CA World® ’16
Encryption and Hashing and Keys – Oh, my! Demystifying Interoperable Encryption for the Mainframe and for the Enterprise
Stuart McIrvine – VP, Product Management – CA Technologies
Joe Sturonas – Chief Technology Officer – PKWARE Inc.
MFX119S
MAINFRAME AND WORKLOAD AUTOMATION
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only – Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Increasing risks of accidental and intentional mainframe data compromise elevate enterprises’ interest in achieving safe harbor by encrypting sensitive and regulated data. Encryption introduces many new elements of consideration to existing workflows, further complicated by the need for interoperability between the mainframe and other enterprise platforms. Join this session to learn best practices for applying encryption to protect your data, even while ensuring your existing processes remain intact.
Topics include:
• Types of cryptographic functions
• Encryption algorithm selection
• Sources of encryption acceleration on the mainframe
• Considerations when encrypted mainframe data must be used on other platforms
• Encryption key selection and management
Stuart McIrvine – CA Technologies – VP, Product Management
Joe Sturonas – PKWARE, Inc. – Chief Technology Officer
Agenda
1 DATA AND REGULATIONS
2 THREAT LANDSCAPE
3 MANAGING DATA ON THE MAINFRAME
4 PROTECTING DATA – AN OVERVIEW
5 ENCRYPTION AND KEY MANAGEMENT ON Z/OS
6 DEMO
Data and Regulations
Data is an Asset
§ Data is business value – Facebook, Google, Uber, Twitter, …
§ Industries depend on data – Banking, Insurance, Healthcare, …
§ By 2020 there will be:
– 44 zettabytes of data
– Over 6 billion smartphones
– 50 billion smart devices
Data is a Liability
§ Highly regulated – Industry, State, National and beyond
§ HIPAA, GLB, CA 1798, GDPR, Privacy Shield
§ It gets personal, quickly! – PII must be managed
§ Who owns it? What are you allowed to do with it? Delete it when requested
§ Data – the keys to the future – Business strategy, digital secrets, financial posture, …
What about those regulations?
§ PCI DSS
– Protect stored cardholder data
– Encrypt transmission of cardholder data across open, public networks
– Maintain an InfoSec policy
§ SOX / HIPAA & HITECH Act
– Policy Management
– Audit and Logging
– Data Integrity
§ FIPS 140-2 – Validation of cryptographic modules: making sure it’s done right
§ GDPR
– Prove that data is being protected
– Appoint a data protection officer
– Fines of up to 4% of annual turnover
§ EU-U.S. Privacy Shield – U.S. Department of Commerce and European Commission
– Individual choice & control
– Security
Threat Landscape
Threat Landscape – Thieves, Snoops and Idiots
§ Thieves – External attackers, internal rogues
§ Snoops – Service providers, administrators, three-letter agencies, etc.
§ Idiots – Users, administrators, developers, vendors … basically everyone :)
Thieves
§ External Attackers
– Competitors
– Script Kiddies
– Nation States (OPM breach)
– LexisNexis Breach
§ Rogue Administrators – Snowden
§ Internal Bad Actors – Espionage
Snoops
§ Privileged Administrators
§ Credential compromise
§ Sony Attackers
Idiots
§ Users
– Make mistakes (lose devices)
– Have poor security education (password = 123456)
§ Developers / Vendors – Lenovo – Fortinet
§ Administrators – Sony – Dropbox
Managing Data on the Mainframe
The Impact of Data Theft
Sector            Announced        Records stolen   Cost
Health Insurance  March 2015       11M              TBD; facing a class-action lawsuit & fines
Retail            September 2014   56M              $43M and counting; estimates put this as high as $10B
Health Systems    August 2014      4.5M             $75M – $150M
eCommerce         May 2014         233M             $200M and counting
Retail            December 2013    70M              $162M and counting; recent estimates put this at well over $1B
Government        May 2015         22M              To be determined; likely facing a class-action lawsuit as well as others
“Data security events increased by 38%” – “Intellectual property theft increased 56%” – 2016 Global State of Information Security Survey, PricewaterhouseCoopers (PwC)
“$400 Million – estimated losses from 700 million compromised records” – 2015 Verizon Data Breach Investigations Report
Data on the Mainframe
MYTH
§ The Mainframe has never been hacked!
§ Mainframe data stays on the mainframe, so it is safe!
§ The mainframe is well understood and covered under three lines of risk control – Operational, Compliance and Internal Audit
REALITY
§ Data is fluid in today’s world – data analytics; cloud
§ Marriage of MF data and non-MF data
§ Consider: social engineering hacks
§ Human error as MF experts retire
§ The mainframe is viewed as a black box; that breeds complacency, compounding the risk
Dealing With the Threat
[Diagram: concentric layers – Networks, Devices, Applications, Information – with DATA CENTRIC PROTECTION at the core. Controls placed on the rings: Firewalls, Stateful Packet Inspection, VPN, Intrusion Detection, DNS Security, Network Access Control, Security Gateways, Access Brokers, Antivirus, Antimalware, Full Disk Encryption, Endpoint DLP, Mobile Device Management, Mobile Application Management, Application Firewalls, Access Control, Identity & Access Management, Data Leakage Prevention, Advanced Persistent Threat Detection, Incident & Event Management.]
§ Defense in depth
§ Data-centric protection
Data-Centric Protection
The App Economy creates new risks of catastrophic data compromise. “With breaches in the news every day, being able to find where regulated data resides – or ruling out the existence of sensitive data – is a critical first step in protecting your business.”
70% of the world’s mission-critical data transacts on the mainframe.
Find – Regulated and sensitive data in your mainframe data stores
Classify – Based on regulation or organizational sensitivity
Protect – Data remains on the z/OS platform
Public/Private Key Management on z/OS
Public/Private Key Pairs
§ Public Key
– Encrypting data (anyone holding the public key can encrypt for its owner)
– Authenticating data (verifying a signature made with the matching private key)
§ Private Key
– Decrypting data
– Signing data
Symmetric Encryption
[Diagram slide: one shared key both encrypts and decrypts]
Asymmetric Encryption
[Diagram slide: public key encrypts, private key decrypts]
Digital Signing
[Diagram slide: private key signs a hash of the data]
Authenticating Data
[Diagram slides: public key verifies the signature against a fresh hash of the data]
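The four operations on the Public/Private Key Pairs slide, and the Symmetric Encryption, Asymmetric Encryption, Digital Signing and Authenticating Data diagrams, as one added Go example (not code from the deck, CA or PKWARE). A fresh AES-256-GCM key encrypts the record, the recipient’s RSA public key wraps that key (RSA-OAEP), the sender’s RSA private key signs the package (RSA-PSS); the recipient verifies with the sender’s public key before decrypting with its own private key. The algorithms, the 2048-bit key size, the Envelope layout and the sample record are this example’s choices; the deck names only AES 128/192/256 and DES/3DES.

```go
// Added Go example, not code from the deck, CA or PKWARE, of the four operations on the
// "Public/Private Key Pairs" slide in one round trip: a fresh AES-256-GCM key encrypts the
// data, the recipient's RSA public key wraps that key (RSA-OAEP), the sender's RSA private
// key signs (RSA-PSS); the recipient verifies, unwraps and decrypts. Algorithm choices are mine.
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the wire; the signature covers every other field.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest binds all envelope fields so a signature cannot be moved onto another message.
func digest(e *Envelope) []byte {
	h := sha256.New()
	for _, part := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// Seal: symmetric encryption of the data, public-key wrapping of the key, private-key signing.
func Seal(plaintext []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by the 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: buf[32:]}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, plaintext, nil)
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, buf[:32], nil); err != nil {
		return nil, err
	}
	e.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(e), nil)
	return e, err
}

// Open: public-key authentication of the data first, then private-key decryption.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(e), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("data is not authentic, refusing to decrypt: %w", err)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// RoundTrip generates both key pairs, seals msg, then shows that a copy with one flipped
// ciphertext bit is rejected at the signature check while the untouched copy opens.
func RoundTrip(msg []byte) (recovered []byte, tamperRejected bool, err error) {
	keys := make([]*rsa.PrivateKey, 2) // keys[0] = sender, keys[1] = recipient
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, false, err
		}
	}
	e, err := Seal(msg, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, false, err
	}
	bad := *e // simulated in-transit modification of the ciphertext
	bad.Ciphertext = append([]byte(nil), e.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01
	_, tamperErr := Open(&bad, keys[1], &keys[0].PublicKey)
	recovered, err = Open(e, keys[1], &keys[0].PublicKey)
	return recovered, tamperErr != nil, err
}

func main() {
	out, rejected, err := RoundTrip([]byte("constructed sample record: ACCT 12345 BAL 987.65"))
	fmt.Printf("recovered=%q tamperRejected=%v err=%v\n", out, rejected, err)
}
```

Two design points carry over to any interoperable scheme, SecureZIP included: the symmetric key is generated per message and never reused, and the signature is checked before any decryption is attempted, so a modified archive is rejected without ever handing attacker-controlled ciphertext to the decryption path.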
Encryption and Key Management on z/OS
z/OS Crypto Facilities
[Diagram slide]
IBM Hardware Crypto
Machine  Type  Algorithms supported          Crypto hardware
z196     2817  DES, 3DES, AES 128/192/256    CPACF, CEX3C
z114     2818  DES, 3DES, AES 128/192/256    CPACF, CEX3C
zEC12    2827  DES, 3DES, AES 128/192/256    CPACF, CEX3C, CEX4C
zBC12    2828  DES, 3DES, AES 128/192/256    CPACF, CEX3C, CEX4C
z13      2964  DES, 3DES, AES 128/192/256    CPACF, CEX4C, CEX5C
CPACF is the on-chip CP Assist for Cryptographic Functions (clear-key symmetric ciphers and hashing on every processor); the CEXnC entries are Crypto Express coprocessor cards, the tamper-responding HSMs used for secure-key and PKA (RSA) operations.
Key Exposures
[Diagram slide]
Demo
[Screenshot slides]
Batch Job To Create Encrypted ZIP File
//ZIP1     EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SUPPORT.SZ150R05.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//JASOUT   DD DSN=JAS.TEXT.LIB.ZIP,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(1,1)),
//            DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN    DD *
-ENCRYPTION_METHOD(AES256)
-PWD(PKWARE)
-INCLUDE_CMD(JAS.MVS810.PROFILE(LDAP2))
-RECIPIENT(LDAP:[email protected],R)
-DATA_TYPE(TEXT)
-ARCHIVE_OUTFILE(JASOUT)
-ACTION(ADD)
-VERBOSE
-ZIPPED_DSN(JAS.TEXT.LIB(CRC),crc.txt)
-ZIPPED_DSN(JAS.TEXT.LIB(EBCDIC),ebcdic.txt)
JAS.TEXT.LIB
The final SYSIN line names the input data set; the two -ZIPPED_DSN entries map its members to the names they get inside the archive. -PWD(PKWARE) is a demo password and is readable by anyone who can view the job stream, whereas -RECIPIENT(LDAP:…) names a certificate-based recipient resolved through the LDAP profile included by -INCLUDE_CMD.
Batch Job To Email Encrypted ZIP File
//TSOB     EXEC PGM=IKJEFT1B
//SYSEXEC  DD DISP=SHR,DSN=USER.CLIST
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//DD1      DD DISP=SHR,DSN=JAS.TEXT.LIB.ZIP
//SYSTSIN  DD *
%XMITIP [email protected] +
  CC ([email protected]) +
  MSGT 'THIS ATTACHMENT WAS ENCRYPTED WITH SecureZIP' +
  SUBJECT 'SENT FROM A ZBC12 FROM A BATCH JOB' +
  FROM [email protected] +
  FILEDD DD1 +
  Format (BIN) +
  Filename jas.zip
Output From Batch Job
J E S 2  J O B  L O G  --  S Y S T E M  P K W 1  --  N
15.54.04 JOB39394 ---- FRIDAY, 16 SEP 2016 ----
15.54.04 JOB39394 IRR010I  USERID JAS IS ASSIGNED TO THIS JOB.
15.54.04 JOB39394 ICH70001I JAS LAST ACCESS AT 15:52:02 ON FRIDAY, SEPTEMB
15.54.04 JOB39394 $HASP373 JASA STARTED - INIT 1 - CLASS A - SYS
15.54.05 JOB39394 HTRT01I CPU (Total)
15.54.05 JOB39394 HTRT02I Program   Stepname  ProcStep  RC   I/O   hh:mm:ss.th
15.54.05 JOB39394 HTRT03I SECZIP    ZIP1                00   686   00.17
15.54.06 JOB39394 HTRT03I IKJEFT1B  TSOB                00   499   00.25
15.54.06 JOB39394 HTRT06I
15.54.06 JOB39394 HTRT04I JASA Job Service Totals            1185  00.42
15.54.06 JOB39394 HTRT07I CPU Cost $ 0.10   IO Cost $ 1.18
15.54.06 JOB39394 $HASP395 JASA ENDED
------ JES2 JOB STATISTICS ------
16 SEP 2016 JOB EXECUTION DATE
38 CARDS READ
855 SYSOUT PRINT RECORDS
0 SYSOUT PUNCH RECORDS
Output From Batch Job
- PKWARE Inc. -
- Program Name    SECZIP                        hh:mm:ss.th -
- Step Name       ZIP1       Elapsed Time            01.46 -
- Procedure Step             TCB CPU Time            00.15 -
- Return Code     00         SRB CPU Time            00.02 -
- Total I/O       686        Total CPU Time          00.17 -
- I/O Cost      $ 0.68       CPU Cost              $ 0.04 -
- Service Units   1154                                     -

- PKWARE Inc. -
- Program Name    IKJEFT1B                      hh:mm:ss.th -
- Step Name       TSOB       Elapsed Time            00.73 -
- Procedure Step             TCB CPU Time            00.24 -
- Return Code     00         SRB CPU Time            00.01 -
- Total I/O       499        Total CPU Time          00.25 -
- I/O Cost      $ 0.49       CPU Cost              $ 0.06 -
- Service Units   1870                                     -
Output From Batch Job
ZPEN309I z/Architecture Hardware Available - zBC12
ZPEN313I CSNBSYE System Capable with ICSF when available.
ZPEN313C AES is available. DES/3DES is available.
ZPEN313C CPACF Protected Keys are available.
ZPEN334I PKA callable services are enabled.
ZPEN315I AES(128, 192, 256) Clear Key Hardware Available - zBC12
ZPEN310I CP Assist For Cryptographic Functions Available
ZPEN205I Cryptographic facility {IBMHardware } is selected for ENCRYPTION_METHO
ZPEN205I Cryptographic facility {IBMHardware } is selected for PseudoRandGen
ZPCM017I A total of 1 ADD/UPDATE candidate data sets were identified.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM253I ADDED File JAS.TEXT.LIB(CRC)
ZPAM254I as crc.txt
ZPAM255I (DEFLATED 57%/56%) Smartcrypt(tm) AES256 ; DATA SIZE 1,600; ZIP SIZE
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 20 / 20); Encrypt(Password-Key
ZPAM253I ADDED File JAS.TEXT.LIB(EBCDIC)
ZPAM254I as ebcdic.txt
ZPAM255I (DEFLATED 34%/32%) Smartcrypt(tm) AES256 ; DATA SIZE 480; ZIP SIZE 32
ZPAM255C . DEFLATE32; Text ; PDS ; Recs_In/Out( 6 / 6); Encrypt(Password-Key );
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
The ZPEN messages show that SECZIP detected the zBC12 hardware (CPACF clear-key AES, with ICSF’s CSNBSYE symmetric-key encipher service and PKA services also available) and selected it for both the ENCRYPTION_METHOD and the pseudo-random generator rather than falling back to software; the ZPAM255 lines confirm AES256 was applied to each member as it was deflated.
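Before the email step sends JAS.TEXT.LIB.ZIP, a practitioner would want a check that the archive really is encrypted for every member: the XMITIP step above attaches whatever DD1 points at, and nothing in it inspects the file. Here is an added Go example (not code from the deck, CA or PKWARE) that parses the ZIP central directory and lists any entry whose general-purpose flag bit 0 (“encrypted”, per the ZIP APPNOTE) is clear; bit 6 marks strong encryption. The two in-memory archives, the member names crc.txt and ebcdic.txt, and the DEFLATE method are constructed here to mirror the job output; the exact extra fields SecureZIP writes are not shown on the page and the check does not depend on them.

```go
// Added example, not code from the deck, CA or PKWARE: a pre-send check for
// JAS.TEXT.LIB.ZIP (or any ZIP) that confirms every entry carries the ZIP APPNOTE
// "encrypted" general-purpose flag. Only the central directory is read, so the
// check is independent of which product wrote the archive. The sample archives
// are constructed here (central directory and end record only) to exercise it.
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	sigCentralDir = 0x02014b50
	sigEndOfCD    = 0x06054b50
	flagEncrypted = 1 << 0 // general purpose bit 0: entry is encrypted
	flagStrongEnc = 1 << 6 // bit 6: strong (certificate/AES based) encryption
)

// ClearTextEntries walks the central directory and returns the names of entries
// that are NOT flagged encrypted. An empty result means the archive may be sent.
func ClearTextEntries(zipData []byte) ([]string, error) {
	le := binary.LittleEndian
	// The end-of-central-directory record is 22 bytes plus an optional comment, so scan backwards.
	eocd := -1
	for i := len(zipData) - 22; i >= 0 && i >= len(zipData)-22-0xFFFF; i-- {
		if le.Uint32(zipData[i:]) == sigEndOfCD {
			eocd = i
			break
		}
	}
	if eocd < 0 {
		return nil, errors.New("no end-of-central-directory record: not a ZIP archive")
	}
	count := int(le.Uint16(zipData[eocd+10:])) // total entries
	p := int(le.Uint32(zipData[eocd+16:]))     // central directory offset
	var clear []string
	for n := 0; n < count; n++ {
		if p+46 > len(zipData) || le.Uint32(zipData[p:]) != sigCentralDir {
			return nil, fmt.Errorf("bad central directory header at offset %d", p)
		}
		flags := le.Uint16(zipData[p+8:])
		nameLen := int(le.Uint16(zipData[p+28:]))
		skip := 46 + nameLen + int(le.Uint16(zipData[p+30:])) + int(le.Uint16(zipData[p+32:])) // + extra + comment
		if p+46+nameLen > len(zipData) {
			return nil, errors.New("truncated central directory")
		}
		if flags&flagEncrypted == 0 {
			clear = append(clear, string(zipData[p+46:p+46+nameLen]))
		}
		p += skip
	}
	return clear, nil
}

// buildArchive constructs a central directory plus end record for the given
// names and flags (no local headers or data: enough to exercise the check).
func buildArchive(names []string, flags []uint16) []byte {
	le := binary.LittleEndian
	var cd bytes.Buffer
	for i, name := range names {
		hdr := make([]byte, 46)
		le.PutUint32(hdr[0:], sigCentralDir)
		le.PutUint16(hdr[8:], flags[i])
		le.PutUint16(hdr[10:], 8) // method 8 = DEFLATE, as reported by SECZIP above
		le.PutUint16(hdr[28:], uint16(len(name)))
		cd.Write(hdr)
		cd.WriteString(name)
	}
	eocd := make([]byte, 22)
	le.PutUint32(eocd[0:], sigEndOfCD)
	le.PutUint16(eocd[8:], uint16(len(names)))
	le.PutUint16(eocd[10:], uint16(len(names)))
	le.PutUint32(eocd[12:], uint32(cd.Len())) // central directory size; its offset (bytes 16-19) is 0 here
	return append(cd.Bytes(), eocd...)
}

// Constructed samples using the two member names from the batch job.
var (
	GoodArchive = buildArchive([]string{"crc.txt", "ebcdic.txt"}, []uint16{flagEncrypted | flagStrongEnc, flagEncrypted | flagStrongEnc})
	BadArchive  = buildArchive([]string{"crc.txt", "ebcdic.txt"}, []uint16{flagEncrypted | flagStrongEnc, 0})
)

func main() {
	for _, a := range [][]byte{GoodArchive, BadArchive} {
		clear, err := ClearTextEntries(a)
		fmt.Printf("cleartext entries=%v err=%v\n", clear, err)
	}
}
```

On a real archive downloaded from the mainframe, feed the file bytes to ClearTextEntries and refuse to run the email step when the result is non-empty or an error is returned; the flag check says nothing about the strength of the key or password used, so it complements, not replaces, the -ENCRYPTION_METHOD(AES256) setting in the job.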
Demo – Mobile
[Screenshot slides]
Questions?
Recommended Sessions
SESSION#  TITLE                                                                                                                  DATE/TIME
MFX118S   How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis   11/16/2016 at 3:00 pm
MFT174S   Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data                              11/17/2016 at 12:45 pm
MFT175S   Gaps in Your Defense: Hacking the Mainframe                                                                                11/17/2016 at 3:00 pm
Must See Demos
Real-Time Data Security & Compliance – CA Data Content Discovery – Mainframe Theatre
Mainframe Security Smart Bar – CA Top Secret® – Mainframe Theatre
Real-Time Data Security & Compliance – CA Compliance Event Manager – Mainframe Theatre
Mainframe Security Smart Bar – CA ACF2™ – Mainframe Theatre
Stay connected at communities.ca.com
Thank you.
Mainframe and Workload Automation
For more information on Mainframe and Workload Automation, please visit: http://cainc.to/9GQ2JI