© 2003 IBM Corporation http://w3.ibm.com/ibm/presentations Tivoli Security Tivoli Access Manager for Operating Systems (AMOS) <Business Partner> Sales Presentation IBM Software Group
Mar 26, 2015
© 2003 IBM CorporationTivoli Security
Tivoli Access Manager for Operating Systems (AMOS)
<Business Partner> Sales Presentation
IBM Software Group
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Agenda
• Tivoli security
• Customer pains and fixes
• Product overview
• Competitive positioning
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
IBM Tivoli Software Portfolio
Performance & Availability
Configuration & Operations
Storage Management
SecurityManagement
Storage Management
Performance & Availability
Configuration& Operations
BusinessImpact
Management
Core Services
Security Management• Reduce overhead
• Improve efficiency
• Increase productivity
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Customers Plagued by Multiple Security Challenges
Provisioning Users • “45% of accounts are invalid”
Managing Access Control
• # 1 security threat results from inadequate controls on employees
Protecting Privacy • “No systemic method of complying with customers’ privacy concerns”
• “Large amounts of redundant, inaccurate, data clogs infrastructure”
Synchronizing Information
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Security Remains Key Priority in 2003Emerging recognition that OS is linchpin to bulletproof security
0
10
20
30
40
50
60
70
Business Priorities for 2003
ReducingOperational Costs
ImprovingCustomer Service
Build / MaintainSecurity & PrivacyPolicies
ImprovingProductivity
OptimizingBusinessProcesses
Top Priorities for Business
0
10
20
30
40
50
60
IT Budget Priorities for 2003
Security
OS
Disaster Recovery
Database Mgmt
EAI
Storage Mgmt
Enterprise Apps
Top Priorities for IT
Source: VARBusiness, April 28, 2003
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Customer Pains…and Fixes
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Internal Threats are the Greatest Threats…
Wed • May 14,2003 Current temp: 75 • Weather • Traffic ajc.com
AccessAtlanta
ajc services Archives Today's paper Obituaries Advertising Tickets Subscribe Teacher aids Customer service
May 14, 2003
HACKER MAY SIT IN NEXT CUBICLE by BILL HUSTED
The computer hacker wasn't a devious competitor or some brainy teenager sitting at his home PC.
Instead, it was a Coca-Cola employee who slipped into the company's computer system without authorization and downloaded salary information and Social Security numbers of about 450 co-workers.
A recent computer scare at the world's largest soft-drink maker worried it enough to send an e-mail advising employees to check bank accounts and credit card balances…
Computer break-ins by insiders often do more damage than…remote hackers. "They know what to take; they know what is important." Gray said.
“The hacker who just stole your records is just as likely to be an insider as an outsider…
“There's the notoriety, bad press and Wall Street doesn't like it,’
“Some computer systems simply allow users too much freedom to roam.”
Case Study
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Identity Theft ring stole $2.7M
• Employees received $60 per report
• 30,000 reports were stolen over three years
• Identity Theft costs US $5B and is growing at over 100% annually
“A lot of companies have gone to a lot of effort to protect themselves from being hacked, but it’s a lot harder to stop a rogue employee.”
—James Vaules,
National Fraud Center
E-MAIL NEWSLETTERS | ARCHIVES
SEARCH: New s
Search Options
News Home Page Nation World Metro Business Portfolio Market News Economy Policy - Product Safety - Communications - Disaster Aid - Energy Trade - Highway Safety - Labor - Securities Company Research Mutual Funds Personal Finance I ndustries Columnists Special Reports Live Online Business Index Technology Sports Style Education Travel Health Real Estate Home & Garden Food Opinion Weather Weekly Sections News Digest Classifieds Print Edition Archives
Quick Quotes Look Up Tables | Portfolio | Index
Identity Theft More Often an Inside Job Old Precautions Less Likely to Avert Costly Crime, Experts Say
_ _ _ _ _Related FTC Articles_ _ _ _ _ • FTC Sues Weight-Loss Firm Over Ads (Associated Press, Dec 6, 2002) • FTC Finds Diet Ads Hard to Swallow (The Washington Post, Dec 6, 2002) • Canada Telemarketers to Refund $1M to U.S. (Associated Press, Dec 5, 2002) • More FTC News
_ _ _ _ _About the FTC_ _ _ _ _ • Mission • Who's in Charge?
