IBM Security Solutions, System z Solution Edition for Security, & Other Recent Updates © 2010 2009 IBM Corporation Agenda Introducing IBM Security Solutions System z Solution Editions Overview Solution Edition for Security Highlights Solution Edition for Security Offerings Tivoli Security Management for z/OS update Tivoli Key Lifecycle Manager Summary 2 © 2010 IBM Corporation Introducing IBM Security Solutions Is the smarter planet secure? The planet is getting more Instrumented, Interconnected and Intelligent. New possibilities. New risks... Pervasive instrumentation creates vast amounts of data New services built using that data, raises Privacy and Security concerns… Critical physical and IT infrastructure 3 Sensitive information protection New denial of service attacks Increasing risks of fraud © 2010 IBM Corporation Introducing IBM Security Solutions Security challenges in a smarter planet Key drivers for security projects Increasing Complexity Soon, there will be 1 trillion connected devices in the world, constituting an “internet of things” Rising Costs Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010 Ensuring Compliance The cost of a data breach increased to $204 per compromised customer record Source http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html 4 © 2010 IBM Corporation Introducing IBM Security Solutions Cost, complexity and compliance Emerging technology Data and information explosion People are becoming more and more reliant on security Death by point products Rising Costs: Do more with less Compliance fatigue 5 IBM believes that security is progressively viewed as every individual’s right © 2010 IBM Corporation Elements of an Enterprise Security Hub Crypto Express 3 Crypto Cards Tape encryption Venafi Encryption Director DKMS Encryption DS8000® Data Privacy DKMS TKLM Venafi IBM Tivoli Security Compliance Insight Manager IBM Tivoli® zSecure Suite Guardium Key Management Multilevel Security TS1120 System z SMF Disk encryption Optim™ PKI Services Certificate Authority Compliance and Audit Venafi Encryption Director Enterprise Fraud Solutions Tivoli Identity Manager Extended Enterprise DB2® Audit Management Expert Tivoli Federated Identity Mgr Platform Infrastructure RACF® ICSF ITDS LDAP Common Criteria Ratings Support for Standards 6 Audit, Authorization, Authentication, and Access Control Services and Key Storage for Key Material Scalable Enterprise Directory Network Authentication Service Kerberos V5 Compliant z/OS® System SSL Communications Server SSL/TLS suite IDS, Secure Communications © 2010 IBM Corporation Introducing IBM Security Solutions In addition to the foundational elements, the Framework identifies five security focus areas as starting points GRC GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE Design, and deploy a strong foundation for security & privacy PEOPLE AND IDENTITY Mitigate the risks associated with user access to corporate resources DATA AND INFORMATION Understand, deploy, and properly test controls for access to and usage of sensitive data APPLICATION AND PROCESS Keep applications secure, protected from malicious or fraudulent use, and hardened against failure NETWORK, SERVER AND END POINT Optimize service availability by mitigating risks to network components PHYSICAL INFRASTRUCTURE Provide actionable intelligence on the desired state of physical infrastructure security and make improvements Click 7 9 for more information © 2010 IBM Corporation Introducing IBM Security Solutions IBM Security portfolio Security Governance and Compliance GRC = Services = Products Identity and Access Management Data Security E-mail Security Identity Management Access Management Data Loss Prevention Encryption and Key Lifecycle Management Messaging Security Database Monitoring and Protection Data Masking SIEM App Vulnerability Scanning Application Security App Source Code Scanning Access and Entitlement Management Threat Assessment, Mitigation, and Management Vulnerability Assessment Web Application Firewall and Log Mgmt SOA Security Mainframe Security Web/URL Filtering Security Events and Logs Click 8 8 for more information Virtual System Security Intrusion Prevention System Physical Security © 2010 IBM Corporation System z Solution Editions Unmatched value, competitively priced Special package pricing for our most popular new workloads Enterprise Linux Data Warehousing – z10 hardware (standalone footprint or isolated LPAR) SAP – Prepaid hardware maintenance WebSphere – Comprehensive middleware stack GDPS® – Services and Storage (as needed) Security Legendary mainframe quality Chordiant – Security, availability and scale ACI – Integration of applications with corporate data Cloud Computing – Industry leading virtualization, systems management and resource provisioning Application Development – Unparallel investment protection © 2010 IBM Corporation Solution Edition for Security Ultimate protection for the enterprise at a lower price Customer Pain Point Customer Value Reduced brand image and risk of