IBM InfoSphere Guardium for DB2 on z/OS – Technical Deep Dive One of a series of InfoSphere Guardium Technical Talks Ernie Mancill – Executive IT Specialist 2014 Guardium Deep Dive © 2014 IBM Corporation Logistics This tech talk is being recorded. If you object, please hang up and leave the webcast now. We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group. We’ll try to answer questions in the chat or address them at speaker’s discretion. – If we cannot answer your question, please do include your email so we can get back to you. When speaker pauses for questions: – We’ll go through existing questions in the chat 2 2014 Guardium Deep Dive © 2014 IBM Corporation Reminder: Guardium Tech Talks Next tech talk: Encryption is Fundamental: A technical overview of Guardium Data Encryption Speakers: Tim Parmenter Date &Time: Thursday, October 9th, 2014 11:30 AM Eastern Time (60 minutes) Register here: http://bit.ly/1pa3zlR 2014 Guardium Deep Dive © 2014 IBM Corporation Agenda Guardium Datasets and DB2 Overview Architecture Review Integration QRadar SIEM Alert and Log Integration Scenario RACF Integration with zSecure and VA Scenario Brand-x Integration with Custom Tables and Entitlement Scenario DB2 UET and extended Utility Tracking Scenario Brand-x Utility Reporting Scenario Identity Mapping with Java distributed applications Wrap-up and Q&A 2014 Guardium Deep Dive © 2014 IBM Corporation IBM InfoSphere Guardium Real-time activity Monitoring 2014 Guardium Deep Dive © 2014 IBM Corporation STAP for DB2 on z/OS Architecture HTTPS Parse (Appliance) TCP ASC Filter and Format DB2 IFI IFI Format ASC Hooks Repository STAP DB2 z/OS 2014 Guardium Deep Dive © 2014 IBM Corporation Guardium for DB2 on z/OS Capabilities Database Activity Monitoring ASC (SQL Collection via Control Block Inspection) IFI (Instrumentation Facility – Limited Use) Alerting Blocking (thread termination) Entitlement Reporting (Who has what) Vulnerability Assessment Configuration Test (Security related zParms) Patch (Security related APARs) Privilege (System and Object Authorizations) 2014 Guardium Deep Dive © 2014 IBM Corporation Infosphere Guardium STAP for Datasets on z/OS Guardium S-TAP for Datasets on z/OS Architecture 2014 Guardium Deep Dive © 2014 IBM Corporation Guardium for Datasets on z/OS Capabilities Dataset Activity Monitoring (Reporting) SMF Traces (No extra traces needed) SMS Control Blocks VSAM, Sequential, Partitioned Alerting CICS GLUE (Global User Exit) CICS related information for file activity RLM (Record Level Monitoring VSAM (KSDS and RRDS) 2014 Guardium Deep Dive © 2014 IBM Corporation Alert Processing and Integration with IBM QRadar SIEM on z/OS 2014 Guardium Deep Dive © 2014 IBM Corporation What is an SIEM? Many customers are using SIEM (Security Information Event Management) solutions QRadar is IBMs SIEM offering Capability to provide Enterprise-wide view of security events from: Operating Systems DBMS Network Applications 2014 Guardium Deep Dive © 2014 IBM Corporation Why QRadar? Cornerstone product for Industry Leading (according to Gartner) security offerings Well integrated with Guardium Easy to implement with industry standard Gateway to move from reactive security posture into predictive or analytic based security capability with Big Data 2014 Guardium Deep Dive © 2014 IBM Corporation System z Security and Data Protection zSecure, Guardium, AppScan & QRadar improve Security Intelligence zSecure z/OS RACF ACF2, TSS CICS Security Devices Servers & Mainframes Network/Virtual Activity Guardium DB2 IMS VSAM Database Activity Application Activity Configuration Info AppScan Web Apps Mobile Apps Web services Desktop Apps Event Correlation Activity Baselining & Anomaly Detection Offense Identification Threat Intelligence User Activity Vulnerability Information Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight Centralized view of mainframe and distributed network security incidents, activities and trends Better real-time threat identification and prioritization