__ Regulatory News By Agency __
Select an Agency
By Brooke A. Masters and Caroline E. Mayer Washington Post Staff Writers Tuesday, December 3, 2002; Page A01
You can take all the steps you want to protect yourself against identity theft: Guard your wallet, shred your personal financial papers before throwing them in the trash, monitor your credit reports.
But no matter how careful you are, you may not be able to avoid having your identity assumed by someone who wants to go on a buying spree, using your credit card, bank account, Social Security number or other personal data.
That's because the nature of identity theft has changed and the threat today is more likely than ever to come from insiders -- employees with access to large financial databases who can loot personal accounts -- than from a thief stealing a wallet or pilfering your mail. Banks, companies that take credit cards and credit-rating bureaus themselves don't do enough to protect consumers, critics say.
"You can spend a lot of time and money trying to protect yourself," obtaining copies of your credit reports every three to six months, buying a credit-monitoring service to alert you when someone is making inquiries about your account or even buying identity-theft insurance, said Robert Gellman, a D.C. privacy consultant. "You can do as much as you can do, but it won't stop you from being a victim. There's nothing I'm aware of that will guarantee you not become a victim."
That fact was underscored last week when federal prosecutors announced that they had arrested and charged three people in connection with a scheme to steal the personal financial information of 30,000 Americans by downloading data from a computer and selling it to scam artists. The prosecutors said it was the largest case of identity fraud ever detected.
And Identity Theft is Powerful Incentive Case Study
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Security Threats and SpendingS/390AS/400
UNIXNT
Core Network
SecurityManagement
CertificateAuthority
Firewall
Customers
Mission-Critical Servers
SuppliersDistributors
Perimeter Network
Access Network
Mobile Employees
Business Partners
PC Security
ActiveContent
VPN Single Sign-on
BackupRestore
Intrusion Detection
SecurityAuditing
E-MailFiltering
Web Servers
Proxy-ServerWorkload
Management
Internet Access
PC Anti-Virus
MerchantServer
The majority of abuse comes from within
Core 25%
Perimeter 31%
Access Network 44%
% of
Security Events
% of
Security Spend55%
45%
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Customer Scenario—Fortune 300 BankRapid deployment. Passed audit.
Need • Responding to failed security audit
• Needed to audit and control access by individual, function and resource
• Needed to securely scale to over 200 UNIX servers
• Push out policy changes to hundreds of servers from a central console
Solution • IBM Tivoli Access Manager for Operating Systems
• IBM Tivoli Identity Manager
Result • Phase I
—Over 170 UNIX servers secured in 8 weeks
—Customer verified that control, audit and scalability requirements had been met
• Phase II
—Audit of password history and user self-care
—Provisioning through Identity Manager
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Customer Scenario—Large TelecommHighly customized security policy
Need • Enforce compliance to security standards on mid-range UNIX servers
• Meet external audit commitments
• Provide a resilient and effective security infrastructure that centrally administers, enforces and audits security policy
Solution • IBM Tivoli Access Manager for Operating Systems, v3.7
• IBM Tivoli Access Manager for Operating Systems, v3.8
Result • Deployed to over 75 HP and Sun servers• Audit trail for access to critical OS resources• Complete enforcement and easy management of Root access controls• Phase II
—Rollout to 200 additional servers
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
IBM TivoliAccess Manager for Operating Systems
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
What is Access Manager for Operating Systems?
AMOS is a “firewall” for applications and the operating system • A highly secure authorization engine
• Addresses the #1 security threat
• Provides mainframe-class security
It secures a wide variety of platforms • UNIX—AIX, Solaris, HP-UX• Linux—SuSE, Red Hat• Hardware—x-, i-, p-, and zSeries; Sun; HP
Recent enhancements have made AMOS• Light weight and standalone • Easier to configure• More powerful
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Value Proposition
IBM Tivoli Access Manager for Operating Systems secures operating systems and applications against the #1 threat afflicting enterprises today: information theft by internal users.
Relying on an award-winning architecture and the industry’s leading access control engine, IBM Tivoli Access Manager for Operating Systems restricts access to files, resources and systems on a need-to-know basis. Both external hackers and internal users are prevented from accessing the sensitive information of customers, employees and business partners.
IBM Tivoli Access Manager for Operating Systems’ mainframe-class security permits administrators to efficiently demonstrate compliance with the increasing demands of auditors and regulators. This frees time for administrators to focus on the demands of the marketplace, and assures everyone that confidential and private information will remain confidential and private.
