ibm z security

26
IBM Z Security Jose Castano Vice President WW Sales IBM Z & LinuxONE IBM Z / Security / October 2020 / © 2020 IBM Corporation


Post on 19-May-2022


TRANSCRIPT

Page 1: IBM Z Security

IBM Z Security

Jose Castano, Vice President WW Sales, IBM Z & LinuxONE

IBM Z / Security / October 2020 / © 2020 IBM Corporation

Page 2: IBM Z Security

Along with COVID-19, cybercriminals have mobilized. Since February, IBM X-Force observed a 4,300% increase in coronavirus-themed attacks.

Organizations have been caught off guard. 75% of organizations do not have an incident response plan applied consistently. And one in four organizations don’t have a plan at all.

COVID-19-related domains are 50% more likely to be malicious than other domains registered during the same time period.

Companies need to reassess their own cyber resilience, in light of current conditions. 30% more executives say they now prioritize cybersecurity as a business competency compared to before.

How has the world changed?


Page 3: IBM Z Security

IBM Z Cyber Resiliency

Achieving high levels of resiliency is a multifaceted activity.

[Diagram: IBM Z Cyber Resiliency. Labels: Hardware; GDPS; Automation; DS8950, Copy Services; Clustering; Sysplex; Datasharing; Operating System; Sys. Rec. Boost; CF Config; System Mgmt.; Middleware; Security; Cyber Vault; Encryption / Key Management; Data Privacy Passports; Db2; MQ; CICS/VSAM; Crypto, HSM; Application; Hyper Protect VS - on prem; Business Continuity; IMS DB / DC]

Page 4: IBM Z Security

Proactive protection of data across hybrid multicloud environments

Across environments

• Pervasive encryption: encryption by default for user and application data
• Key management: centralized management of encryption keys for the infrastructure
• Cryptographic processors enable throughput of secure transactions at large scale

At rest and in-flight

• Data privacy passports: secure sensitive data as it moves throughout your enterprise and across hybrid multiclouds with data-centric protection

In-use

• Fully homomorphic encryption toolkit for Linux: access and perform calculations on data while it remains encrypted

Confidential computing

• Secure execution: confidential computing with full isolation of apps at scale
• IBM Cloud Hyper Protect Services protect sensitive data and workloads in the cloud
• Quantum Safe Digital Signatures

Page 5: IBM Z Security

How can banks secure data while becoming more agile?

Created an evolving security strategy that can cope with emerging cybersecurity threats and increased regulations.

We are taking every measure to protect our banking clients’ data from compromise.

Peter Winter, Manager, Middleware and Transaction Systems, Mainframe Platform, Fiducia & GAD IT AG

Solution Components:

• IBM Z
• Pervasive encryption
• Multi-Factor Authentication
• IBM zSecure
• IBM QRadar Security Information and Event Management

Millions of German citizens rely on banking services supported by Fiducia & GAD IT AG.

To protect their data, Fiducia & GAD IT AG executed a pervasive encryption strategy that takes advantage of powerful IBM capabilities such as IBM z/OS data set encryption and IBM Z Multi-Factor Authentication.

IBM technology helps the company to mitigate the impact of data breaches, simplify compliance with regulatory requirements and facilitate innovation.

Banking

IBM Systems

www.ibm.biz/p-e-survey5


Page 6: IBM Z Security

The question is not IF you will be attacked but WHEN

• $3.86 Million: Average total cost of a data breach*
• + $137,000: Increase in data breach and incident response time costs due to remote work during COVID-19*
• $8 Billion: Estimated global cost of WannaCry attack*
• 280 Days: Average amount of time hackers spend inside IT environments before discovery*
• $230 Million: GDPR fine for one data breach*
• $53 Billion: Predicted economic losses of the next global cyber attack

* Sources:
• Cost of a Data Breach Report 2020, Ponemon Institute
• Riensirce news May 23 2017

Page 7: IBM Z Security

IBM Cyber Vault Solution / October 2020 / © 2020 IBM Corporation

Customer Focus - Financial Institution

Business challenge

The Chief Technology Officer recognized that their current high availability solution would not protect the financial institution from the risk of data destruction through a cyber attack.

Solution

Institution established network-isolated vaults in three data centers (Europe, AP and US) with enhanced access controls. IBM z14™ and POWER9 host systems deployed for backup/recovery management, IBM DS8886F with SafeGuarded Copy protection, GDPS and IBM TS7760 to support mainframe and IBM i environments.

Ensuring 300 critical services could be restored within 24 hours to ensure business continuity should a cyber attack or other data corruption occur

Focused on corruption or destruction of data whether by cyber attack or from an internal action, whether it be accidental or deliberate and on being able to ensure an entire system can be restored to minimize disruption to the business

Client requirements:

• Point in time copies of the entire system
• Protected from network by an air gap
• Ability to regularly inspect quality of data in the isolated vault and test recovery scenarios

IBM DS8886F

IBM TS7700

“If our cyber defenses fail, and the bank’s IT becomes inoperable, how could we recover our 300 most critical services to a consistent point within 24 hours? Without that, the bank could be out of business.”

- global bank executive

Page 8: IBM Z Security

Speed recovery to significantly reduce the impact of breaches

[Figure: Cyber Incident Timeline. Time axis: 0, 30, 45, 60, 90, 2 hrs, 10 hrs, 2 days, 3 days, 1 week, 2 weeks. Phases: Detect Phase, Respond Phase, Recover Phase. Labels: Initial Compromise, Major Breach, Breach impact, IBM Cyber Vault, Tier 1 Recovery, Tier 2 Recovery, Infrastructure recovery, Infrastructure recovery complete, Platform recovery, Platform Recovery Complete. Numbered markers 1 to 4 are explained below.]

1. Corruption of data occurs - but not yet detected

2. Due to the Cyber Vault environment and the use of Safe Guarded Copy Technology, data is continuously checked and corruption is found and corrected

3. Without the Cyber Vault environment corruption is detected much later and has a greater chance to spread

4. It takes even longer to identify all impacted data once the corruption has spread within the enterprise

Page 9: IBM Z Security

Why traditional resiliency solutions won’t protect you from logical data corruption

Replication
• You have: Data is being replicated continuously but logical errors are also replicated instantaneously
• What is required: Scheduled point in time copies stored in an isolated, secure location

Error Detection
• You have: Immediate detection of system and application outages
• What is required: Regular data analytics on point in time copies to validate data consistency

Recovery points
• You have: Single recovery point that likely will be compromised
• What is required: Multiple recovery points

Isolation
• You have: All systems, storage and tape pools participate in the same logical system structure
• What is required: Air gapped systems and storage so that logical errors and malicious intruders can not propagate

Recovery Scope
• You have: Continuous Availability and Disaster Recovery
• What is required: Forensic, surgical or catastrophic recovery capabilities

Page 10: IBM Z Security

IBM Z and Software

The only System with a 99.99999% availability

EAL 5+ certified Cyber Vault for IBM Z LPAR for validation, testing and forensics

Data monitoring, consistency and anomaly detection

Management Software

IBM Security solutions

IBM Services

IBM GDPS provides services, clustering technologies, and server and storage replication and automation.

Logical Data Corruption (LCP) and Copy Services Manager (CSM) enhancements manage the entire recovery environment

IBM Lab Services risk assessment and deployment services

IBM Storage

Data volumes and active copies generated and maintained

DS8000 SafeGuarded Copy

Immutable backups

TS7700 Virtual Tape with Encryption and/or WORM

Secure air gapped data vault

IBM Z Cyber Vault Solution

Page 11: IBM Z Security

IBM storage provides safeguarded copy

• Prevent sensitive point in time copies of data from being modified or deleted due to errors, malicious destruction or ransomware attacks

• Create up to 500 SafeGuarded Backups for a production volume stored in SafeGuarded Backup Capacity, which is not accessible to any server.

