IBM InfoSphere Guardium for DB2 on z/OS Technical Deep Dive. One of a series of InfoSphere Guardium Technical Talks. Ernie Mancill, Executive IT Specialist
Logistics: This tech talk is being recorded. If you object, please hang up and leave the webcast now. We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/wh9x0o You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group. We'll try to answer questions in the chat or address them at the speaker's discretion. If we cannot answer your question, please do include your email so we can get back to you. When the speaker pauses for questions, we'll go through the existing questions in the chat.
Reminder: Guardium Tech Talks. Next tech talk: Encryption is Fundamental: A technical overview of Guardium Data Encryption. Speaker: Tim Parmenter. Date & Time: Thursday, October 9th, 2014, 11:30 AM Eastern Time (60 minutes). Register here: http://bit.ly/1pa3zlr
Agenda: Guardium Datasets and DB2 Overview; Architecture Review; Integration: QRadar SIEM Alert and Log Integration Scenario; RACF Integration with zSecure and VA Scenario; Brand-x Integration with Custom Tables and Entitlement Scenario; DB2 UET and extended Utility Tracking Scenario; Brand-x Utility Reporting Scenario; Identity Mapping with Java distributed applications; Wrap-up and Q&A
IBM InfoSphere Guardium Real-time activity Monitoring
S-TAP for DB2 on z/OS architecture (diagram): SQL is captured on DB2 for z/OS through the ASC hooks (control block inspection) and the DB2 IFI; the S-TAP filters and formats the events and ships them over TCP to the Guardium appliance, which parses them into its repository. The appliance itself is reached over HTTPS.
Guardium for DB2 on z/OS Capabilities
- Database Activity Monitoring
  - Alerting
  - ASC (SQL collection via control block inspection)
  - IFI (Instrumentation Facility Interface; used only for a limited set of events)
  - Blocking (thread termination)
- Entitlement Reporting (who has what)
- Vulnerability Assessment
  - Configuration test (security-related zparms)
  - Patch (security-related APARs)
  - Privilege (system and object authorizations)
InfoSphere Guardium S-TAP for Datasets on z/OS (architecture diagram)
Guardium for Datasets on z/OS Capabilities
- Dataset Activity Monitoring (reporting)
  - Alerting
  - SMF traces (no extra traces needed)
  - SMS control blocks
  - VSAM, sequential, partitioned
- CICS GLUE (Global User Exit): CICS-related information for file activity
- RLM (Record Level Monitoring): VSAM (KSDS and RRDS)
Alert Processing on z/OS and Integration with IBM QRadar SIEM
What is a SIEM? Many customers are using SIEM (Security Information and Event Management) solutions. QRadar is IBM's SIEM offering. It provides an enterprise-wide view of security events from operating systems, DBMSs, the network and applications.
Why QRadar? It is the cornerstone product of an industry-leading (according to Gartner) security portfolio, it is well integrated with Guardium, it is easy to implement using industry-standard feeds, and it is a gateway from a reactive security posture to predictive or analytics-based security with Big Data.
System z Security and Data Protection: zSecure, Guardium, AppScan and QRadar improve Security Intelligence
Coverage by product: zSecure (z/OS, RACF, ACF2, TSS, CICS); Guardium (DB2, IMS, VSAM); AppScan (web apps, mobile apps, web services, desktop apps).
QRadar data sources: security devices, servers and mainframes, network/virtual activity, database activity, application activity, configuration information, threat intelligence, user activity, vulnerability information.
QRadar intelligence: event correlation, activity baselining and anomaly detection, offense identification. Extensive data sources plus deep intelligence gives exceptionally accurate and actionable insight.
- Centralized view of mainframe and distributed network security incidents, activities and trends
- Better real-time threat identification and prioritization by correlating vulnerabilities with Guardium and zSecure: S-TAP feeds are routed to QRadar via the Guardium Central Policy Manager, and SMF data set feeds arrive via zSecure Audit and Alert
- Increased accuracy of threat identification by correlating application vulnerabilities with other security alerts, assigning incident priorities and surfacing meaningful activity from the noise
- Automatic alerts for newly discovered vulnerabilities that lie on active attack paths
- More accurate risk levels and offense scores, and simplified compliance reporting
SYSLOG alert feed to QRadar SIEM (diagram): the S-TAP on z/OS sends captured DB2 events over TCP to the Guardium appliance, where the inspection engine parses them and inserts them into the repository (what is collected, what is stored). The installed policy applies the collection criteria and the exception criteria; only events that meet an exception criterion are handed to the appliance's SYSLOG process and forwarded over UDP to the SIEM (QRadar).
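The exception-criteria step of the feed described above, as an added example that is not Guardium code and not the S-TAP event format: a handful of constructed DB2 activity events are run through two assumed policy rules (an authorization failure, SQLCODE -551, and access to a sensitive table by an ID other than the approved application ID), and only the matches are formatted as RFC 5424 syslog lines and sent over UDP. The event field names, rule names, facility and message layout are this example's own assumptions.

```python
"""Exception-criteria evaluation and syslog/UDP forwarding, modelled on the
SYSLOG alert feed to a SIEM. Added example; not Guardium or QRadar code.
Event fields, policy rules and the syslog message layout are assumptions."""
import socket
from datetime import datetime, timezone

# Constructed sample of DB2 activity events as the appliance might hold them
# after parsing (field names are this example's own, not the S-TAP format).
SAMPLE_EVENTS = [
    {"db_user": "APP1", "src_ip": "10.1.1.5", "program": "DSNTEP2",
     "object": "PAYROLL.SALARY", "verb": "SELECT", "sqlcode": 0},
    {"db_user": "TEMPUSR", "src_ip": "10.1.1.9", "program": "SPUFI",
     "object": "PAYROLL.SALARY", "verb": "SELECT", "sqlcode": -551},
    {"db_user": "DBA1", "src_ip": "10.1.1.7", "program": "SPUFI",
     "object": "PAYROLL.SALARY", "verb": "SELECT", "sqlcode": 0},
    {"db_user": "APP1", "src_ip": "10.1.1.5", "program": "DSNTEP2",
     "object": "HR.EMPLOYEE", "verb": "UPDATE", "sqlcode": 0},
]

# Exception criteria (the policy). Assumed rules:
#  1. any authorization failure (SQLCODE -551) is an exception
#  2. access to a sensitive table by an ID other than the approved
#     application ID is an exception
SENSITIVE = {"PAYROLL.SALARY"}
APPROVED = {"PAYROLL.SALARY": {"APP1"}}


def is_exception(ev):
    """Return (rule_name, syslog_severity) for a matching event, else None."""
    if ev["sqlcode"] == -551:
        return ("AUTH_FAIL", 4)            # severity 4 = warning
    if ev["object"] in SENSITIVE and ev["db_user"] not in APPROVED.get(ev["object"], set()):
        return ("SENSITIVE_ACCESS", 2)     # severity 2 = critical
    return None


def build_syslog(ev, rule, severity, ts=None):
    """RFC 5424 line; facility local4 (20), so PRI = 20 * 8 + severity."""
    ts = ts or datetime.now(timezone.utc)
    pri = 20 * 8 + severity
    msg = (f"GuardiumAlert rule={rule} dbuser={ev['db_user']} src={ev['src_ip']} "
           f"prog={ev['program']} object={ev['object']} verb={ev['verb']} "
           f"sqlcode={ev['sqlcode']}")
    return f"<{pri}>1 {ts.strftime('%Y-%m-%dT%H:%M:%SZ')} guardium-appliance stap-db2 - - - {msg}"


def evaluate(events, ts=None):
    """Apply the exception criteria; return syslog lines for matching events only.
    Non-matching events stay in the repository and are never forwarded."""
    lines = []
    for ev in events:
        hit = is_exception(ev)
        if hit:
            lines.append(build_syslog(ev, hit[0], hit[1], ts))
    return lines


def forward_udp(lines, host, port):
    """Send each syslog line as one UDP datagram, as the appliance's SYSLOG process would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    # Stand-in for the SIEM: a local UDP listener so the round trip runs offline.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    alerts = evaluate(SAMPLE_EVENTS)
    forward_udp(alerts, "127.0.0.1", rx.getsockname()[1])
    for _ in alerts:
        print(rx.recv(2048).decode())
    rx.close()
```

Of the four constructed events only two leave the appliance: the -551 from TEMPUSR (PRI 164) and the DBA1 read of PAYROLL.SALARY (PRI 162); APP1's approved reads and the update on a non-sensitive table are stored but not forwarded, which is the distinction between the collection criteria and the exception criteria in the diagram.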
Real-Time Data Leak Prevention with IBM InfoSphere Guardium for DB2 on z/OS
Real-Time Alerting vs Action (Data Leak Prevention). Traditional SMF- or log-based activity monitoring has latency measured in many hours (even days). Alerting with Guardium is real-time and immediate. But once the alert has surfaced, whatcha gonna do about it? Call the Guardium Thread Busters: exception-based thread termination. The latency between exception detection and thread termination is somewhere around one second (policy evaluation is done on the appliance and the thread termination request is signaled back to the S-TAP). Because the statement is not held while the appliance evaluates it, the first offending statement can complete before the thread is cancelled; what the termination prevents is continued access on that thread.
Vulnerability Assessment and Entitlement Integration with zSecure for RACF
RACF or DB2 GRANT/REVOKE: who cares?
With DB2 GRANT/REVOKE:
- Security is handled by DB2
- Privileges are bestowed with the DB2 GRANT statement
- Privileges are typically controlled by the DBA
- Authorization and entitlement information is reflected in the DB2 catalog
With RACF-based security:
- Security is handled by RACF (via the DB2 access control exit routine, DSNX@XAC)
- Privileges are bestowed using the RACF PERMIT command
- Privileges are typically controlled by the RACF administrator
- Authorization and entitlement information is stored in the RACF database
When RACF is used, the impact on Guardium is:
- Entitlement reporting, which reads the DB2 catalog, is inaccurate
- Vulnerability testing is inaccurate (except when using the zSecure Audit feed)
- Authorization information for group administration is unavailable
DB2 GRANT/REVOKE authorization process (diagram): a process issues an SQL request under its primary ID, secondary IDs, role and SQL ID. Control of access is within DB2: DB2 authorization checking consults the SYSIBM.SYS*AUTH authorization tables in the DB2 catalog, and the request is either allowed using native DB2 authority or denied with SQLCODE -551 (object or authority not held).
DB2 external security authorization process (diagram): the same SQL request (primary ID, secondary IDs, role, SQL ID) is passed by DB2 to the access control exit DSNX@XAC, and control of access is within RACF: the exit issues a RACHECK against the RACF database and returns OK (allowed using RACF authority) or denied (SQLCODE -551). The SYSIBM.SYS*AUTH authorization tables in the DB2 catalog are not used for the check.
Entitlement reports and VA reports (diagram): the Guardium appliance connects over JDBC to DB2 on z/OS and reads the GDDMONITOR tables, which zSecure populates from RACF (or ACF2).
Stage 2, merged entitlement information (diagram): the RACF database and the DB2 authorization tables are read, together with the exit configuration in SDSNEXIT (DSN3@ATH), via CKAJVA99, which loads and formats the merged entitlement information into the GDDMONITOR tables.
BUT ERNIE, I don't use RACF, I use TOG* security!!!! *TOG (The Other Guys), a.k.a. CA-ACF2 or CA-Top Secret
Approach for TOG support, using a similar approach to zSecure:
- Create z/OS DB2 table(s) to store the CA security elements
- Populate these with data from the CA security products
- Use Guardium Custom Table support to define a clone of the table on the G-machine
- Use Upload Data on the custom query to move the data into the G-machine
- Use a Guardium Custom Query to build the report
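Why a catalog-only entitlement report goes wrong once authorization is externalized, and what the merged information (from zSecure for RACF, or from a CA extract loaded into a custom table as in the TOG approach above) has to supply, as an added example that is not zSecure, Guardium or IBM code. The SYSTABAUTH-style rows, the RACF extract, the group memberships, the subsystem name DSN1 and the table names are all constructed; the profile naming follows the subsystem.qualifier.table.privilege convention of the RACF DB2 classes (MDSNTB for tables). One behaviour beyond the slides is modelled as a practitioner caveat: when no RACF profile covers a resource the exit returns no decision and DB2 falls back to its own catalog check.

```python
"""Effective SELECT entitlement on a DB2 table when the RACF access control
exit (DSNX@XAC) is active versus native GRANT/REVOKE. Added example, not
zSecure or Guardium code; all data below is constructed."""

# Constructed SYSIBM.SYSTABAUTH-style rows: GRANTEE, TCREATOR, TTNAME, SELECTAUTH
# ('Y' = privilege held, 'G' = held with grant option, ' ' = not held).
CATALOG = [
    ("DBA1",   "PAYROLL", "SALARY", "G"),
    ("APP1",   "PAYROLL", "SALARY", "Y"),
    ("OLDUSR", "PAYROLL", "SALARY", "Y"),   # stale grant left behind after the move to RACF
    ("PUBLIC", "HR",      "DEPT",   "Y"),
]

# Constructed external-security extract, as zSecure (RACF) or a CA extract
# loaded into a custom table would provide: class, profile, access list.
RACF = [
    ("MDSNTB", "DSN1.PAYROLL.SALARY.SELECT", [("DBA1", "READ"), ("PAYGRP", "READ")]),
    # no profile for HR.DEPT: RACF cannot decide, DB2 falls back to the catalog
]
# Group membership (RACF CONNECT), the part a catalog-only report never sees.
GROUPS = {"PAYGRP": {"APP1", "ANALYST7"}}


def catalog_select(grantee, owner, table):
    """Native DB2 answer: an explicit grant to the ID or to PUBLIC."""
    for g, o, t, auth in CATALOG:
        if o == owner and t == table and auth in ("Y", "G") and g in (grantee, "PUBLIC"):
            return True
    return False


def racf_select(userid, owner, table, subsystem="DSN1"):
    """Exit answer: True/False when a profile covers the resource, None when no
    profile is defined (the exit then defers to DB2 native checking)."""
    profile = f"{subsystem}.{owner}.{table}.SELECT"
    for cls, name, acl in RACF:
        if cls == "MDSNTB" and name == profile:
            ids = {userid} | {g for g, members in GROUPS.items() if userid in members}
            # SELECT needs READ; higher RACF access levels include READ
            return any(i in ids and acc in ("READ", "UPDATE", "CONTROL", "ALTER")
                       for i, acc in acl)
    return None


def effective_select(userid, owner, table, exit_active):
    """Return (allowed, source); source names the mechanism that decided."""
    if exit_active:
        decision = racf_select(userid, owner, table)
        if decision is not None:
            return (decision, "RACF")
    return (catalog_select(userid, owner, table), "DB2 catalog")


def entitlement_gaps(userids, owner, table):
    """IDs for which a catalog-only entitlement report disagrees with the
    effective answer under an active RACF exit: (id, catalog_says, effective, source)."""
    gaps = []
    for u in userids:
        cat = catalog_select(u, owner, table)
        eff, src = effective_select(u, owner, table, exit_active=True)
        if cat != eff:
            gaps.append((u, cat, eff, src))
    return gaps


if __name__ == "__main__":
    for row in entitlement_gaps(["DBA1", "APP1", "OLDUSR", "ANALYST7"], "PAYROLL", "SALARY"):
        print(row)
```

On the constructed data the catalog report is wrong in both directions: OLDUSR still appears entitled (a stale grant that RACF no longer honours), while ANALYST7, entitled only through the PAYGRP group, does not appear at all. DBA1 and APP1 agree under both mechanisms, and HR.DEPT, which has no RACF profile, is decided by the PUBLIC grant in the catalog. Those two mismatch classes are exactly what a merged extract (zSecure or a CA custom table) has to close.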
Custom reports (diagram): a TSS extract populates a DB2 table from the TSS database; the Guardium appliance pulls that table over JDBC into a custom table, from which custom reports and Guardium groups are built.
End User Attribution with Guardium for DB2 on z/OS
End User Attribution - Challenges
- Distributed application servers issue DB connections using the application server's credentials, not the client end user's
- CICS attach: applications where the CICS/DB2 interface definitions are coded not to use USERID, so the CICS region ID shows as the DB user
- CICS File Control requests show the File Domain user (the CICS region RACF ID)
- JDBC/ODBC connections to the DB server show incorrect credentials
Solutions
- WAS server configuration to propagate credentials
- DB2 10 identity propagation
- Java properties: extended user properties
- DB2-supplied stored procedure SQLESETI
- InfoSphere Guardium S-TAP for Datasets: CICS GLUE
Bringing it all Together
Threats to DB2 Data on z/OS
- Privileged user access to DB2 data from outside of DB2: access to the linear VSAM datasets
- Privileged user access to DB2 data via SQL: abuse of privilege without business need to know
- External threats: SQL injection (hacking)
- Movement of data outside of DB2: unloads, clones, test data, replication
Defense in Depth of DB2 Data: Layered Protection Approach - Elements
- First layer - Encryption (forces all access to clear-text data to take the form of an SQL statement)
- Second layer - Database Activity Monitoring (ensures each SQL statement is inspected, audited, and subject to security policy control)
- Third layer - Audit access to the VSAM linear datasets
- Fourth layer - Implement business need-to-know control for critical data (reduces abuse-of-privilege access)
- Fifth layer - Protect the use of unloads and extracts for: test data management and generation; unloaded data for batch processes; extracts for external uses; replicated data; backup and recovery assets
Layered Approach Review - Capabilities
- Encryption of data at rest with the InfoSphere Encryption Tool for DB2 and IMS Databases
- Fine-grained Database Activity Monitoring with InfoSphere Guardium for DB2
- VSAM activity monitoring with InfoSphere Guardium S-TAP for Datasets
- Business need-to-know controls on specific tables with DB2 10 row filters / column masking
- Control of data moved outside of DB2: InfoSphere Guardium Encryption Expert for MP; Optim Test Data Management and Data Privacy Solution; z/OS Encryption Facility; InfoSphere Guardium Encryption Tool for DB2 and IMS Databases; InfoSphere Guardium Database Activity Monitoring
Information, training, and community: InfoSphere Guardium web site at ibm.com/guardium; InfoSphere Guardium YouTube channel (includes overviews and technical demos); developerWorks forum (very active); Guardium DAM User Group on LinkedIn (very active); community on developerWorks (includes content and links to a myriad of sources, articles, etc.); Guardium Knowledge Center; InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested.