IBM InfoSphere Guardium for DB2 on z/OS – Technical Deep Dive

Anuncio
IBM InfoSphere Guardium for DB2 on z/OS
– Technical Deep Dive
One of a series of InfoSphere Guardium Technical Talks
Ernie Mancill – Executive IT Specialist
2014 Guardium Deep Dive
© 2014 IBM Corporation
Logistics
 This tech talk is being recorded. If you object, please hang up and
leave the webcast now.
 We’ll post a copy of slides and link to recording on the Guardium
community tech talk wiki page: http://ibm.co/Wh9x0o
 You can listen to the tech talk using audiocast and ask questions in
the chat to the Q and A group.
 We’ll try to answer questions in the chat or address them at
speaker’s discretion.
– If we cannot answer your question, please do include your email
so we can get back to you.
 When speaker pauses for questions:
– We’ll go through existing questions in the chat
2
2014 Guardium Deep Dive
© 2014 IBM Corporation
Reminder: Guardium Tech Talks
Next tech talk: Encryption is Fundamental: A technical overview of
Guardium Data Encryption
Speakers: Tim Parmenter
Date &Time: Thursday, October 9th, 2014
11:30 AM Eastern Time (60 minutes)
Register here: http://bit.ly/1pa3zlR
2014 Guardium Deep Dive
© 2014 IBM Corporation
Agenda



Guardium Datasets and DB2 Overview
Architecture Review
Integration







QRadar SIEM Alert and Log Integration Scenario
RACF Integration with zSecure and VA Scenario
Brand-x Integration with Custom Tables and
Entitlement Scenario
DB2 UET and extended Utility Tracking Scenario
Brand-x Utility Reporting Scenario
Identity Mapping with Java distributed applications
Wrap-up and Q&A
2014 Guardium Deep Dive
© 2014 IBM Corporation
IBM InfoSphere Guardium Real-time activity Monitoring
2014 Guardium Deep Dive
© 2014 IBM Corporation
STAP for DB2 on z/OS
Architecture
HTTPS
Parse
(Appliance)
TCP
ASC
Filter and
Format
DB2 IFI
IFI Format
ASC Hooks
Repository
STAP
DB2
z/OS
2014 Guardium Deep Dive
© 2014 IBM Corporation
Guardium for DB2 on z/OS
Capabilities

Database Activity Monitoring

ASC (SQL Collection via Control Block Inspection)

IFI (Instrumentation Facility – Limited Use)

Alerting

Blocking (thread termination)

Entitlement Reporting (Who has what)

Vulnerability Assessment

Configuration Test (Security related zParms)

Patch (Security related APARs)

Privilege (System and Object Authorizations)
2014 Guardium Deep Dive
© 2014 IBM Corporation
Infosphere Guardium STAP for Datasets on z/OS
Guardium S-TAP for Datasets on z/OS
Architecture
2014 Guardium Deep Dive
© 2014 IBM Corporation
Guardium for Datasets on z/OS
Capabilities

Dataset Activity Monitoring (Reporting)

SMF Traces (No extra traces needed)

SMS Control Blocks

VSAM, Sequential, Partitioned

Alerting

CICS GLUE (Global User Exit)


CICS related information for file activity
RLM (Record Level Monitoring

VSAM (KSDS and RRDS)
2014 Guardium Deep Dive
© 2014 IBM Corporation
Alert Processing and Integration
with IBM QRadar SIEM on z/OS
2014 Guardium Deep Dive
© 2014 IBM Corporation
What is an SIEM?



Many customers are using SIEM (Security
Information Event Management) solutions
QRadar is IBMs SIEM offering
Capability to provide Enterprise-wide view of
security events from:

Operating Systems

DBMS

Network

Applications
2014 Guardium Deep Dive
© 2014 IBM Corporation
Why QRadar?

Cornerstone product for Industry Leading
(according to Gartner) security offerings

Well integrated with Guardium

Easy to implement with industry standard

Gateway to move from reactive security posture into
predictive or analytic based security capability with
Big Data
2014 Guardium Deep Dive
© 2014 IBM Corporation
System z Security and Data Protection
zSecure, Guardium, AppScan & QRadar improve Security Intelligence
zSecure
z/OS
RACF
ACF2, TSS
CICS
Security Devices
Servers & Mainframes
Network/Virtual Activity
Guardium
DB2
IMS
VSAM
Database Activity
Application Activity
Configuration Info
AppScan
Web Apps
Mobile Apps
Web services
Desktop Apps
Event
Correlation
Activity Baselining &
Anomaly Detection
Offense
Identification
Threat Intelligence
User Activity
Vulnerability Information
Extensive Data Sources
+
Deep
Intelligence
=
Exceptionally Accurate and
Actionable Insight