• The data is accessible only after a SafeGuarded Backup is recovered to a separate recovery volume.

• Recovery volumes are used with a data recovery system for:

– Data validation

– Forensic analysis

– Restore production data

[Figure: Production System and Cyber Vault LPAR; Production Volume, Recovery Volume, and SafeGuarded backups 1 to 5 in Backup Capacity; time axis 6:00, 9:00, 12:00, 15:00, 18:00. Labels: Backup, Restore, Corrupt, Validate.]

Page 12: IBM Z Security

IBM storage provides safeguarded copy


[Figure: Production System and Cyber Vault LPAR; Production Volume, Recovery Volume, and SafeGuarded backups 1 to 5 in Backup Capacity; time axis 6:00, 9:00, 12:00, 15:00, 18:00. Labels: Backup, Restore, Validate, Corrupt.]

Page 13: IBM Z Security

IBM storage provides safeguarded copy


[Figure: Production System and Cyber Vault LPAR; Production Volume, Recovery Volume, and SafeGuarded backups 1 to 5 in Backup Capacity; time axis 6:00, 9:00, 12:00, 15:00, 18:00. Labels: Backup, Restore, Validate, Good copy, Recover.]

Page 14: IBM Z Security

Deployment services for the Cyber Vault for IBM Z solution

Discovery and Architecture Workshop

• Validate Cyber Vault use case & understanding
• Design technical solution
• Create inputs to produce customized implementation services scope and size

Cyber Vault Installation and Configuration

• Install Cyber Vault solution components
• Validate installation completeness
• Basic CV knowledge transfer

Cyber Vault Data Recovery System Validation

• Validate selected system component copy restore capability and use
• Understand operational processes required for CV operation
• Prepare for Cyber Event Usage

DRS forensics and recovery assistance can be provided in support of Cyber Incidents on a time & materials basis

Co-requisite services

Page 15: IBM Z Security

An open hybrid strategy unleashes the full potential of your estate.

2.5X more value than a public-only strategy.

Business acceleration

Infrastructure cost efficiency

Strategic optionality

Regulatory and risk

Architecture development method productivity

Sources of value

Unleash the potential of hybrid cloud with IBM LinuxONE / October, 2020 / © 2020 IBM Corporation 15

Page 16: IBM Z Security

Substantial workload shift to cloud environments

Private Cloud a strong focus for on- and off-premises solutions

[Chart: share of workloads by environment, in three columns (TODAY, TWO YEARS, IDEAL STATE), grouped as NON-CLOUD, PRIVATE CLOUD and PUBLIC CLOUD.]

TODAY

• 27% On-Premises Non-Cloud
• 8% Off-Premises Non-Cloud
• 31% On-Premises Private Cloud
• 9% Hosted Private Cloud
• 8% IaaS
• 8% PaaS
• 10% SaaS

TWO YEARS (values in the order shown on the chart): 21%, 7%, 31%, 10%, 9%, 10%, 11%

IDEAL STATE (values in the order shown on the chart): 21%, 8%, 29%, 11%, 10%, 11%, 11%

Source: IDC’s Cloud Pulse Q120, March 2020, n=2000

50% of ideal state workloads will still be on-premises

30% in public cloud

Page 17: IBM Z Security

Matching the right cloud to the right workload

Transform and Cloud Enable

Private Cloud

Public Cloud

• Highly customized applications
• Not yet virtualized applications
• Applications with complex processes and transactions
• Workloads needing low latency to back ends
• Existing database workloads
• Applications with sensitive data
• Regulation-intensive applications
• Information-intensive applications
• Batch processing
• Backup & archive
• ERP
• Big data & analytics
• Front office/desktop
• Risk & compliance services
• Web applications / e-commerce
• Digital experience solutions
• Customer service
• Enterprise social solutions
• Third-party applications
• Mobile applications
• Non-core business processes
• Development and test workloads

Enterprise transformation required for cloud adoption

DevOps | Governance | Integration

Security | Architecture | Culture

Data sovereignty / residency

Page 18: IBM Z Security

Designing for zero trust?

