Securing the Cloud from The z/OS Perspective

• Introduction
• The history of The Cloud
• How virtualization allows for Cloud computing
• The Cloud Security Exposures
• Data in Transit from the Mainframe to the Cloud
• Management of Users and Identity provisioning
• Universal Key Management
• How to mitigate Cloud Risk and keep your Mainframe data Secure
• Maintaining control of your data
• Cloud Security summary
Introduction
• SSH z Product and Channel Manager
• In the industry since 1982 (anyone remember a 1419 check sorter?)
• Distinguished career has included Fidelity Investments and CA Technologies
• Involved in the Mainframe Security space since 1990
• At SSH since 2006, first as Sales Engineer, then as Product and Channel Manager
The Cloud: Concept
Conceptually, "cloud" allows applications and infrastructure to be hosted by external organizations without boundaries. Users and appliances can save and store data without adding any internal hardware. Users can also share information between multiple systems and with other users.
Mainframe and the Cloud: A Wiki definition
• The role of mainframes has changed from an isolated standalone computer to an integral and highly exposed component of the organization’s distributed IT infrastructure, still holding up to 80% of enterprises’ critical data.
Source: Ziff Davis, “The Why, What, and How of Managed File Transfer in Business”
The Cloud: One definition
The idea of the "cloud" simplifies the many network connections and computer systems involved in online services. In fact, many network diagrams use the image of a cloud to represent the Internet. This symbolizes the Internet's broad reach, while simplifying its complexity. Any user with an Internet connection can access the cloud and the services it provides. Since these services are often connected, users can share information between multiple systems and with other users.
With the advent of VMware and other Linux, Unix and Windows virtualization tools, cloud providers can add applications and capacity for a customer quickly. Issues created by stamping out copies of servers and applications include copying unlicensed vendor software, repeating the same security vulnerabilities in every copy, and copying identities (the image's accounts and keys) to machines that are insecure.
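One concrete form of the "copied identities" problem is that every guest stamped out from the same image presents the same SSH host key, so a client that has pinned one of them will silently trust all of them (and an attacker who extracts the key from any one clone can impersonate the rest). The following is an added example, not code from the presentation or from SSH Communications Security: it scans `ssh-keyscan`-style output and reports any host key that more than one host presents. Host names and key blobs are constructed for the example (the keys are arbitrary base64, not real key pairs).

```python
"""Detect SSH host keys shared by several machines (e.g. VMs cloned from one image).

Added example, not from the original presentation. Host names and keys below
are constructed; the key material is arbitrary base64, not real key pairs.
"""
import base64
import hashlib
from collections import defaultdict


def constructed_key(label: str) -> str:
    """Make a valid base64 blob to stand in for a public key (constructed data)."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


# Three Linux guests: lnx01 and lnx02 were stamped out from the same image and
# kept its host key; lnx03 regenerated its key on first boot. (Constructed.)
SAMPLE_KEYSCAN = "\n".join([
    "# lnx01.example.com:22 SSH-2.0-OpenSSH_8.4",   # ssh-keyscan comment line
    "lnx01.example.com ssh-ed25519 " + constructed_key("golden-image"),
    "lnx02.example.com ssh-ed25519 " + constructed_key("golden-image"),
    "lnx03.example.com ssh-ed25519 " + constructed_key("regenerated-on-first-boot"),
    "",
])


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(keyscan_output: str) -> dict:
    """Map fingerprint -> sorted list of hosts, for keys seen on more than one host.

    Input is `ssh-keyscan` style text: "<host> <keytype> <base64 key>" per line.
    Comment and malformed lines are skipped.
    """
    hosts_by_key = defaultdict(set)
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, key = parts[0], parts[1], parts[2]
        hosts_by_key[(keytype, key)].add(host)

    shared = {}
    for (keytype, key), hosts in hosts_by_key.items():
        if len(hosts) > 1:
            shared[fingerprint(key)] = sorted(hosts)
    return shared


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Against a real fleet, feed the script the saved output of `ssh-keyscan -t ed25519,rsa <hosts...>`; any fingerprint listed more than once means the image's host key was cloned and should be regenerated on every affected guest.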
BIG Box, lots of little Machines
• z/VM – wasn’t it dead?
• IBM Linux for z: Red Hat, SUSE
• USS (UNIX System Services) – what is there?
  Fully POSIX-compatible file system
  TCP/IP, FTP, SSH
  Firewall
  RACF, ACF-2 and Top Secret, LDAP
Biggest Cloud Security Concerns
• Preventing Data Loss
• Preventing Outages caused internally and externally to the organization
• Keeping Security Up To Date
Your Data In Transit
• While data is secure at rest on the Mainframe, you lose control once it leaves.
• If data being transferred is in the clear, it is akin to leaving your wallet lying on a bar.
• If there is no authentication or validation of the host, how do you know who you are communicating with?
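The host-validation point is exactly what an SSH/SFTP client's known_hosts check provides, and what plain FTP lacks. The following is an added example, not code from the presentation or from any SSH product: it pins server host keys from a known_hosts-style file and refuses to proceed when a server presents a different key (possible man in the middle) or when the host is not pinned at all (no trust on first use). The known_hosts contents and the keys the "servers" present are constructed; only plain host names are handled (hashed `|1|...` entries and `@cert-authority` lines are out of scope).

```python
"""Verify an SSH/SFTP server's host key before sending anything.

Added example, not from the original presentation. The known_hosts text and
the keys a "server" presents are constructed (arbitrary base64, not real keys).
Only plain-text host names are handled; hashed |1|... entries and
@cert-authority lines are out of scope for this example.
"""
import base64
import hashlib

# Pinned keys the mainframe administrator distributed out of band (constructed).
KNOWN_HOSTS = """\
# host               keytype      base64 public key blob
sftp.partner.example ssh-ed25519 {good}
mvs1.example.com     ssh-rsa     {mvs}
""".format(
    good=base64.b64encode(b"constructed blob: partner sftp gateway").decode(),
    mvs=base64.b64encode(b"constructed blob: z/OS OpenSSH server").decode(),
)


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint, the form an admin reads out over the phone."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Return {(host, keytype): base64 key} from known_hosts-style lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        for host in parts[0].split(","):      # one line may list several aliases
            pinned[(host, parts[1])] = parts[2]
    return pinned


def check_host_key(pinned: dict, host: str, keytype: str, presented_key: str) -> str:
    """Decide whether to talk to a server that just presented `presented_key`.

    Returns "ok", "unknown-host" (no pin: refuse rather than trust on first use)
    or "mismatch" (pinned key differs: possible man in the middle, abort).
    """
    expected = pinned.get((host, keytype))
    if expected is None:
        return "unknown-host"
    if expected != presented_key:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    pinned = parse_known_hosts(KNOWN_HOSTS)
    genuine = pinned[("sftp.partner.example", "ssh-ed25519")]
    spoofed = base64.b64encode(b"constructed blob: interceptor's key").decode()
    for host, key in [("sftp.partner.example", genuine),
                      ("sftp.partner.example", spoofed),
                      ("new-gateway.example", genuine)]:
        verdict = check_host_key(pinned, host, "ssh-ed25519", key)
        print(f"{host:24} {fingerprint(key)}  -> {verdict}")
```

The decisive design choice is the "unknown-host" branch: an interactive client that auto-accepts unknown keys turns the check into trust-on-first-use, which is adequate for a workstation but not for unattended batch transfers of mainframe data. For those, the key must be pinned before the first connection.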
FTP Today
• Been around since 1971 (before the TCP and IP protocols – a very aged protocol)
• Millions of critical files and data exchanged by corporations daily
• Few managers realize the security and management risks of the prevalent use of FTP
• FTP has not “evolved” over the years and is rife with security exposures
FTP in the Workplace
• Most computers have the ability to exchange data (users' desktops)
• Embedded in the services of TCP/IP
• Business-to-business FTP transfers are uncontrolled and insecure
• Critical lynchpin in business-to-business communications
• Facility used for file transfers between diverse computing platforms
• The way FTP is implemented by businesses needs attention
• FTP activity is rampant. Do you really know what is happening?
1. PCI-DSS
   Any time credit card information is sent it must abide by the PCI-DSS compliance standards for security and confidentiality.
2. HIPAA, SOX, GLBA, FISMA & Others
   1. HIPAA - The HIPAA Security Rule mandates that health plan providers, healthcare clearing houses, and other organizations processing health information take reasonable and appropriate precautions to protect health information.
   2. SOX - Section 404 of SOX requires top management to establish an adequate internal control structure and include an assessment of its effectiveness in the annual report. Additionally, an external auditor needs to verify the management assertions.
   3. GLBA - The Safeguards Rule issued by the Federal Trade Commission (FTC) establishes standards for financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
   4. FISMA - Requires government agencies and certain contractors to use cryptographic modules validated under FIPS 140-2.
   5. California SB 1386, Basel II, Massachusetts Privacy Law
Risks associated with FTP
• Anyone with READ access also has “Transfer Out” access
• Read clear-text exposure
• Password interception
• Eavesdropping
• Hijacking
  • “Man in the middle”
  • Connection “hijack”
• Spyware
• Wireless connectivity
• Can open a port behind the firewall (active-mode data connections)
FTP Packet Trace Example (figure): the captured FTP control session shows the USER and PASS commands in full; FTP passwords are in the CLEAR.
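What the packet trace shows can be reduced to a few lines of parsing. The following is an added example, not code from the presentation: it walks a reconstructed FTP control-channel stream (the way a packet analyzer's "follow TCP stream" view presents port 21 traffic) and pulls out everything an eavesdropper gets for free: the user ID, the password, which data sets were retrieved or stored, and the address and port the client asked the server to connect back to (the "port behind the firewall" from the risks list). The stream, host name, user ID, password and data set names are all constructed.

```python
"""Audit one cleartext FTP control session the way an eavesdropper would see it.

Added example, not from the original presentation. SAMPLE_FTP_STREAM is a
constructed reconstruction of a TCP port 21 conversation as (direction, line)
pairs; the host, user ID, password and data set names are made up.
"""

# C = client -> server, S = server -> client. Constructed sample session.
SAMPLE_FTP_STREAM = [
    ("S", "220 MVS1.EXAMPLE.COM FTP server ready."),
    ("C", "USER JSMITH"),
    ("S", "331 Send password please."),
    ("C", "PASS Sup3rSecret"),
    ("S", "230 JSMITH is logged on."),
    ("C", "PORT 10,20,30,40,19,137"),
    ("S", "200 Port request OK."),
    ("C", "RETR 'PROD.CUST.MASTER'"),
    ("S", "125 Sending data set PROD.CUST.MASTER"),
    ("S", "250 Transfer completed successfully."),
    ("C", "QUIT"),
    ("S", "221 Quit command received. Goodbye."),
]

DATA_VERBS = ("RETR", "STOR", "STOU", "APPE")   # commands that move file contents


def parse_port_command(args: str):
    """Decode the active-mode PORT argument h1,h2,h3,h4,p1,p2 -> (ip, port).

    This is the address the *server* connects back to: a listener the client
    opened, which a client-side firewall must let inbound traffic reach.
    """
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {args!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def audit_ftp_session(stream):
    """Summarize what an eavesdropper learns from one cleartext control session."""
    findings = {"users": [], "passwords": [], "data_ports": [], "files": [], "malformed": []}
    for direction, line in stream:
        if direction != "C":
            continue           # credentials and file names travel client -> server
        verb, _, args = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            findings["users"].append(args)
        elif verb == "PASS":
            findings["passwords"].append(args)          # plain text on the wire
        elif verb == "PORT":
            try:
                findings["data_ports"].append(parse_port_command(args))
            except ValueError:
                findings["malformed"].append(line)
        elif verb in DATA_VERBS:
            findings["files"].append((verb, args))
    return findings


if __name__ == "__main__":
    result = audit_ftp_session(SAMPLE_FTP_STREAM)
    for key, values in result.items():
        if values:
            print(f"{key:11}: {values}")
```

Run the same logic over a real capture by exporting the control stream from your analyzer as text; the `passwords` list being non-empty is the whole argument for moving the transfer to SFTP or FTPS, and the `data_ports` list shows which inbound holes active-mode transfers require.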
What Are The Options To Secure Your FTP?
• Firewalls / VPN
• FTPS / SFTP / Vendor Solutions / IBM Ported Tools
• FTP Server off the mainframe
• PGP
File Transfer Infrastructure
• What are some alternatives?
• Why or why not use the methods and tools?
• When is a good time to use the solution?
Alternatives covered:
• FTP (File Transfer Protocol)
• FTPS (FTP over SSL/TLS)
• FTP over SSH Tunnel
• SFTP (SSH File Transfer Protocol – a different protocol from FTP, carried over SSH)
• FTP/SFTP Hybrid (FTP to SFTP)
• VPN (Virtual Private Network)
• PGP (data at rest)
FTP
• Pros
  • Ubiquitous
  • Common knowledge
  • Included in base OS
• Cons
  • Very little security
  • Not firewall friendly