Pre-Con Ed: Reduce Security Cost and Effort with CA Cleanup and Role Based Access Control
0 likes760 views
This document discusses how CA Cleanup and CA Identity Governance can help organizations reduce the cost and effort of mainframe security. It provides an overview of how CA Cleanup automates the process of identifying and removing unused and unnecessary access entitlements from the mainframe security database. Implementing CA Cleanup as part of a phased approach is recommended to continuously clean up access rights over time. Role-based access control best practices are also discussed to further streamline access management after an initial cleanup.
Pre-Con Ed: Reduce Security Cost and Effort with CA Cleanup and Role Based Access Control
- 2. 2 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of this Presentation
- 6. 6 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD The financial benefit for this risk mitigation approach is to avoid the cost of a data breach, which averages $5.9 million for a class action law suit settlement (Target settled at $39M, Sony Playstation $171M, Sony Entertainment $100M, Anthem BCBS $100M and still growing). Key Benefits: § Protect against both external and internal threats § Enable compliance for access across the Mainframe environment § Reduce costs and improve efficiency through automated security controls Securing employee and customer data and access to the Mainframe is key for protecting brand and reputation. Discovering and managing access is a starting point toward securing the Mainframe environment. A consolidated solution with preventive and detective controls to reduce the likelihood of unauthorized access is key to ensure security as well as streamlining the administration and auditing of all Mainframe access. Mitigate the risks of external attacks, insider threat and lateral movement within the Mainframe environment. Key drivers: § Highly publicized security breaches (e.g., Sony, Anthem, Target, Fed Govt OPM), mostly a result of privileged user account compromise, driving broad demand § Regulation and compliance driven needs are expanding with latest mandates § Threat surface is expanding with transition to evolving technology stack § Lack of automated capabilities to discover access and entitlements and limited visibility into user activities on the mainframe. Business Challenges What do you want to do? CHALLENGE BENEFITSSOLUTION
- 8. 8 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Quick Assessment REDUCE RISK OF OVER-PRIVILEGED USERS § Do I have Segregation of Duties violations right now? § Do all my users have the correct access for their role(s)? AUTOMATE IDENTITY PROCESSES § Are my processes too manual? Are they inefficient? § Do I have inconsistent security policies due to human error? § Can I reduce the time & effort it takes to submit audit reports? § Can I easily show “who has access to what”? SIMPLIFY COMPLIANCE AUDITS IMPROVE EMPLOYEE PRODUCTIVITY § How much time do my managers spend in access certifications? § How long does it take a new employee to have ALL their access and accounts available? INCREASE USER PARTICIPATION § Can I provide a one-stop-shop where my users can easily access all identity services in one place? § Can I reduce the need of IT to manage identity processes? PROVIDE OUTSTANDING USER EXPERIENCE § Can the system interact with my users with Business terms that they understand? § Can I improve my user productivity and satisfaction?
- 10. 10 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Cleanup for z/OS & CA Identity Governance A winning combination… - IT Specialist, Fortune 500 Banking Company “CA Mainframe Security solutions provide us with a high level of confidence that access to sensitive data is secured and properly managed.” Source: TechValidate., TVID: C58 – OCD – C5E
- 11. 11 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Governing Access on the Mainframe (CA Cleanup + CA Identity Governance) Reduce time and cost of compliance, mitigate risk and support the business 50%+ of mainframe security databases contain orphaned, obsolete or redundant identities and entitlements. Automated removal of wrong entitlements and access groups Restrict privileged access rights to minimum requirements Gain rapid insight - Who has access to what Identify exposures - wrong entitlements, inactive accounts, etc Continuously monitor system usage over time Automate and streamline compliance processes and establish detective controls Consolidate Entitlements Repeatable Processes Cleanup Access
- 12. 12 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Cleanup for z/OS How It All Works Tracking Database Security Database Report and Command Generator Report File Command Files DBRPTCMD CA ACF2, CA Top Secret Or IBM RACF Database Load Utility CA Cleanup Started Task
- 14. 14 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD CA Cleanup unreferenced summary report (ACF2) Typical use case: +50% unused Record Type Total Unreferenced --------------- --------- ------------ USER 15,865 7,637 48% DSN Rule Sets 9,031 4,605 50% DSN Rule Lines 103,308 79,177 76% RATX Rule Sets 1 1 100% RATX Rule Lines 2 2 100% RBBM Rule Sets 1 1 100% RBBM Rule Lines 1 1 100% RBCM Rule Sets 55 33 60% RBCM Rule Lines 209 178 85% RBJT Rule Sets 1 1 100% RBJT Rule Lines 3 3 100% RCAC Rule Sets 10 10 100% RCAC Rule Lines 79 79 100% RCAT Rule Sets 13 10 76% RCAT Rule Lines 77 69 89% RCBI Rule Sets 1 1 100% RCBI Rule Lines 2 2 100% RCCM Rule Sets 55 44 80% RCCM Rule Lines 209 194 92% RCKC Rule Sets 1 1 100% RCKC Rule Lines 1 1 100% RCKP Rule Sets 6 6 100% RCKP Rule Lines 6 6 100% RCKZ Rule Sets 18 18 100% RCKZ Rule Lines 21 21 100% RCMN Rule Sets 265 154 58% RCMN Rule Lines 1,195 764 63% RCP1 Rule Sets 2 2 100% RCP1 Rule Lines 127 127 100% RCSM Rule Sets 1 1 100% RDTA Rule Sets 4 4 100% RDTA Rule Lines 199 199 100% RDTR Rule Sets 53 53 100% RDTR Rule Lines 144 144 100% RECM Rule Sets 55 36 65% RECM Rule Lines 209 182 87% REJB Rule Sets 1 1 100% REJB Rule Lines 1 1 100% RESP Rule Sets 4 0 0% RESP Rule Lines 341 250 73% RFAC Rule Sets 15 12 80% RFAC Rule Lines 66 63 95% --------------- --------- ------------ ---- Totals 131,658 94,094 71%