financial loss resulting from internal and external Fraud In memory fraud detection, forensics supporting real time prevention not possible on distributed platforms Need to support escalating security priorities due to security breaches, identity theft, and increasing compliance requirements Complexity of monitoring security exposures due to an expanding list of identities Need for more encryption and reduced complexity of management to protect sensitive information throughout the enterprise Complexity of implementing security policies across multiple IT initiatives such as server consolidation, green IT, virtualization, TCO Centralized Identity and Access Management to simplify security administration, auditing, reporting and compliance. Solution Edition for Security Simplified Encryption and Key Management to protect data at rest, data in flight and data on removable media A robust set of capabilities that have been integrated within hardware and software for over 30 years Reduced complexity and easier management with the highest levels of security certification and a full suite of services available in a single server Delivering trust and confidence to directly impact your bottom line © 2010 IBM Corporation A deeper view into the Solution Edition for Security What it is • A comprehensive list of recommended rich Security products for each solution! Offering Solutions: Enterprise Fraud Analysis – Record and playback of insider actions, forensic analysis tools, real time prevention workflow applied to distributed and mainframe operations – Discover relationships via analytics • Flexibility to choose the products you need! Centralized Identity & Access Management • Accelerated solution deployment with the implementation services provided! Enterprise Encryption and Key Management – Cross platform user provisioning and management; Web 2.0 and cross platform authentication services – Protecting personally identifiable data; enterprise encryption management services: Discover, audit and monitor encryption keys Securing Virtualization: z/VM®, Linux • Competitively priced to meet your budget expectations! – Easily secure applications; security lifecycle management of server images running in Linux for System z server Compliance / Risk Mitigation / Secure Infrastructure: z/OS – Audit and Alerts processing, Simplified management operations, Data anonymization for development and test processes © 2010 IBM Corporation Enterprise Fraud Analysis Solution Customer Challenges • Internal and external fraud cost billions of dollars in losses • Reduction in brand equity and substantial financial losses • Executives face personal fines, penalties and legal repercussions Solution Capabilities • Provides automated policy enforcement, centralized reporting and analysis, centralized auditing controls, risk mitigation • Record and playback insider actions • Forensic analysis tools, real time prevention workflow • Discover relationships via analytics Solution Components • IBM Tivoli zSecure Manager for RACF z/VM • RACF ® Security Server feature for z/VM • z/VM ® V5 • z/VM V5 DirMaintTM Feature • ISPF V3 for VM • Optional: Intellinx zWatch 12 © 2010 IBM Corporation Enterprise Encryption and Key Management Solution Customer Challenges Encryption can be complex to implement and manage Without encrypted data, companies face great exposure risks Many PKI solutions from third parties can be costly Solution Capabilities Provides encryption capabilities Uses auditable granular access controls Provides auditing and monitoring of encryption keys Protects integrity and confidentiality of data and transactions Low cost digital certificates and PKI infrastructure Solution Components z/OS ® V1 includes: z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF DB2 ® for z/OS V9 OptimTM Data Privacy Solution Encryption Facility for z/OS V1 Data Encryption for IMS and DB2 Databases V1 Crypto Express3 Features TKE Workstation OSA Cards Tivoli® Key Lifecycle Manager (TKLM) IBM System Services Runtime Environment for z/OS 13 Optional: IBM Distributed Key Management System (DKMS) Venafi Encryption Director © 2010 IBM Corporation Centralized Identity and Access Management Customer Challenges Increased complexity of security administration and monitoring More security exposures and an expanding list of identities and access controls increases complexity Business portals increase need to better manage and monitor identities Cost of management and administration is too high Solution Capabilities Provides reduced infrastructure, simplified security management More efficient centralized identity lifecycle and access management Centralized auditing controls, and improved ability to meet compliance needs Cross platform user provisioning and authentication Solution Components z/OS version includes: 14 z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF DB2 for z/OS V9 WebSphere for z/OS V7 IBM Tivoli Security Management for z/OS Tivoli Federated Identity Manager Tivoli Identity Manager Linux