© 2010 IBM Corporation
IBM System z
Intellinx zWatch, November 8, 2010
System z Solution Edition for Security – Fraud Reference Case
• Client Scenario: State Criminal Justice System, Bullet-proof Mainframe security, Many access points
IBM Sales Team targets the CIO and CFO: “Experience has demonstrated that insider leaks may be utilized to help criminals escape prosecution or to release information about celebrities or high ranking government officials.”
“Your current IT infrastructure is exposed to these leaks which will likely result in civil and criminal penalties.”
“At this very moment, policemen or detectives may be leaking information to criminals or the media. Also you are currently exposed to illegal access of sensitive information. Most alarming is that you may only become aware of such illegal access after your department has become fodder for the Tabloids. In such cases, departments have suffered high-level resignations and civil penalties.”
• Policemen access Driver information from portal within Police cruiser
• Detectives track case data via Cognos Analytics application
• Courts manage search warrants and court cases
[Figure: Provocation – Compliance Insight Manager and Solution Edition for Security extend mainframe security end-to-end across the enterprise; illustrated with illegal queries against the Wants and Warrants Database and the headline “Joe Biden selected as Obama’s running mate”.]
System z Solution Edition for Security – Secure Infrastructure
• Client Scenario: Large Healthcare Provider, Rigorous HIPAA compliance, huge patient records
IBM Sales Team targets the CIO and CFO: “Experience has demonstrated that insider leaks may be the biggest exposure to HIPAA compliance, especially when there is an opportunity to profit from disclosing patient records to third parties.”
“Your current IT infrastructure is exposed to these leaks which will likely result in civil and criminal penalties.”
“At this very moment, nurses, Doctors, or administrative personnel may be accessing patient records for the purpose of selling the information to a Tabloid. Such leaks are not only embarrassing and tarnish the Corporate image, they most certainly will result in substantial compliance and legal penalties, impacting the bottom-line. Failure to address this issue will expose you to negligence charges.”
• Secured access to patient medical records
• Patient records accessed by Doctors, Nurses, and Administration
• All Patient information is subject to HIPAA Compliance
[Figure: Provocation – Compliance Insight Manager and Solution Edition for Security extend mainframe security end-to-end across the enterprise; illustrated with an illegal “leak” of Paris Hilton’s patient records.]
Elements of an Enterprise Security Hub
[Figure: Elements of an Enterprise Security Hub on System z. Panels: Platform Infrastructure, Data Privacy, Compliance and Audit, Extended Enterprise.]
Components shown: Multilevel Security; Encryption and Key Management; TS1120 tape encryption; Common Criteria ratings and support for standards; RACF® (audit, authorization, authentication, and access control); Communications Server (IDS, secure communications); IBM Tivoli Security Compliance Insight Manager; IBM Tivoli® zSecure Suite; DB2® Audit Management Expert; Tivoli Identity Manager; Tivoli Federated Identity Manager; Crypto Express 3 crypto cards; System z SMF; ITDS (LDAP, scalable enterprise directory); Network Authentication Service (Kerberos V5 compliant); z/OS® System SSL (SSL/TLS suite); ICSF (services and key storage for key material); PKI Services (certificate authority); DS8000® disk encryption; Enterprise Fraud Solutions; DKMS; TKLM; Venafi Encryption Director; Guardium; Optim™.
* All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Intellinx’s Value Propositions
• Outstanding out-of-the-box value – Immediate ROI following installation (typically only a few hours). Intellinx begins capturing all cross-enterprise user activity, allowing Internal Audit, Security and Fraud teams to perform investigations with cross-platform search with complete visual replay and generate alerts on potential suspicious insider application activity.
• Intellinx is the only solution on the market that captures user activity to detect/prevent internal fraud and data leakage on IBM Systems z and i. Customers expect IBM to lead the way on these platforms.
• Intellinx solution can handle encrypted traffic when executed natively on z/OS. A network appliance cannot do that without changing network standards.
• Reduce Internal Fraud Losses by detecting potential fraud via real-time preventive / detective controls
• Deter potential fraudulent users just by knowing that all their actions may be recorded
• Improve internal audit effectiveness by alerting on detection of suspicious behavior and providing full visibility for audit
• Enforce corporate security policies by detecting security breaches, incidents and exceptions
• Improve compliance with privacy regulations by creating a full audit trail of all end-user activity including queries and provide accurate data for Basel II and S-Ox Risk Control Assessments
Intellinx Architecture
[Figure: Intellinx Architecture, numbered steps 1–5. Components shown: Switch; 3270 / 5250 traffic; Host; Intellinx Sensor; Intellinx Analyzer; Intellinx Session Analyzer (Queue, Screen/Message Recording, Session Reconstruction, REPLAY); Event Analyzer (Actions, Business Event, Backlog, Events Repository); outputs to Intellinx Reports, MQSeries and Files.]
