© 2017, Greg Boyd, Stuart Henderson
Tutorial: Crypto on z/OS Systems for CIOs and the Rest of Us
Greg Boyd ([email protected])
Stu Henderson ([email protected])

Abstract
This session is for CIOs, security administrators, system programmers, and auditors who have heard about cryptography (both hardware and the ICSF software with z/OS), know it's important, but don't really understand it.
You may have felt that other cryptography presentations went over your head.
In this session, Greg and Stu tell you just what you need to know, in simple, understandable terms. You'll learn to cut expenses while improving security.
Mainframe Crypto for CIOs and the Rest of Us

Agenda
1. Introduction
2. The Easy, No-Brainer Steps
3. The Necessary Hard Part
4. Summary and Call to Action

1. Introduction

Cryptography is
The practice ... of techniques for secure communication in the presence of third parties. (from Wikipedia, https://en.wikipedia.org/wiki/Cryptography)
It relies on mathematical algorithms and a unique number, called a key.
The recipient can reverse the process to recover the original data (as long as the key is secure).

Cryptography can provide
• Protection of data
• Data integrity
• Authentication (prove someone's identity)
• Non-repudiation (prove who a message came from, and that it hasn't been altered)

A long time ago
Each application tried to write its own encryption routines, often without mathematical rigor.
Results were often: inconsistent, vulnerable, costly, inefficient, difficult to administer, difficult to maintain.

Then new regulations and new technology came along, making it harder to keep up.
So IBM offered us IBM's Crypto Infrastructure on z/OS Systems (Crypto hardware plus the ICSF software). This offers a single, integrated way to do cryptography, with rigorous and efficient security and integrity for our data.

What You Need to Know
Cryptography can be done in hardware or software.
Any program (product, component or application) can leverage the crypto infrastructure to secure your data.
Each shop needs to enable the infrastructure and implement the products, components or applications to leverage that infrastructure.

Cryptography
• Is going to be required in more and more applications
• The cost can be significant, if not managed
• The administrative overhead can be significant, if not managed
• You need both crypto hardware and ICSF software to provide effective security and integrity on z/OS with minimum cost and minimum overhead

Two big types of change make it important to centralize administration for encryption:
• Technology (new algorithms, policy-based encryption, new hardware, new password crypto)
• Regulatory change (what's happening in Europe, in the US)
Plus centralized key management and consistency.

Three Key Risks:
• If you lose the keys, you've lost the data forever.
• Anyone who can see the keys and access the encrypted data can decrypt the data.
• Applications can start encryption without documentation, backup, CPU tuning.
Effect: No one wants this responsibility.

The Main Risk:
Without formal, centralized control over keys, you risk: loss of essential knowledge and data, duplication of effort, unnecessary costs.
You'll miss technology and regulatory changes.
You can't expect some sysprog to manage this alone. The CIO needs to dedicate the resources and enforcement to have key management done simply and reliably.

Some Driving Factors
• New York State, EU GDPR (General Data Protection Regulation), PCI, CMS, NIST, and others implementing new regulations and standards
• Policy-based encryption (for data sets)

Instructive Stories From Other Shops
• The shop with hardware disk encryption
• The shop where CPU usage escalated suddenly
• The shop where they lost the master key
• The shop where the keys were exposed
• The shop where the DBA told DB2 to start encrypting
• The shop that paid too much for software licensing
• The shop that couldn't tell the auditors what was being encrypted

The Essential Take-Away
You need formal key management, no matter what the platform, with adequate: enforcement, resources, written procedures, and involvement from several key disciplines.
This doesn't work unless it comes from the CIO.

2. The Easy, No-Brainer Steps

Three Components
Hardware: Two devices
• CPACF (CP Assist for Cryptographic Function) - already there on your system, adds instructions to the CPU, speeds processing by a factor of 1000 or more
• CEXn (Crypto Express) - separate devices, separate price; tamper resistant; uses less CPU time, more wall clock time (think "Mission Impossible")
Software
• ICSF or Integrated Cryptographic Service Facility (started task routes crypto requests; central control point)

[Diagram: the ICSF Started Task on z/OS. Local applications, products and components call the ICSF APIs; the ICSF router dispatches requests to CPACF or to the Crypto Express (CEX) cards, which hold the master keys (MKs) and the wrapping key. Also shown: the key data sets CKDS, PKDS and TKDS with their in-storage data spaces, ICSF options, ISPF and TKE administration, SAF, and the console.]

ICSF is required:
• To use the Crypto Express cards (security for key material, performance for TLS/SSL operations)
• To perform key management, including security and integrity of key material
• To support future policy-based encryption of data at rest
• By many other products, such as the InfoSphere Guardium Data Encryption Tool for DB2 and IMS or the Encryption Facility for z/OS

SSL/AT-TLS Exploiters
CICS, LDAP, WebSphere, MQ Series, Tivoli Access Manager for Business Integration Host Edition, Policy Director Authorization Services, Secure TN3270, IMS, PKI Services, EIM, Sendmail, Secure FTP, IPSEC, IBM HTTP Server

IBM Announcements 216-391 & 217-085
• IBM plans to deliver application-transparent, policy-controlled data set encryption in IBM z/OS. IBM DB2 for z/OS and IBM Information Management System (IMS) intend to exploit z/OS data set encryption.
• z/OS V2.3 plans to replace application development efforts with transparent, policy-based data set encryption:
  • Planning enhanced data protection for z/OS data sets, zFS file systems, and Coupling Facility structures to give users the ability to encrypt data without needing to make costly application program changes.
  • Designing new z/OS policy controls to make it possible to use pervasive encryption to protect user data and simplify the task of compliance.
• z/OS Communications Server will be designed to include encryption readiness technology to enable z/OS administrators to determine which TCP and Enterprise Extender traffic patterns to and from their z/OS systems meet approved encryption criteria and which do not.

Pervasive Encryption
• Multiple file types
  • BSAM/QSAM
  • VSAM Extended Format
  • Coupling Facility
  • Encrypted data sets
• Key labels supplied at allocation
  • RACF data set profile, DFP segment
  • JCL, Dynamic Allocation, TSO
  • SMS Data Class
  • IDCAMS

Pervasive Encryption - PreReqs
• z196/z114 or higher with CEX card
• z/OS 2.2, z/OS 2.3
• z/OS 2.1 with maintenance can read/write encrypted data sets, but can't create an encrypted data set
• ICSF HCR77C0 or HCR77A0-HCR77B1 with OA50450
• SYMCPACFRET(YES)
• Extended Format data sets
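As an added example (not from the deck or from IBM's documentation), a two-step job showing how the items on the two Pervasive Encryption slides fit together: the SYMCPACFRET(YES) prerequisite lives in the ICSF segment of the RACF CSFKEYS profile that protects the key label, and the label is then supplied at allocation through the RACF DFP segment or the JCL DD statement. The key label, group name, data set names and SMS setup are assumed placeholders.

```jcl
//PERVENC  JOB (ACCT),'DATASET ENCRYPTION',CLASS=A,MSGCLASS=X
//*------------------------------------------------------------------
//* Step 1 (security admin, batch TSO under IKJEFT01):
//*  - CSFKEYS profile covering key label DATASET.PAYROLL.KEY01
//*    (placeholder; an AES-256 DATA key is assumed to exist in the
//*    CKDS under that label, e.g. generated with KGUP).
//*  - ICSF segment SYMCPACFWRAP(YES) SYMCPACFRET(YES) is the prereq
//*    from the slide: without it ICSF will not return the key in
//*    protected form for CPACF and opening the data set fails.
//*  - Group PAYROLL (assumed) gets READ on the key, UACC(NONE) for
//*    everyone else. The check happens at OPEN, not at allocation.
//*  - Option A for supplying the label: DATAKEY in the DFP segment
//*    of the data set profile (PAYROLL.MASTER.** assumed to exist).
//*    This source wins over JCL, IDCAMS and the SMS Data Class.
//*------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS DATASET.PAYROLL.KEY01 UACC(NONE) +
    ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT DATASET.PAYROLL.KEY01 CLASS(CSFKEYS) ID(PAYROLL) ACCESS(READ)
  ALTDSD 'PAYROLL.MASTER.**' DFP(DATAKEY(DATASET.PAYROLL.KEY01))
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
//*------------------------------------------------------------------
//* Step 2 (sysprog or application): create the encrypted data set.
//*  - Option B for the label: DSKEYLBL on the DD statement, the
//*    JCL/dynamic allocation/TSO source from the slide. It names the
//*    same key here, so it agrees with Option A.
//*  - Extended Format is required: DSNTYPE=EXTREQ (or an SMS Data
//*    Class that requests it); the data set must be SMS-managed.
//*  - Verify afterwards with IDCAMS LISTCAT ENT(...) ALL, which
//*    reports the data set key label for an encrypted data set.
//*------------------------------------------------------------------
//ALLOC    EXEC PGM=IEFBR14
//NEWDS    DD DSN=PAYROLL.MASTER.HISTORY,DISP=(NEW,CATLG),
//            DSNTYPE=EXTREQ,DSKEYLBL='DATASET.PAYROLL.KEY01',
//            SPACE=(CYL,(10,5),RLSE),RECFM=FB,LRECL=200
```

A user who can read the data set profile but lacks READ on the CSFKEYS profile will be able to allocate the data set yet fail at OPEN, which is the separation the key-labeling conventions on the Security Admins slide rely on.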

The Easy, No-Brainer Steps
You already have the first hardware device for free:
• CPACF (CP Assist for Cryptographic Function)
You already have the software for free:
• ICSF or Integrated Cryptographic Service Facility
The Crypto Express card is a tougher decision, but you're probably going to need it sooner or later.

3. The Necessary Hard Part

Organizational Issues
• Many parts of the organization need to be involved in defining the crypto environment:
  • Legal, regulatory, compliance, audit, risk management
  • Application owners and designers
  • Marketing
• When the demand comes from regulators, auditors, the marketplace, you need to be ready.

What CIOs Need to Know and Do:
• Take ownership of encryption across the enterprise
• Identify & prioritize the crypto resources that require protection (network communications? databases? files being sent to a partner?) What compliance regs or audits are you trying to pass?
• Define the security strengths required (AES vs TDES; RSA, ECC or both? key lengths, key rotation policy)
• Identify key managers
• Inventory/purchase the tools available to meet those requirements

What Sysprogs Need to Know and Do
• Configure hardware for redundancy and recoverability
• Set up started task (coordinate with security administrator)
• Set up key data sets
• Install and implement the tools to protect the corporate resources that need to be protected

What Security Admins Need to Know and Do
• Define userid for started task
• Keystore access
• USS security implications for TCP/IP
• Develop key labeling conventions (used to secure the key)
• Define Crypto Resource Rules
• Protect the functions
• Protect the keys
• Define keystore policies
• Identify owner (who approves the rules)
• Document approvals, annual re-certification, maintain the rules

What Key Admins Need to Know and Do
• Master Keys
  • Understand the process for loading and changing master key material
  • Ensure the security of master key material that must be available for recovery purposes
• Operational Keys
  • Use Key Generation Utility Program to define symmetric keys
  • Use RACDCERT (or equivalent) to define public/private key material
• Execute key change policies

What Auditors Are Going to Expect
• Review risk assessment: who decides (who is responsible for deciding) when and how to encrypt
• Review procedures to make it happen
• Review assignment of responsibility, policy, baselines
• Compare security software rules to approvals
• Conclude how well risk is managed

4. Summary and Call to Action

• The need for mainframe cryptography is unavoidable.
• If it is not managed from the CIO down, the odds of failure go up.
• You can start with the easy steps, and then dedicate resources to the hard ones.

Summary and Call to Action
We've talked about the crypto infrastructure, and why it's important, both to save money and to provide effective security.
No one person can get it properly implemented; several key players have important roles.
If these functions aren't happening in your shop, who needs to be involved to make it better?
If not you, then who?
Thanks for your kind attention.

Other Info Sources
• Greg's newsletter, articles: http://www.mainframecrypto.com/articles/
• Stu's newsletters, articles: http://www.stuhenderson.com/Newsletters-Archive.html
• IBM Crypto Education: https://www.ibm.com/developerworks/community/groups/community/crypto