layered security for ibm i - rt-partnermedia.rt-partner.se/2018/06/layered-security.pdf · layered...
Security 101: Layered Security
Security 101: Layered Security Fundamentals
Layered Security Fundamental #1
Assume Vulnerability, Not Impregnability
Layered Security: The Swiss Cheese Model
James T. Reason, University of Manchester, 1990
We Assume There Are Holes, We Can’t Plug All Of Them
The Goal Is Not To Plug All The Holes
The Goal is to Prevent a Breach
Layered Security for IBM i
• Where are the critical assets on IBM i?
• How can you get to them?
The GDPR Regulation
• The GDPR is structured in 173 ‘recitals’ and 99 articles.
• Of these, 14 recitals and 11 articles mention or imply the need for data protection technologies, which can be grouped into the following categories:
  • Protection of Data
  • Privacy and Confidentiality of Data
  • Integrity of Data
  • Encryption and Pseudonymization
  • Access Control, Malicious and Accidental Damage
  • Compliance to Regulations
  • Risk Assessment
  • Logging and Auditing
  • Security Settings and Policy
Object Level Security:
• Traditional way of securing on IBM i
• Powerful capability but complex
• Must have someone on staff with working knowledge of IBM i security schemas
• Many application packages implement Full Access to everyone
• Object level security does not differentiate between internal and external access to the file
• How do you check your settings remain as you set them - assure object level security stays in place
Protection of Data
File Level Security:
• Object Level Security is an extremely powerful tool
• However, it can be bypassed/neutralized by users with powerful user profiles (of which there are too many in most organizations)
• Organizations therefore are looking for full role based access to sensitive DB2 Files to control privileged users
• IBM offers an exit point, but you have to write the program
• Management infrastructure is needed to optimally use it
Protection of Data
TCP/IP Security:
• OS/400, now IBM i, was architected before the advent of PC connectivity
• A user is able to access the IBM i through the network and change or delete any data he wants without being detected
• A person with a user profile and password is restricted in the interactive environment by menus
• TCP/IP Back Door: With the same user name and password through TCP/IP tools this user can bypass menu security and get to resources the menus would not allow him to access interactively
Integrity of Data
TCP/IP Security:
Exit Points - WRKREGINF
- Tools like FTP, ODBC, RMTCMD, IFS etc.
- Need structure to manage the exit programs – role based, layered
Integrity of Data
[Diagram: other access paths to IFS and QSYS.LIB data]
OTHERS
• CLI, QSQSRVR: PHP, XML Service, …
• QSQPRCED: XDA, XDN, …
• Sockets: Socket programs
• Open Source: Node.js, Python, Ruby, GCC, GIT, Orion, Perl…
NO Exit Points for 3rd Party and SSH etc…
Integrity of Data
Encryption and Pseudonymization
Different requirements based on regulations (Like PCI DSS, GDPR and HIPAA) to assure sensitive data is not seen by unauthorized eyes
Ensure that reading the data is blocked regardless of the means of access
Data at Rest (as opposed to in motion)
Threat – Non Credential User
• Database Encryption – Encryption Card
• Back-up (Tape or Save File) Encryption
Threat – Credentialed User
• Field Encryption (Masking/Scrambling/Security)
• File Encryption
Evolution within IBM i – OS Level Support
IBM i 7.1: Field Procedure
• Called at database level
Advantages
• Control on almost everything related to the field:
  • Encryption/decryption
  • Masking
  • Scrambling
  • Field Audit
  • Field Security
Disadvantage
• CPU intensive
IBM i 7.2: RCAC (Row Column Access Control)
• Pure IBM internal DB functionality
• Different masking views of fields and records for different users
• Regulates access by data in the row according to user authority
Advantage
• Good and fast performance
Disadvantages
• No Encryption
• No Scrambling
• No Field Auditing
Before IBM i 7.1
• Needed to make changes to applications, especially for decryption
Command Security & Monitoring
• Security exposure of everyone having access to commands.
• Monitoring of commands is possible in QAUDJRN but at User level
• Individual users need to be configured for *CMD auditing with CHGUSRAUD command.
• Limit access to command line (FTP command line still bypasses, powerful user)
• Another option is to use the exit point IBM provides - allows you to have role based management infrastructure as well as an audit trail
Access Control, Malicious and Accidental Damage
Remote commands & parameter « Limit capabilities »
The same command, dspsysval qdate, as issued through different interfaces:
• CALL QSYS.QCMDEXC ('dspsysval qdate', 0000000015.00000)
• cl:dspsysval qdate
• SBMRMTCMD CMD('dspsysval qdate') DDMFILE(library/DDMfile)
• dspsysval qdate
• Rmtcmd //system dspsysval qdate
• RUNRMTCMD CMD('dspsysval qdate') RMTLOCNAME(system *IP) RMTUSER(user) RMTPWD( )
• FTP Server: Quote Rcmd dspsysval qdate
• db2 "call qcmdexc ('dspsysval qdate')"
Interfaces shown: 5250, REXEC, IBM i Access for Windows, ODBC / DRDA, System i Navigator, DDM, PuTTY
ALWLMTUSR(*NO)
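Because the same CL command can arrive wrapped in SQL, FTP, DDM or remote-command syntax, a role-based control has to reduce every request to the underlying command before it decides and logs. The Python below is an added example, not code from this presentation or from any product it names; the channel tags, role names and policy table are hypothetical, and the sample requests are constructed from the command forms listed above.

```python
import re

# Constructed samples: the slide's command on each remote channel. The
# channel tags are this example's own labels, not IBM identifiers.
SAMPLES = [
    ("SQL", "CALL QSYS.QCMDEXC ('dspsysval qdate', 0000000015.00000)"),
    ("SQL", "cl:dspsysval qdate"),
    ("DDM", "SBMRMTCMD CMD('dspsysval qdate') DDMFILE(library/DDMfile)"),
    ("5250", "dspsysval qdate"),
    ("RMTCMD", "Rmtcmd //system dspsysval qdate"),
    ("REXEC", "RUNRMTCMD CMD('dspsysval qdate') RMTLOCNAME(system *IP)"),
    ("FTP", "Quote Rcmd dspsysval qdate"),
    ("SSH", "db2 \"call qcmdexc ('dspsysval qdate')\""),
]

# Wrappers that carry a CL command inside another request.
WRAPPERS = [re.compile(p, re.I) for p in (
    r"qcmdexc\s*\(\s*'((?:[^']|'')*)'",                   # SQL CALL QCMDEXC
    r"^(?:SBMRMTCMD|RUNRMTCMD)\s+CMD\('((?:[^']|'')*)'\)",  # DDM / remote cmd
    r"^cl:\s*(.+)$",                                      # cl: prefix
    r"^quote\s+rcmd\s+(.+)$",                             # FTP quote rcmd
    r"^rmtcmd\s+//\S+\s+(.+)$",                           # Rmtcmd //system
)]

def extract_cl(request):
    """Unwrap nested wrappers and return the innermost CL command string."""
    text = request.strip()
    for _ in range(4):  # bounded, because wrappers can nest
        match = next((m for p in WRAPPERS if (m := p.search(text))), None)
        if match is None:
            break
        text = match.group(1).replace("''", "'").strip()
    return text

# Hypothetical role policy: permitted channels and CL verbs per role.
POLICY = {
    "operator": {"channels": {"5250"}, "verbs": {"DSPSYSVAL", "WRKACTJOB"}},
    "dba": {"channels": {"5250", "SQL"}, "verbs": {"DSPSYSVAL", "DSPFD"}},
}

def decide(role, channel, request):
    """Deny by default; return an audit record for every decision."""
    cmd = extract_cl(request)
    verb = cmd.split()[0].upper().rsplit("/", 1)[-1] if cmd else ""
    rule = POLICY.get(role, {"channels": set(), "verbs": set()})
    allow = channel in rule["channels"] and verb in rule["verbs"]
    return {"role": role, "channel": channel, "verb": verb,
            "command": cmd, "allow": allow}
```

Every call returns a record whether the request is allowed or not, so the same function supplies both the access decision and the audit trail for all channels.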
Auditing:
• OS contains many journals and logs that contain a wealth of information
• Challenge is to present this information in a user friendly and comprehensive way
• Example File Journal – information is spread out over various screens
• File Journal – file information, but what about read data events?
• SQL – running this log without management tools is setting up for performance problems
• SQL – problem with ??? in SQL Statements
Logging and Auditing
• No indication of the PC that accessed the file
• No indication of the SQL statement
• No separation of field values
• No display of non-character fields
• No indication that this was breach rather than legitimate update
Logging and Auditing - Example
Challenge of Maintaining a Record:
• Amounts of Data
• Journal Receivers need to be taken offline, restoring them for forensics needs can be at cross purposes with operational needs.
• Storage on a Production Server – SIEM (Security Information & Event Management)
Logging and Auditing
Security Areas
• System Auditing
• Database Auditing
• Access Control
• Elevated Authority
• Encryption
• Masking
• Anonymization
• SIEM Integration
• Multi-Factor Authentication
• Security and Risk Assessment
• GUI
Cilasoft Compliance and Security Suite Modules
Auditing & Compliance
QJRN/400
• Reports and alerts on system events and database changes
• System examiner
CONTROLER
Global Access Control
• ODBC, JDBC, OLE DB
• FTP, DDM, DRDA, NetServer
• Jobs, Sockets
• File open, SQL engine
• Commands
Elevated Authority Manager
• Grant additional authorities on an as-needed basis
• Audit and log activities of elevated profiles
FREE JOB LOG EXPLORER
• Analyzes any job log using several powerful filters that will save you significant time when troubleshooting job-related issues on your IBM i
Utilities
• Reports and Alerts
• MSGQ, Menus, profiles
• Running a command over a resulting file
POST FILE
Data Consolidation and Distribution
• Consolidate any Db2 file from multiple remote sites
• Deploy any Db2 file from a central site
• Run commands simultaneously on remote sites
CENTRAL
Interface
SIEM
• IBM QRadar
• ArcSight
• Splunk
• LogRhythm
• Netwrix
• LogPoint
Enforcive Security Product
ES: Enterprise Security
CPA: Cross-Platform Audit
CPC: Cross-Platform Compliance
PSS: Password Self Service
AIX Security
Host Based Security, Audit & Compliance for IBM i
Log Management & Database Activity Monitoring
GRC (Governance, Risk Management, and Compliance)
Security and Auditing for IBM AIX
For use with:
• Base ES Product
• Exit Point Security
• System Monitoring
• Alerting
• Reporting
• Admin Tools
• Firewall Manager
• File Encryption
• Policy Compliance Manager
• Data Provider
• Password Self Service
• Accelerator Package
For use with:
• Windows
• Unix (AIX & Solaris)
• Linux
• IBM i (OS400 & DB2)
• z/OS
• MS SQL Server
• Oracle
• DB2
• Sybase
• MySQL
• Progress
• Syslog
• Flat File Format
For use with:
• Windows
• AIX
• IBM i (OS400 & DB2)
• MS SQL Server
• Oracle
• Linux
For use with:
• IBM i (OS400 & DB2)
• Windows Active Directory
• Linux
• AIX
• Open LDAP
For use with:
• Base AIX Product
• Access Control
• File Protection
• System Audit
• Event Auditing
Cross Platform Password Management
Security Risk Assessment Tool
Mainframe Security
Masking for Sensitive/Personal IBM i data
Real-time anonymization
• Masking, scrambling for data such as credit card numbers
• Important for GDPR readiness
• Graphical settings - pick the fields you need
• Key consistency
• IBM i native
Trader’s Security Product
Syncsort’s Future Security Product Line
[Diagram: the security areas (System Auditing, Database Auditing, Access Control, Elevated Authority, Encryption, Masking, Anonymization, SIEM Integration, Multi-Factor Authentication, Security and Risk Assessment) labelled with the product lines Cilasoft, Townsend, Enforcive, Trader’s and Ironstream. Layer labels: Code Foundation, Modules, Interface, Features.]
Graphical, Web-Based UI (VSP)
GDPR White Paper