(1)

Compliance Assessment and Reporting Tool

PowerSC Tools for IBM i

© 2014 IBM Corporation

Security Services Delivery Team

(2)

“Some organizations will be a target regardless of what they do, but most become a target because

(3)

IT Security Compliance – Why ?

(4)

IT Security Compliance – Why ?

(5)

IT Security Compliance – Why ?

Data Loss (Data Breach) Prevention

Mitigate internal and external threats due to the costly and harmful impact to reputation and business when customer data is exposed and must be publicly reported due to compliance regulations

Data Assurance and Integrity

Prevent unauthorized access and changes to sensitive data by privileged and non-privileged users

Probably a number of reasons, but that isn’t the point of this presentation. However, so no one walks away without something to contemplate, we offer the following for your consideration…

(6)
(7)

IT Security Compliance – Why ?

(8)

IT Security Compliance – Why ?

Data is the key target for security breaches… and Database Servers Are The Primary Source of Breached Data

“Because that’s where the money is.” - Willie Sutton

Database servers contain your client’s most valuable information

Financial records

Customer information

Credit card and other account records

Personally identifiable information

Patient records

High volumes of structured data

Easy to access

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

(9)

IT Security Compliance – Why ?

What Data are the Criminals After?

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

(10)

IT Security Compliance – Who Should Care?

Business and Information Owners – must be assured that the information and brand reputation of the business is protected

Chief Security Officer (CSO) – as custodian of the business and information owners, must answer for risks present on the system and that they are being managed to an acceptable level

Security Administrators – must ensure that access is implemented appropriately as designed

Compliance Officer – must ensure that the IT operations comply with corporate rules and regulations as well as industry and government regulations

Operations Managers – must ensure the correct policies/standards are in place and being followed

Application Developers – must ensure applications are being designed and placed in production correctly with sufficient controls to prevent inappropriate access

(11)

IT Security Compliance – Inhibitors

For many IBM i IT departments, security is performed by an individual with multiple responsibilities – operations, administration, programming, etc.

Security implementation “how to” is often not understood, is neglected or not monitored due to time constraints.

Security setup is inherited from the past - previous owners / application designers are no longer available

Security policies/standards often do not exist. If they do, monitoring of compliance to the policy is not done or understood and deviation from the policies/standards across the enterprise is unknown.

How do you measure security? What are Key Risk Indicators (KRI)? How do I prove due diligence to security monitoring?

Gathering of security information is time consuming and scattered in multiple places on the system. The analysis of this data or monitoring of security changes is often dated by the time it is read.

Is my data safe?

Is my brand and/or reputation safe?

(12)

IT Security Compliance – Measuring Security

“If you can’t measure it, how can you improve or fix it?”

Provide evidence that risk is being managed according to enterprise defined risk thresholds, empowering Senior Management to make informed risk management decisions on where best to allocate resource.

REQUIREMENTS:

Centralized view of Security Compliance status across the enterprise

• No access to remote machines required

• Maintain segregation of duties

• Provide management visibility, meaningful reports that drive action

Customizable Control Tests

• Measurable Results

• Ability to define Key Risk Indicators (KRIs)

• Traceability back to Security Standards and Company Policies

Dashboard Style Reporting

• Red, Yellow (Amber), Green (RAG) Metrics

• ‘Clickable’ reports – to drill down to the issue

(13)

“I just want to arrive in the morning, get a cup of coffee, and have a view of what systems are in compliance and which are not.”

Compliance Assessment and Reporting Tool

(14)

Compliance Assessment and Reporting Tool

Provides a quick and easy check of the system for major security exposures

Profile Analysis:

• Special Authorities / Inherited Privileges

• Group Profiles / Ambiguous Profiles

• Default Passwords / Password Expiration

• Inactive Accounts

Administration / Configuration:

• System Values / Audit Control Settings

• Invalid Signon attempts

• *PUBLICLY Authorized Profiles

• Privately Authorized Profiles

• Initial Programs, Menus, and Attention Programs

• Command Line Access

• DDM Password Requirements

• Registered Exit Points / Exit Programs

• Work Management Analysis

• Service Tools (SST) Security

Network Settings:

