Locating Unmanaged but Regulated Data on System z: CA Data Content Discovery
0 likes777 views
The document discusses CA Data Content Discovery, a solution designed to identify and mitigate data exposure risks on z systems by scanning mainframe data infrastructure. It emphasizes the importance of protecting sensitive and regulated data on mainframes and outlines challenges organizations face in data management and compliance. The presentation highlights the necessity for a proactive approach to manage data security as mainframes become more integrated with modern IT environments.
Locating Unmanaged but Regulated Data on System z: CA Data Content Discovery
- 1. Locating Unmanaged but Regulated Data on z Systems: CA Data Content Discovery Mary Ann Furno Mainframe CA Technologies Director, Software Engineering MFX25S
- 2. 2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD For Informational Purposes Only Terms of this Presentation © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if- available basis. The information in this presentation is not deemed to be incorporated into any contract.
- 3. 3 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Abstract CA Data Content Discovery helps you identify data exposure risks on z Systems by scanning through the mainframe data infrastructure. By discovering where the data is located, classifying the data to determine sensitivity level, and providing comprehensive reporting on the scan results, data can be adequately protected and exposure risks can be mitigated. Mary Ann Furno CA Technologies Director, Software Engineering
- 4. 4 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Agenda CISOS, REGULATED DATA, AND THE MAINFRAME SENSITIVE DATA DEFINED DATA CONTENT DISCOVERY ON THE MAINFRAME DATA CONTENT DISCOVERY ROADMAP 1 2 3 4
- 5. CISOs, Regulated Data, and the Mainframe
- 6. 6 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD The Mainframe has never been hacked! Mainframe data stays on the mainframe; so it is safe! Data is fluid in today’s world. Data analytics; cloud Marriage of MF data and non MF data Mainframe is well understood and covered under three lines of risk control– Operational, Compliance and Internal audit The Current State REALITYMYTH Consider: Social engineering hacks Human error as MF experts retire Mainframe is viewed as a black-box breeds complacency –compounding the risk
- 7. 7 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD 71% of the world’s mission critical data is on the mainframe The mainframe acts as the enterprise IT server and has more entry and exit vectors. We must protect the mainframe and all business critical data as the strategic assets that they are, plus ensure easily confirmed regulatory compliance. Years in the making… Source: Rehabilitating the Perception of Mainframes, Enterprise systems Media, 22 July 2015
- 8. 8 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD What We Hear From Clients Regulated data has to be protected, regardless of what type of server it sits on or how it got there. That includes the mainframe, and existing controls may not cover all of it. We know where our sensitive, regulated data is…. It’s in our data center. Audit MF Security analystCISO The mainframe is now just another always- on server connected to all the others in our TCP/IP network. I’m not sure all the data hosted there is being managed to policy… We know the mainframe is no longer isolated from other servers in the network. We don’t know how much unmanaged regulated data now resides there… With the addition of TCP/IP via USS, mainframe data is fluid – we don’t know what we don’t know about what’s being stored there…. MF Security Director I need to exploit data’s full value proposition for my organization while controlling the risk. Chief Data Officer
- 9. 9 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- 10. 10 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD The Impact of Data Theft Health Insurance Announced: March 2015 Records stolen: 11M Cost: To be determined. Facing a class action lawsuit as well as potential regulatory violation fines. Retail Announced: September 2014 Records stolen: 56M Cost: $43M and counting. Estimates put this as high as $10B (includes all remediation costs borne by the company and consumers) Health Systems Announced: August 2014 Records stolen: 4.5M Cost: $75M – $150M eCommerce Announced: May 2014 Records stolen: 233M Cost: $200M and counting. Retail Announced: December 2013 Records stolen: 70M Cost: $162M and counting. Recent estimates put this at well over $1B. Government Announced: May 2015 Records stolen: 22M Cost: To be determined. Likely facing a class action lawsuit as well as others.
- 12. 12 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD PCI DSS Data Administered by one body Payment Security Council Account Data Cardholder Data Sensitive Authentication Data Primary Account Number (PAN) Magnetic stripe data Cardholder Name CAV2/CVC2/CVV2/CID Expiration Date PINs/PIN blocks Service Code
- 13. 13 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Personally Identifiable Information – PII PII Attributes Full Name Date of birth Home Address Email address National Identification Number Passport number Drivers License Number Vehicle registration Birthplace Genetic information Telephone number Login name, screen name, nickname, handle Face, fingerprints, handwriting IP Address Credit Card Numbers Digital identity First Name Last Name Country, state, postcode, city Age Gender Race Schools attended Criminal record Legislated by an large & growing number of governmental entities Multi-national: EU Data Protection Directive National: Gramm-Leach Bliley Banking Modernization Act, Canada Privacy Act Local: California SB 1386, Nevada Statute 603A, Massachusetts 201 CMR 17.00
- 14. 14 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD PHI Attributes Full Name Geographic subdivision Data elements Telephone number Fax number Electronic mail address SSN Medical record number Health Plan beneficiary number Account number Certificate/license number Vehicle ID/Serial number/license plate number Device identifier/serial number Biometric identifier Full face photograph or image Other unique identifying element Initially, only US, now spreading internationally Legislated by an large & growing number of governmental entities Multi-national: TBD National: US HIPAA / HITECH ACTs Local: TBD Protected Health Information - PHI
- 15. Data Content Discovery on the Mainframe
- 16. Existing mainframe content discovery tools migrate off the mainframe to PCs or other devices to scan Why locating data on a mainframe is a problem? Report writers extract production data and data exists in sequential files or JES spool Copies of sensitive production data exist Files with possible sensitive data are accidentally sent to outside parties without validation of content Once data is extracted, the target destination doesn’t match the security characteristics of source DB RESULT Organizations are neither prepared for, or confident in an audit! CHALLENGES REALITY Why locating data on a mainframe is a problem?