version includes: IBM Tivoli zSecure Manager for RACF z/VM RACF Security Server Feature for z/VM z/VM v5 z/VM v5 Dirmaint Feature ISPF V3 for z/VM IBM Tivoli Identity and Access Assurance V1 © 2010 IBM Corporation Securing Virtualization: z/VM®, Linux® on System z® Customer Challenges Secured virtualized environment needed both for traditional and virtualized environments Virtualization offers compelling TCO but needs to be secure as well Customers are considering secured private cloud environments Cost effective security management is needed to avoid air gapped solutions Solution Capabilities Proven secured virtualization for decades Common criteria ratings Centralized Auditing and Reporting Workload isolation, common criteria, architecture design Easily to secure new workloads Solution Components 15 IBM Tivoli Secure Manager for RACF z/VM RACF Security Server Feature for z/VM zVM v5 zVM v5 Dirmaint Feature ISPF V3 for VM IBM Tivoli Identity and Access Assurance V1 © 2010 IBM Corporation Compliance / Risk Mitigation / Secure Infrastructure: z/OS Customer Challenges Security breaches, identity theft are growing Companies face large financial losses PCI and HIPAA compliance are required by law Many environments are plagued by viruses and a continued cycle of patches Solution Capabilities Security certifications (z/OS EAL 4+, LPAR EAL 5, FIPS 140-2 Level 4), System z/OS integrity statement Centralized security controls, auditing and administration Anonymous data for development and test Solution Components 16 z/OS V1 including: z/OS Security Server RACF, DFSMS, DFSORT, RMF, SDSF DB2 for z/OS V9 WebSphere for z/OS V7 Optim Data Privacy Solution Encryption Facility for z/OS V1 Data Encryption for IMS and DB2 Databases V1 Crypto Express3 Features TKE Workstation OSA Cards IBM Tivoli Security Management for z/OS Tivoli® Key Lifecycle Manager (TKLM) IBM System Services Runtime Environment for z/OS IMS Audit Management Expert for z/OS DB2 Audit Management Expert for z/OS Optional: IBM Distributed Key Management System (DKMS) Intellinx zWatch Venafi Encryption Director © 2010 IBM Corporation Tivoli Security Management for z/OS Offers the capability to: – Administer your mainframe security & reduce administration time, effort, and costs – Monitor for threats by auditing security changes that affect z/OS, RACF & DB2 – Audit usage of resources – Monitor and audit security configurations – Enforce policy compliance – Capture comprehensive log data – Increase capabilities in analyzing data from the mainframe for z/OS, RACF& DB2 – Interpret log data through sophisticated log analysis – Efficient auditing, streamlined for enterprise-wide audit & compliance reporting 17 © 2010 IBM Corporation IBM Tivoli Key Lifecycle Manager Focused on device key serving • IBM encrypting tape – TS1120, TS1130, LTO gen 4 • IBM encrypting disk – DS8000 Lifecycle functions • Notification of certificate expiry • Automated rotation of certificates • Automated rotation of groups of keys Platforms for V1 – z/OS 1.9, 1.10, 1.11 – AIX 5.3, 6.1 or later – Red Hat Enterprise Linux 4.0 and 5.0 – SuSE Linux 9 and 10 – Solaris 9, 10 Sparc – Windows Server 2003 and 2008 Designed to be Easy to use Provide a Graphical User Interface Initial configuration wizards Easy backup and restore of TKLM files – TKLM backup, DB2 backup, Key backup – Simple to clone instances Installer to simplify installation experience – Simple to use install, can be silent 18 18 © 2010 IBM Corporation The Ideal platform for new workloads and consolidation: System z: unmatched value, superior quality A Strategy for clients to expand their usage of the System z platform: – Deliver greater value for clients as they grow existing workloads – A new proposition that enables new application adoption – A new class of offering to deliver dedicated enterprise Linux servers at unprecedented low cost The Future Runs on System z © 2010 IBM Corporation IBM Security Solutions – SC Magazine's Best Security Company http://www-03.ibm.com/security/awards/ Al Zollar, General Manager, IBM 20 © 2010 IBM Corporation Trademarks The following are trademarks of the International Business Machines Corporation in the United States and/or other countries. IBM* IBM eServer IBM (logo)* ibm.com* AIX* Cognos* DB2* GDPS* Geographically Dispersed Parallel Sysplex HyperSwap* InfoSphere Rational* System p* System Storage System x System z* System z10 System z10 Business Class Tivoli* WebSphere* z/OS* z/VM* 10 BC z10 EC z9* zSeries* * Registered trademarks of IBM Corporation Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. INFINIBAND, InfiniBand Trade Association and the INFINIBAND design marks are trademarks and/or service marks of the INFINIBAND Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce. The following are trademarks or registered trademarks of other companies. * All other products may be trademarks or registered trademarks of their respective companies. Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography. © 2010 IBM Corporation