Encryption and Hashing and Keys – Oh, my! Demystifying Interoperable Encryption for the Mainframe and for the Enterprise

World®’16

EncryptionandHashingandKeys–Oh,my!DemystifyingInteroperableEncryptionfortheMainframeandfortheEnterpriseStuartMcIrvine – VP,ProductManagement- CATechnologiesJoeSturonas - ChiefTechnologyOfficer- PKWAREInc.

MFX119S

MAINFRAMEANDWORKLOADAUTOMATION

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract Increasingrisksofaccidentalandintentionalmainframedatacompromiseelevatesenterprises’interestinachievingsafeharborbyencryptingsensitiveandregulateddata.Encryptionintroducesmanynewelementsofconsiderationtoexistingworkflows,furthercomplicatedbytheneedforinteroperabilitybetweenthemainframeandotherenterpriseplatforms.Jointhissessiontolearnbestpracticesforapplyingencryptiontoprotectyourdata,evenwhileensuringyourexistingprocessesremainintact.

Topicsinclude:• Typesofcryptographicfunctions• Encryptionalgorithmselection• Sourcesofencryptionaccelerationonthemainframe• Considerationswhenencryptedmainframedatamustbeused

onotherplatforms• Encryptionkeyselection,management

StuartMcIrvineCATechnologiesVP,ProductManagement

JoeSturonasPKWARE,Inc.ChiefTechnologyOfficer


Agenda

DATAANDREGULATIONS

THREATLANDSCAPE

DEMO

MANAGINGDATAONTHEMAINFRAME

PROTECTINGDATA– ANOVERVIEW

ENCRYPTIONANDKEYMANAGEMENTONZ/OS

1

2

3

4

5

6


DataandRegulations


DataisanAsset

§ Datais businessvalue– Facebook,Google,Uber,Twitter,….

§ Industriesdependondata– Banking,Insurance,Healthcare,….

§ By2020therewillbe:– 44zettabytesofdata– Over6billionsmartphones– 50billionsmartdevices


DataisaLiability

§ Highlyregulated– Industry,State,Nationalandbeyond

§ HIPAA,GLB,CA1798,GDPR,PrivacyShield

§ Itgetspersonal,quickly!– PIImustbemanaged

§ Whoownsit?Whatareyouallowedtodowithit?Deleteitwhenrequested

§ Data- thekeystothefuture– Businessstrategy,digitalsecrets,financialposture,….


Whataboutthoseregulations?§ PCIDSS

– Protectstoredcardholderdata

– Encrypttransmissions

– MaintainInfoSecpolicy

§ SOX/HIPAA&Hi-TechAct– PolicyManagement

– AuditandLogging

– DataIntegrity

§ FIPS140-2– Makingsureit’sdoneright§ GDPR

– Provethatdataisbeingprotected

– Appointadataprotectionofficer

– Finesof4%ofannualturnover

§ EU-U.S.PrivacyShield– U.S.DepartmentofCommerce

andEuropeanCommission

– Individualchoice&control

– Security


ThreatLandscape


ThreatLandscape- Thieves,SnoopsandIdiots

Externalattackers,internalrogues

Users,Administrators,developers,vendors…basicallyeveryone:)

Serviceproviders,administrators,threeletteragencies,etc.


Thieves

§ ExternalAttackers– Competitors– ScriptKiddies– NationStates(OPMbreach)– LexisNexisBreach

§ RogueAdministrators– Snowden

§ InternalBadActors– Espionage


Snoops

§ PrivilegedAdministrators

§ Credentialcompromise

§ SonyAttackers


Idiots

§ Users– Makemistakes(losedevices)– Havepoorsecurityeducation(password=123456)

§ Developers/Vendors– Lenovo– Fortinet

§ Administrators– Sony– Dropbox


ManagingDataontheMainframe


TheImpactofDataTheftHealthInsuranceAnnounced:March2015Recordsstolen:11MCost:TBD.Facingaclass-actionlawsuit&fines.

RetailAnnounced:September2014Recordsstolen:56MCost:$43Mandcounting.Estimatesputthisashighas$10B

HealthSystemsAnnounced:August2014Recordsstolen:4.5MCost:$75M– $150M

eCommerceAnnounced:May2014Recordsstolen:233MCost:$200Mandcounting.