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Do You Need AMOS?
Do you run business critical applications?
Do you operate in a security sensitive industry?
Do you have extensive partner networks or e-business applications?
Are you being audited by corporate, partner, or government auditors?
How many UNIX boxes do you have?
• How many different types of UNIX?
Do you have one security policy, or multiple policies?
• Is it easily enforceable and manageable across your system?
How many people officially have the ‘Root’ password?
• How many people have it ‘unofficially’ ?
Can users delete files or audit logs?
• How do you audit ‘root’ access?
Typical Customer
Typical Pains
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
AMOS Addresses Several Customer Concerns
“Delegation of Root access is ‘necessary evil’”
“My UNIX systems always fail security audits”
“Managing one security policy across multiple systems is just too difficult”
“There’s no RACF for zLinux”
Secures application environment
Protects data
Meets auditing requirements
Reduces administration costs
Runs on zLinux
Customer Concerns AMOS Value
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
AMOS Relies on Simple Architecture
Access ManagerManagement ServerCentralized server containing
• Policy database• User IDs
Security Agent• Intercepts system call• Make access decision• Writes audit record
SSL connection
Security Agent
Management Server maintains policy
Security Agent enforces policy
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
real_open()
pdos_open()real_open
AMOS Kernel
Interceptor
open
setuid
brk
pdos_open
pdos_setuid
real_brk
Intervention Point
UNIX Kernel
General Scenario: Joe Administrator
joe UID 1032
root UID 0
Action In UNIX
Joe logs in
•Access = R, W
•Resource = /etc/passwd
•joe UID 1032
•Writes to audit log
In AMOS
•joe UID 1032
•joe UID 1032•Writes to audit log
su to root
vi/etc/passwd INTERCEPTED!!!
• Tracks original login ID• Audits at all times• Applies control to each action
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
AMOS Security Policy is Robust
Compulsory Control
Omnipresent Operation
Customizable Policy
Persistent Auditing
AMOS
Threat Environment
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Competitive Positioning
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Speed and Performance is a Key Differentiator
Source: IBM internal performance benchmarking
Access Control Decision Making Performance—on Solaris
7
9
103
201
0 100 200 300
1
4
Pro
cess
ors
Test Runs per Hour
Slow Performance
• Slows down applications
• Prevents auditing
• Requires shut down during system back up
AMOS leads the UNIX/Linux market in scalability
AMOS is the market’s only multi-threaded solution
IBMLeading Competitor
KEY22X
15X
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Competitive Comparisons
Products which modify the OS are of limited use
• Positioned as a super secure server products
– Tend to focus on niche segments
• More complex to implement – significant level of kernel modification
• Impacts standard applications
Products which rely on single-threaded, decentralized architectures perform poorly
• Performance impact to the OS stated as averaging 5-10%
– AMOS is significantly better– Prevents auditing
• Decentralized policy management increases administrative overhead
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Summary of Competitive Differences
Key Criteria Customer Impact
Ease-of-use • Fast Start Policy Modules are best-practice, pre-defined policies• “Inheritance” is the ability to set policy globally, locally and specifically
as necessary• Both of these allow customers to implement and deploy policy quickly
and accurately while maintaining high performance
Non-intrusive design • AMOS is not a customized kernel—its an interception layer• Allows applications to run smoothly and confidently• Minimal impact to mission critical applications
Multi-thread design • Greatly improves performance• Ensures around-the-clock security• Allows extensive auditing• Doesn’t impact applications
Reduced Administration & Centralized Control
• Policy management and enforcement is #1 method of ensuring security• Ensures security policy is always enforced—everywhere• Reduces administrative burden
Integration • Tivoli offers market-leading suite of security software• Identity Manager, Access Management for e-business and Privacy
Manager are powerful and highly economic complements• Administrative, training and user costs are substantially reduced
IBM Software Group | Tivoli software
Access Manager for Operating Systems customer presentation © 2003 IBM Corporation
Where to Find More Information
Tivoli Web site – security pagehttp://www-3.ibm.com/software/tivoli/products/access-mgr-operating-sys/
Tivoli Knowledge Centerhttp://www3.ibm.com/software/tivoli/partners/public.jsp?
tab=comarket&content=index&rightnav=security
PartnerWorld for Softwarehttp://www-100.ibm.com/partnerworld/software/pwswzone.nsf/web/ASOA-5JMLJB?
opendocument&s=3&cat=mr&subcat=marketingmaterials