correlating vulnerabilities with Guardium and zSecure S-TAP feeds routed to QRadar via Guardium Central Policy Manager SMF data set feeds with zSecure Audit and Alert Increases accuracy of threat identification correlating application vulnerabilities with other security alerts to assign incident priorities and surface meaningful activity from noise Creates automatic alerts for newly discovered vulnerabilities experiencing active ‘Attack Paths’ Produces increase accuracy of risk levels and offense scores, and simplified compliance reporting 13 © 2014 IBM Corporation SYSLOG Alert feed to QRadar SIEM Parsing and repository insert What is collected What is stored Criteria for Exceptions Policy Exception criteria -application- TCP Events meeting collection criteria SYSLOG process to UDP Inspection DB2 STAP z/OS 2014 Guardium Deep Dive (Guardium Appliance) UDP SIEM (QRadar) © 2014 IBM Corporation 2014 Guardium Deep Dive © 2014 IBM Corporation Real Time Data Leak Prevention with IBM Infosphere Guardium for DB2 on z/OS 2014 Guardium Deep Dive © 2014 IBM Corporation Real-Time Alerting vs Action (Data Leak Prevention) Traditional SMF or Log based activity monitoring latency measured in many hours (even days) Alerting with Guardium is in real-time and immediate. But, then with the alert surfaced…..Watcha gonna do ‘bout it…..call “Guardium Thread Busters” Exception based thread termination Latency between exception detection and thread termination is somewhere around 1 second (policy evaluation is done on appliance and thread termination request is signaled to the STAP) 2014 Guardium Deep Dive © 2014 IBM Corporation 2014 Guardium Deep Dive © 2014 IBM Corporation Vulnerability Assessment and and Entitlement Integration with zSecure for RACF 2014 Guardium Deep Dive © 2014 IBM Corporation With DB2 Grant Revoke….. Security is handled by DB2 Privileges are bestowed with the DB2 GRANT statement Privileges are typically controlled by the DBA Authorization and entitlement information is reflected in the DB2 Catalog RACF or DB2 Grant/Revoke…..who Security is handled by RACF (via a DB2 exit routine) cares? Privileges are bestowed using the RACF PERMIT command Privileges are typically controlled by the RACF administrator Authorization and entitlement information is stored in the RACF database With RACF based Security When RACF is used the impact on Guardium is: Entitlement reporting is inaccurate Vulnerability testing is inaccurate (except when using zSecure Audit feed) Authorization information for Group administration is unavailable 2014 Guardium Deep Dive © 2014 IBM Corporation DB2 Grant/Revoke Authorization Process Process with SQL Request Control of Access within DB2 Primary ID DB2 Catalog DB2 Authorization Checking Allowed using Secondary ID native DB2 Authority SQL Role DB2 Object Or Authority SYSIBM.SYS…AUTH SYSIBM.SYS…AUTH SQL ID Auth Check SYSIBM.SYS…AUTH Denied - 551 DB2 Authorization Tables 2014 Guardium Deep Dive © 2014 IBM Corporation DB2 External Security Authorization Process SQL Role Control of Access within RACF Secondary DSNX@XAC Process with SQL Request Primary DB2 Catalog OK DB2 Object Checking DB2 Authorization Or Not Used Authority using RACF SYSIBM.SYS…AUTH SQL ID nie e D SYSIBM.SYS…AUTH SYSIBM.SYS…AUTH d DB2 Authorization Tables RACHECK - 551 RACF Database 2014 Guardium Deep Dive © 2014 IBM Corporation Entitlement Reports Guardium Appliance VA Reports JDBC DB2 JDBC GDDMONITOR zSecure RACF ACF2 2014 Guardium Deep Dive z/OS © 2014 IBM Corporation RACF Database DB2 Authorization Tables SDSNEXIT DSN3@ATH CKAJVA99 “Stage 2” Merged Entitlement Info “Load Format” GDDMONITOR Tables 2014 Guardium Deep Dive © 2014 IBM Corporation 2014 Guardium Deep Dive © 2014 IBM Corporation BUT ERNIE……… I don’t use RACF, I use TOG* security!!!! *TOG – (The Other Guys) a.k.a CA-ACF2® or CA-Top Secret® 2014 Guardium Deep Dive © 2014 IBM Corporation Approach for TOG Support Using a similar approach to zSecure Create z/OS DB2 table(s) to store CA security elements Populate these with data from CA security products Use Guardium Custom Table Support do define “clone” of table on G-Machine Use “Upload Data” on Custom Query to move data into G-Machine Use Guardium Custom Query to build report…. 