RetailAnnounced:December2013Recordsstolen:70MCost:$162Mandcounting.Recentestimatesputthisatwellover$1B.

GovernmentAnnounced:May2015Recordsstolen:22MCost:Tobedetermined.Likelyfacingaclassactionlawsuitaswellasothers.

“Datasecurityeventsincreasedby38%”“Intellectualpropertytheftincreased56%”2016GlobalStateofInfoSecSurveyPriceWaterhouseCooper

“$400Million– estimatedlossesfrom700millioncompromisedrecords”2015VerizonDataBreachReport


TheMainframehasneverbeenhacked!

Mainframedatastaysonthemainframe;soitissafe!

Dataisfluidintoday’sworld.Dataanalytics;cloud

MarriageofMFdataandnonMFdata

Mainframeiswellunderstoodandcoveredunderthreelinesofriskcontrol– Operational,ComplianceandInternalaudit

DataontheMainframe

REALITYMYTH

Consider:Socialengineeringhacks

HumanerrorasMFexpertsretire

Mainframeisviewedasablack-boxbreedscomplacency–compoundingtherisk


DealingWiththeThreat

Information

Applications

Devices

Networks

Advanced Persistent Threat Detection

Intrusion Detection

Access Control

ApplicationFirewalls

Security Gateways

VPNAntivirus

Mobile Device Management

Firewalls

Stateful Pocket Inspection

Mobile Application Management

Data LeakagePrevention Full Disk

Encryption

Antimalware

Network Access Control

Endpoint DLP

Access Brokers

DNS Security

Incident & Event Management

Intrusion Detection

Identity & Access Management

DATA CENTRIC

PROTECTION

§ Defenseindepth

§ Data-centricprotection


Basedonregulationororganizationalsensitivity

Dataremainsonthez/OSplatform

Regulatedandsensitivedatainyourmainframedatastores

Protect

Data-CentricProtection

TheAppEconomycreatesnewrisksofcatastrophicdatacompromise“Withbreachesinthenewseveryday,beingabletofindwhereregulateddataresides- orrulingoutthe

existenceofsensitivedata- isacriticalfirststepinprotectingyourbusiness.”

X 70% oftheworldmissioncriticaldatatransactsonthemainframe.

Find ProtectClassify


Public/PrivateKeyManagementonz/OS


Public/PrivateKeyPairs

§ PublicKey– EncryptingData– AuthenticatingData

§ PrivateKey– DecryptingData– SigningData


SymmetricEncryption


AsymmetricEncryption


DigitalSigning


AuthenticatingData


AuthenticatingData


EncryptionandKeyManagementonz/OS


z/OSCryptoFacilities


IBMHardwareCrypto

Machine z1962817

z1142818

zEC122827

zBC122828

z13 2964

Algorithm Supported

DES3DES

AES 128,192, 256

DES3DES

AES 128,192, 256

DES3DES

AES 128,192, 256

DES3DES

AES 128,192, 256

DES3DES

AES 128,192, 256

CryptoHardware

CPACFCEX3C

CPACFCEX3C

CPACFCEX3CCEX4C

CPACFCEX3CCEX4C

CPACFCEX4CCEX5C


KeyExposures


Demo


Demo


Demo


Demo


Demo


Demo


BatchJobToCreateEncryptedZIPFile//ZIP1 EXEC PGM=SECZIP //STEPLIB DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD //SYSPRINT DD SYSOUT=* //SYSABEND DD SYSOUT=* //JASOUT DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE), // UNIT=SYSDA,SPACE=(CYL,(1,1)), // DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998) //SYSIN DD * -ENCRYPTION_METHOD(AES256)-PWD(PKWARE)-INCLUDE_CMD(JAS.MVS810.PROFILE(LDAP2)) -RECIPIENT(LDAP:[email protected],R) -DATA_TYPE(TEXT) -ARCHIVE_OUTFILE(JASOUT) -ACTION(ADD) -VERBOSE -ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt) -ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)JAS.TEXT.LIB


BatchJobToEmailEncryptedZIPFile//TSOB EXEC PGM=IKJEFT1B //SYSEXEC DD DISP=SHR,DSN=USER.CLIST //SYSPRINT DD SYSOUT=* //SYSTSPRT DD SYSOUT=* //DD1 DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP//SYSTSIN DD * %XMITIP [email protected] +