- 17. 17 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Data Content Discovery FIND Set up the scan Initiate the scan Provide discovered results to Security Administrator CLASSIFY Review compliance results and label sensitive data Provide compliance report to Internal Auditor PROTECT Modify access based on scan results Confirm successful audit against industry regulations Security Operations Internal Auditor Security Administrator
- 18. 18 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Find It: Define Scope
- 19. 19 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Classify it
- 20. 20 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Account Data Cardholder Data Sensitive Authentication Data Primary Account Number (PAN) Magnetic stripe data Cardholder Name CAV2/CVC2/CVV2/CID Expiration Date PINs/PIN blocks Service Code Classify It: PCI Data
- 21. 21 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Classify It: PII Data PII Attributes Full Name Date of birth Home Address Email address National Identification Number Passport number Drivers License Number Vehicle registration Birthplace Genetic information Telephone number Login name, screen name, nickname, handle Face, fingerprints, handwriting IP Address Credit Card Numbers Digital identity First Name Last Name Country, state, postcode, city Age Gender Race Schools attended Criminal record C C C C C C C C C C C C C C C Custom Classifier Quick Picks
- 22. 22 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Classify It: PHI Data PHI Attributes Full Name Geographic subdivision Data elements Telephone number Fax number Electronic mail address SSN Medical record number Health Plan beneficiary number Account number Certificate/license number Vehicle ID/Serial number/license plate number Device identifier/serial number Biometric identifier Full face photograph or image Other unique identifying element C Custom Classifier Quick Picks C C C C C C C C C
- 23. 23 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Protect It: Who Has Access to the Sensitive Data?
- 24. 24 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Data Content Discovery Promise FIND IT CLASSIFY IT PROTECT IT For CISO, MF Security Director FOR CISO, Internal Audit, Risk Officer FOR MF Security analysts, MF Data analyst The first data-pattern scanning capability uniquely natively on mainframe in the market Simple and Modern GUI along with Flexible scheduling designed for both z and non-IBM z personnel Eliminate risky offloading- with data security right on the mainframe. Only Data security product currently on the market for mainframe to use specialty engines to reduce upgrade costs Gain quick and critical insight about the potential and magnitude of data exposure on the mainframe Prove it to auditors that controls are checked by data-types to satisfy regulations Stay in control – eliminate risk while reducing costs of data protection processes
- 25. 25 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Product / Technology Architecture Execution Policy Web GUI Control Scans Reporting Classification Engine: z/OS Data Sources VSAM DB2 PS API 3rd party 3rd party CA Compliance Event Manager PDS/ PDSE … Description of Technology Overview of Technology Data Content Discovery “scans” data, identifying data vulnerabilities and risks to compliance Lands Lightly Product has no other CA product dependencies or other prerequisites, installs in <1 day DCD Repository
- 26. 26 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Data Content Discovery – A critical part of CA’s Security and Compliance Solution CA Data Protection 3rd party DLP Solution 3rd party DLP Solution Big Data Analytics Solutions CA Compliance Event Manager IBM RACF CA Top Secret CA ACF2 CA Cleanup In Ideation: Mainframe Advanced Authentication CA Data Content Discovery CA Auditor Secure mainframe assets Capture events affecting compliance and policy Discover sensitive data Extend compliance event data to analytics solutions Enable secure data in motion across the enterprise Security Administrator Big Data AnalystAuditor Planned Available Non-CA Product
- 27. 27 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Results There is stray, unmanaged, unprotected data on your mainframe – regulated, sensitive data that will damage the enterprise if compromised Find it, classify it, protect it with DCD Summary A Few Words to Review
- 28. 28 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Recommended Sessions SESSION # TITLE DATE/TIME Tech Talk Isn’t one authentication mechanism on z Systems™ enough? 11/18 – 4:30pm Mainframe Content Center Mainframe Theater Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? 11/18 – 3:45pm Mainframe Theater Tech Talk The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe 11/19 – 12:15pm Mainframe Content Center MFX26S How to Increase User Accountability by Eliminating the Default User in Unix System Services 11/19 – 1:00pm Breakers I MFX47S Top 10 things you shout NOT forget when evaluating your security implementation 11/19 – 2:00pm Breakers I
- 29. 29 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Follow Conversations in the Mainframe Content Center CA Data Content Discovery CA ACF2 ™ for z/OS CA Top Secret® for z/OS CA Cleanup CA Auditor Advanced Authentication Nov 18th @ 4:30pm The Known Unknown - Nov 19th @ 12:15pm
- 30. 30 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Q & A
- 31. 31 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD For More Information To learn more, please visit: http://cainc.to/Nv2VOe CA World ’15