crypto for cios mastcopy v1 - new era · without formal, centralized control over keys, you risk:...
TRANSCRIPT
![Page 1: Crypto For CIOs MastCopy v1 - New Era · Without formal, centralized control over keys, you risk: loss of essential knowledge and data, duplication of effort, unnecessary costs. You’ll](https://reader035.vdocuments.us/reader035/viewer/2022063011/5fc49180173880416e05b982/html5/thumbnails/1.jpg)
© 2017, Greg Boyd, Stuart Henderson
Tutorial: Crypto on z/OS Systems for CIOs and the Rest of Us
Greg Boyd ([email protected])
Stu Henderson ([email protected])
Abstract
This session is for CIOs, security administrators, system programmers, and auditors who have heard about cryptography (both the hardware and the ICSF software on z/OS), know it's important, but don't really understand it.
You may have felt that other cryptography presentations went over your head.
In this session, Greg and Stu tell you just what you need to know, in simple, understandable terms. You'll learn to cut expenses while improving security.
Mainframe Crypto for CIOs and the Rest of Us
Agenda
1. Introduction
2. The Easy, No-Brainer Steps
3. The Necessary Hard Part
4. Summary and Call to Action
1. Introduction

Cryptography is
"The practice … of techniques for secure communication in the presence of third parties." (from Wikipedia, https://en.wikipedia.org/wiki/Cryptography)
It relies on mathematical algorithms and a unique number, called a key.
The recipient, holding the key, can reverse the process to recover the original data; the protection lasts only as long as the key stays secret.
Cryptography can provide
• Protection of data (confidentiality)
• Data integrity
• Authentication (prove someone's identity)
• Non-repudiation (prove who a message came from, and that it hasn't been altered)
A long time ago
Each application tried to write its own encryption routines, often without mathematical rigor.
Results were often: inconsistent, vulnerable, costly, inefficient, difficult to administer, difficult to maintain.
Then new regulations and new technology came along, making it harder to keep up.
So IBM offered us IBM's Crypto Infrastructure on z/OS Systems (crypto hardware plus the ICSF software). This offers a single, integrated way to do cryptography: rigorous and efficient security and integrity for our data.
What You Need to Know
Cryptography can be done in hardware or software.
Any program (product, component or application) can leverage the crypto infrastructure to secure your data.
Each shop needs to enable the infrastructure and implement the products, components or applications to leverage that infrastructure.
Cryptography
Is going to be required in more and more applications.
The cost can be significant, if not managed.
The administrative overhead can be significant, if not managed.
You need both crypto hardware and ICSF software to provide effective security and integrity on z/OS with minimum cost and minimum overhead.
Two big types of change make it important to centralize administration for encryption:
Technology (new algorithms, policy-based encryption, new hardware, new password crypto)
Regulatory change (what's happening in Europe, in the US)
Plus centralized key management and consistency.
Three Key Risks:
If you lose the keys, you've lost the data forever.
Anyone who can see the keys and access the encrypted data can decrypt the data.
Applications can start encryption without documentation, backup, CPU tuning.
Effect: No one wants this responsibility.
The Main Risk:
Without formal, centralized control over keys, you risk: loss of essential knowledge and data, duplication of effort, unnecessary costs.
You'll miss technology and regulatory changes.
You can't expect some sysprog to manage this alone. The CIO needs to dedicate the resources and enforcement to have key management done simply and reliably.
Some Driving Factors
• New York State, EU GDPR (General Data Protection Regulation), PCI, CMS, NIST, and others implementing new regulations and standards
• Policy-based encryption (for data sets)
Instructive Stories From Other Shops
• The shop with hardware disk encryption
• The shop where CPU usage escalated suddenly
• The shop where they lost the master key
• The shop where the keys were exposed
• The shop where the DBA told DB2 to start encrypting
• The shop that paid too much for software licensing
• The shop that couldn't tell the auditors what was being encrypted
The Essential Take-Away
You need formal key management, no matter what the platform, with adequate: enforcement, resources, written procedures, and involvement from several key disciplines.
This doesn't work unless it comes from the CIO.
2. The Easy, No-Brainer Steps

Three Components
Hardware: two devices
• CPACF (CP Assist for Cryptographic Function): already there on your system; adds instructions to the CPU; speeds processing by a factor of 1000 or more
• CEXn (Crypto Express): separate devices, separate price; tamper resistant; uses less CPU time, more wall clock time (think "Mission Impossible")
Software
• ICSF, or Integrated Cryptographic Service Facility (started task that routes crypto requests; the central control point)
[Diagram: the ICSF started task on z/OS. A local application, product or component calls the ICSF APIs; the ICSF router passes each request either to CPACF (using the wrapping key) or to a Crypto Express card (CEX), each card holding its own master keys (MKs). The key data sets CKDS, PKDS and TKDS are read into data spaces. Administration is through the ICSF options, ISPF panels, TKE and the console, with access controlled through SAF.]
ICSF is required:
• To use the Crypto Express cards (security for key material, performance for TLS/SSL operations)
• To perform key management, including security and integrity of key material
• To support future policy-based encryption of data at rest
• By many other products, such as the InfoSphere Guardium Data Encryption Tool for DB2 and IMS, or the Encryption Facility for z/OS
SSL/AT-TLS Exploiters
CICS, LDAP, WebSphere, MQ Series, Tivoli Access Manager for Business Integration Host Edition, Policy Director Authorization Services, Secure TN3270, IMS, PKI Services, EIM, Sendmail, Secure FTP, IPSEC, IBM HTTP Server
IBM Announcements 216-391 & 217-085
• IBM plans to deliver application-transparent, policy-controlled data set encryption in IBM z/OS. IBM DB2 for z/OS and IBM Information Management System (IMS) intend to exploit z/OS data set encryption.
• z/OS V2.3 plans to replace application development efforts with transparent, policy-based data set encryption:
  • Planning enhanced data protection for z/OS data sets, zFS file systems, and Coupling Facility structures to give users the ability to encrypt data without needing to make costly application program changes.
  • Designing new z/OS policy controls to make it possible to use pervasive encryption to protect user data and simplify the task of compliance.
• z/OS Communications Server will be designed to include encryption readiness technology to enable z/OS administrators to determine which TCP and Enterprise Extender traffic patterns to and from their z/OS systems meet approved encryption criteria and which do not.
Pervasive Encryption
• Multiple file types
  • BSAM/QSAM
  • VSAM extended format
  • Coupling Facility
  • Encrypted data sets
• Key labels supplied at allocation
  • RACF data set profile, DFP segment
  • JCL, dynamic allocation, TSO
  • SMS data class
  • IDCAMS
Pervasive Encryption - Prerequisites
• z196/z114 or higher with a CEX card
• z/OS 2.2 or z/OS 2.3
• z/OS 2.1 with maintenance can read/write encrypted data sets, but can't create an encrypted data set
• ICSF HCR77C0, or HCR77A0 through HCR77B1 with OA50450
• SYMCPACFRET(YES) in the ICSF segment of the key's CSFKEYS profile (lets ICSF return the protected form of the secure key for CPACF use)
• Extended format data sets
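Here is how the key-label sources (RACF DFP segment, JCL, IDCAMS) and the SYMCPACFRET(YES) and extended-format prerequisites fit together in one job. This is an added example, not taken from the deck or from IBM's own documentation: the key label DATASET.PAYROLL.KEY, the data set names, the userid PAYRUN and the data class EXTFMT are hypothetical, and the job assumes a key administrator has already generated the AES-256 DATA key into the CKDS under that label.

```jcl
//DSENCRYP JOB (ACCT),'DATA SET ENCRYPTION',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not from the original deck. The key label, data set
//* names, userid PAYRUN and data class EXTFMT are hypothetical. It
//* assumes an AES-256 DATA key already exists in the CKDS under the
//* label DATASET.PAYROLL.KEY.
//*-------------------------------------------------------------------
//* Step 1: RACF rules. The CSFKEYS profile needs the ICSF segment
//* with SYMCPACFWRAP(YES) SYMCPACFRET(YES) so DFSMS can obtain a
//* CPACF protected key from the secure key. The DFP segment on the
//* data set profile binds the label to every new data set matching
//* PAYROLL.MASTER.**, so application JCL needs no change at all.
//*-------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE CSFKEYS DATASET.PAYROLL.KEY UACC(NONE) +
     ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
 PERMIT DATASET.PAYROLL.KEY CLASS(CSFKEYS) ID(PAYRUN) ACCESS(READ)
 SETROPTS RACLIST(CSFKEYS) REFRESH
 ADDSD 'PAYROLL.MASTER.**' UACC(NONE) +
     DFP(DATAKEY(DATASET.PAYROLL.KEY))
 PERMIT 'PAYROLL.MASTER.**' ID(PAYRUN) ACCESS(UPDATE)
 SETROPTS GENERIC(DATASET) REFRESH
/*
//*-------------------------------------------------------------------
//* Step 2: a VSAM KSDS created encrypted by naming the key label in
//* IDCAMS DEFINE. EXTFMT is assumed to be a data class that selects
//* extended format (DSNTYPE EXT), which encrypted VSAM requires.
//*-------------------------------------------------------------------
//DEFVSAM  EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(PAYROLL.MASTER.KSDS)          -
         KEYLABEL(DATASET.PAYROLL.KEY)              -
         INDEXED KEYS(10 0) RECORDSIZE(200 200)     -
         CYLINDERS(5 1) DATACLAS(EXTFMT))           -
    DATA (NAME(PAYROLL.MASTER.KSDS.DATA))           -
    INDEX (NAME(PAYROLL.MASTER.KSDS.INDEX))
/*
//*-------------------------------------------------------------------
//* Step 3: a sequential data set with the key label on the DD.
//* DSNTYPE=EXTREQ requests extended format, the prerequisite listed
//* on the slide above; DSKEYLBL names the CKDS label.
//*-------------------------------------------------------------------
//ALLOCSEQ EXEC PGM=IEFBR14
//NEWDS    DD DSN=PAYROLL.MASTER.HISTORY,DISP=(NEW,CATLG),
//            DSNTYPE=EXTREQ,DSKEYLBL='DATASET.PAYROLL.KEY',
//            SPACE=(CYL,(5,1)),RECFM=FB,LRECL=200,UNIT=SYSDA
```

The DATAKEY in the RACF DFP segment takes precedence over a label supplied by JCL, IDCAMS or the SMS data class, so with Step 1 in place the data sets in Steps 2 and 3 would be encrypted under DATASET.PAYROLL.KEY even without their explicit labels; the explicit forms are shown because they are what an application team sees. When the label comes from JCL, IDCAMS or a data class rather than from RACF, z/OS 2.3 also requires the creating user to have READ access to STGADMIN.SMS.ALLOW.DATASET.ENCRYPT in the FACILITY class, and if the CSFSERV class is active the caller needs READ to the ICSF key-record services DFSMS drives; confirm both against the DFSMS and ICSF documentation for your release before rolling this out.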
The Easy, No-Brainer Steps
You already have the first hardware device for free:
• CPACF (CP Assist for Cryptographic Function)
You already have the software for free:
• ICSF, or Integrated Cryptographic Service Facility
The Crypto Express card is a tougher decision, but you're probably going to need it sooner or later.
3. The Necessary Hard Part

Organizational Issues
• Many parts of the organization need to be involved in defining the crypto environment:
  • Legal, regulatory, compliance, audit, risk management
  • Application owners and designers
  • Marketing
• When the demand comes from regulators, auditors, the marketplace, you need to be ready.
What CIOs Need to Know and Do:
• Take ownership of encryption across the enterprise
• Identify and prioritize the crypto resources that require protection (network communications? databases? files being sent to a partner?). What compliance regs or audits are you trying to pass?
• Define the security strengths required (AES vs. TDES; RSA, ECC or both? key lengths, key rotation policy)
• Identify key managers
• Inventory/purchase the tools available to meet those requirements
What Sysprogs Need to Know and Do
• Configure hardware for redundancy and recoverability
• Set up the started task (coordinate with the security administrator)
• Set up the key data sets
• Install and implement the tools to protect the corporate resources that need to be protected
What Security Admins Need to Know and Do
• Define the userid for the started task
• Keystore access
• USS security implications for TCP/IP
• Develop key labeling conventions (used to secure the key)
• Define crypto resource rules
  • Protect the functions
  • Protect the keys
  • Define keystore policies
• Identify the owner (who approves the rules)
• Document approvals, annual re-certification, maintain the rules
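The security-administrator items above, as one RACF job: the started-task userid, keystore access, protecting the functions (CSFSERV) and the keys (CSFKEYS), and a label convention enforced through generic profiles. This is an added example, not the deck's or IBM's; the userids CSFSTC, KEYADMIN and PAYRUN, the group STCGROUP, the SYS1.CSF.* key data set names and the DATASET.* label prefix are all hypothetical, while CSFSERV, CSFKEYS, STARTED and the CSFKGN service name are real RACF/ICSF resources.

```jcl
//ICSFSEC  JOB (ACCT),'ICSF SECURITY SETUP',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not from the original deck. Userids, the group,
//* the SYS1.CSF.* data set names and the DATASET.* label convention
//* are hypothetical. The SYSTSIN commands, in order:
//*  1. A protected userid for the ICSF started task (NOPASSWORD, so
//*     nobody can log on as it) and a STARTED profile assigning it.
//*  2. Keystore access: only ICSF itself and the key administrators
//*     can touch the CKDS/PKDS/TKDS; every read is audited.
//*  3. Protect the functions: CSFSERV with a deny-all catch-all in
//*     WARNING mode (access is logged as ICH408I but still allowed
//*     until WARNING is removed), and the key-generation service
//*     CSFKGN opened only to the key administrators.
//*  4. Protect the keys: CSFKEYS with a deny-all catch-all and one
//*     generic profile per label prefix, so an application can read
//*     only the labels under its own prefix. The prefix is the
//*     labeling convention; RACF enforces it.
//*-------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDUSER CSFSTC NAME('ICSF STARTED TASK') NOPASSWORD +
     OWNER(SYS1) DFLTGRP(STCGROUP)
 SETROPTS GENERIC(STARTED CSFSERV CSFKEYS)
 RDEFINE STARTED CSF.* STDATA(USER(CSFSTC) GROUP(STCGROUP) TRUSTED(NO))
 SETROPTS RACLIST(STARTED) REFRESH
 ADDSD 'SYS1.CSF.**' UACC(NONE) OWNER(KEYADMIN) AUDIT(ALL(READ))
 PERMIT 'SYS1.CSF.**' ID(CSFSTC) ACCESS(UPDATE)
 PERMIT 'SYS1.CSF.**' ID(KEYADMIN) ACCESS(ALTER)
 SETROPTS GENERIC(DATASET) REFRESH
 RDEFINE CSFSERV ** UACC(NONE) WARNING AUDIT(FAILURES(READ))
 RDEFINE CSFSERV CSFKGN UACC(NONE)
 PERMIT CSFKGN CLASS(CSFSERV) ID(KEYADMIN) ACCESS(READ)
 RDEFINE CSFKEYS ** UACC(NONE) AUDIT(FAILURES(READ))
 RDEFINE CSFKEYS DATASET.** UACC(NONE) OWNER(KEYADMIN)
 PERMIT DATASET.** CLASS(CSFKEYS) ID(PAYRUN) ACCESS(READ)
 PERMIT DATASET.** CLASS(CSFKEYS) ID(KEYADMIN) ACCESS(CONTROL)
 SETROPTS CLASSACT(CSFSERV CSFKEYS) RACLIST(CSFSERV CSFKEYS)
 SETROPTS RACLIST(CSFSERV CSFKEYS) REFRESH
/*
```

Leave the CSFSERV catch-all in WARNING mode for a full cycle of batch and online work and review the ICH408I messages and SMF records it produces: System SSL, DB2, MQ and the data set encryption path each drive their own set of ICSF services, and each exploiter must be permitted to those services before WARNING is removed, or TLS and encryption will start failing in production rather than in the log. The table of which service each product uses is in the ICSF Administrator's Guide.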
What Key Admins Need to Know and Do
• Master keys
  • Understand the process for loading and changing master key material
  • Ensure the security of master key material that must be available for recovery purposes
• Operational keys
  • Use the Key Generation Utility Program (KGUP) to define symmetric keys
  • Use RACDCERT (or equivalent) to define public/private key material
  • Execute key change policies
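The two operational-key tasks above, KGUP for a symmetric key and RACDCERT for a public/private pair, as one job. This is an added example, not from the deck or IBM's documentation: the CKDS name, the key label DATASET.PAYROLL.KEY, the KGUP output data sets, the userid WEBSRV, the ring name WEBRING and the certificate subject are hypothetical, and the DCB attributes on the KGUP output data sets are an assumption to be checked against the ICSF Administrator's Guide for your HCR level. It assumes ICSF is active with its AES master key loaded on a Crypto Express coprocessor and a PKDS defined.

```jcl
//KEYADMIN JOB (ACCT),'KEY ADMIN',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not from the original deck. Data set names, the
//* key label, userid WEBSRV, ring WEBRING and the certificate subject
//* are hypothetical; the CSFKEYS/CSFSTMNT DCB attributes are an
//* assumption, check them for your HCR level.
//*-------------------------------------------------------------------
//* Step 1: KGUP generates a random AES-256 DATA key straight into the
//* CKDS. The key is stored wrapped under the AES master key of the
//* Crypto Express card, so no clear key material ever appears in the
//* job, the output data sets, or the job log.
//*-------------------------------------------------------------------
//KGUP     EXEC PGM=CSFKGUP
//CSFCKDS  DD DSN=SYS1.CSF.CKDS,DISP=OLD
//CSFIN    DD *
ADD TYPE(DATA) ALGORITHM(AES) LENGTH(256) LABEL(DATASET.PAYROLL.KEY)
/*
//CSFDIAG  DD SYSOUT=*
//CSFKEYS  DD DSN=KEYADMIN.KGUP.KEYS,DISP=(NEW,CATLG),
//            SPACE=(TRK,(1,1)),UNIT=SYSDA,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//CSFSTMNT DD DSN=KEYADMIN.KGUP.STMNT,DISP=(NEW,CATLG),
//            SPACE=(TRK,(1,1)),UNIT=SYSDA,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//*-------------------------------------------------------------------
//* Step 2: refresh the in-storage copy of the CKDS so ICSF serves the
//* new label without a restart.
//*-------------------------------------------------------------------
//REFRESH  EXEC PGM=CSFEUTIL,PARM='SYS1.CSF.CKDS,REFRESH'
//*-------------------------------------------------------------------
//* Step 3: asymmetric material via RACDCERT. PCICC makes RACF
//* generate the RSA key pair inside the Crypto Express card and keep
//* the private key in the PKDS, so it never exists in the clear in
//* z/OS storage. The certificate is connected to a key ring that a
//* TLS exploiter (AT-TLS, IBM HTTP Server, etc.) will reference.
//* NOTAFTER is the expiry that the key rotation policy must track.
//*-------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT ID(WEBSRV) GENCERT +
     SUBJECTSDN(CN('www.example.com') O('Example Corp') C('US')) +
     WITHLABEL('WEBSRV RSA 2017') SIZE(2048) PCICC +
     NOTAFTER(DATE(2018-12-31))
 RACDCERT ID(WEBSRV) ADDRING(WEBRING)
 RACDCERT ID(WEBSRV) CONNECT(LABEL('WEBSRV RSA 2017') +
     RING(WEBRING) DEFAULT)
 RACDCERT ID(WEBSRV) LISTRING(WEBRING)
 SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
/*
```

KGUP updates the CKDS on disk, which is why the REFRESH step follows it; until then ICSF still answers from the old in-storage copy and the new label is not found. The self-signed certificate from GENCERT is enough for an internal test; for production, follow it with a GENREQ to produce a certificate request for your CA and ADD the signed certificate back under the same label, which keeps the private key in the PKDS untouched.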
What Auditors Are Going to Expect
• Review the risk assessment: who decides (who is responsible for deciding) when and how to encrypt
• Review the procedures to make it happen
• Review assignment of responsibility, policy, baselines
• Compare security software rules to approvals
• Conclude how well risk is managed
4. Summary and Call to Action

Summary and Call to Action
• The need for mainframe cryptography is unavoidable.
• If it is not managed from the CIO down, the odds of failure go up.
• You can start with the easy steps, and then dedicate resources to the hard ones.
Summary and Call to Action
We've talked about the crypto infrastructure, and why it's important, both to save money and to provide effective security.
No one person can get it properly implemented; several key players have important roles.
If these functions aren't happening in your shop, who needs to be involved to make it better?
If not you, then who? Thanks for your kind attention.
Other Info Sources
• Greg's newsletter, articles: http://www.mainframecrypto.com/articles/
• Stu's newsletters, articles: http://www.stuhenderson.com/Newsletters-Archive.html
• IBM Crypto Education: https://www.ibm.com/developerworks/community/groups/community/crypto