Rarely does a week pass without some form of cyber attack being reported. On the heels of the WannaCry outbreak, experts now warn of hackers using movie subtitles to exploit 200 million streaming players. IBM and its clients have long prized the resiliency of z/OS against the threats that plague other platforms. A portion of the z/OS System Integrity Statement expresses that "IBM’s long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS’ industry leadership in system security. z/OS is designed to help you protect your system, data, transactions, and applications from accidental or malicious modification. This is one of the many reasons IBM z Systems remains the industry’s premier data server for mission-critical workloads."
As guardians of the world's most critical data, we must be ever vigilant in defending it against the never-ending onslaught of attacks. As we do so, we need to focus on three key defensive practices:
- Preventing unauthorized access
- Preventing the use of stolen data
- Enabling the recovery of corrupted / destroyed data
First and foremost, we must prevent unauthorized access to our data, system processes and system resources. z/OS relentlessly enhances security across the platform, from maintaining the standards for Common Criteria level EAL4, to continually enhancing RACF. Visit https://www-03.ibm.com/systems/z/solutions/security_integrity.html to find the z/OS Security Statement, a white paper on remaining vigilant against threats, and the z/OS Security Portal. The Security Portal is intended to help you stay current with security and integrity fixes by providing current patch data and associated Common Vulnerability Scoring System (CVSS) ratings for new APARs. Security Notices are also provided to address highly publicized security concerns.
Regardless of the strength of our outer wall, we all face the risk of accidental or intentional unauthorized data access from the inside. This may be the result of data accidentally being copied to the wrong location or someone maliciously accessing private data. Building upon the strength of encryption of data at rest, IBM z/OS plans [1] to deliver application-transparent, policy-controlled data set encryption. This solution will enable data access to be restricted to just the Data Owners, while excluding all others. Data Managers can continue to have the appropriate access to manage data, but are restricted from accessing the data itself. Data set level encryption also prevents unauthorized outside users who steal data from having any meaningful use of the data, since it is encrypted.
Additionally, we must be prepared to recover from accidental and malicious data destruction. While the industry spends millions of dollars to synchronously/asynchronously replicate critical data to multiple regional/out-of-region locations, those replication solutions also immediately replicate all data destruction. To recover from such loss, we must maintain Point in Time (PiT) copies of our data from a time before the corruption takes place. Explore the best-practice PiT backup solutions for your enterprise's applications. For example, z/OS DB2 provides the BACKUP SYSTEM and RESTORE SYSTEM utilities. These utilities create non-disruptive PiT copies of DB2 instances that can be used to recover an entire DB2 system or individual table spaces to any point in time, while maintaining transactional consistency.
Of course, this is not all. We must constantly monitor against threats, have action plans at the ready for when an event happens, and have practiced our recovery processes.
Visit https://securityintelligence.com/ for security-related insight and analysis.
[1] Statement of Direction in the Announcement letter IBM United States Software Announcement 216-392, dated October 4, 2016