Intellinx Architecture – z/OS solution
[Figure: the same Intellinx Architecture diagram, with the Sensor and Analyzer components overlaid on z/OS.]
z/OS solution (zWatch unique):
– SW only install
– 98% zAAP eligible
– Doesn’t add to existing SW charges
– Sysplex aware
– High volume, low CPU %
– Can handle non-z/OS traffic
– Operates across VPN
– Eliminates network distribution of SSL private keys for z/OS workloads (no other solution does)
– Reduces risk
– Reduced complexity of deployment/ordering
– Reduced overhead & latency for real time analytics
– Leverages Mainframe security and audit of DB’s
Deployment choices toward a Fraud & Forensic Clearing House on System z
[Figure: Intellinx Architecture, numbered steps 1–5, with 3270 / 5250 / MQ / HTTP traffic tapped at the Switch. Components shown: Host; Intellinx Sensor; Intellinx Analyzer; Intellinx Session Analyzer (Queue, Screen/Message Recording, Session Reconstruction, REPLAY); Event Analyzer (Actions, Business Event, Backlog, Events Repository); outputs to Intellinx Reports, MQSeries and Files; z/OS.]
Business Goals
– A User activity monitor for forensic and fraud prevention
– Non-invasively capture activities from a wide variety of protocols and systems
– Stealthfully deploy, where possible
Intellinx in Action
– Identified thefts from Dormant bank accounts
– Eliminated RYO audit tools for major Police Dept
– Stopped leakage of personally identifiable information
Bladecenter deployment
– Over 200 blades to meet needs of large financial institution with the five distinct solution points of control
– Weeks to configure and deploy software
– Environmental and FTE costs are highest
– Coordination across security, network and server admin teams
Linux on System z deployment
– Multiple Linux server instances to cover the five distinct solution points of control
– Common hardware reduces environmentals and FTEs
– Network connections must be established to capture traffic
z/OS zWatch edition deployment
– Installation in under an hour, software only
– zIIP and zAAP eligible for 98% of processing keeps software pricing minimal
– High volume, low CPU utilization
– TCA and TCO are less than alternatives
– zWatch unique capability to handle network encrypted traffic
– With zBX, zWatch can handle non-z traffic with network admin assistance and simplify operations
– Reduced overhead and latency for real time analytics
Intellinx™ zWatch™
• Tracks all business transactions performed on the mainframe, generates a detailed audit trail and detects suspicious activity in real-time.
• Creates a forensic database that can be used for detecting and preventing fraud and data leakage and for managing investigations.
• Complements other compliance related tools, such as IBM’s Tivoli Compliance Insight Manager, to dramatically reduce the incidence of fraud within a business.
• Provides a cross platform enterprise hub for managing forensics and fraud, and can reduce deployment costs.
• Provides recording available for playback of all corporate data transactions.
• Provides an audit trail enabling compliance with government regulations, such as FACTA Identity Theft Red-Flags, PCI-DSS, Sarbanes-Oxley, Basel II, GLBA and HIPAA.
• Runs natively on the mainframe, sniffing all inbound and outbound network transmissions and recording all end-user screens and keystrokes as well as application transactions.
• Profiles user and account activity and generates alerts on anomalies in real-time.
• Provides a one-of-a-kind visual replay of user activities – by screen and keystroke.
• Provides Google-like search of screen content stored by the system, enabling security officers and internal auditors to search, for example, for all users who accessed a specific customer account and replay the specific user activity.
Additional information on Intellinx™ zWatch™: http://www.intellinx-sw.com/company_news_item.asp?ID=44
Client Reference: http://www.intellinx-sw.com/customers_recommend.asp
Application Architecture: The Complexity of Distributed
Business Objectives
– A bank has four basic transactions: Credit, Debit, Transfer, Inquiry
– And they have a variety of choices for front end interface: ATM, Branch Terminal, Kiosk, Web browser, PDA, Cellphone
– Customer uses a Bladecenter to drive multi channel transformation
– The back end processing remains the same regardless of the presentation device
Fully Distributed Model (if deployed)
– Each application becomes a cluster of server images and must be individually authenticated and managed
– Each line is a separate network connection, requiring high bandwidth and protection
– Data is replicated across enterprise to meet scalability
– Customer deploys/builds automation processes to facilitate system recovery with additional software – this is not trivial and requires additional software and unique development
– High environmental needs and full time employees to manage infrastructure
Management Considerations for an enterprise
– Authentication, Alert processing, Firewalls, Virtual Private Networks
– Network Bandwidth, Encryption of data, Audit Records/Reports, Provisioning Users/Work
– Disaster Recovery plans, Storage Management, Data Transformations, Application Deployment
How does the Virtualization Manager improve these?