Centralized view of mainframe and distributed network security incidents, activities and trends
Better real-time threat identification and prioritization correlating vulnerabilities with Guardium and zSecure
S-TAP feeds routed to QRadar via Guardium Central Policy Manager
SMF data set feeds with zSecure Audit and Alert
Increases accuracy of threat identification correlating application vulnerabilities with other security alerts to assign
incident priorities and surface meaningful activity from noise
 Creates automatic alerts for newly discovered vulnerabilities experiencing active ‘Attack Paths’
 Produces increase accuracy of risk levels and offense scores, and simplified compliance reporting
13
© 2014 IBM Corporation
SYSLOG Alert feed to QRadar SIEM
Parsing and
repository insert
What is collected
What is stored
Criteria for Exceptions
Policy
Exception criteria
-application-
TCP
Events meeting
collection criteria
SYSLOG process
to UDP
Inspection
DB2
STAP
z/OS
2014 Guardium Deep Dive
(Guardium Appliance) UDP
SIEM
(QRadar)
© 2014 IBM Corporation
2014 Guardium Deep Dive
© 2014 IBM Corporation
Real Time Data Leak Prevention with IBM
Infosphere Guardium for DB2 on z/OS
2014 Guardium Deep Dive
© 2014 IBM Corporation
Real-Time Alerting vs Action
(Data Leak Prevention)





Traditional SMF or Log based activity monitoring
latency measured in many hours (even days)
Alerting with Guardium is in real-time and
immediate.
But, then with the alert surfaced…..Watcha gonna
do ‘bout it…..call “Guardium Thread Busters”
Exception based thread termination
Latency between exception detection and thread
termination is somewhere around 1 second (policy
evaluation is done on appliance and thread
termination request is signaled to the STAP)
2014 Guardium Deep Dive
© 2014 IBM Corporation
2014 Guardium Deep Dive
© 2014 IBM Corporation
Vulnerability Assessment and and
Entitlement Integration with zSecure for
RACF
2014 Guardium Deep Dive
© 2014 IBM Corporation



With DB2 Grant Revoke…..

Security is handled by DB2

Privileges are bestowed with the DB2 GRANT statement

Privileges are typically controlled by the DBA

Authorization and entitlement information is reflected in the DB2 Catalog

RACF or DB2
Grant/Revoke…..who
Security is handled
by RACF (via a DB2 exit routine) cares?

Privileges are bestowed using the RACF PERMIT command

Privileges are typically controlled by the RACF administrator

Authorization and entitlement information is stored in the RACF database
With RACF based Security
When RACF is used the impact on Guardium is:

Entitlement reporting is inaccurate

Vulnerability testing is inaccurate (except when using zSecure Audit feed)

Authorization information for Group administration is unavailable
2014 Guardium Deep Dive
© 2014 IBM Corporation
DB2 Grant/Revoke Authorization Process
Process with SQL Request
Control of Access within DB2
Primary ID
DB2 Catalog
DB2 Authorization Checking Allowed
using
Secondary ID
native DB2 Authority
SQL
Role
DB2 Object
Or
Authority
SYSIBM.SYS…AUTH
SYSIBM.SYS…AUTH
SQL ID
Auth Check
SYSIBM.SYS…AUTH
Denied
- 551
DB2 Authorization Tables
2014 Guardium Deep Dive
© 2014 IBM Corporation
DB2 External Security Authorization Process
SQL
Role
Control of Access within RACF
Secondary
DSNX@XAC
Process with SQL Request
Primary
DB2 Catalog
OK
DB2 Object Checking
DB2 Authorization
Or
Not Used
Authority
using RACF
SYSIBM.SYS…AUTH
SQL ID
nie
e
D
SYSIBM.SYS…AUTH
SYSIBM.SYS…AUTH
d
DB2 Authorization Tables
RACHECK
- 551
RACF
Database
2014 Guardium Deep Dive
© 2014 IBM Corporation
Entitlement
Reports
Guardium Appliance
VA
Reports
JDBC
DB2
JDBC
GDDMONITOR
zSecure
RACF
ACF2
2014 Guardium Deep Dive
z/OS
© 2014 IBM Corporation
RACF Database
DB2 Authorization
Tables
SDSNEXIT
DSN3@ATH
CKAJVA99
“Stage 2”
Merged Entitlement Info
“Load Format”
GDDMONITOR Tables
2014 Guardium Deep Dive
© 2014 IBM Corporation
2014 Guardium Deep Dive
© 2014 IBM Corporation
BUT ERNIE………
I don’t use RACF, I use TOG* security!!!!
*TOG – (The Other Guys) a.k.a CA-ACF2® or CA-Top Secret®
2014 Guardium Deep Dive
© 2014 IBM Corporation
Approach for TOG Support