CC ( [email protected] ) + MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' + FROM [email protected] + FILEDD DD1 + Format (BIN) + Filename jas.zip


OutputFromBatchJobJ E S 2 J O B L O G -- S Y S T E M P K W 1 -- N

15.54.04 JOB39394 ---- FRIDAY, 16 SEP 2016 ----15.54.04 JOB39394 IRR010I USERID JAS IS ASSIGNED TO THIS JOB. 15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS 15.54.05 JOB39394 HTRT01I CPU (Total) 15.54.05 JOB39394 HTRT02I Program Stepname ProcStep RC I/O hh:mm:ss.th15.54.05 JOB39394 HTRT03I SECZIP ZIP1 00 686 00.17 15.54.06 JOB39394 HTRT03I IKJEFT1B TSOB 00 499 00.25 15.54.06 JOB39394 HTRT06I 15.54.06 JOB39394 HTRT04I JASA Job Service Totals 1185 00.42 15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10 IO Cost $ 1.18 15.54.06 JOB39394 $HASP395 JASA ENDED ------ JES2 JOB STATISTICS ------

16 SEP 2015 JOB EXECUTION DATE 38 CARDS READ

855 SYSOUT PRINT RECORDS 0 SYSOUT PUNCH RECORDS


OutputFromBatchJob- PKWARE Inc.

-- Program Name SECZIP hh:mm:ss.th- Step Name ZIP1 Elapsed Time 01.46- Procedure Step TCB CPU Time 00.15- Return Code 00 SRB CPU Time 00.02- Total I/O 686 Total CPU Time 00.17- I/O Cost $ 0.68 CPU Cost $ 0.04- Service Units 1154 -

- PKWARE Inc. -- Program Name IKJEFT1B hh:mm:ss.th- Step Name TSOB Elapsed Time 00.73 - Procedure Step TCB CPU Time 00.24 - Return Code 00 SRB CPU Time 00.01 - Total I/O 499 Total CPU Time 00.25 - I/O Cost $ 0.49 CPU Cost $ 0.06 - Service Units 1870


OutputFromBatchJobZPEN309I z/Architecture Hardware Available -zBC12 ZPEN313I CSNBSYE System Capable with ICSF when available. ZPEN313C AES is available. DES/3DES is available. ZPEN313C CPACF Protected Keys are available. ZPEN334I PKA callable services are enabled. ZPEN315I AES(128, 192, 256) Clear Key Hardware Available -zBC12 ZPEN310I CP Assist For Cryptographic Functions Available ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHOZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGenZPCM017I A total of 1 ADD/UPDATE candidate data sets were identified. ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000 ZPAM253I ADDED File JAS.TEXT.LIB(CRC) ZPAM254I as crc.txtZPAM255I (DEFLATED 57%/56%) Smartcrypt(tm) AES256 ; DATA SIZE 1,600; ZIP SIZE ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key ZPAM253I ADDED File JAS.TEXT.LIB(EBCDIC) ZPAM254I as ebcdic.txtZPAM255I (DEFLATED 34%/32%) Smartcrypt(tm) AES256 ; DATA SIZE 480; ZIP SIZE 32ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED


Demo- Mobile


Demo- Mobile


Demo- Mobile


Demo- Mobile


Demo- Mobile


Demo- Mobile


Questions?


RecommendedSessions

SESSION# TITLE DATE/TIME

MFX118SHowisBuyingaHomeLikeJustifyingDataSecurityInvestments?DevelopingReturnonSecurityInvestment(ROSI)Analysis

11/16/2016at3:00pm

MFT174SMainframeSecurityStrategyandRoadmap:BestPracticesforProtectingMissionEssentialData

11/17/2016at12:45pm

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm


MustSeeDemos

Real-TimeDataSecurity&Compliance

CADataContentDiscoveryMainframeTheatre

MainframeSecuritySmartBar

CATopSecret®MainframeTheatre

Real-TimeDataSecurity&Compliance

CAComplianceEventManagerMainframeTheatre

MainframeSecuritySmartBar

CAACF2™MainframeTheatre


Stayconnectedatcommunities.ca.com

Thankyou.


MainframeandWorkloadAutomation

FormoreinformationonMainframeandWorkloadAutomation,pleasevisit:http://cainc.to/9GQ2JI