[Figure: fully distributed application architecture, each component carrying its own management (“Mgt”) point. Components shown: WebSphere® Application Server; Service Platform; Database; Connectors/Appliances; SQLJ; Service; Message; Servlet; Loan Application; Bank Teller; General Ledger; Credit Card Processing; Risk Analysis Service; Current Accounts; Batch Programs; Bill Payment Database; Currency Exchange; Temp data to Electronic Data Warehouse; Batch Process; RMI/IIOP; EJB; WAS; Bill Payment EJBs; Authentication Server.]
Application Architecture: A Large Enterprise
[Figure: large enterprise application architecture consolidated on System zNext. Components shown: End User – Hosted Client; Application Server; Service Platform; Desktop Framework; Devices; Websphere; Database; Connectors; SQLJ; Service; Message; Servlet; Loan Application; Bank Teller; General Ledger; Credit Card Processing; Risk Analysis Service; Current Accounts; Banking Portal; Device Apps.; XML over HTTP(S); Middleware Services; Batch Programs; Bill Payment Database; Desktop Framework Services; Personalization; Service Systems & Databases; MQ; Currency Exchange; Temp data to Electronic Data Warehouse; Batch Process; RMI/IIOP; EJB; WAS Bill Payment EJBs; Authentication Server.]
Potential advantages of consolidating your application and data serving
With IFL
– Security: Fewer points of intrusion
– Resilience: Fewer Points of Failure
– Performance: Avoid Network Latency
– Operations: Fewer parts to manage
– Environmentals: Less Hardware
– Capacity Management: On Demand additions/deletions
With zAAP & zIIP
– Utilization: Efficient use of resources
– Scalability: Batch and Transaction Processing
– Auditability: Consistent identity
– Simplification: Problem Determination/diagnosis
– Transaction Integrity: Automatic recovery/rollback
With zBX
– Security: Fewer points of intrusion
– Connectivity: Improved throughput
– Simplification: Problem Determination/Monitoring
– Development: Consistent, cross platform tools
zNext Combinations – reducing control points
– Assumes the Bladecenter for the multi channel transformation
– Can leverage Websphere on either Linux for System z or z/OS
– The Bladecenter functionality can be migrated to zBX in the future
– TCA and TCO advantages over distributed
– It’s the very same programming model in a different container that provides a superior operations model
Compliance / Risk Mitigation / Secure Infrastructure: z/OS
Customer Challenges
– Security breaches, identity theft are growing
– Companies face large financial losses
– PCI and HIPAA compliance are required by law
– Many environments are plagued by viruses and a continued cycle of patches
Solution Capabilities
– Security certifications (z/OS EAL 4+, LPAR EAL 5, FIPS 140-2 Level 4), System z/OS integrity statement
– Centralized security controls, auditing and administration
– Anonymous data for development and test
Solution Components
– z/OS V1 including: z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF
– DB2 for z/OS V9
– WebSphere for z/OS V7
– Optim Data Privacy Solution
– Encryption Facility for z/OS V1
– Data Encryption for IMS and DB2 Databases V1
– Crypto Express3 Features
– TKE Workstation
– OSA Cards
– IBM Tivoli Security Management for z/OS
– Tivoli® Key Lifecycle Manager (TKLM)
– IBM System Services Runtime Environment for z/OS
– IMS Audit Management Expert for z/OS
– DB2 Audit Management Expert for z/OS
– Optional: IBM Distributed Key Management System (DKMS), Intellinx zWatch, Venafi Encryption Director
Enterprise Fraud Analysis Solution
Customer Challenges
– Internal and external fraud cost billions of dollars in losses
– Reduction in brand equity and substantial financial losses
– Executives face personal fines, penalties and legal repercussions
Solution Capabilities
– Provides automated policy enforcement, centralized reporting and analysis, centralized auditing controls, risk mitigation
– Record and playback insider actions
– Forensic analysis tools, real time prevention workflow
– Discover relationships via analytics
Solution Components
– IBM Tivoli zSecure Manager for RACF z/VM
– RACF® Security Server feature for z/VM
– z/VM® V5
– z/VM V5 DirMaint™ Feature
– ISPF V3 for VM
– Optional: Intellinx zWatch