
Upload: theodora-craig

Post on 24-Dec-2015


Page 1: Securing the Cloud from The z/OS Perspective. Introduction The history of The Cloud How virtualization allows for Cloud computing The Cloud Security Exposures

Securing the Cloud from The z/OS Perspective


Agenda

• Introduction
• The history of The Cloud
• How virtualization allows for Cloud computing
• The Cloud Security Exposures
• Data in Transit from the Mainframe to the Cloud
• Management of Users and Identity provisioning
• Universal Key Management
• How to mitigate Cloud Risk and keep your Mainframe data Secure
• Maintaining control of your data
• Cloud Security summary


Introduction

• SSH z Product and Channel Manager
• In the industry since 1982 (anyone remember a 1419 check sorter?)
• Distinguished Career has included Fidelity Investments and CA Technologies
• Involved in Mainframe Security Space since 1990
• At SSH since 2006, first as Sales Engineer, then as Product and Channel Manager


History Of The Cloud

The Cloud: Concept

Conceptually "cloud" allows applications and infrastructure to be hosted by external organizations without boundaries. Users and appliances can save and store data without adding any internal hardware. Users can also share information between multiple systems and with other users.


History Of The Cloud

Mainframe and the Cloud: A Wiki definition

• The role of mainframes has changed from an isolated standalone computer to an integral and highly exposed component of the organization’s distributed IT infrastructure, still holding up to 80% of enterprises’ critical data.

The Why, What, and How of Managed File Transfer in Business. Source: Ziff Davis


So what is “The Cloud?”

The Cloud: One definition

The idea of the "cloud" simplifies the many network connections and computer systems involved in online services. In fact, many network diagrams use the image of a cloud to represent the Internet. This symbolizes the Internet's broad reach, while simplifying its complexity. Any user with an Internet connection can access the cloud and the services it provides. Since these services are often connected, users can share information between multiple systems and with other users.


The Cloud and Virtualization

With the advent of VMware and other LINUX, Unix and Windows virtualization tools, Cloud providers can add applications and capacity for a customer in a speedy manner.

Issues created by stamping out copies of servers and applications include copying unlicensed vendor software, repeating security vulnerabilities, and copying identities to machines that are insecure.


Virtualization and The Mainframe

BIG Box, lots of little Machines

• z/VM – wasn’t it dead?
• IBM LINUX for z
  • Red Hat
  • SUSE
• USS – what is there?
  • Fully POSIX compatible file system
  • TCP/IP
  • FTP SSH
  • Firewall
  • RACF, ACF-2 and Top Secret LDAP


Cloud Security Exposures

Biggest Cloud Security Concerns

• Preventing Data Loss
• Preventing Outages caused internally and externally to the organization
• Keeping Security Up To Date


Your Data In Transit

While Data is secure at rest on the Mainframe, you lose control once it leaves.

If data being transferred is in the clear, it is akin to leaving your wallet lying on a bar.

If there is no authentication or validation of the Host, how do you know who you're communicating with?


FTP Today

Been around since 1971 (before TCP and IP protocols – very aged protocol)

Millions of critical files and data exchanged by corporations daily

Few Managers realize the Security and Management Risks with the prevalent use of FTP

FTP has not “evolved” over the years and is rife with Security Exposures


FTP in the Workplace

• Most Computers have the ability to exchange data (Users' desktops)
• Embedded in services of TCP/IP
• Business to Business FTP transfers are uncontrolled and insecure
• Critical Lynchpin in Business to Business Communications
• Facility used for file transfers between diverse computing platforms
• The way FTP is implemented by Business needs attention
• FTP activity is Rampant. Do you really know what is happening?


FTP and Compliance

1. PCI-DSS
   1. Any time credit card information is sent it must abide by the PCI-DSS compliance standards for security and confidentiality.

2. HIPAA, SOX, GLBA, FISMA & Others
   1. HIPAA - The HIPAA Security Rule mandates health plan providers, healthcare clearing houses, and other organizations processing health information to take reasonable and appropriate precautions to protect health information.
   2. SOX - Section 404 of SOX requires top management to establish an adequate internal control structure and include an assessment of its effectiveness in the annual report. Additionally, an external auditor needs to verify the management assertions.
   3. GLBA - The Safeguards Rule issued by the Federal Trade Commission (FTC) establishes standards for financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect security, confidentiality, and integrity of customer information.
   4. FISMA - FIPS 140-2 requires certified cryptographic modules to meet the compliance requirements for government agencies and certain contractors.
   5. California SB 1386, Basel II, Massachusetts Privacy Law


Risks associated with FTP

• Anyone with READ access also has “Transfer Out” access
• Read Clear Text Exposure
• Password interception
• Eavesdropping
• Hijacking
• “Man in the middle”
• Connection “hijack”
• Spyware
• Wireless Connectivity
• Can open portal behind firewall


FTP Packet Trace Example


Passwords are in the CLEAR

FTP Passwords in Clear text
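
The slide's point as an added example (not part of the original presentation): a small Python audit of an FTP control-channel capture that reports credential commands readable on the wire before the server accepts AUTH TLS (reply 234, RFC 4217). The two sessions, the user name and the password are constructed sample data.

```python
import re

# Constructed control-channel captures ("C:" client, "S:" server); not from the slides.
CLEAR_SESSION = """\
S: 220 FTP service ready
C: USER payroll1
S: 331 Password required
C: PASS Example-Pw-123
S: 230 User logged in
C: RETR 'PROD.PAYROLL.DATA'
"""

FTPS_SESSION = """\
S: 220 FTP service ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

CMD = re.compile(r"^(USER|PASS|ACCT)\s+(.*)$", re.IGNORECASE)


def audit_control_channel(capture):
    """List credential commands readable on the wire before TLS was accepted."""
    findings = []
    auth_pending = False   # client sent AUTH, waiting for the server's reply
    protected = False      # server answered 234: later commands travel inside TLS
    for lineno, line in enumerate(capture.splitlines(), 1):
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C" and text.upper().startswith("AUTH "):
            auth_pending = True
        elif side == "S" and auth_pending:
            protected = text.startswith("234")   # any other reply means no TLS
            auth_pending = False
        elif side == "C" and not protected:
            match = CMD.match(text)
            if match:
                command, value = match.group(1).upper(), match.group(2)
                # Never copy a captured password into a report: record its length only.
                shown = value if command == "USER" else "<%d chars redacted>" % len(value)
                findings.append((lineno, command, shown))
    return findings


if __name__ == "__main__":
    for finding in audit_control_channel(CLEAR_SESSION):
        print(finding)
```

A session in which the server refuses AUTH and the client logs in anyway is reported the same way as a plain FTP session, which is the downgrade case worth alerting on.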


What Are The Options To Secure Your FTP?

Firewalls / VPN

FTPS / SFTP / Vendor Solutions / IBM

Ported Tools

FTP Server Off M/F

PGP


File Transfer Infrastructure

• What are some alternatives
• Why or why not use the methods and tools
• When is a good time to use the solution


FTP (File Transfer Protocol)


FTPS (FTP over SSL)


FTP over SSH Tunnel


SFTP (SSH Secure FTP)


FTP/SFTP Hybrid


VPN (Virtual Private Network)


PGP (Data at rest)

FTP, FTPS, FTP over SSH Tunnel, SFTP, FTP to SFTP, VPN, PGP


FTP

Pros
• Ubiquitous
• Common knowledge
• Included in base OS

Cons
• Very little security
• Not firewall friendly