• Network attributes / Time Server

• NetServer Configuration

• TCP/IP servers / Autostart values

• Digital Certificate Expiration

• SSH / SSL Configuration

• Function Usage

• Library Analysis / *ALLOBJ Inheritance

• Listening ports / Network Encryption

• IP Datagram Forwarding

• IP Source Routing

• APPN Configuration (yes – for many it is still there)

(15)

High Level Architecture

[Figure: architecture diagram. Labels: Remote systems; DAILY SUMMARY TABLE, created by Quick Security Check Collection Tool (one for every LPAR); ETL Process to Load Data Mart on Central System; Data Mart system / Central System; DB2 for i Reporting Data Mart (DAILY, HISTORY); DB2 Web Query Meta Data; DB2 Web Query.]

(16)

Data Mart Tables

DB2 for i Reporting Data Mart

Security Collection Details: Detailed history of system security grading - Best Practice - Policy - Policy Exception

ETL Log (How current is the data I am viewing?): Logging of success or failure of scheduled ETL processes with remote systems

System Info (How do I wish to filter on and view the data?): System descriptive information such as location, usage, VRM level, etc.

Policy Grading Info (How is Green, Amber, and Red defined?): User defined thresholds for aggregate security attribute grading.

(17)

Data Mart Views

Compliance Assessment and Reporting Tool

Security Collection Details, Policy Grading Info, System Info, ETL Log

DB2 Views

Views over all the base data mart tables, PLUS:

• The last ETL entries for each remote system

• Summary grading information for the last successful collection for each remote system

• Summary grading information for each remote system for all collected history

• Detailed grading information for each remote system for all collected history

• Detailed grading information for the last successful collection for each remote system

• History of all ETL entries for each remote system

(18)

DB2 Web Query Reports

Compliance Assessment and Reporting Tool

How current is the information?

- Which systems have not reported in the last two weeks?
- How old is the data for System x?
- What problems are preventing successful data collection from System y?
- How long has there been a problem with collection of information from System z?

What is the summary view of the last collected status for my enterprise?

- Based on IBM Best Practices?
- Based on my company’s policies?
- Based on (expiring) exceptions granted to company policy?
- Based on some System value or attribute?
  - System Name
  - Location (hierarchy)
  - Version/Release level
  - System Usage (development, test, QA, production, etc.)
  - Ownership, Administration responsibility
  - Priority
  - Other?

What systems and areas need attention and speedy resolution?

- What are the details for each system in the enterprise?
- How is success measured? Adherence to company policy or policy exceptions, IBM Best Practice?
- Which system attributes are being tracked and graded?
- What is the Priority of each item? High, Medium, and Low Prioritization
- What is the grade for each item? Green, Amber or Red grading

(19)

Regional Review

(Drill down to overall grading and details)

Compliance Assessment and Reporting Tool

(20)

Overall System Status

(by Age, Policy Type and various system criteria)

Compliance Assessment and Reporting Tool

(21)

System Attribute Details

(By Age, Policy Type and System Name)

COLLECTION_DETAILS_LAST

Compliance Assessment and Reporting Tool

(22)

Last Reported Event Log

(Status by Age, System, Region, Data Center, System Name)

(23)

Event Log Report

Shows status of most recent attempt to collect security data for each system

- Can be filtered by Region, Data Center, and System Name

Compliance Assessment and Reporting Tool

1.4.1. Current Event Log Status by System - Active Report

(24)

Delinquency Reports

Systems that have not successfully reported in over xx days

- Can be filtered by Region, Data Center, and System Name

Compliance Assessment and Reporting Tool

(25)

Enterprise Dashboard

- Summary of Overall System Status of all systems in the enterprise by various system attributes.

- Information is based on last successful collection for each system.

Compliance Assessment and Reporting Tool

(26)

System Dashboard

Key System and data collection information

- Status of last collection attempt – Success or Fail

- Key System attributes – VRM, Location, etc.

- Overall and detailed system grading based upon last successful collection.

