Tivoli Security Update

Uploaded by tunisianhome (Software and s/w Development), Feb 17, 2014

© 2009 IBM Corporation

Tivoli Security Update


European IBM Tivoli Security User Group

May 14th, 2009

Joe Anthony

jca@us.ibm.com



Demand for security solutions remains strong, but macroeconomic trends and customer experience shift vendor expectations

- IT spending flat to modest growth in 2009 [1]
  - Security remains a CIO top 10 priority
  - Consolidate vendors, harvest existing investments
- Macroeconomics increase competition
  - Down economic environment puts high degree of scrutiny on ROI / value buys
  - Opportunity to take market share by displacing competitive point products
- Changing customer expectations
  - Mainstream IAM customers more focused on business issues and projects vs. technology
  - Strength of vendor portfolio and integration vs. best-of-breed technology selection

Focus on high level value propositions with strong economics

Deliver complete solutions to business problems vs. technology piece-parts

[1] Source: Gartner EXP (January 2009)


IBM Tivoli Security delivering on the IBM Security Strategy

Tivoli Security Solutions

Identity and Access Assurance
- Reduce cost and risk by easing the onboarding and offboarding of users, reporting on user activity and ongoing certification

Data & Application Security
- Protect business information & reputation by safeguarding data in use or at rest

Security Management for z/OS
- Improve mainframe security administration & enable integrated mainframe & distributed security workloads


New security solutions provide greater customer value and competitive differentiation

- Addresses higher level pain points than point product sales
- Provides clients greater value for the money in tough economy
- Distinct competitive advantages
- Simplified messaging and enablement

Identity and Access Assurance
Value Prop: Provide efficient and compliant access for right people to right resources
Problems Solved:
- Reduce help desk OPEX
- Comply with regulations
- Improve user productivity
- Reduce risk from privileged insiders
- Respond quickly to business initiatives (e.g. new applications, M&A, restructuring)

Data and Application Security
Value Prop: Protect integrity and confidentiality of business data and transactions
Problems Solved:
- Data disclosure and privacy compliance
- Application security and agility
- Secure 3rd party collaboration
- Protect IP / data-in-use
- Secure storage / data-at-rest

Security Management for z/OS
Value Prop: Secure critical business services with your most trusted and resilient platform
Problems Solved:
- Secure critical mainframe hosted data and transactions
- Comply with regulations
- Improve service availability
- Enable workload consolidation through improved, centralized security management


New Tivoli Security Solutions solve real customer challenges in three comprehensive packages with improved value that are simple to buy and sell

Identity and Access Assurance: Provide efficient and compliant access for right people to right resources at right time

Data and Application Security: Protect integrity and confidentiality of business data and transactions from browser to disk

Security Management for z/OS: Secure and audit critical business services with your most trusted and resilient platform

Leading Energy Utility


Customer Case Study: Simple, Integrated Governance

Objectives
- Compliance with SOX, PCI, GLBA mandates
- Management of insider threats and reduction of risk from privileged insiders
- Monitoring of external threats to generate reports/data on where to invest on perimeter defense and to feed incident management process where service availability may be affected
- Automation and operational efficiency to reduce costs in audit and compliance reporting, identity and user entitlement administration, and application security

Challenges
- World wide workforce and dealerships subject to complex regulatory requirements
- Controlling access to sensitive information
- Greater visibility into who has actually accessed sensitive information
- Reduce administrative consoles
- Identify and protect against threats

IBM Solution
- Tivoli Identity Manager and Access Manager for managing users and their rights
- Tivoli Access Manager manages Harley-Davidson Dealer Portal authorizations
- Tivoli Security Information and Event Management for monitoring and reporting on user activity


Scenario: Enable secure collaboration via role based portals

Diagram labels: Patient Portals; Hospital Website / Portals; Payer Portals; Physician Portals

- Quickly roll out new applications and services to authorized users
- Enable single sign on for authentication
- Issue and manage user credentials
- A user’s “role” determines what they are authorized to access
- Monitor and report on user activity to ensure proper response to abnormal behavior and regulatory requirements


Scenario: User federation enables secure growth

Diagram labels: User; Acme Business Portal (Direct Access); Company A, Employee Travel; Company B, Stock Options; Company C, Insurance Provider; Partner / Third Party User; Third-Party Access; 3rd Party Apps (Google Apps, Salesforce)

- Increase user collaboration by federating access to partners and suppliers
- Outsourcing arrangements
- Ex. Acme employee can access Company A, B or C’s data/apps. If he leaves Acme, removing him from Acme’s system can simultaneously revoke his access to Company A, B and C.
- Customers can access from multiple providers via a single front-end.
- Ex. Acme could offer ring tones, games, streaming broadcast services from a variety of partner entities. Customer info is stored with the primary provider. Customer is billed by the primary provider.


Scenario: Manage risk of insider threat and failed audits with access recertification, user activity monitoring and reporting

The problem: 3 of the Top 10 Threats to Enterprise Security are insider related:
- Employee error
- Data stolen by partner/employee
- Insider Sabotage
Insider driven fraud costs US enterprises over $600 Billion annually

Monitor user access
- Do user access rights match responsibilities?
- Are rights consistently certified?
- Are there separation of duty violations?

Monitor user activity
- Volume of activity
- Type & location of activity
- Timing of activity
- Privileged user activity

Compliance Reporting
- Pre-built reporting modules on common regulatory mandates (SOX, PCI, Basel II, HIPAA, etc.)
- Flexible report design to match company-specific audit requirements
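As an added example (not from the deck and not IBM code), the four user activity dimensions listed above, volume, timing, location and privileged activity, turned into detection logic run over constructed audit events with an assumed per-user baseline; it also covers the mainframe "privileged user activity reporting" point on the later z/OS slide:

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events (not from the deck): user, ISO timestamp, action,
# target, source country, whether the action is privileged.
EVENTS = [
    ("jdoe",   "2009-05-11T09:15:00", "read",   "customer_db", "US", False),
    ("jdoe",   "2009-05-11T10:05:00", "read",   "customer_db", "US", False),
    ("jdoe",   "2009-05-12T22:30:00", "export", "customer_db", "US", False),
    ("jdoe",   "2009-05-12T22:35:00", "export", "customer_db", "US", False),
    ("jdoe",   "2009-05-12T22:41:00", "export", "customer_db", "US", False),
    ("jdoe",   "2009-05-12T22:50:00", "export", "customer_db", "US", False),
    ("jdoe",   "2009-05-12T23:02:00", "export", "customer_db", "US", False),
    ("jdoe",   "2009-05-12T23:10:00", "export", "customer_db", "US", False),
    ("jdoe",   "2009-05-12T23:15:00", "export", "customer_db", "US", False),
    ("ssmith", "2009-05-12T10:00:00", "read",   "hr_portal",   "RO", False),
    ("admin7", "2009-05-12T03:00:00", "alter",  "RACF",        "US", True),
    ("admin7", "2009-05-12T14:00:00", "grant",  "RACF",        "US", True),
]
# Assumed per-user baseline: typical events per day and countries seen before.
BASELINE = {
    "jdoe":   {"daily": 2, "locations": {"US"}},
    "ssmith": {"daily": 5, "locations": {"US", "GB"}},
    "admin7": {"daily": 3, "locations": {"US"}},
}

def analyze(events, baseline, volume_factor=3, work_hours=(7, 19)):
    """Return {(user, day): [findings]} for the four dimensions on the slide:
    volume, timing, location and privileged activity. Users without a
    baseline are treated as 1 event/day from no known location."""
    per_day = defaultdict(list)
    for user, ts, action, target, country, privileged in events:
        per_day[(user, ts[:10])].append((datetime.fromisoformat(ts), action, target, country, privileged))
    findings = defaultdict(list)
    start, end = work_hours
    for (user, day), evs in sorted(per_day.items()):
        base = baseline.get(user, {"daily": 1, "locations": set()})
        key = (user, day)
        if len(evs) > volume_factor * base["daily"]:
            findings[key].append(f"volume: {len(evs)} events vs baseline {base['daily']}/day")
        off_hours = [e for e in evs if not start <= e[0].hour < end]
        if off_hours:
            findings[key].append(f"timing: {len(off_hours)} event(s) outside {start:02d}:00-{end:02d}:00")
        new_locations = {e[3] for e in evs} - base["locations"]
        if new_locations:
            findings[key].append(f"location: activity from {sorted(new_locations)}")
        privileged = [f"{e[1]} on {e[2]}" for e in evs if e[4]]
        if privileged:  # every privileged action is reported, not just anomalies
            findings[key].append(f"privileged: {privileged}")
    return dict(findings)

def compliance_summary(findings):
    """Count findings per rule, the kind of roll-up a compliance report needs."""
    counts = defaultdict(int)
    for items in findings.values():
        for item in items:
            counts[item.split(":")[0]] += 1
    return dict(counts)
```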


Scenario: Reduce costs with self service and service management integration

- Offering user self-service to manage profile, passwords and access can reduce help desk, IT administration and user productivity costs
  - Reduce help desk calls by enabling users to manage user name / passwords via challenge/response questions
  - Accelerate user productivity by accelerating time to access applications and sharing of workstations/kiosks
  - Reduce labor required to manage and audit application-specific password policies via enterprise single sign-on
- Integrating identity management with incident management can reduce IT costs
  - Offload service desk workload with self-service password/profile management and access request
  - Automate incident resolution within Tivoli Service Request Manager

Diagram labels: Tivoli Service Request Catalog; Tivoli Identity Manager; Self-Service


IBM Tivoli Identity and Access Assurance

- Single PID [5724-X91]
- Per user pricing - UVU
- Minimum number of users requirement of 5,000
- Part number: D093YLL (Tivoli Identity and Access Assurance UVUs Lic + SW S&S 12 Mo)
- Included components:
  - TIM
    - base TIM included, not Host or Application Adapters
  - Unified Single Sign On (FIM/TAM, ESSO)
  - TCIM
    - limited use, includes server and event sources for:
      - Platforms/Applications on which managed users are deployed
      - Components of bundle
  - TAMOS
    - limited use for:
      - Platforms on which managed users are deployed
      - Components of bundle


Getting started with Identity and Access Assurance

Single Sign On & Password Management
User Provisioning / Role Management
Access Attestation
Security log management & reporting

Diagram (Tivoli Identity Manager provisioning flow, steps 1 to 5): identity change (add/del/mod) from HR Systems / Identity Stores; approvals gathered; access policy evaluated; accounts updated on 70 different types of systems managed (databases, operating systems, applications, networks & physical access, ID stores), plus in-house systems & portals; detect and correct local privilege settings.

Diagram (access attestation): an Authoritative Identity Source (Human Resources, Customer Master, etc.) feeds the TIM Trusted Identity Store, which maps accounts (jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody) to people (John C. Doe, Sarah K. Smith); a Recertification Request goes to Sarah’s Manager and the access is Revalidated and Audited. Business Applications and Cisco Secure ACS appear as managed targets.
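As an added example (not from the deck and not Tivoli Identity Manager code), the checks behind the attestation diagram above and the "Monitor RACF accounts" questions on the later z/OS slide: map discovered accounts to an authoritative HR source, flag orphan accounts, local privilege drift against the role policy and separation-of-duty conflicts, and group the findings into recertification requests per manager. Account ids are the ones on the slide; owners, roles, entitlements and the role policy are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the deck) modelled on the slide's diagram: HR source,
# accounts on managed systems, role policy. Account ids are the slide's; the rest is assumed.
HR_IDENTITIES = {
    "John C. Doe":    {"role": "accounts_payable", "manager": "Sarah K. Smith", "status": "active"},
    "Sarah K. Smith": {"role": "finance_manager",  "manager": "CFO",            "status": "active"},
    "Hans Acker":     {"role": "dba",              "manager": "Sarah K. Smith", "status": "terminated"},
}
ACCOUNTS = [  # owner None = TIM could not map the account to any identity
    {"id": "jcd0895",  "system": "SAP",    "owner": "John C. Doe",    "entitlements": {"ap_invoice_entry"}},
    {"id": "jdoe03",   "system": "AD",     "owner": "John C. Doe",    "entitlements": {"domain_user"}},
    {"id": "doej",     "system": "RACF",   "owner": "John C. Doe",    "entitlements": {"ap_payment_release"}},
    {"id": "smiths17", "system": "SAP",    "owner": "Sarah K. Smith", "entitlements": {"ap_payment_release"}},
    {"id": "Sarah_s4", "system": "Oracle", "owner": "Sarah K. Smith", "entitlements": {"db_read"}},
    {"id": "ackerh05", "system": "Oracle", "owner": "Hans Acker",     "entitlements": {"db_read", "dba"}},
    {"id": "nbody",    "system": "AD",     "owner": None,             "entitlements": {"domain_admin"}},
]
ROLE_POLICY = {  # entitlements each role may legitimately hold
    "accounts_payable": {"ap_invoice_entry", "domain_user"},
    "finance_manager":  {"ap_payment_release", "db_read", "domain_user"},
    "dba":              {"db_read", "dba", "domain_user"},
}
SOD_RULES = [({"ap_invoice_entry"}, {"ap_payment_release"})]  # never held together

def orphan_accounts(accounts, identities):
    """Accounts with no owner, or whose owner HR no longer lists as active."""
    return sorted(a["id"] for a in accounts if a["owner"] is None
                  or identities.get(a["owner"], {}).get("status") != "active")

def entitlements_by_person(accounts):
    """Aggregate entitlements across all of a person's accounts."""
    held = defaultdict(set)
    for a in accounts:
        if a["owner"]:
            held[a["owner"]] |= a["entitlements"]
    return held

def privilege_drift(accounts, identities, policy):
    """Entitlements held locally that the owner's HR role does not allow."""
    drift = {}
    for person, held in entitlements_by_person(accounts).items():
        extra = held - policy.get(identities.get(person, {}).get("role"), set())
        if extra:
            drift[person] = sorted(extra)
    return drift

def sod_violations(accounts, rules):
    """People holding both sides of a separation-of-duty rule."""
    return [(person, sorted(left | right))
            for person, held in entitlements_by_person(accounts).items()
            for left, right in rules if left <= held and right <= held]

def recertification_requests(accounts, identities, policy, rules):
    """Group every finding under the manager who must revalidate it."""
    owner_of = {a["id"]: a["owner"] for a in accounts}
    manager = {p: v["manager"] for p, v in identities.items()}  # unmapped -> security admin
    req = defaultdict(list)
    for acct in orphan_accounts(accounts, identities):
        req[manager.get(owner_of[acct], "security-admin")].append(f"orphan account {acct}")
    for person, extra in privilege_drift(accounts, identities, policy).items():
        req[manager.get(person, "security-admin")].append(f"{person}: entitlements outside role {extra}")
    for person, pair in sod_violations(accounts, rules):
        req[manager.get(person, "security-admin")].append(f"{person}: SoD conflict {pair}")
    return dict(req)
```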


New Tivoli Security Solutions solve real customer challenges in three comprehensive, simple to buy, and simple to sell packages

Identity and Access Assurance: Provide efficient and compliant access for right people to right resources at right time

Data and Application Security: Protect integrity and confidentiality of business data and transactions from browser to disk

Security Management for z/OS: Secure and audit critical business services with your most trusted and resilient platform

Leading Energy Utility


Customer Case Study: Securing a Smarter Grid

Background
- Deploy 3.4M smart meters to residential/non-residential by 2012
- Transform web portal to access meters & customer information

Challenges
- Centralize security policy governance critical in a distributed environment
- Protect data store and web portal against unauthorized access
- Address NERC/FERC and privacy data compliance needs
- Reduce cost of managing web services security and administration across multiple data centers

IBM Solution
- Tivoli Security for IAM, Security Policy and Compliance Management
- WebSphere DataPower SOA appliance for XML firewall
- WebSphere Service Registry & Repository for services store
- 3rd party ESB and WebSphere DataPower ESB for routing
- Global business services leading the process transformation

Leading Energy Utility


Use case 1: Improve services & collaboration with secure data sharing

- Collaborate on projects with business sensitive data
  - Example: A big pharmaceutical company needs to collaborate with researchers, doctors and clinicians, and even with competing researchers, on a joint clinical trial
- Secure expansion of web services deployment in SOA
  - Example: A public utility deploying smart meters needs to protect customer information on their transformed web portal
- Audit and reporting of data usage
  - Example: A financial services company needs to monitor, audit and report access to key databases, business intelligence and content management portals

Diagram labels: Expand Services; Sharing Data; Centralized, fine-grained access control to information; Inter-organization data collaboration


Use case 2: Manage risk of data disclosure and access to business services

- Manage unintended access to data-in-use within SharePoint and Portal deployments
  - e.g. Credit card number, SSN, Patient records, etc.
- Manage unintended access to data-at-rest within file systems on Windows platform
- Eliminate the risk of data loss with lost backup tapes, laptops

Diagram labels: Encrypted Disks & Archive Tapes with Key Management; Data-level access control with Entitlement Management; Centralized, fine-grained access control to information; Inter-organization data collaboration


Use Case 3: Reduce cost of siloed controls with centralized security management

- Reduce redundant security logic development and leverage common security service for central administration and enforcement
- Centralize key lifecycle management across large number of tapes and disks
- Eliminate server and database-level security control with centralized policy and compliance management

Diagram labels: Google Apps; Salesforce; On-premise Apps & Portal; Data Centers (Servers, Tapes, Disks); Open Enterprise; Legacy Apps & DBs; Centralized, fine-grained access control to information; Inter-organization data collaboration


IBM Tivoli Data and Application Security

- Single PID [5724-X90]
- Install [part number: D093VLL]
  - Includes all core software components
- Run-time service Value Units (RVUs) [part number: D094NLL]
  - Application Entitlement enforcement point
- Terabyte (TB) Resource Value Units (RVUs) [part number: D095ILL]
  - Storage capacity licensed by bundle
- Included components:
  - TSPM for Application Entitlements
    - Policy manager and local RTSS
  - TKLM
    - Basic server
  - TCIM
    - limited use, includes server and event sources for:
      - Run-time services licensed by bundle
      - Systems whose storage capacity is licensed by bundle
      - Components of bundle
  - TAMOS
    - limited use for:
      - Run-time services licensed by bundle
      - Systems whose storage capacity is licensed by bundle
      - Components of bundle
  - TFIM
    - Limited use for:
      - Run-time services licensed by bundle including 1 BP federation
      - Components of bundle


Getting started with Data and Application Security

Encrypted Disks & Archive Tapes with Key Management
Portal Security and Federation
SharePoint / DataPower management
Security log management & reporting

Diagram labels: LOB (Apps); Competitor (Project Collaboration); Healthcare Partner Services; Outsourced Services; Third Party Access; User Portal; XS40/XI50 XML Security Gateway; Data Repository; Suppliers; Partners; Users; Federated Identity Manager; Security Policy Manager

New Tivoli Security Solutions solve real customer challenges in three comprehensive packages with improved value that are simple to buy and sell

Identity and Access Assurance: Provide efficient and compliant access for right people to right resources at right time

Data and Application Security: Protect integrity and confidentiality of business data and transactions from browser to disk

Security Management for z/OS: Secure and audit critical business services with your most trusted and resilient platform

Leading Energy Utility


Industry: Insurance

Profile: Norwich Union is part of the Aviva group, a leading provider of life and pension products in Europe and one of the largest insurance groups in the world.

Client requirements
- Norwich Union needed to facilitate compliance with identity and access management initiatives by implementing preventative, detective and corrective controls within its IT environment
- With several RACF tools to maintain various RACF databases, most homegrown, Norwich Union needed a strategic, robust solution to keep up with high demand for security and audit reports, and with often-complex security requests

Solution:
- IBM Tivoli zSecure Admin, which enables efficient RACF administration with fewer resources
- IBM Tivoli zSecure Audit for RACF and ACF2, which automatically analyses and reports on security events and exposures
- IBM Tivoli zSecure Alert for RACF to enable quick response to RACF and z/OS events through real-time alerting

Benefits
- Simplifies mainframe security administration tasks, improving efficiency and reducing errors
- Enables quick, proactive response to security events
- Supports robust audit and compliance reporting
- Helps maintain high levels of security automation for system security management
- Provides a consistent and uniform approach to security management across the System z environment

z Security Management Success Story: Aviva
Norwich Union

“IBM Tivoli zSecure software gives us a simple, powerful way to comply with identity and access management initiatives, and to assure auditors that preventative, detective and corrective controls are installed.”

Phil Secker, Security Support Manager, Norwich Union


Scenario: Support compliance initiatives

Diagram labels: Employee Travel, Company A; Healthcare Provider, Company D; Stock Options, Company B

- Comprehensive security policies with consistent enforcement for RACF
- Better insight into compliance issues and priorities for z/OS
- Automated compliance reporting and audit management
- Single point for defining and auditing user identities and their mainframe access within RACF
- Optional best practice or standards specific reporting

How Big is the Gap In Your Organization?


Scenario: Reduce costs through repeatable and sustainable tasks

- Reduce mainframe security administration costs
  - Through simplified RACF administration
- Improve user productivity
  - Through faster access to information
  - Through compliance with SLAs
- Enhance z/OS security
  - Through automation of security policy enforcement
  - Through stronger z/OS and RACF security change monitoring
- Improve z/OS audit and tracking
  - Through central security event analysis
  - Through efficient user access tracking
- Develop operational efficiencies to enable a dynamic infrastructure

The problem: 3 of the Top 10 Threats to Enterprise Security are insider related:
- Employee error
- Data stolen by partner/employee
- Insider Sabotage
Insider driven fraud costs US enterprises over $600 Billion annually


Scenario: Contain risk and failed audits with user activity monitoring, audit and reporting

- Monitor RACF accounts
  - Can they be mapped to users?
  - Do rights match responsibilities?
  - Are there any segregation of duties issues?
- Monitor z/OS security configuration changes
  - Who changed configuration parameters?
  - When were they changed?
- Monitor mainframe user activity
  - Clearly see detailed information:
    - About users
    - Access granted
    - Who gave the access
    - Detailed activity information for who accessed what data
    - Privileged user activity reporting
- RACF policy enforcement

Extend auditability best practices to the mainframe environment, improving security posture


IBM Tivoli zSecure Suite

- Policy enforcement solution that enforces compliance to company and regulatory policies by preventing erroneous commands
- Real-time mainframe threat monitoring allowing you to monitor intruders and identify mis-configurations that could hamper your compliance efforts
- Compliance and audit solution that enables you to automatically analyze and report on security events and detect security exposures
- Enables more efficient and effective RACF administration, using significantly less resources
- Reduces the need for scarce, RACF-trained expertise through a Microsoft Windows-based GUI for RACF administration
- Allows you to perform mainframe administrative tasks from a CICS environment, freeing up native-RACF resources
- Combined audit and administration for RACF in the VM environment

Note: ACF2 and Top Secret are either registered trademarks or trademarks of CA, Inc. or one of its subsidiaries.


Getting started with Tivoli Security Management for z/OS

Screenshot labels: z/OS Event Details; RACF database cleanup; Mainframe Audit Risks easily interpreted; z/OS Modify Audit Policy Detail


Tivoli Enterprise Security Hub Overview

Diagram areas: Security Provisioning & Administration; Identity, Access, Authorization, & Single Sign-On; Security & Compliance Reporting; Information & Data Security

Diagram products: Tivoli Federated Identity Manager; Tivoli Identity Manager; Tivoli Access Manager Family; Tivoli Directory Integrator; Tivoli Directory Server; Tivoli zSecure Family; Tivoli Key Lifecycle Manager; Tape Encryption; Crypto Accelerator; Tivoli Security Information and Event Manager; RACF; PKI Services


Tivoli Security Management for z/OS

Components:
- IBM Tivoli zSecure Admin
- IBM Tivoli zSecure Audit
- IBM Tivoli zSecure Command Verifier
- IBM Tivoli Compliance Insight Manager
