Implementation of RBAC and Data Classification onto a Mainframe system
Steve Tresadern and Rui Miguel Feio
RSM Partners
September 2014, v1.5
Agenda
• Introductions
• Data Classification & Ownership
• Role-Based Access Control (RBAC)
• Maintaining the environment
• Results
• Q&A
Who are we?
• Steve Tresadern
  • 27 years mainframe experience
  • Former z/OS Systems Programmer
  • Experience in Cryptography, RACF, Compliance
• Rui Miguel Feio
  • 15 years mainframe experience
  • Experience in z/OS, RACF, zSecure, Development
  • Last 4 years working in Security and implementing RBAC
DATA CLASSIFICATION & OWNERSHIP
Data Classification – What is it?
• Understanding what your data is
Example breakdown by classification (pie chart on the slide): Sarbanes Oxley 36%, Development 23%, Customer - Confidential 16%, User 14%, Credit Card 11%.
Data Classification – What is it?
• Who owns your data
Example breakdown by owning area (pie chart on the slide): Branch 27%, Insurance 22%, Development 14%, HR 13%, Systems 9%, User 8%, Credit Card 7%.
Data Classification – Reasons to do it
• Audit requirements
• Compliance
• Who has privileged access?
• Who is accessing confidential information?
• Reduce the risk of fraud?
Data Classification – Aims
• Every dataset and resource profile must be:
  • Classified in terms of confidentiality and integrity.
  • Linked to an application.
  • Protected by correctly defined basic security.
• Understand who has privileged access.
• Every application has a business/data owner.
  • Ideally the owner approves all access.
  • The owner reviews who has access.
Sources for Data Classification
• RACF database
• Naming standards
• Access Monitor
• Support teams
• Local knowledge
• XBridge Datasniff
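The aims above can be checked mechanically once the classification sources have been gathered. The script below is an added example, not code from the RSM Partners deck or from their tooling. It links each dataset profile to an application through the naming standard (its high-level qualifier), then checks that the application carries a confidentiality/integrity classification and a business/data owner, and flags confidential data whose profile is opened up through UACC. The naming standard, application register and profile list are constructed sample data, and the field names are this example's own rather than a RACF or zSecure report format.

```python
"""Data-classification coverage check over RACF dataset profiles.

Added example, not code from the RSM Partners deck. It turns the aims on the
"Data Classification - Aims" slide into checks: every dataset profile must be
linked to an application (here through the naming standard, i.e. its
high-level qualifier), every application must carry a confidentiality and
integrity classification plus a business/data owner, and a profile holding
confidential data should not be opened up through UACC. The naming standard,
application register and profile list are constructed sample data, and the
field names are this example's own, not a RACF or zSecure report format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed naming standard: high-level qualifier (HLQ) -> application.
NAMING_STANDARD = {
    "PAYR": "Payroll",
    "CARD": "Card Processing",
    "DEV": "Development",
    "SYS1": "Systems",
}

# Constructed application register. Development deliberately has no owner.
APPLICATIONS = {
    "Payroll":         {"confidentiality": "Confidential", "integrity": "High",   "owner": "HR Director"},
    "Card Processing": {"confidentiality": "Confidential", "integrity": "High",   "owner": "Cards Business Owner"},
    "Development":     {"confidentiality": "Internal",     "integrity": "Medium", "owner": None},
    "Systems":         {"confidentiality": "Internal",     "integrity": "High",   "owner": "z/OS Systems Manager"},
}

# Constructed dataset profiles as (profile name, UACC).
PROFILES = [
    ("PAYR.PROD.**", "NONE"),
    ("CARD.PAN.**", "READ"),        # confidential data, but UACC READ
    ("DEV.TEST.**", "UPDATE"),
    ("SYS1.PARMLIB", "READ"),
    ("TEMP.SCRATCH.**", "UPDATE"),  # HLQ missing from the naming standard
    ("*.**", "NONE"),               # catch-all generic: no single HLQ
]


@dataclass(frozen=True)
class Finding:
    profile: str
    issue: str


def classify(profile: str, naming=NAMING_STANDARD) -> Optional[str]:
    """Link a dataset profile to an application via its HLQ; None if it cannot be."""
    hlq = profile.split(".", 1)[0]
    if "*" in hlq or "%" in hlq:
        return None  # generic HLQ: cannot be tied to one application by name
    return naming.get(hlq)


def assess(profiles=PROFILES, naming=NAMING_STANDARD, apps=APPLICATIONS):
    """Return one Finding per unmet aim; an empty list means every aim is met."""
    findings = []
    for name, uacc in profiles:
        app = classify(name, naming)
        if app is None:
            findings.append(Finding(name, "not linked to an application (HLQ not in naming standard)"))
            continue
        attrs = apps.get(app)
        if attrs is None:
            findings.append(Finding(name, f"application {app!r} missing from the application register"))
            continue
        if not attrs["owner"]:
            findings.append(Finding(name, f"application {app!r} has no business/data owner"))
        if attrs["confidentiality"] == "Confidential" and uacc != "NONE":
            findings.append(Finding(name, f"confidential data with UACC {uacc}"))
    return findings


def coverage(profiles=PROFILES, naming=NAMING_STANDARD, apps=APPLICATIONS):
    """Profile count per confidentiality class, like the pie chart on the slide."""
    counts = Counter()
    for name, _ in profiles:
        app = classify(name, naming)
        counts[apps[app]["confidentiality"] if app in apps else "Unclassified"] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in assess():
        print(f"{f.profile:<18} {f.issue}")
    print(coverage())
```

On the constructed data the check raises four findings: the catch-all `*.**` and the `TEMP` profiles cannot be linked to an application by name, `DEV.TEST.**` belongs to an application with no owner, and `CARD.PAN.**` holds confidential data behind UACC READ. A real run would feed the profile list from a RACF database unload and the register from the service database, which is exactly where the "Service Database – up to date?" challenge on the next slides bites.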
Sources for Data Ownership
• RACF database
• Service management
• Support teams
• Service database
• Local knowledge
Data Classification – Challenges
• Lack of knowledge in support teams
• Development team processes
• Cooperation of business areas
• Non-RACF-based security
• Unravelling the environment
• Service database: is it up to date?
Data Classification – Benefits
• Reduced risk of fraud
• Knowing who has privileged access
• Focused monitoring
• Recertification
• Audit
• Compliance
ROLE-BASED ACCESS CONTROL (RBAC)
RBAC – Reasons to do it
• Business organisation keeps changing
• Managing the mainframe security environment
• Audit requirements
• Compliance
• Recertification
• Removing access that is not required
RBAC Common Challenges - I
• Historical code
• Global Access Table (GAT)
• Lack of technical knowledge
• Cooperation of business areas
• Implementing least-privilege access
• DB2
RBAC Common Challenges - II
• Recertification tools
• Unravelling the existing RBAC
RBAC – Define Standards and Rules
• A personal userid is connected to one role group.
• The role group describes the business role.
• The role group contains all the access.
• Every role group has an ‘owner’.
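The rules above are the invariants an RBAC implementation has to keep, so they are worth checking automatically after every change. The script below is an added example, not code from the RSM Partners deck or from the RSM RBAC tool. It takes a RACF-style extract of userids, groups, connects and access lists and reports every userid outside the one-role rule, every role group without an owner or without members, and every permit granted straight to a personal userid; it also answers the "who does what" question by expanding group permits into effective user access. All data is constructed; the `R#` role-group prefix, the personal/technical userid flag and the record shapes are this example's own conventions, not a RACF or IRRDBU00 format, and exempting technical userids (started tasks, batch) from the one-role rule is an assumption of the example.

```python
"""RBAC rule check and effective-access query over a constructed RACF-style extract.

Added example, not code from the RSM Partners deck. It encodes the rules on
the "RBAC - Define Standards and Rules" slide: a personal userid is connected
to exactly one role group, every role group has an owner, and the role group
carries all the access, so a personal userid should hold no direct permits.
Users, groups, connects and access lists are constructed sample data; the
"R#" role-group prefix, the personal/technical userid flag and the record
shapes are this example's own, not a RACF or IRRDBU00 format. Exempting
technical userids (started tasks, batch) from the one-role rule is an
assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed userids and whether each is a personal or a technical id.
USERS = {"JSMITH": "personal", "AJONES": "personal", "BLEE": "personal",
         "DPATEL": "personal", "CICSPROD": "technical"}

# Constructed groups: role groups carry the "role" flag and should have an owner.
GROUPS = {
    "R#TELLER": {"owner": "Branch Operations Manager", "role": True},
    "R#PAYADM": {"owner": "HR Director", "role": True},
    "R#DEVLP":  {"owner": None, "role": True},             # no owner
    "R#AUDIT":  {"owner": "Head of Audit", "role": True},  # nobody connected
    "SYS1":     {"owner": "IBMUSER", "role": False},       # default group, not a role
}

# Constructed connects as (userid, group).
CONNECTS = [
    ("JSMITH", "SYS1"), ("JSMITH", "R#TELLER"),
    ("AJONES", "SYS1"), ("AJONES", "R#TELLER"), ("AJONES", "R#PAYADM"),  # two roles
    ("BLEE", "SYS1"),                                                    # no role
    ("DPATEL", "SYS1"), ("DPATEL", "R#DEVLP"),
    ("CICSPROD", "SYS1"),
]

# Constructed dataset access lists as (profile, grantee, access).
ACCESS_LIST = [
    ("BRANCH.TELLER.**", "R#TELLER", "UPDATE"),
    ("PAYR.PROD.**", "R#PAYADM", "UPDATE"),
    ("PAYR.PROD.**", "BLEE", "READ"),  # permit straight to a personal userid
    ("DEV.**", "R#DEVLP", "ALTER"),
]

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass(frozen=True)
class Finding:
    rule: str     # which RBAC rule is broken
    subject: str  # userid, group or profile concerned
    detail: str


def role_groups_of(userid, connects=CONNECTS, groups=GROUPS):
    """Role groups a userid is connected to; non-role groups are ignored."""
    return sorted(g for u, g in connects if u == userid and groups[g]["role"])


def check_rbac(users=USERS, groups=GROUPS, connects=CONNECTS, access_list=ACCESS_LIST):
    """Return one Finding per broken rule; an empty list means the model holds."""
    findings = []
    # Rule 1: a personal userid is connected to exactly one role group.
    for userid, kind in users.items():
        if kind == "personal":
            roles = role_groups_of(userid, connects, groups)
            if len(roles) != 1:
                findings.append(Finding("one-role", userid, f"connected to {len(roles)} role groups {roles}"))
    # Rule 2: every role group has an owner; a role nobody holds is stale.
    members = defaultdict(set)
    for u, g in connects:
        members[g].add(u)
    for group, attrs in groups.items():
        if attrs["role"] and not attrs["owner"]:
            findings.append(Finding("role-owner", group, "role group has no owner"))
        if attrs["role"] and not members[group]:
            findings.append(Finding("role-unused", group, "role group has no connected users"))
    # Rule 3: the role group carries all the access, so no permits to userids.
    for profile, grantee, access in access_list:
        if grantee in users:
            findings.append(Finding("direct-permit", profile, f"{access} granted directly to {grantee}"))
    return findings


def who_has_access(profile, users=USERS, connects=CONNECTS, access_list=ACCESS_LIST):
    """Effective access to one profile as userid -> access, with groups expanded.
    An explicit userid entry wins over group entries, and among group entries the
    highest access wins, as in RACF access checking with list-of-groups active."""
    direct, via_group = {}, {}
    for prof, grantee, access in access_list:
        if prof != profile:
            continue
        if grantee in users:
            direct[grantee] = access
            continue
        for u, g in connects:
            if g == grantee and ACCESS_ORDER.index(access) > ACCESS_ORDER.index(via_group.get(u, "NONE")):
                via_group[u] = access
    return {**via_group, **direct}


if __name__ == "__main__":
    for f in check_rbac():
        print(f"{f.rule:<14} {f.subject:<18} {f.detail}")
    print(who_has_access("PAYR.PROD.**"))
```

On the constructed data the check reports five breaches: AJONES holds two roles and BLEE none, `R#DEVLP` has no owner, `R#AUDIT` has no members, and `PAYR.PROD.**` carries a direct READ permit for BLEE. The `who_has_access` view is the raw material for recertification: the owner of `PAYR.PROD.**` sees AJONES with UPDATE through the role group and BLEE with READ outside it, which is exactly the access the RBAC rules say should be removed or moved into a role.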
RBAC - Sources of data
• HR data
• RACF
• Business organisation chart
• Phone list
• Global address list
• Local knowledge
• Access Monitor
RBAC Stages – An overview
The slide shows the stages as a flow; in order:
• Analyse and prepare the mainframe environment
• Identify logical groupings
• Engage with managers and users
• Devise the RBAC implementation plan
• Test the RBAC implementation
• Implement RBAC
• Update/develop processes
RBAC Implementation Tools
• RSM RBAC tool
• RSM DB2 RBAC tools
• Access Monitor data
• RACF Offline
• CARLa code
RBAC Benefits – Some examples
• Reduced risk of fraud
• Simpler security management
• Joiners, movers and leavers
• Recertification
• Audit
• Monitoring
• Who is who, and who does what
• Least-privilege access
MAINTAINING THE ENVIRONMENT
Tools – Maintaining the environment
• In-house security panels
• IBM zSecure Command Verifier
• IBM zSecure Alert
• RSM zMonitor
• RSM zDashboard
Tools – RSM zMonitor
Tools – RSM zDashboard
RESULTS
Reduction in Privileged Accesses (bar chart on the slide)
• Before: 737,468
• After: 73,669 (roughly a 90% reduction)
Reduction in Privileged Users (bar chart on the slide)
• Before: 12,949
• After: 4,347 (roughly a two-thirds reduction)
Questions
Contact Details
• Rui Miguel Feio - ruif@rsmpartners.com
• Steve Tresadern - stevet@rsmpartners.com
• RSM Partners - www.rsmpartners.com
