Post on 24-Dec-2015
Securing the Cloud from the z/OS Perspective
Agenda
• Introduction
• The history of The Cloud
• How virtualization allows for Cloud computing
• The Cloud Security Exposures
• Data in Transit from the Mainframe to the Cloud
• Management of Users and Identity provisioning
• Universal Key Management
• How to mitigate Cloud Risk and keeping your Mainframe data Secure
• Maintaining control of your data
• Cloud Security summary
• SSH z Product and Channel Manager
• In the industry since 1982 (anyone remember a 1419 check sorter?)
• Distinguished Career has included Fidelity Investments and CA Technologies
• Involved in Mainframe Security Space since 1990
• At SSH since 2006, 1st as Sales engineer then as Product and Channel Manager
Introduction
History Of The Cloud
The Cloud: Concept
Conceptually "cloud" allows applications and infrastructure to be hosted by external organizations without boundaries. Users and appliances can save and store data without adding any internal hardware. Users can also share information between multiple systems and with other users.
• The role of mainframes has changed from an isolated standalone computer to an integral and highly exposed component of the organization’s distributed IT infrastructure still holding up to 80% of enterprises’ critical data.
History Of The Cloud
Source: "The Why, What, and How of Managed File Transfer in Business", Ziff Davis
Mainframe and the Cloud: A Wiki definition
So what is “The Cloud?”
The Cloud: One definition
The idea of the "cloud" simplifies the many network connections and computer systems involved in online services. In fact, many network diagrams use the image of a cloud to represent the Internet. This symbolizes the Internet's broad reach, while simplifying its complexity. Any user with an Internet connection can access the cloud and the services it provides. Since these services are often connected, users can share information between multiple systems and with other users.
The Cloud and Virtualization
With the advent of VMware and other Linux, Unix and Windows virtualization tools, Cloud providers can add applications and capacity for a customer in a speedy manner.
Issues created by stamping out copies of servers and applications include copying unlicensed vendor software, repeating security vulnerabilities and copying identities to machines that are insecure.
Virtualization and The Mainframe
BIG Box, lots of little Machines
• z/VM – wasn’t it dead?
• IBM LINUX for z: Red Hat, SUSE
• USS – what is there? Fully POSIX compatible file system, TCP/IP, FTP, SSH, Firewall, RACF, ACF-2 and Top Secret, LDAP
Cloud Security Exposures
Biggest Cloud Security Concerns
• Preventing Data Loss
• Preventing Outages caused internally and externally to the organization
• Keeping Security Up To Date
Your Data In Transit
While data is secure at rest on the Mainframe, you lose control once it leaves.
If data being transferred is in the clear, it is akin to leaving your wallet lying on a bar.
If there is no authentication or validation of the Host, how do you know who you are communicating with?
FTP Today
Been around since 1971 (before the TCP and IP protocols – a very aged protocol)
Millions of critical files and data exchanged by corporations daily
Few Managers realize the Security and Management Risks with the prevalent use of FTP
FTP has not “evolved” over the years and is rife with Security Exposures
FTP in the Workplace
• Most Computers have the ability to exchange data (Users desktop)
• Embedded in services of TCP/IP
• Business to Business FTP transfers are uncontrolled and insecure
• Critical Lynchpin in Business to Business Communications
• Facility used for file transfers between diverse computing platforms
• The manner in which FTP is implemented by Business needs attention
• FTP activity is Rampant. Do you really know what is happening?
FTP and Compliance
1. PCI-DSS
   1. Any time credit card information is sent it must abide by the PCI-DSS compliance standards for security and confidentiality.
2. HIPAA, SOX, GLBA, FISMA & Others
   1. HIPAA - The HIPAA Security Rule mandates health plan providers, healthcare clearing houses, and other organizations processing health information to take reasonable and appropriate precautions to protect health information.
   2. SOX - Section 404 of SOX requires top management to establish an adequate internal control structure and include an assessment of its effectiveness in the annual report. Additionally, an external auditor needs to verify the management assertions.
   3. GLBA - The Safeguards Rule issued by the Federal Trade Commission (FTC) establishes standards for financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
   4. FISMA - FIPS 140-2 requires certified cryptographic modules to meet the compliance requirements for government agencies and certain contractors.
   5. California SB 1386, Basel II, Massachusetts Privacy Law
Risks associated with FTP
• Anyone with READ access also has “Transfer Out” access
• Read Clear Text Exposure
• Password interception
• Eavesdropping
• Hijacking / “Man in the middle”
• Connection “hijack”
• Spyware
• Wireless Connectivity
• Can open portal behind firewall
FTP Packet Trace Example
Passwords are in the CLEAR
FTP Passwords in Clear text
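The packet trace itself is not reproduced on this page, so the following is an added illustration (not the presenter's material) of what the slide is pointing at: on a plain FTP control channel the USER and PASS commands travel as readable text, so a defender can spot credential exposure by scanning captured session lines. The sample trace, host name, user name and password below are constructed for the example; the SSH sample shows that the same check finds nothing once the session is wrapped in SSH (SFTP or an SSH tunnel).

```python
import re
from typing import Dict, List

# Constructed sample of an FTP control-channel capture (TCP port 21), one line per
# packet payload, as an analyst would read it out of a packet trace. All values are
# made up for this example; the RETR line stands in for "READ access = transfer out".
SAMPLE_FTP_TRACE = [
    "220 MVS1 FTP server ready",
    "USER jsmith",
    "331 Send password please.",
    "PASS Winter2015",
    '230 JSMITH is logged on.  Working directory is "JSMITH.".',
    "PORT 10,1,2,3,4,5",
    "RETR PAYROLL.DATA",
    "226 Transfer completed successfully.",
    "QUIT",
]

# Constructed SSH session: only the version banners are readable; everything after
# the key exchange is ciphertext, so no USER/PASS lines exist to be observed.
SAMPLE_SSH_TRACE = [
    "SSH-2.0-OpenSSH_6.9",
    "SSH-2.0-OpenSSH_6.9",
    "<binary key exchange and encrypted packets>",
]

# FTP authentication commands are case-insensitive per RFC 959.
CREDENTIAL_CMD = re.compile(r"^(USER|PASS)\s+(\S+)", re.IGNORECASE)


def find_cleartext_credentials(lines: List[str]) -> List[Dict[str, object]]:
    """Return each USER/PASS command seen in cleartext on the control channel.

    The password is redacted (length preserved) so that the finding written to a
    report or SIEM does not itself leak the secret that was exposed on the wire.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = CREDENTIAL_CMD.match(line.strip())
        if not match:
            continue
        command, argument = match.group(1).upper(), match.group(2)
        value = argument if command == "USER" else "*" * len(argument)
        findings.append({"line": number, "command": command, "value": value})
    return findings


def files_transferred(lines: List[str]) -> List[str]:
    """List data sets moved in or out (RETR/STOR) during the captured session."""
    return [line.split(None, 1)[1] for line in lines
            if line.upper().startswith(("RETR ", "STOR "))]
```

Running the checker over the FTP sample reports the user name and a redacted password at lines 2 and 4 plus the transferred data set, while the SSH sample yields no findings.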
What Are The Options To Secure Your FTP?
• Firewalls / VPN
• FTPS / SFTP / Vendor Solutions / IBM Ported Tools
• FTP Server Off M/F
• PGP
File Transfer Infrastructure
• What are some alternatives
• Why or why not use the methods and tools
• When is a good time to use the solution

Alternatives covered, in the order the slides build them up:
• FTP (File Transfer Protocol)
• FTPS (FTP over SSL)
• FTP over SSH Tunnel
• SFTP (SSH Secure FTP)
• FTP/SFTP Hybrid (FTP to SFTP)
• VPN (Virtual Private Network)
• PGP (Data at rest)

FTP
Pros: Ubiquitous; Common knowledge; Included in base OS
Cons: Very little security; Not firewall friendly