IBM Tivoli zsecurity Management

Transkript

1 IBM Software Group IBM Tivoli zsecurity Management Compliance und Auditing mit der IBM Tivoli zsecure Suite September 08 Carsten Hinz, System z Tivoli Technical Sales

2 Themen zsecure Compliance Produkt Überblick Benefits, weitere Infos 2

3 IBM Software Group Compliance September 08 Carsten Hinz, System z Tivoli Technical Sales

4 Der Begriff Compliance Compliance bezeichnet die Einhaltung von Gesetzen und Richtlinien im Unternehmen Security - Compliance: Konformität zu Datenschutzbestimmungen und internen Vorschriften 4

5 Compliance ein Hype Thema? 5

6 Compliance Aspekte Die Lücken aufspüren: Eine genaue Analyse der vorhandenen Systeme und Umgebungen zeigt die Lücken auf. Policies entwickeln: Um Compliance-Vorgaben zu erfüllen, muss eine Strategie entwickelt werden, die die Regeln in technische Maßnahmen überträgt. Policies implementieren: Wer ist wann für was verantwortlich? Zuständigkeiten schaffen Transparenz und Verlässlichkeit. Tools benutzen: Die richtige Software hilft, Compliance-Prozesse zu automatisieren und zu standardisieren. Konsequenz zeigen: Policies müssen immer wieder überprüft und gegebenenfalls an veränderte Verhältnisse angepasst werden. 6

7 Compliance Aspekte: PCI DSS The PCI Security Standards Council (PCI SSC) is made up of all major credit card issuers: Visa MasterCard Discover JCB Diner s Club American Express PCI SSC governs security standards for the payment card industry Most recent PCI Data Security Standard (PCI DSS) v1.1 Provides clarification to certain requirements Gives flexibility for compensating controls for complex requirements such as data encryption Added requirements to address emerging threats to application security Upcoming deadline for compliance was September 30, 2007 for Level 1 merchants 7

8 PCI Requirements The Digital Dozen Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data sent across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security 8 PCI DSS Ver. 1.1

9 Fragen eines PCI Audits Is access to payment card account numbers restricted for users on a needto-know basis? Is all access to cardholder data, including root/administration access, logged? Do access control logs contain successful and unsuccessful login attempts and access to audit logs? Are all critical system clocks and times synchronized, and do logs include date and time stamp? Are the firewall, router, wireless access points, and authentication server logs regularly reviewed for unauthorized traffic? Are audit logs regularly backed up, secured, and retained for at least three months online and one-year offline for all critical systems? Are information security policies, including policies for access control formally documented? When an employee leaves the company, are that employee s user accounts and passwords immediately revoked? Are security alerts from IDS/IPS s continuously monitored, and are the latest IDS/IPS signatures installed? yes yes yes yes yes yes yes yes yes no no no no no no no no no 9

10 EuroSOX IBM Software Group Tivoli software Die Bundesregierung hat die 8. EU-Richtlinie zum 29.Juni 2008 in geltendes nationales Recht umgesetzt. EuroSOX ist die Umschreibung für Richtlinien der EU, die an die USamerikanische SOX-Gesetzgebung angelehnt sind. Harmonisierung des Prüfwesens für den europäischen Markt Deutschland Spanien 0:1 Es geht um Vorgaben für nationale Gesetze über Aktionärssicherheit sowie unabhängige Rechnungs- und Abschlussprüfung von Unternehmen bestimmter Rechtsformen. Kapitalgesellschaften oder Unternehmen von öffentlichem Interesse Ab ca. 90 Mio Bilanzsumme Es betrifft auch die Dokumentation der IT-Infrastruktur und deren Sicherheit, da Störungen in der IT zu erheblichen Unternehmensschäden führen können und somit für Aktionäre ein wichtiges Kriterium sind. Bereitstellung regelkonformer Systeme durch IT Durchsetzen der Compliance Regeln nur mit IT Unterstützung Quelle: Compliance Magazin, Computerwoche, Wikipedia 10