(27)

Application to Provide Customization

Compliance Assessment and Reporting Tool

(28)

Application to Provide Customization – Dashboard Threshold

(29)

Application to Provide Scoring

Compliance Assessment and Reporting Tool

(30)

Application to Provide Scoring – Customer Policy

(31)

Application to Provide Scoring – Customer Policy

Compliance Assessment and Reporting Tool

(32)

Application to Provide Scoring – Customer Defined

(33)

APPENDIX

(34)

Standard vs. Enterprise

Compliance Assessment and Reporting Tool

Feature / Standard / Enterprise

Automated individual LPAR reporting ✓ ✓

Enterprise LPAR dashboard / reporting ✓

Best Practice Scoring ✓ ✓

Customer Policy / Exception Scoring ✓

User Defined Items Scoring ✓

Policy definition, scoring training and customization ✓

Web Query training, ETL customization ✓

(35)

Prerequisites – Central Server

IBM i operating system version 7.1 or above

– Option 1 - Extended Base Support

– Option 2 - Online Information

– Option 3 - Extended Base Directory Support

– Option 12 - Host Servers

– Option 13 - System Openness Includes

– Option 14 - GDDM

– Option 26 - DB2 Symmetric Multiprocessing (OPTIONAL)

– Option 29 - Integrated Server Support

– Option 30 - QSHELL

– Option 31 - Domain Name System

– Option 33 - PASE

– Option 34 - Digital Certificate Manager

– Option 39 - International Components for Unicode

5733WQE - DB2 Web Query Express v2.1 (Standard edition preferred - 5733WQS)

– Minimum 1 core license (for *Base and Option 1)

– 2 Licensed users (Option 4) – see Notes page

– One Workbench License (Option 5)

(36)

Prerequisites – Central Server

(continued)

Compliance Assessment and Reporting Tool - Enterprise Component

Pre-requisite program products:

– 5770DG1 - IBM HTTP Server for i

– 5761JV1 - IBM Developer Kit for Java (*BASE and options 8 through 13)

– 5770NAE - IBM Network Authentication Enablement for i

– 5733SC1 - IBM Portable Utilities for i (*BASE and OpenSSH, OpenSSL, zlib)

– 5770TC1 - IBM TCP/IP Connectivity Utilities for i

Pre-requisite PTFs (as of January 8th, 2014):

– SF99710 Level 13298 or later – Cumulative PTF Package

– SF99709 Level 100 or later – Group HIPER

– SF99708 Level 30 or later – Security Group

– SF99707 Level 7 or later – Technology Refresh

– SF99701 Level 26 or later – DB2 Group

– SF99647 Level 6 or later – DB2 Web Query Hot Fix

– SF99572 Level 15 or later – Java Group

– SF99368 Level 24 or later – HTTP Group

(37)

Prerequisites – Remote Systems

IBM i operating system version 5.4 or above

Compliance Assessment and Reporting Tool - Remote Agent

(38)

For more information …

Terry Ford, Team Leader
Security Services Delivery
507-253-7241
[email protected]

Doug Mack, Business Programs Manager
DB2 for i Center of Excellence
360-481-1271
[email protected]

Mark Even, Opportunity Manager
507-253-1313
[email protected]

Mike Gordon, Opportunity Manager
507-253-3477
[email protected]

(39)

Our Mission and Profile

IBM Systems Lab Services and Training

• Support the IBM Systems Agenda and accelerate the adoption of new products and solutions

• Maximize performance of our clients’ existing IBM systems

• Deliver technical training, conferences, and other services tailored to meet client needs

• Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and our IBM Business Partners)

Our Competitive Advantage

• Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers

• Combined expertise of Lab Services and the Training for Systems team

• Skills can be deployed worldwide to assure client requests can be met

Successful Worldwide History

• 18 years in Americas

• 10 years in Europe/Middle East/Africa

• 6 years in Asia Pacific

Mainframe Systems, Power Systems, System x & Bladecenter, System Storage, IT Infrastructure Optimization, Data Center Services

www.ibm.com/systems/services/labservices [email protected]

(40)

Leverage the skills and expertise of IBM's technical consultants to implement projects that achieve faster business value

IBM Systems Lab Services and Training

Ensure a smooth upgrade

Improve your availability

Design for efficient virtualization

Reduce management complexity

Assess your system security

Optimize database performance

Modernize applications for iPad

How to contact us

• email us at [email protected]

• Follow us at @IBMSLST

• Learn more: ibm.com/systems/services/labservices

www.ibm.com/systems/services/labservices @IBMSLST
