritized incidents produced by automated offense identification, real-time correlation and analytics, anomaly detection, and industry and geo trending; inputs: network and virtual activity, configuration information, security devices, vulnerabilities and threats, global threat intelligence, servers and mainframes, data activity, application activity, users and identities]
Infrastructure – IBM Security zSecure
§ z/OS, RACF
§ Identity Gov.
§ ACF2, TSS
§ CICS, MQ
Data activity – IBM Security Guardium
§ DB2
§ IMS
§ VSAM
Application activity – IBM Security AppScan
§ Web apps
§ Mobile apps
§ Web services
§ Desktop apps
Users and identities
IBM Security zSecure suite
IBM Security Guardium
ANALYZE. PROTECT. ADAPT.
Highly optimized for z Systems to meet the aggressive transactional throughput and SLAs of enterprise applications
• Discovery, classification, vulnerability assessment, entitlement management
• Encryption, masking, and redaction
• Data and file activity monitoring
• Dynamic blocking and masking, alerts, and quarantine
• Compliance automation and auditing
ANALYTICS
IBM Security QRadar
An integrated, unified security intelligence architecture in a single web-based console
IBM z Systems Cyber Security Analytics Beta
A cognitive solution, developed by IBM Research, which learns user behavior over time. By establishing a baseline of normal user activity, the solution can automatically identify anomalies and identify possible threats posed by rogue insiders or attackers using compromised administrator credentials.
Currently in beta, this offering will be delivered to a limited set of z13 and z13s customers as a service
§ Customers collect and send 3-4 months of SMF / Access Monitor data to IBM
§ IBM Research will run the data through the analytics engine
§ Analysis and reports will be reviewed with the client, highlighting any anomalies that should be investigated
Sign-up: https://www.ibm.com/marketing/iwm/dre/signup?source=stg-web&S_PKG=ov44344
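The baseline-then-anomaly idea above, shown as an added Python example that is not IBM Research's analytics engine. It learns, per user, the hours of day and source terminals seen on successful logons during a training window, then reports later logons that fall outside that baseline or belong to users with too little history to judge. The record layout (timestamp, user ID, source, result), the MIN_HISTORY threshold and the sample records are all constructed; real input would be the SMF / Access Monitor data the slide mentions.

```python
"""Added example (not IBM's code): per-user behaviour baseline over constructed
logon records, flagging logons outside the learned hours and sources."""
from collections import defaultdict
from datetime import datetime

# Constructed training records: (ISO timestamp, user ID, source terminal, result)
TRAINING = [
    ("2016-03-01T08:05:00", "ALICE", "TSO01", "OK"),
    ("2016-03-02T08:10:00", "ALICE", "TSO01", "OK"),
    ("2016-03-03T09:15:00", "ALICE", "TSO02", "OK"),
    ("2016-03-04T10:20:00", "ALICE", "TSO01", "OK"),
    ("2016-03-07T08:30:00", "ALICE", "TSO01", "OK"),
    ("2016-03-08T09:45:00", "ALICE", "TSO02", "OK"),
    ("2016-03-08T22:00:00", "ALICE", "TSO01", "FAIL"),  # failures do not train the baseline
    ("2016-03-01T14:00:00", "BOB", "TSO05", "OK"),
    ("2016-03-02T14:30:00", "BOB", "TSO05", "OK"),
]
# Constructed records from the window being scored
RECENT = [
    ("2016-04-01T09:00:00", "ALICE", "TSO01", "OK"),   # within baseline
    ("2016-04-02T03:12:00", "ALICE", "TSO01", "OK"),   # unusual hour
    ("2016-04-02T09:30:00", "ALICE", "FTP77", "OK"),   # new source
    ("2016-04-03T02:00:00", "ALICE", "FTP77", "OK"),   # both
    ("2016-04-03T14:10:00", "BOB", "TSO05", "OK"),     # too little history to judge
    ("2016-04-03T14:20:00", "CAROL", "TSO09", "OK"),   # never seen in training
]

MIN_HISTORY = 5  # constructed threshold: successful logons needed before a baseline is trusted


def build_baseline(records):
    """Per user: hours of day and source terminals seen on successful logons, plus a count."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set(), "count": 0})
    for ts, user, source, result in records:
        if result != "OK":
            continue
        entry = baseline[user]
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["sources"].add(source)
        entry["count"] += 1
    return dict(baseline)


def find_anomalies(baseline, records, min_history=MIN_HISTORY):
    """Return (timestamp, user, reason) for each logon outside the user's baseline."""
    findings = []
    for ts, user, source, result in records:
        entry = baseline.get(user)
        count = entry["count"] if entry else 0
        if count < min_history:
            # A sparse or absent baseline is itself worth a look, not silently trusted.
            findings.append((ts, user, f"insufficient history ({count} of {min_history} logons)"))
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if hour not in entry["hours"]:
            reasons.append(f"unusual hour {hour:02d}")
        if source not in entry["sources"]:
            reasons.append(f"new source {source}")
        if reasons:
            findings.append((ts, user, "; ".join(reasons)))
    return findings


def run():
    """Learn from the training window, then score the recent window."""
    return find_anomalies(build_baseline(TRAINING), RECENT)


if __name__ == "__main__":
    for ts, user, reason in run():
        print(f"{ts} {user:<6} {reason}")
```

Two design points carry over to any real implementation: only successful logons feed the baseline (otherwise an attacker's failed attempts would teach the model their hours), and a user with too little history is reported rather than passed, which is why the slide asks for three to four months of data before the first analysis.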
Ecosystem News
Expanding strategic security partnerships for z Systems
Mainframe Security Controls Review
§ Guided maturity self-assessment of security controls IBM sees the most focus on at our customers.
§ Perfect for an organization looking to mature their security practices, to provide a rapid checkpoint against the top focus controls in the industry, or to provide a baseline review for a new CISO or other security leaders.
§ The controls covered include:
  − Collect, Normalize, Correlate, Analyze, Report & Monitor Security Information
  − Real-Time Analysis
  − Authentication and Access Management
  − Identity & Access Governance
  − Privileged Identity Management
  − Data Activity Monitoring
  − Encryption
  − Key Management
  − Data Obfuscation
  − Static Source Code Analysis
  − Vulnerability Management
Link to flyer
z Systems Security Portal Registration
§ If you are an IBM z Systems customer (or their authorized representative), follow the steps described on this page to obtain access to the z Systems Security Portal for z Systems Security/Integrity APAR information (currently z/OS and z/VM).
§ The z Systems Security Portal is intended to help you stay current with security and system integrity fixes by providing current patch data and associated Common Vulnerability Scoring System (CVSS) ratings for new APARs. Security Notices are also provided to address highly publicized security concerns.
§ To obtain access to the z Systems Security Portal, send us an email by pressing the following button and provide the customer name, your name and Resource Link ID
§ http://www-03.ibm.com/systems/z/solutions/security_subintegrity.html
Thank You
References
§ Reduce Risk and Improve Security on IBM Mainframes: Volume 1 Architecture and Platform Security
§ Securing the IBM Mainframe
§ Ultimate Security with the IBM z13
§ Consolidated security management for mainframe clouds
§ IBM Multi-Factor Authentication for z/OS Solution Brief
§ IBM z13 Cryptographic Performance
§ Introduction to IBM z Systems Cryptography And the Ecosystem around z Systems Cryptography z13 / CEX5S
Acronyms
§ CA: Certificate Authority
§ CCA: Common Cryptographic Architecture
§ CPACF: CP Assist For Cryptographic Function
§ DES: Data Encryption Standard
§ DKMS: Distributed Key Management System
§ DSS: Data Security Standard
§ ICSF: Integrated Cryptographic Services Facility
§ IDS: Intrusion Detection Services
§ MFA: Multi Factor Authentication
§ MLS: Multilevel Security
§ PCI: Payment Card Industry
§ PKCS: Public Key Cryptography Standards
§ PKI: Public Key Infrastructure
§ RACF: Resource Access Control Facility
* Registered trademarks of IBM CorporationThe following are trademarks or registered trademarks of other companies.
* Other product and service names might be trademarks of IBM or other companies.
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.AIX*BlueMixBigInsightsCICS*Cognos*DB2*
Domino*DS8000*ECKDFileNet*FlashSystemGDPS*
GPFSHiperSocketsIBM*Ibm.comIBM (logo)*IMS
Informix*InfoSphereLinuxONE EmperorLinixONE RockhopperMaximo*MQ*
POWER*POWER*8*PR/SMRACF*Spectrum Scale*SPSS*
Storwize*System z9* Systemz10*Tivoli*WebSphere*XIV*
z13z13szEnterprise*z/OS*
zSystemsz/VSE*z/VM*