11 ITIL Delivery Support Security Management Ziel des Security Management: Verwaltung und Weiterentwicklung eines definierten Sicherheitsstandards für IT Services und Informationen Information Security Incidents sind Vorfälle, bei denen Aufgaben: die Vertraulichkeit (C Confidentiality) die Integrität (Vollständigkeit und Richtigkeit, I Integrity) die Verfügbarkeit (A Availability) der Information beschädigt werden. Planung: Erarbeiten von SLA s, UC s, OLA s, policy statements Implementierung: Bewußsein fördern, Personnel -, Physical-, Technical Security, Kontrolle und Verwaltung der Zugangsrechte, etc. Bewertung: vermeiden von Phantomsicherheit, interne/externe Audits, Security Incidents auswerten Betrieb: Erfahrungen sammeln, Verbesserungen in nächste Planung/Implementierung einbringen Die Kosten für ein Security Management können selten exakt qualifiziert werden, die bei nicht ausreichender Sicherheit dafür umso deutlicher!! SLA service level agreement, UC underpinning contract, OLA operational level agreement 11

12 IBM Software Group IBM Tivoli zsecure Suite ein Überblick September 08 Carsten Hinz, System z Tivoli Technical Sales

13 IBM Tivoli zsecure Suite Note: ACF2 and Top Secret are either registered trademarks or trademarks of CA, Inc. or one of its subsidiaries. 13

14 zsecure Admin Enables more efficient and effective RACF administration, using significantly less resources Highlights: Automate routine tasks to simplify administration Identify and analyze problems to minimize threats Merge databases quickly and efficiently Display data from the active (live) RACF database Integrates smoothly with IBM Tivoli zsecure Audit Store non-racf data to reduce organizational costs 14

15 RACF LISTUSER (LU) command output 15

16 RACF Administration Tivoli zsecure Admin 16

17 Tivoli zsecure Admin Details, user overview Panels haben ggf. mehr als 80 Stellen links, rechts blättern Abkürzungen zwecks Platzeinsparung Anzeige der Action Commands mit / z.b. CO add connect für diese ID 17

18 IBM Tivoli zsecure Visual Reduces the need for scarce, RACF-trained expertise through a Microsoft Windows based GUI for RACF administration Highlights: Decentralize RACF administration to optimize resources Scope Down Administrative Capabilities Avoid need for TSO/ISPF rollouts Administer from a live RACF database Easy Cloning of user templates 18

19 RACF Administration Tivoli zsecure Visual 19

20 IBM Tivoli zsecure CICS Toolkit Allows you to perform mainframe administrative tasks from a CICS environment, freeing up native-racf resources Highlights: RACF administration from a CICS interface Web-enablement CICS-RACF API Customize screens Perform resource access checks Support security of legacy applications 20

21 IBM Tivoli zsecure Audit Compliance and audit solution that enables you to automatically analyze and report on security events and detect security exposures Highlights: Live analysis of critical information Beyond just z/os and RACF analysis Customize reports to meet specific needs with flexible report and alert language Analyze SMF log files to create a comprehensive audit trail Analyze RACF profiles and ACF2 entries to get fast answers Detect system changes and integrity breaches to minimize security risks Track and monitor baseline changes for RACF and ACF2 Integrated remediation with Tivoli zsecure Admin Seamless links to enterprise audit and compliance 21

22 IBM Software Group Tivoli Software RACF Compliance zsecure Audit Stichworte: Orange Book TCSEC Trusted Computer System Evaluation Criteria Hierarchie: A D A: höchste Sicherheit D: kein Schutz zsecure: zw. B1 u. C2 22

23 RACF Compliance zsecure Audit Orange Book TCSEC Trusted Computer System Evaluation Criteria Hierarchie: A D, A: höchste Sicherheit, D: kein Schutz Relativ neuer Standard: CC Common Criteria 23

24 RACF Compliance zsecure Audit 24

25 RACF Compliance zsecure Audit Priorität: ECHO: Exposure Concern Housekeeping issue Ok E = >39 C = H = O = 0 9 (incl. Warnings) 25

26 RACF Compliance zsecure Audit 26

27 RACF Compliance zsecure Audit 27

28 IBM Tivoli zsecure Alert Real-time mainframe threat monitoring allowing you to monitor intruders and identify mis-configurations that could hamper your compliance efforts Highlights: Threat knowledge base with parameters from your active configurations Broad range of monitoring capabilities, including monitoring sensitive data for misuse on: - z/os - IBM RACF - CA ACF2 and - z/os UNIX subsystems. Easily send critical alerts to enterprise audit, compliance and monitoring solutions Integrated remediation with Tivoli zsecure Admin 28

