Securing the Cloud from The z/OS Perspective
Agenda
• Introduction
• The history of The Cloud
• How virtualization allows for Cloud computing
• The Cloud Security Exposures
• Data in Transit from the Mainframe to the Cloud
• Management of Users and Identity provisioning
• Universal Key Management
• How to mitigate Cloud Risk and keep your Mainframe data Secure
• Maintaining control of your data
• Cloud Security summary
Introduction
SSH z Product and Channel Manager
• In the industry since 1982 (anyone remember a 1419 check sorter?)
• Distinguished career has included Fidelity Investments and CA Technologies
• Involved in the Mainframe Security space since 1990
• At SSH since 2006, first as Sales Engineer, then as Product and Channel Manager
History Of The Cloud
The Cloud: Concept
Conceptually, the "cloud" allows applications and infrastructure to be hosted by external organizations without boundaries. Users and appliances can save and store data without adding any internal hardware. Users can also share information between multiple systems and with other users.
History Of The Cloud
Mainframe and the Cloud: A Wiki definition
• The role of mainframes has changed from an isolated standalone computer to an integral and highly exposed component of the organization’s distributed IT infrastructure, still holding up to 80% of enterprises’ critical data.
Source: The Why, What, and How of Managed File Transfer in Business, Ziff Davis
So what is “The Cloud?”
The Cloud: One definition
The idea of the "cloud" simplifies the many network connections and computer systems involved in online services. In fact, many network diagrams use the image of a cloud to represent the Internet. This symbolizes the Internet's broad reach while simplifying its complexity. Any user with an Internet connection can access the cloud and the services it provides. Since these services are often connected, users can share information between multiple systems and with other users.
The Cloud and Virtualization
With the advent of VMWare and other LINUX, Unix and Windows virtualization tools, Cloud providers can add applications and capacity for a customer in a speedy manner.
Issues created by stamping out copies of servers and applications include copying unlicensed vendor software, repeating security vulnerabilities, and copying identities to machines that are insecure.
Virtualization and The Mainframe
BIG Box, lots of little Machines
• z/VM – wasn’t it dead?
• IBM LINUX for z
  • Red Hat
  • SUSE
• USS – what is there?
  • Fully POSIX compatible file system
  • TCP/IP
  • FTP
  • SSH
  • Firewall
  • RACF, ACF-2 and Top Secret
  • LDAP
Cloud Security Exposures
Biggest Cloud Security Concerns
• Preventing Data Loss
• Preventing Outages caused internally and externally to the organization
• Keeping Security Up To Date
Your Data In Transit
• While data is secure at rest on the Mainframe, you lose control once it leaves.
• If data being transferred is in the clear, it is akin to leaving your wallet lying on a bar.
• If there is no authentication or validation of the host, how do you know who you are communicating with?
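The host-validation point on this slide, in working form. This is an added example and not material from the presentation or from SSH's products: a client holds a fingerprint of the mainframe's SSH host key that an administrator recorded out of band (the "pin"), and refuses to talk to any host whose key does not hash to that value. The key bytes, the `make_ed25519_blob`, `fingerprint` and `verify_host_key` names, and the OpenSSH wire-format layout assumed here are illustrative constructions, not a real host's key.

```python
"""Pinned SSH host-key check (added example, not from the presentation).

Assumes the client has a pinned SHA256 fingerprint of the server's host key,
recorded out of band by an administrator. The key blob is a constructed sample
in OpenSSH public-key wire format; it does not belong to any real host.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public-key blob that is hashed for an ssh-ed25519 host key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(blob: bytes, pinned: str) -> bool:
    """Accept the host only if its key hashes to the pinned fingerprint.

    An empty pin or a mismatch is a hard failure: the client never falls back
    to 'trust whatever the network presents', which is the FTP situation the
    slide warns about. The comparison is constant-time out of habit.
    """
    return bool(pinned) and hmac.compare_digest(fingerprint(blob), pinned)


# Constructed sample: 32 placeholder key bytes, not a real Ed25519 key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_BLOB = make_ed25519_blob(SAMPLE_KEY)
# The value an administrator would have recorded earlier (assumed pin).
PINNED = fingerprint(SAMPLE_BLOB)

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED)
    print("genuine host accepted:", verify_host_key(SAMPLE_BLOB, PINNED))
    # An impostor presenting a different key is rejected before any login data flows.
    impostor = make_ed25519_blob(bytes([b ^ 0xFF for b in SAMPLE_KEY]))
    print("impostor rejected:", not verify_host_key(impostor, PINNED))
```

In practice the pin lives in a `known_hosts` file or a central key-management store rather than a constant, and the client's policy should be "strict": an unknown or changed key aborts the transfer instead of prompting an operator who will click through.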
FTP Today
• Been around since 1971 (before the TCP and IP protocols – a very aged protocol)
• Millions of critical files and data exchanged by corporations daily
• Few managers realize the Security and Management Risks of the prevalent use of FTP
• FTP has not “evolved” over the years and is rife with Security Exposures
FTP in the Workplace
• Most computers have the ability to exchange data (users' desktops)
• Embedded in the services of TCP/IP
• Business to Business FTP transfers are uncontrolled and insecure
• Critical lynchpin in Business to Business communications
• Facility used for file transfers between diverse computing platforms
• The manner in which FTP is implemented by businesses needs attention
• FTP activity is rampant. Do you really know what is happening?
FTP and Compliance
• PCI-DSS
  • Any time credit card information is sent it must abide by the PCI-DSS compliance standards for security and confidentiality.
• HIPAA, SOX, GLBA, FISMA & Others
  • HIPAA - The HIPAA Security Rule mandates that health plan providers, healthcare clearing houses, and other organizations processing health information take reasonable and appropriate precautions to protect health information.
  • SOX - Section 404 of SOX requires top management to establish an adequate internal control structure and include an assessment of its effectiveness in the annual report. Additionally, an external auditor needs to verify the management assertions.
  • GLBA - The Safeguards Rule issued by the Federal Trade Commission (FTC) established standards for financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
  • FISMA - FIPS 140-2 requires certified cryptographic modules to meet the compliance requirements for government agencies and certain contractors.
• California SB 1386, Basel II, Massachusetts Privacy Law
Risks associated with FTP
• Anyone with READ access also has “Transfer Out” access
• Read Clear Text Exposure
• Password interception
• Eavesdropping
• Hijacking
  • “Man in the middle”
  • Connection “hijack”
• Spyware
• Wireless Connectivity
• Can open a portal behind the firewall
Passwords are in the CLEAR
FTP Passwords in Clear text
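The "Risks associated with FTP" and "Passwords are in the CLEAR" slides together make the point that every plain FTP login hands the user ID and password to anyone on the path. The following is an added example, not code from the presentation or from SSH: an inventory script a defender would run over FTP control-channel records to answer "do you really know what is happening?" It reports which users are still logging in over cleartext FTP, and deliberately masks the password rather than recording it. The record format (timestamp, client, server, `C:`/`S:` direction, then the command or reply) and the sample sessions are constructed assumptions; the only protocol facts relied on are the standard FTP reply codes (234 for an accepted `AUTH TLS`, 230 for login success, 530 for login failure).

```python
"""Inventory of cleartext FTP logins from control-channel records.

Added example, not from the presentation. The record format and all sample
traffic are constructed. A login is counted as cleartext when USER/PASS were
sent on a session that had not negotiated AUTH TLS (reply 234) beforehand.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<server>\S+) (?P<dir>[CS]): (?P<text>.*)$"
)

# Constructed sample: three sessions against a fictitious z/OS FTP server.
# Session 1: plain FTP login, succeeds. Session 2: explicit FTPS (AUTH TLS)
# before login. Session 3: plain FTP login with a wrong password.
SAMPLE_RECORDS = """\
2024-05-01T09:00:00Z 10.1.2.3:41022 -> 10.9.9.9:21 S: 220 FTP server ready
2024-05-01T09:00:01Z 10.1.2.3:41022 -> 10.9.9.9:21 C: USER PAYROLL
2024-05-01T09:00:01Z 10.1.2.3:41022 -> 10.9.9.9:21 S: 331 Send password please
2024-05-01T09:00:02Z 10.1.2.3:41022 -> 10.9.9.9:21 C: PASS s3cret
2024-05-01T09:00:02Z 10.1.2.3:41022 -> 10.9.9.9:21 S: 230 PAYROLL is logged on
2024-05-01T09:00:03Z 10.1.2.3:41022 -> 10.9.9.9:21 C: RETR 'PAY.MASTER.DATA'
2024-05-01T09:05:00Z 10.1.2.7:50110 -> 10.9.9.9:21 S: 220 FTP server ready
2024-05-01T09:05:00Z 10.1.2.7:50110 -> 10.9.9.9:21 C: AUTH TLS
2024-05-01T09:05:01Z 10.1.2.7:50110 -> 10.9.9.9:21 S: 234 Security mechanism accepted
2024-05-01T09:05:02Z 10.1.2.7:50110 -> 10.9.9.9:21 C: USER BATCH01
2024-05-01T09:05:02Z 10.1.2.7:50110 -> 10.9.9.9:21 S: 331 Send password please
2024-05-01T09:05:03Z 10.1.2.7:50110 -> 10.9.9.9:21 C: PASS ********
2024-05-01T09:05:03Z 10.1.2.7:50110 -> 10.9.9.9:21 S: 230 BATCH01 is logged on
2024-05-01T09:10:00Z 10.1.2.9:33001 -> 10.9.9.9:21 C: USER OPER1
2024-05-01T09:10:00Z 10.1.2.9:33001 -> 10.9.9.9:21 S: 331 Send password please
2024-05-01T09:10:01Z 10.1.2.9:33001 -> 10.9.9.9:21 C: PASS wrongpw
2024-05-01T09:10:01Z 10.1.2.9:33001 -> 10.9.9.9:21 S: 530 PASS command failed
"""


@dataclass
class Session:
    client: str
    server: str
    protected: bool = False          # True once AUTH TLS received a 234 reply
    awaiting_auth_reply: bool = False
    user: Optional[str] = None
    password_seen: bool = False      # the password value itself is never stored


@dataclass
class Finding:
    ts: str
    client: str
    server: str
    user: str
    outcome: str                     # "success" (230) or "failure" (530)


def analyse(records: str) -> List[Finding]:
    """Return one Finding per cleartext USER/PASS login attempt, in record order."""
    sessions: Dict[Tuple[str, str], Session] = {}
    findings: List[Finding] = []
    for raw in records.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                 # skip records that do not fit the format
        key = (m["client"], m["server"])
        s = sessions.setdefault(key, Session(m["client"], m["server"]))
        text = m["text"]
        if m["dir"] == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                s.awaiting_auth_reply = True
            elif verb == "USER":
                s.user = arg.strip()
            elif verb == "PASS":
                s.password_seen = True   # mask: record that it happened, not what it was
        else:
            code = text[:3]
            if s.awaiting_auth_reply:
                s.protected = (code == "234")
                s.awaiting_auth_reply = False
            elif code in ("230", "530") and s.user and s.password_seen and not s.protected:
                outcome = "success" if code == "230" else "failure"
                findings.append(Finding(m["ts"], s.client, s.server, s.user, outcome))
                s.password_seen = False
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"{f.ts} cleartext FTP login {f.outcome}: user={f.user} "
              f"from {f.client} to {f.server}")
```

Run against the constructed sample, the script reports the PAYROLL login and the failed OPER1 attempt, and stays silent about BATCH01, whose credentials travelled inside TLS. The same logic, fed from a real server log or a capture at the firewall, yields the list of accounts and clients that need to move to SFTP or FTPS before the next audit.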
File Transfer Infrastructure
• What are some alternatives?
• Why or why not use the methods and tools?
• When is a good time to use the solution?