- 15. 15 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Phased Clean-up Steps § Run DBRPT unref=999 § Review summary report § Start with 100% non-use § Run DBRPTC with selected resource types* *ACF2 = OPTION(commentaccessnone) § Review output § Schedule cleanup cycle § Execute deletes via batch § Maintain delete/recovery command files as GDG(s) § Consider update ‘reload’ job to run nightly (off-hours)
- 16. 16 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Phased Clean-up Steps § Re-run DBRPT unref=999 § Review summary report § Now with 80-99% non-use § Run DBRPTC with selected resource types* *ACF2 = OPTION(commentaccessnone) § Review output § Schedule cleanup cycle § Execute deletes via batch § Maintain delete/recovery command files as GDG(s) § Consider update ‘reload’ job to run nightly (off-hours)
- 17. 17 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD On-going Cleanup § Run DBRPT or DBRPTC weekly to meet SLA for account/entitlement removals – Best practice = 400 days § Execute deletes via batch § Maintain delete/recovery command files via GDG Time Level of privilege Employee is hired and ID is provisioned Not all entitlements are removed ~ This creates a security risk! Orphan Accounts & Entitlements New entitlements Employee leaves and ID is de-provisioned
- 18. 18 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Case Study: Large Retailer Streamlining Mainframe access CONTRACTORS Fragmented entitlements § lack of visibility of access § un-optimized group access § orphan accounts § overlapping access Manual entitlement reviews No standardized role definitions PARTNERS EMPLOYEES Proven highly scalable solution Analyzed 250,000 accounts, 66 million access rights and discovered 200 roles within 3 minutes “CA Identity Governance provided the most rapid TTV of any IAM product I’ve ever used…” - VP of IT Challenges:
- 19. 19 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD “Who has access to what?” Example assessment Email Mainframe Customer Database Directory HR UNIX Corporate Network Sally Brown Finance Bob Thomas Payments Hiroki Shimada IT Harold Fletcher Finance Jane Coors Payments Morgan Smith IT Carlos Bayez IT Laura Dempsey Payments 1,000,000’s Entitlements15,000+ People 100’s Applications Finance ü 1,123 combinations of UID string values, minus the LID. ü 443 refer to only 1 LID, 76 refer to 2, 42 refer to 3, 32 refer to 4 and 29 refer to 5. ü 662 unique combinations, or a little more than half, refer to 5 or less LIDs.
- 20. 20 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Typical Findings/Recommendations Sensitive Data Discovery Phased Cleanup Compliance Monitoring § Leverage CA Identity Governance role mining recommendations and attestation § Steps: - Determine acceptable level of role matching via surveys - Identity SoD violation - Identify where people fall outside the normal access structure - Definition of Role groupings in ESM Role survey / RBAC § Phased implementation - Define everyone based on new role - Migrate based on business tolerance 6-8 weeks 1-2 weeks 4-6 weeks 12+ weeks § Findings: - Reporting is cluttered due to excessive security data that is obsolete • Steps: - Purge obsolete rule lines - Leverage ACFRULCU (ACF2 only) - Rule nextkey consolidation (ACF2 only) - Ongoing cleanup § Findings: - Difficult to identify sensitive data with 100% certainty - Reporting process is cluttered due to excessive inclusion • Steps: - Implement CA Data Content Discovery to identify sensitive data - Implement CA Compliance Event Manager for on-going real time alerts § Findings: - Need more detailed data on current entitlement reports - Ongoing entitlement certification process could be enhanced - Integrity monitoring not in place • Steps: - Explore Compliance Information Analysis (CIA) as part of base prodcut (ACF2 & Top Secret only)
- 23. 23 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Recommended Sessions SESSION # TITLE DATE/TIME/ROOM MFX119S Encryption and Hashing and Keys – Oh, my! 11/16/2016 at 1:45pm Jasmine E MFX118S How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis 11/16/2016 at 3:00pm Jasmine E MFX173S The Importance of Mainframe Security Education 11/16/2016 3:45pm Jasmine E MFX172S The Key to Complying With New Regulations and Standards: Comprehensive Mainframe Security 11/16/2016 at 4:30pm Jasmine E MFT174S Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data 11/17/2016 12:45pm Mainframe Theater MFT175S Gaps in Your Defense: Hacking the Mainframe 11/17/2016 3:00pm Mainframe Theater
- 24. 24 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Must See Tech Talks and Demos – Expo Floor MFT53T How Can Mainframe Security be Made Easier? 11/16/2016 @ 12:45pm Mainframe Theater Mainframe Security and Enterprise Security Demos SCT38T SCX05E PAM Threat Analytics 11/17/2016 @ 4:00pm Security Theater Governing Your Privileged Users 11/16/2016 @ 3:45pm Security Theater
- 26. 26 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Thank you. Stay connected at communities.ca.com
- 27. 27 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Summary § Protects against both external and internal threats § Enables compliance for privileged identity and administrative access across the Mainframe § Reduces costs and improve efficiency through automated security controls § Leverage existing negotiated rates on license for aggressive discounts and product value § Offers the most comprehensive solution, providing both preventive & detective controls § Provides defense in depth for privileged account management: – Comprehensive credential management – Least-privilege, policy-based SSO access control with command filtering – Privileged session monitoring and recording – Fine-grained server access controls § Rated Best-of-breed solution by leading industry analysts § Proven scalability in some of the largest and most complex IT environments in the world THE VALUE WHY CA TECHNOLOGIES