IBM Z Security
Jose Castano, Vice President WW Sales IBM Z & [email protected]
IBM Z / Security / October 2020 / © 2020 IBM Corporation
How has the world changed?
Along with COVID-19, cybercriminals have mobilized. Since February, IBM X-Force observed a 4,300% increase in coronavirus-themed attacks.
Organizations have been caught off guard. 75% of organizations do not have an incident response plan applied consistently, and one in four organizations don't have a plan at all.
COVID-19-related domains are 50% more likely to be malicious than other domains registered during the same time period.
Companies need to reassess their own cyber resilience in light of current conditions. 30% more executives say they now prioritize cybersecurity as a business competency compared to before.
IBM Z Cyber Resiliency
Achieving high levels of resiliency is a multi-faceted activity.
[Diagram: layered view of IBM Z cyber resiliency. Layers shown: Hardware, Clustering, Operating System, Middleware, Security, Application, Business Continuity. Elements shown: GDPS, Automation, DS8950 Copy Services, Sysplex, Datasharing, CF Config, Sys. Rec. Boost, System Mgmt., Cyber Vault, Encryption / Key Management, Data Privacy Passports, Db2, MQ, CICS/VSAM, IMS DB / DC, Crypto, HSM, Hyper Protect VS on prem.]
Proactive protection of data across hybrid multicloud environments
Pervasive encryption: encryption by default for user and application data.
Key management: centralized management of encryption keys for the infrastructure.
Cryptographic processors enable throughput of secure transactions at large scale.
Data Privacy Passports: secure sensitive data as it moves throughout your enterprise and across hybrid multiclouds with data-centric protection.
Across environments: at rest, in flight and in use.
Fully homomorphic encryption toolkit for Linux: access and perform calculations on data while it remains encrypted.
Confidential computing / Secure Execution: confidential computing with full isolation of apps at scale.
IBM Cloud Hyper Protect Services protect sensitive data and workloads in the cloud.
Quantum-safe digital signatures.
How can banks secure data while becoming more agile?
Created an evolving security strategy that can cope with emerging cybersecurity threats and increased regulations.
"We are taking every measure to protect our banking clients' data from compromise."
Peter Winter, Manager, Middleware and Transaction Systems, Mainframe Platform, Fiducia & GAD IT AG
Solution components:
• IBM Z
• Pervasive encryption
• Multi-Factor Authentication
• IBM zSecure
• IBM QRadar Security Information and Event Management
Millions of German citizens rely on banking services supported by Fiducia & GAD IT AG. To protect their data, Fiducia & GAD IT AG executed a pervasive encryption strategy that takes advantage of powerful IBM capabilities such as IBM z/OS data set encryption and IBM Z Multi-Factor Authentication. IBM technology helps the company to mitigate the impact of data breaches, simplify compliance with regulatory requirements and facilitate innovation.
Read the full story
Banking / IBM Systems
www.ibm.biz/p-e-survey
The question is not IF you will be attacked but WHEN
$3.86 Million: average total cost of a data breach*
+ $137,000: increase in data breach and incident response time costs due to remote work during COVID-19*
$8 Billion: estimated global cost of WannaCry attack*
280 Days: average amount of time hackers spend inside IT environments before discovery*
$230 Million: GDPR fine for one data breach*
$53 Billion: predicted economic losses of the next global cyber attack
* Sources: Cost of a Data Breach Report 2020, Ponemon Institute; Riensirce news, May 23 2017
IBM Cyber Vault Solution / October 2020 / © 2020 IBM Corporation
© IBM Corporation 2019
Customer Focus - Financial Institution
Business challenge
The Chief Technology Officer recognized that their current high availability solution would not protect the financial institution from the risk of data destruction through a cyber attack.
Solution
The institution established network-isolated vaults in three data centers (Europe, AP and US) with enhanced access controls. IBM z14™ and POWER9 host systems were deployed for backup/recovery management, with IBM DS8886F with SafeGuarded Copy protection, GDPS and IBM TS7760 to support mainframe and IBM i environments.
Ensuring 300 critical services could be restored within 24 hours to ensure business continuity should a cyber attack or other data corruption occur.
Focused on corruption or destruction of data, whether by cyber attack or from an internal action (accidental or deliberate), and on being able to ensure an entire system can be restored to minimize disruption to the business.
Client requirements:
• Point-in-time copies of the entire system
• Protected from the network by an air gap
• Ability to regularly inspect the quality of data in the isolated vault and test recovery scenarios
[Diagram labels: IBM DS8886F, IBM TS7700]
"If our cyber defenses fail, and the bank's IT becomes inoperable, how could we recover our 300 most critical services to a consistent point within 24 hours? Without that, the bank could be out of business."
- global bank executive
Cyber Incident Timeline
[Figure: timeline of a major breach from initial compromise through breach impact, Detect phase, Respond phase and Recover phase, with infrastructure recovery, Tier 1 recovery, Tier 2 recovery, infrastructure recovery complete and platform recovery complete marked along an axis of 0, 30, 45, 60, 90 minutes, 2 hrs, 10 hrs, 2 days, 3 days, 1 week, 2 weeks; callouts 1 to 4 contrast IBM Cyber Vault with recovery without it.]
1. Corruption of data occurs but is not yet detected.
2. Due to the Cyber Vault environment and the use of SafeGuarded Copy technology, data is continuously checked and corruption is found and corrected.
3. Without the Cyber Vault environment, corruption is detected much later and has a greater chance to spread.
4. It takes even longer to identify all impacted data once the corruption has spread within the enterprise.
Speed recovery to significantly reduce the impact of breaches.
Why traditional resiliency solutions won't protect you from logical data corruption
Replication
  You have: data is being replicated continuously, but logical errors are also replicated instantaneously.
  What is required: scheduled point-in-time copies stored in an isolated, secure location.
Error detection
  You have: immediate detection of system and application outages.
  What is required: regular data analytics on point-in-time copies to validate data consistency.
Recovery points
  You have: a single recovery point that will likely be compromised.
  What is required: multiple recovery points.
Isolation
  You have: all systems, storage and tape pools participate in the same logical system structure.
  What is required: air-gapped systems and storage so that logical errors and malicious intruders cannot propagate.
Recovery scope
  You have: continuous availability and disaster recovery.
  What is required: forensic, surgical or catastrophic recovery capabilities.

IBM Z Cyber Vault Solution
IBM Z and Software
• The only system with 99.99999% availability
• EAL 5+ certified Cyber Vault for IBM Z LPAR for validation, testing and forensics
• Data monitoring, consistency and anomaly detection
Management Software
• IBM GDPS provides services, clustering technologies, and server and storage replication and automation.
• Logical Data Corruption (LCP) and Copy Services Manager (CSM) enhancements manage the entire recovery environment.
IBM Security solutions
IBM Services
• IBM Lab Services risk assessment and deployment services
IBM Storage
• Data volumes and active copies generated and maintained
• DS8000 SafeGuarded Copy: immutable backups
• TS7700 Virtual Tape with encryption and/or WORM
• Secure air-gapped data vault
IBM storage provides SafeGuarded Copy
• Prevent sensitive point-in-time copies of data from being modified or deleted due to errors, malicious destruction or ransomware attacks.
• Create up to 500 SafeGuarded Backups for a production volume, stored in SafeGuarded Backup Capacity, which is not accessible to any server.
• The data is accessible only after a SafeGuarded Backup is recovered to a separate recovery volume.
• Recovery volumes are used with a data recovery system for:
  – Data validation
  – Forensic analysis
  – Restoring production data
[Diagram, shown in three animation steps: a Production System writes a Production Volume; SafeGuarded backups 1 to 5 are taken into Backup Capacity along a 6:00, 9:00, 12:00, 15:00, 18:00 timeline; a Cyber Vault LPAR recovers a backup to a Recovery Volume, from which production is restored. Step 1 annotations: Corrupt, Validate. Step 2: Validate, Corrupt. Step 3: Validate, Good copy, Recover.]
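The bullets above describe the SafeGuarded Copy workflow: immutable point-in-time copies held in a capacity the production host cannot read or alter, recovery of one chosen copy to a separate recovery volume, and validation there before anything is restored to production. The Python model below is an added example, not IBM code and not a DS8000 or GDPS API; the ledger data, the control-total consistency check, the 06:00 to 18:00 backup timeline and the simulated corruption are all constructed for illustration, and the class names (ProductionVolume, BackupCapacity, SafeGuardedBackup) are hypothetical.

```python
"""Toy model of the SafeGuarded Copy workflow (added example, not IBM or DS8000 code).

Constructed scenario: a ledger volume is backed up every three hours; a logical
corruption lands between 12:00 and 15:00; the vault walks the immutable backups
newest to oldest, validates each on a separate recovery volume, and restores
production from the latest copy that passes.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeGuardedBackup:
    """One immutable point-in-time copy (hypothetical name): frozen fields, bytes payload, digest at capture."""
    taken_at: str
    payload: bytes
    digest: str


class ProductionVolume:
    """Toy ledger (constructed): account balances plus a control total the application keeps in step."""

    def __init__(self, balances, control_total=None):
        self.balances = dict(balances)
        self.control_total = sum(self.balances.values()) if control_total is None else control_total

    def transfer(self, src, dst, amount):
        """A legitimate write moves money between accounts and keeps the control-total invariant."""
        self.balances[src] -= amount
        self.balances[dst] += amount

    def serialize(self):
        return json.dumps({"balances": self.balances, "control_total": self.control_total},
                          sort_keys=True).encode()


class BackupCapacity:
    """SafeGuarded Backup Capacity (hypothetical name): append-only, rolls off the oldest copy past the
    limit, and deliberately exposes no modify or delete operation. Python cannot stop the production
    host from calling recover_to_recovery_volume(); in the product that separation is enforced by the
    storage controller, here it is a convention of the example."""
    MAX_BACKUPS = 500  # limit quoted on the slide

    def __init__(self):
        self._backups = ()  # tuple: no in-place mutation

    def take_backup(self, volume, taken_at):
        payload = volume.serialize()  # snapshot of whatever production holds, corrupt or not
        digest = hashlib.sha256(payload).hexdigest()
        self._backups = (self._backups + (SafeGuardedBackup(taken_at, payload, digest),))[-self.MAX_BACKUPS:]

    def backups_newest_first(self):
        return tuple(reversed(self._backups))

    def recover_to_recovery_volume(self, backup):
        """Copy one backup to a separate recovery volume; production is never touched here."""
        if hashlib.sha256(backup.payload).hexdigest() != backup.digest:
            raise ValueError(f"backup {backup.taken_at} failed integrity check")
        data = json.loads(backup.payload.decode())
        return ProductionVolume(data["balances"], data["control_total"])


def validate(volume):
    """Data validation run in the vault: every balance is a non-negative integer and the control total holds."""
    if not all(isinstance(v, int) and v >= 0 for v in volume.balances.values()):
        return False
    return sum(volume.balances.values()) == volume.control_total


def find_last_good_backup(capacity):
    """Walk newest to oldest; return (good backup, its recovery volume, times of copies rejected on the way)."""
    rejected = []
    for backup in capacity.backups_newest_first():
        recovered = capacity.recover_to_recovery_volume(backup)
        if validate(recovered):
            return backup, recovered, rejected
        rejected.append(backup.taken_at)
    return None, None, rejected


def run_scenario():
    """Constructed timeline matching the slide's 6:00 to 18:00 axis."""
    prod = ProductionVolume({"acct-a": 1000, "acct-b": 500, "acct-c": 250})
    capacity = BackupCapacity()
    capacity.take_backup(prod, "06:00")
    prod.transfer("acct-a", "acct-b", 100)
    capacity.take_backup(prod, "09:00")
    prod.transfer("acct-b", "acct-c", 50)
    capacity.take_backup(prod, "12:00")
    # Simulated logical corruption (e.g. a ransomware-style overwrite): balances replaced with garbage.
    for account in prod.balances:
        prod.balances[account] = "GARBAGE:" + hashlib.sha256(account.encode()).hexdigest()[:8]
    capacity.take_backup(prod, "15:00")  # the corrupt state is faithfully backed up, as replication would
    capacity.take_backup(prod, "18:00")
    good, recovered, rejected = find_last_good_backup(capacity)
    # Restore production from the validated recovery volume, not from backup capacity directly.
    prod.balances = dict(recovered.balances)
    prod.control_total = recovered.control_total
    return {"last_good": good.taken_at, "rejected": rejected, "balances": dict(prod.balances)}


if __name__ == "__main__":
    print(run_scenario())
```

Run with python3; the dictionary it prints names the last good copy (12:00) and the two copies rejected on the way back from 18:00. The point the model makes is the one on the slide: a copy of corrupt data is still a copy, so immutability alone does not pick the restore point; a consistency check executed against a recovery volume, never against production, is what identifies the last good backup.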
Deployment services for the Cyber Vault for IBM Z solution
Discovery and Architecture Workshop
• Validate Cyber Vault use case and understanding
• Design technical solution
• Create inputs to produce customized implementation services scope and size
Cyber Vault Installation and Configuration
• Install Cyber Vault solution components
• Validate installation completeness
• Basic CV knowledge transfer
Cyber Vault Data Recovery System Validation
• Validate selected system component copy restore capability and use
• Understand operational processes required for CV operation
• Prepare for Cyber Event usage
Co-requisite services: DRS forensics and recovery assistance can be provided in support of Cyber Incidents on a time & materials basis.
An open hybrid strategy unleashes the full potential of your estate.
2.5X more value than a public-only strategy.
Sources of value: business acceleration, infrastructure cost efficiency, strategic optionality, regulatory and risk, architecture development method productivity.
Unleash the potential of hybrid cloud with IBM LinuxONE / October, 2020 / © 2020 IBM Corporation
Substantial workload shift to cloud environments: private cloud a strong focus for on- and off-premises solutions
Share of workloads              Today   Two years   Ideal state
Non-cloud: on-premises          27%     21%         21%
Non-cloud: off-premises          8%      7%          8%
Private cloud: on-premises      31%     31%         29%
Private cloud: hosted            9%     10%         11%
Public cloud: IaaS               8%      9%         10%
Public cloud: PaaS               8%     10%         11%
Public cloud: SaaS              10%     11%         11%
Source: IDC's Cloud Pulse Q120, March 2020, n=2000
50% of ideal state workloads will still be on-premises; 30% in public cloud.
Matching the right cloud to the right workload
[Figure: workloads placed in three columns: Transform and Cloud Enable, Private Cloud, Public Cloud.]
Workloads shown: highly customized applications; not yet virtualized applications; applications with complex processes and transactions; workloads needing low latency to back ends; existing database workloads; applications with sensitive data; regulation-intensive applications; information-intensive applications; batch processing; backup & archive; ERP; big data & analytics; front office/desktop; risk & compliance services; web applications/e-commerce; digital experience solutions; customer service; enterprise social solutions; third-party applications; mobile applications; non-core business processes; development and test workloads.
Enterprise transformation required for cloud adoption: DevOps | Governance | Integration | Security | Architecture | Culture
Data sovereignty / residency
Designing for zero trust?
Operational assurance: "I will not access your data"
Technical assurance: "I cannot access your data"
Confidential computing is one of the central elements to delivering technical assurance.
IBM Cloud Hyper Protect services
Data services
Key-management services
Compute services
Build services
Blueprint for secure hybrid cloud
App Modernization / Portfolio Transformation: services help customers build modernization roadmaps and prioritize quick wins.
+ Red Hat OpenShift: lets you build once, run anywhere, creating the common foundation.
+ LinuxONE / Security at Scale: IBM LinuxONE servers consolidate and protect, with the best security and TCO in the market.
Current State: A sprawling, unmanageable cost center
Public Cloud | On-Premises: complex, expensive, inefficient. Secure?
Interim State: Journey to hybrid cloud
On-Premises + Multicloud Manager (Hybrid Cloud)
• Confidential Computing
• Simpler
• Lower cost
• Greater efficiency
Target State: Secure hybrid cloud with IBM LinuxONE
[Figure: LinuxONE Confidential Computing Platform hosting Oracle on Linux, MongoDB, PostgreSQL, Cloud Pak for Apps, Cloud Pak for Integration and Hyper Protect, with Backup.]
Secure
• Enabled for Confidential Computing, for the most secure at-scale Linux environment
• Data vault approach for sensitive data with LinuxONE pervasive security
Simple
• Radically simplified operational model that helps standardize skills on and off premises
• Mission-critical Linux workloads consolidated to an operationally resilient platform
Cost-effective
• Huge reduction in costs for per-core software licenses and greater efficiency
Agile
• Apps and data can seamlessly connect with IBM Cloud Hyper Protect Services both on and off premises
LinuxONE success stories
"Facing constant growth in demand, and increasing regulatory pressure around security capabilities, Emid wanted to upgrade its infrastructure to take advantage of the most secure and reliable platform available."
Resilient and secure banking leveraging pervasive encryption on IBM Z
IBM LinuxONE and IBM Secure Service Container for IBM Cloud Private to support their new digital asset management platform
Fiducia & GAD IT AG adopted a pervasive encryption strategy involving IBM security features such as IBM z/OS® data set encryption and IBM Z® Multi-Factor Authentication to ramp up data protection.
Helps companies secure blockchain innovation with end-to-end pervasive encryption features.
Hex Trust's custody platform, Hex Safe™, was specifically engineered leveraging IBM Hyper Protect Virtual Servers and IBM LinuxONE to enable trusted cryptographic transactions and to deliver the highest level of security and scalability.
Phoenix Systems
Business continuity & resiliency
Disruptions Remain Costly
In 2020 IBM commissioned a study of 100 IT directors in large US enterprises to understand the reality of downtime at their organization. These IT directors faced the following challenges:
High cost: $5.6 M estimated cost of planned downtime in the last year.
Cost of downtime per year, by service availability and hourly cost of downtime:
Service availability   $100,000/hr     $500,000/hr      $1,000,000/hr
99.99999%              $88             $438             $877
99.999%                $8,766          $43,830          $87,660
99.99%                 $87,660         $438,300         $876,600
99.9%                  $876,600        $4,383,000       $8,766,000
99%                    $8,766,000      $43,830,000      $87,660,000
Cost of downtime: the average hourly cost of downtime is immense. 86% of businesses lose $300,000+ per hour, and 34% lose $1,000,000+ per hour. (ITIC)
1 "The Real Costs Of Planned And Unplanned Downtime", Forrester Consulting, August 2019. Forrester Opportunity Snapshot: A Custom Study Commissioned by IBM