2014 Guardium Deep Dive © 2014 IBM Corporation Custom Reports Guard Group DB2 Guardium Appliance JDBC Custom Table TSS Extract TSS Database 2014 Guardium Deep Dive © 2014 IBM Corporation 2014 Guardium Deep Dive © 2014 IBM Corporation End User Attribution with Guardium for DB2 on z/OS 2014 Guardium Deep Dive © 2014 IBM Corporation End User Attribution - Challenges Distributed application server issuing DB connections using AS credentials, not client – end user. CICS Attach Applications where the CICS/DB2 interface definitions are coded to not use USERID as a result the CICS Region ID shows as DBUser. CICS File Control requests show the File Domain user (the CICS Region RACF ID) JDBC/ODBC connections to the DB server show incorrect credentials 2014 Guardium Deep Dive © 2014 IBM Corporation Solutions WAS Server configurations to propagate credentials DB2 10 and Identity Propagation Java Properties Extended User Properties DB2 Supplied Stored Procedure SQLESETI Infosphere Guardium STAP for Datasets – CICS GLUE 2014 Guardium Deep Dive © 2014 IBM Corporation 2014 Guardium Deep Dive © 2014 IBM Corporation Bringing it all Together 2014 Guardium Deep Dive © 2014 IBM Corporation Threats to DB2 Data on z/OS Privileged User access to DB2 Data from outside of DB2. Privileged User access to DB2 Data via SQL Abuse of privilege without business Need to Know Threats to DB2 Data External Threats Access to Linear VSAM datasets SQL Injection (Hacking) Movement of data outside of DB2 Unloads Clones Test Data Replication 2014 Guardium Deep Dive © 2014 IBM Corporation Layered Protection Approach - Elements First Layer - Encryption (this forces only access to clear text data must be in the form of an SQL statement) Second Layer - Database Activity Monitoring (this ensures each SQL statement is inspected, audited, and subject to security policy control) Third Layer - Audit access to VSAM linear datasets Fourth Layer - Implement business need to know control for critical Defense in Depth data (this reduces abuse of privilege access)of DB2 Data Fifth Layer - Protect the use of unloads and extracts for the purpose of: Test data management and generation Unloaded data for batch processes Extracts for external uses Replicated data Backup and Recovery assets 2014 Guardium Deep Dive © 2014 IBM Corporation Layered Approach - Capabilities Encryption of Data at Rest with Infosphere Encryption Tool for DB2 and IMS Databases Fine-Grain Database Activity Monitoring with Infosphere Guardium for DB2 VSAM Activity Monitoring with Infosphere Guardium STAP for Datasets Review - Capabilities Business “Need to Know” controls on specific tables with DB2 10 and Row filters / Column masking Control of Data moved outside of DB2: Infosphere Guardium Encryption Expert for MP Optim Test Data Management and Data Privacy Solution z/OS Encryption Facility Infosphere Guardium Encryption Tool for DB2 and IMS Databases Infosphere Guardium Database Activity Monitoring 2014 Guardium Deep Dive © 2014 IBM Corporation Information, training, and community InfoSphere Guardium web site at ibm.com/guardium InfoSphere Guardium YouTube Channel – includes overviews and technical demos developerWorks forum (very active) Guardium DAM User Group on Linked-In (very active) Community on developerWorks (includes content and links to a myriad of sources, articles, etc) Guardium Knowledge Center InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested. 2014 Guardium Deep Dive © 2014 IBM Corporation Reminder: Guardium Tech Talks Next tech talk: Encryption is Fundamental: A technical overview of Guardium Data Encryption Speakers: Tim Parmenter Date &Time: Thursday, October 9th, 2014 11:30 AM Eastern Time (60 minutes) Register here: http://bit.ly/1pa3zlR 2014 Guardium Deep Dive © 2014 IBM Corporation