Operational Assurance: “I will not access your data”

Technical Assurance: “I cannot access your data”

Confidential computing is one of the central elements to delivering technical assurance

Page 19: IBM Z Security

IBM Cloud Hyper Protect services

Data services

Key-management services

Compute services

Build services

Page 20: IBM Z Security

Blueprint for secure hybrid cloud

App Modernization Portfolio Transformation: Services helps customers build modernization roadmaps and prioritize quick wins

+

Red Hat OpenShift: Red Hat OpenShift lets you build once, run anywhere, creating the common foundation

+

LinuxONE Security at Scale: IBM LinuxONE servers consolidate and protect, with the best security and TCO in the market

Page 21: IBM Z Security

Current State: A sprawling, unmanageable cost center


Public Cloud On-Premises

Complex.

Expensive.

Inefficient.

Secure?

Page 22: IBM Z Security

Interim State: Journey to hybrid cloud

• Confidential Computing

• Simpler

• Lower cost.

• Greater efficiency.

On-Premises + Multicloud Manager

Hybrid Cloud

Page 23: IBM Z Security

Target State: Secure hybrid cloud with IBM LinuxONE

LinuxONE

[Diagram labels: Oracle on Linux, MongoDB, PostgreSQL, Cloud Pak for Apps, Cloud Pak for Integration, Hyper Protect]

Secure

• Enabled for Confidential Computing, for the most secure at-scale Linux environment
• Data vault approach for sensitive data with LinuxONE pervasive security

Simple

• Radically simplified operational model that helps standardize skills on and off premises
• Mission-critical Linux workloads consolidated to an operationally resilient platform

Cost-effective

• Huge reduction in costs for per core software licenses and greater efficiency

Agile

• Apps and data can seamlessly connect with IBM Cloud Hyper Protect Services both on & off premises

Confidential Computing Platform

Page 24: IBM Z Security

Backup

Page 25: IBM Z Security

“Facing constant growth in demand, and increasing regulatory pressure around security capabilities, Emid wanted to upgrade its infrastructure to take advantage of the most secure and reliable platform available.”

Resilient and secure banking leveraging pervasive encryption on IBM Z

IBM LinuxONE and IBM Secure Service Container for IBM Cloud Private to support their new digital asset management platform

Fiducia & GAD IT AG adopted a pervasive encryption strategy involving IBM security features such as IBM z/OS® data set encryption and IBM Z® Multi-Factor Authentication to ramp up data protection.

Helps companies secure blockchain innovation with end-to-end pervasive encryption features.

Hex Trust’s custody platform, Hex Safe™, was specifically engineered leveraging IBM Hyper Protect Virtual Servers and IBM LinuxONE to enable trusted cryptographic transactions and to deliver the highest level of security and scalability.

LinuxONE success stories


Phoenix Systems

Page 26: IBM Z Security


1“The Real Costs Of Planned And Unplanned Downtime”, Forrester Consulting, August 2019 . Forrester Opportunity Snapshot: A Custom Study Commissioned by IBM

Disruptions Remain Costly

In 2020 IBM commissioned a study of 100 IT directors in large US enterprises to understand the reality of downtime at their organization. These IT Directors faced the following challenges:

High Cost

$5.6 M estimated cost of planned downtime in the last year.

Cost of downtime per year

Service Availability | 100,000 $/hr | 500,000 $/hr | 1,000,000 $/hr
99.99999% | $88 | $438 | $877
99.999% | $8,766 | $43,830 | $87,660
99.99% | $87,660 | $438,300 | $876,600
99.9% | $876,600 | $4,383,000 | $8,766,000
99% | $8,766,000 | $43,830,000 | $87,660,000

Business continuity & resiliency

Cost of Downtime

The average hourly costs of downtime are immense: 86% of businesses lose $300,000+ per hour, and 34% lose $1,000,000+ per hour. (ITIC)