Using a similar approach to zSecure

Create z/OS DB2 table(s) to store CA security
elements

Populate these with data from CA security products

Use Guardium Custom Table Support do define
“clone” of table on G-Machine

Use “Upload Data” on Custom Query to move data
into G-Machine

Use Guardium Custom Query to build report….
2014 Guardium Deep Dive
© 2014 IBM Corporation
Custom
Reports
Guard
Group
DB2
Guardium Appliance
JDBC
Custom Table
TSS
Extract
TSS
Database
2014 Guardium Deep Dive
© 2014 IBM Corporation
2014 Guardium Deep Dive
© 2014 IBM Corporation
End User Attribution with Guardium
for DB2 on z/OS
2014 Guardium Deep Dive
© 2014 IBM Corporation
End User Attribution - Challenges




Distributed application server issuing DB
connections using AS credentials, not client – end
user.
CICS Attach Applications where the CICS/DB2
interface definitions are coded to not use USERID
as a result the CICS Region ID shows as DBUser.
CICS File Control requests show the File Domain
user (the CICS Region RACF ID)
JDBC/ODBC connections to the DB server show
incorrect credentials
2014 Guardium Deep Dive
© 2014 IBM Corporation
Solutions

WAS Server configurations to propagate credentials

DB2 10 and Identity Propagation

Java Properties

Extended User Properties


DB2 Supplied Stored Procedure

SQLESETI
Infosphere Guardium STAP for Datasets – CICS
GLUE
2014 Guardium Deep Dive
© 2014 IBM Corporation
2014 Guardium Deep Dive
© 2014 IBM Corporation
Bringing it all Together
2014 Guardium Deep Dive
© 2014 IBM Corporation
Threats to DB2 Data on z/OS

Privileged User access to DB2 Data from outside of DB2.


Privileged User access to DB2 Data via SQL


Abuse of privilege without business Need to Know
Threats to DB2 Data
External Threats


Access to Linear VSAM datasets
SQL Injection (Hacking)
Movement of data outside of DB2

Unloads

Clones

Test Data

Replication
2014 Guardium Deep Dive
© 2014 IBM Corporation
Layered Protection Approach - Elements





First Layer - Encryption (this forces only access to clear text data
must be in the form of an SQL statement)
Second Layer - Database Activity Monitoring (this ensures each
SQL statement is inspected, audited, and subject to security policy
control)
Third Layer - Audit access to VSAM linear datasets
Fourth Layer - Implement business need to know control for critical
Defense
in Depth
data (this reduces
abuse of privilege
access)of DB2 Data
Fifth Layer - Protect the use of unloads and extracts for the purpose
of:
 Test data management and generation
 Unloaded data for batch processes
 Extracts for external uses
 Replicated data
 Backup and Recovery assets
2014 Guardium Deep Dive
© 2014 IBM Corporation
Layered Approach - Capabilities





Encryption of Data at Rest with Infosphere Encryption Tool for DB2
and IMS Databases
Fine-Grain Database Activity Monitoring with Infosphere Guardium
for DB2
VSAM Activity Monitoring with Infosphere Guardium STAP for
Datasets
Review - Capabilities
Business “Need to Know” controls on specific tables with DB2 10
and Row filters / Column masking
Control of Data moved outside of DB2:

Infosphere Guardium Encryption Expert for MP

Optim Test Data Management and Data Privacy Solution

z/OS Encryption Facility

Infosphere Guardium Encryption Tool for DB2 and IMS Databases

Infosphere Guardium Database Activity Monitoring
2014 Guardium Deep Dive
© 2014 IBM Corporation
Information, training, and community

InfoSphere Guardium web site at ibm.com/guardium

InfoSphere Guardium YouTube Channel – includes overviews and technical demos

developerWorks forum (very active)

Guardium DAM User Group on Linked-In (very active)


Community on developerWorks (includes content and links to a myriad of sources,
articles, etc)
Guardium Knowledge Center
InfoSphere Guardium Virtual User Group.
Open, technical discussions with other users.
Send a note to [email protected] if
interested.
2014 Guardium Deep Dive
© 2014 IBM Corporation
Reminder: Guardium Tech Talks
Next tech talk: Encryption is Fundamental: A technical overview of
Guardium Data Encryption
Speakers: Tim Parmenter
Date &Time: Thursday, October 9th, 2014
11:30 AM Eastern Time (60 minutes)
Register here: http://bit.ly/1pa3zlR
2014 Guardium Deep Dive
© 2014 IBM Corporation
Descargar