29 RACF Compliance zsecure Alert capturing SMF data before it is written to the SMF log capturing WTO s notifying you within seconds to minutes about dubious goings on Notifications can be sent in the form of: - an - as a text message to your pager or cell phone (through an based relay) - as a WTO (which can be used to trigger your automated operations package) - or an SNMP trap which can be picked up (e.g. Tivoli Compliance Insight Manager) 29

30 RACF Compliance zsecure Alert IBM Tivoli zsecure Alert consists of two components: - A long-living address space (a started task) - capturing, correlation and alert generation An ISPF interface - to specify which events are to be reported and - which format(s)ibm Tivoli zsecure Alert comes with predefined alerts available specify your own alerts using the most flexible Common Auditing and Reporting Language - CARLa 30

31 RACF Compliance zsecure Alert 31

32 IBM Tivoli zsecure Command Verifier Policy enforcement solution that enforces compliance to company and regulatory policies by preventing erroneous commands Highlights: Prevent noncompliant administrative command execution Supports policy definitions to provide mandatory and default values for which RACF does not provide appropriate defaults Command Audit Trail feature stores changes to profiles in the RACF database Easy independent installation for use on all systems for which policies must be enforced Grant users granular access to specific commands they would normally be unable to access 32

33 RACF Compliance Tivoli zsecure Command Verifier Control points for RACF commands Insert commands before execution Change command contents Insert commands after execution Refuse command Enforces installation standards Limit what system special can do Naming conventions Separation of groups Additional control over command execution Additional logging to SMF 33

34 RACF Compliance Tivoli zsecure Command Verifier Against the creation of default passwords Against the creation of wrong usernames 34

35 Tivoli zsecure Konzept CKFREEZE CKRCARLa 35

36 Tivoli zsecure - Datenquellen Datenquellen: CKFREEZE Source primary live RACF database backup live RACF database Unloaded RACF data (kann mit zsecure erstellt werden) A copy of a RACF database, or an active RACF database from another system. 36

37 IBM Tivoli zsecure Compliance Insight Manager Enabler for z/os Integration des Mainframes in das TCIM Enterprise Compliance Dashboard W7 Patent Pending Analysis Engine PUMA (Privileged User Monitoring and Audit) PCI 37

38 Integration with Tivoli Compliance Insight Manager 38

39 Benefits TCIM Brings to the Mainframe Broad analysis of activity and audit records gathered from multiple platforms Includes z/os events in the enterprise dashboard! z/os, RACF, CA-ACF2, CA-Top Secret, DB2, TCPIP, z/os UNIX Tivoli Compliance Insight Manager can make mainframe data easier to audit MVS jargon translated into TCIM s compliance language Auditors no longer need z/os expertise to monitor activities SMF Record types (mainframe logs) gathered 0, 2, 3, 4, 5, 6, 8, 10, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 30, 31, 32, 33, 34, 35, 36, 27, 39, 40, 41, 42, 43, 45, 47, 48, 49, 50, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79 80, 81 (RACF) 82 (ICSF Integrated Cryptographic Services Facility) 83 (Security Events) 84, 85, 88, 91, 92, 94, 96, 99, 100, 101, 103, 108, 109, 115, 116, 118, 119,

40 Weitere Informationen, Unterstützung Informationen Unterstützung System z Tivoli Technical Sales, Carsten Hinz, , carsten.hinz@de.ibm.com Eine Demoumgebung der zsecure Suite steht zur Verfügung 40

41 IBM Software Group Tivoli software A cornerstone for Tivoli s z/os Security Strategy IBM Tivoli zsecure Suite * Also available for ACF2 and TopSecret ** Also available for ACF2 Enterprise Security Monitoring and Audit Reporting Tivoli Compliance Insight Manager (TCIM) 41 Enterprise Identity and Access Management Tivoli Security Operations Manager (TSOM) Tivoli Identity Manager (TIM) for z/os Tivoli Federated Identity Manager for z/os Tivoli Directory Server for z/os Tivoli Directory Integrator (TDI) for z/os

42 Vielen Dank für Ihre Aufmerksamkeit! Fragen? Carsten Hinz Diplom-Ingenieur System z Tivoli Software IBM Deutschland GmbH Beim Strohhause Hamburg Tel Mobil Carsten.Hinz@de.ibm.com 42