Let's just recap: IBM provides a comprehensive set of information protection capabilities for IBM hardware platforms that help organizations discover which data needs to be protected, secure access to it, encrypt the data, and ensure that privacy controls are in place throughout the information life cycle. In addition, IBM provides organizations with powerful and flexible analysis, real-time auditing, and reporting tools.
Figure 1. IBM provides organizations with a comprehensive set of information protection capabilities
Information protection for IBM System z
It's estimated that 95 percent of Fortune 1000 companies store business data on IBM System z®. Its business-focused capabilities—advanced business continuity features, security, transaction integrity, scalability, dynamic workload balancing capabilities, and powerful tools for access control and protection—make the System z platform an excellent choice for storing and processing business-critical information.
However, organizations must demonstrate accountability by complying with industry, financial and regulatory guidelines and be able to answer the who, what, when, where and how questions when it comes to data access. Regulations exist at the worldwide level, in addition to the country- and state-specific laws and regulations that must be followed. The Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Basel II and U.S. Senate Bill 1396 are just a few examples of the regulations with which organizations must comply. Research shows that the perceived quality of a company's corporate governance can influence its share price, as well as the cost of raising capital.
Let's take a closer look at information protection on the System z platform, focusing this time on audit and compliance on z/OS.
Auditing and IBM data servers on z/OS
RACF is the industry-leading security product for z/OS and does an excellent job in protecting access to secured assets on data servers for z/OS. However, it does little in the way of access and activity reporting. Audit mechanisms need to collect and report on activity performed in data servers for z/OS with relatively low overhead. Auditing does not enforce security policies. Therefore, a robust security implementation requires both RACF-based protections and auditing support. The purpose of auditing is to ensure that the appropriate controls are in place to identify inappropriate access and use of production data. Although auditing does not enforce access patterns or implement security, it provides the forensic information used to analyze the activities of users after access occurs. The key point to remember is that auditing solutions do nothing to protect access to data or other database resources.
The privileged user conundrum
To ensure the continued health and well-being of any database management system (DBMS), including DB2 and IMS on z/OS, many activities must be performed on a regular basis by system and database administrators. While these activities can be well controlled by external security processes such as RACF, they are pervasive in effect and can be used in ways that are contrary to security policies. Consider one possible scenario: sensitive data resides in a DB2 table, and the applications that access this table, such as IMS or IBM CICS®, are well protected by RACF. The database administrator does not have RACF authority to execute the CICS application, but does have database administration authority (DBADM) to administer the table. The database administrator runs an UNLOAD utility against the table, extracting all of the data it contains. He or she can then transfer that data to an outside entity through any number of mechanisms (FTP, flash/USB drive, CSV export to a spreadsheet, and so on). Because the user holds special privileges on the table, there is no security violation for RACF to report.
If, on the other hand, the environment were protected by an auditing solution, there could be mechanisms that would report on this authorized, but questionable, use of special privileges. One recommendation for audit collection is to monitor any SQL or utility access by privileged users. Alternatively, one might monitor every utility event, or look for one or both classes of events occurring within a given time interval. So, while it might be acceptable for the database administrator to access the audited tables during normal business hours, auditing parameters might be set up to look for unusual access patterns outside of normal business hours. The conundrum in all of this is that the nature of these authorities gives the privileged user the ability to access DB2 and IMS resources and data by means outside the well-protected application environment. This has the effect of providing unlimited access to the data and circumventing normal transaction-level RACF protection. In a DBMS environment where privileged user authorities have been granted, there must be some mechanism to track and record activities performed under the control of these privileged user identifiers.
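The monitoring rules just described (privileged utility access, access outside business hours, and SQL plus utility events within one time interval) written out as an added example. This is illustrative code, not Guardium's or IBM's; the audit events, the list of audited tables, the set of authorities treated as privileged (DBADM from the scenario above plus SYSADM), and the 08:00-18:00 weekday business window are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    privilege: str     # DB2 authority held when the event ran; "" for an ordinary user
    event_class: str   # "SQL" or "UTILITY"
    action: str        # statement or utility name, e.g. "SELECT", "UNLOAD"
    table: str         # fully qualified table name


# Assumed policy values for the example (not taken from any product configuration).
AUDITED_TABLES = {"PROD.CUSTOMER", "PROD.CARD"}
PRIVILEGED_AUTHORITIES = {"DBADM", "SYSADM"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def evaluate(events, window=timedelta(minutes=30)):
    """Return (rule, user, table, timestamp) findings for privileged access to audited tables.

    Only events by privileged users against audited tables are considered; ordinary
    application access goes through RACF-protected transactions and is left to RACF.
    """
    findings = []
    watched = [e for e in sorted(events, key=lambda e: e.ts)
               if e.table in AUDITED_TABLES and e.privilege in PRIVILEGED_AUTHORITIES]
    for ev in watched:
        # Rule 1: any utility (UNLOAD, etc.) run by a privileged user against an audited table
        if ev.event_class == "UTILITY":
            findings.append(("PRIV_UTILITY", ev.user, ev.table, ev.ts))
        # Rule 2: privileged access to an audited table outside normal business hours
        if outside_business_hours(ev.ts):
            findings.append(("OFF_HOURS", ev.user, ev.table, ev.ts))
        # Rule 3: the same privileged user touched the same audited table with both
        # SQL and a utility inside one time interval
        if ev.event_class == "UTILITY" and any(
                o.event_class == "SQL" and o.user == ev.user and o.table == ev.table
                and abs(o.ts - ev.ts) <= window for o in watched):
            findings.append(("SQL_AND_UTILITY_WINDOW", ev.user, ev.table, ev.ts))
    return findings


# Constructed sample audit trail (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
SAMPLE_EVENTS = [
    AuditEvent(datetime(2024, 3, 5, 10, 15), "dba01", "DBADM", "SQL", "SELECT", "PROD.CUSTOMER"),
    AuditEvent(datetime(2024, 3, 5, 10, 40), "dba01", "DBADM", "UTILITY", "UNLOAD", "PROD.CUSTOMER"),
    AuditEvent(datetime(2024, 3, 5, 11, 0), "app01", "", "SQL", "SELECT", "PROD.CUSTOMER"),
    AuditEvent(datetime(2024, 3, 5, 12, 0), "dba01", "DBADM", "SQL", "SELECT", "PROD.LOGTAB"),
    AuditEvent(datetime(2024, 3, 9, 2, 5), "dba02", "DBADM", "UTILITY", "UNLOAD", "PROD.CARD"),
]


if __name__ == "__main__":
    for rule, user, table, ts in evaluate(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<24} {user:<6} {table}")
```

Running the sample yields four findings: the daytime UNLOAD by dba01 triggers both the utility rule and the SQL-plus-utility rule (its SELECT came 25 minutes earlier), and the Saturday 02:05 UNLOAD by dba02 triggers the utility and off-hours rules. The ordinary application user and the unaudited table produce nothing, which is the point: RACF already governs those paths, and audit rules should focus on the privileged routes around them.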
Figure 2. Guardium provides scalable auditing, access control, and monitoring capabilities across heterogeneous environments
Separation of roles
Any mechanism used to audit activities of trusted users must be implemented in such a way as to prevent the privileged user from interfering with the collection of, or contaminating the source of, the audit data. Audit mechanisms against data servers for z/OS must maintain the necessary separation of duties, resulting in assurance of audit data integrity and more accurate reports. This allows database administrators to perform their own job duties and allows auditors to run audit reports independently of the database administrators, which results in easier and more accurate audits. Auditors need to have the ability to adhere to published industry standards and external auditing without relying on the assistance of the personnel being monitored.
Guardium for z
Auditors using Guardium for z do not need to go to a large number of sources to access data, nor do they need user IDs for DB2 or the operating system. They simply log in to Guardium to gain complete visibility of all auditable objects. An auditor can display collected data for all DB2 instances, or just the DB2 instances of interest, all from the central repository. A centralized repository creates a single source for reporting, institutional controls, and summarizing of data, including high-level trending of audit anomalies and drill-down capability (one layer at a time), as well as a robust level of event reporting controlled by the auditor without database administrator involvement. Audit data is secured in a locked-down, tamper-proof audit repository that cannot be modified by anyone, including database administrators and other privileged users, thereby supporting separation of duties and addressing a key audit requirement. When audit data resides in a hardened environment like Guardium for z, organizations can better control access and protect audit data.
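To make the separation-of-duties requirement from the previous two sections concrete (the privileged user must not be able to alter or contaminate the audit data, and the auditor must be able to check this without the DBA's help), here is an added example of a tamper-evident audit store. It is illustrative code, not a description of how Guardium for z stores its data: each record carries an HMAC over its own content and the previous record's tag, the key is assumed to be held only by the audit function, and the latest tag is assumed to be published out-of-band so that removal of trailing records is also detectable. The events and key are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "previous tag" of the first record

# Constructed key for the example; in practice it is held by the audit function
# (or hardware it controls), never by database administrators or other privileged users.
AUDIT_KEY = b"auditor-held-key-constructed-for-example"


def _tag(key: bytes, prev: str, body: str) -> str:
    """HMAC-SHA256 over the previous record's tag and this record's body."""
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


class AuditRepository:
    """Append-only audit store where every record is chained to its predecessor."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = []

    def append(self, event: dict) -> str:
        prev = self._records[-1]["tag"] if self._records else GENESIS
        body = json.dumps(event, sort_keys=True)  # canonical form so tags are reproducible
        tag = _tag(self._key, prev, body)
        self._records.append({"prev": prev, "body": body, "tag": tag})
        return tag

    def head(self) -> str:
        """Tag of the latest record; published out-of-band so truncation is detectable."""
        return self._records[-1]["tag"] if self._records else GENESIS

    def export(self) -> list:
        """Copy of the records, as an auditor (or a privileged user) would receive them."""
        return [dict(r) for r in self._records]


def verify(records: list, key: bytes, head=None):
    """Return (ok, index): index is the first bad record, or len(records) if the chain is sound.

    Without the key a reader can inspect records but cannot recompute a valid tag, so an
    edit, an insertion or a deletion breaks the chain at the first affected position.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        if r["prev"] != prev or not hmac.compare_digest(_tag(key, prev, r["body"]), r["tag"]):
            return False, i
        prev = r["tag"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, len(records)   # chain is internally consistent but records were cut off the end
    return True, len(records)


def build_sample_repository() -> AuditRepository:
    """Three constructed DB2 audit events, appended in order."""
    repo = AuditRepository(AUDIT_KEY)
    repo.append({"ts": "2024-03-05T10:15", "user": "dba01", "action": "SELECT", "table": "PROD.CUSTOMER"})
    repo.append({"ts": "2024-03-05T10:40", "user": "dba01", "action": "UNLOAD", "table": "PROD.CUSTOMER"})
    repo.append({"ts": "2024-03-09T02:05", "user": "dba02", "action": "UNLOAD", "table": "PROD.CARD"})
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    records = repo.export()
    print("intact copy:", verify(records, AUDIT_KEY, repo.head()))
    records[1]["body"] = records[1]["body"].replace("UNLOAD", "SELECT")  # someone rewrites history
    print("edited copy:", verify(records, AUDIT_KEY, repo.head()))
```

The design point is the key placement: a DBA with full read access to the repository still cannot produce a tag that verifies, so the auditor can validate an exported copy independently of the people being monitored. Chaining alone does not reveal that the newest records were dropped, which is why `verify` also accepts the published head tag.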
For many organizations, a comprehensive auditing environment requires much more than just collecting, storing, and reporting on audit data. Most customers today require support for heterogeneous DBMS environments, spread across different hardware, operating systems and database managers. Effective auditing calls for data from these disparate environments to be combined in a single-pane view. Guardium, as part of a larger heterogeneous implementation, provides additional support that satisfies many of the common auditing and reporting requirements while providing significantly more robust functionality. Guardium helps to satisfy a wide range of requirements for monitoring and alerting, without impacting SLAs and performance, and without requiring changes to databases or applications:
- Streamline compliance processes with workflow automation that automatically distributes compliance reports to oversight teams for electronic sign-offs, escalations and comments.
- Provide a scalable, multi-tier architecture that easily grows to handle increased workloads and additional applications and data center locations.
- Prevent unauthorized changes to database schemas and data.
- Allow for implementation of automated change control reconciliation by comparing approved change tickets with actual changes implemented by database administrators.
- Provide a best-practices library of hundreds of preconfigured reports and policies for regulations and standards such as SOX, PCI and HIPAA, as well as an easy-to-use, drag-and-drop "builder" for creating custom reports and policies.
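The change-control reconciliation item in the list above (comparing approved change tickets with the changes database administrators actually made) as an added worked example. This is illustrative code, not Guardium's reconciliation logic; the ticket fields, the observed DDL events and the rule that a change is approved only if it hits the ticket's object, action and maintenance window are constructed assumptions, as is the simplification that each ticket covers a single change.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    obj: str            # object the ticket authorises changing
    action: str         # "ALTER", "CREATE" or "DROP"
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class ObservedChange:
    """A schema change as recorded in the audit trail."""
    ts: datetime
    user: str
    obj: str
    action: str


def reconcile(tickets, changes):
    """Match each observed DDL change to an approved ticket and report what does not line up.

    Returns three lists: changes covered by a ticket, changes with no covering ticket
    (wrong object, wrong action, or outside the approved window), and tickets that were
    approved but never implemented.
    """
    matched, unauthorized, used = [], [], set()
    for ch in sorted(changes, key=lambda c: c.ts):
        for t in tickets:
            if (t.ticket_id not in used and t.obj == ch.obj and t.action == ch.action
                    and t.window_start <= ch.ts <= t.window_end):
                matched.append((ch.obj, ch.action, t.ticket_id))
                used.add(t.ticket_id)   # simplifying assumption: one observed change per ticket
                break
        else:
            unauthorized.append((ch.user, ch.obj, ch.action, ch.ts.isoformat(timespec="minutes")))
    unimplemented = [t.ticket_id for t in tickets if t.ticket_id not in used]
    return {"matched": matched, "unauthorized": unauthorized, "unimplemented": unimplemented}


# Constructed sample data (not from any real ticketing system or audit trail).
TICKETS = [
    ChangeTicket("CHG-1001", "PROD.CUSTOMER", "ALTER",
                 datetime(2024, 3, 5, 20, 0), datetime(2024, 3, 5, 22, 0)),
    ChangeTicket("CHG-1002", "PROD.TEMP_LOAD", "DROP",
                 datetime(2024, 3, 6, 9, 0), datetime(2024, 3, 6, 10, 0)),
]
OBSERVED = [
    ObservedChange(datetime(2024, 3, 5, 20, 30), "dba01", "PROD.CUSTOMER", "ALTER"),  # approved, in window
    ObservedChange(datetime(2024, 3, 5, 20, 45), "dba01", "PROD.CARD", "ALTER"),      # no ticket at all
    ObservedChange(datetime(2024, 3, 7, 3, 0), "dba02", "PROD.CUSTOMER", "ALTER"),    # ticket exists, window missed
]


if __name__ == "__main__":
    for section, rows in reconcile(TICKETS, OBSERVED).items():
        print(section)
        for row in rows:
            print("   ", row)
```

On the sample data one change reconciles to CHG-1001, two are reported as unauthorized (one with no ticket for the object, one made two days after its window closed), and CHG-1002 is flagged as approved but never carried out. The last category matters as much as the others to an auditor: an approved DROP that was not executed may mean the work was done under a different, unreviewed identity.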
Being alerted in near real time to potential threats enables an organization to stay one step ahead. Why be reactive when you can be proactive with Guardium for z?
IBM Information Management information protection solutions for z/OS offer comprehensive end-to-end capabilities to help manage business risk and reduce the threat of data breaches and security exposures, wherever your data is, whoever is using it, whenever it is being used. IBM can help you find ways to take back control and be S.A.F.E.R.
- Learn how IBM Information Management information protection solutions for z/OS can help you reduce the threat of data breaches and security exposures.
- "IMS at 40: Stronger than Ever", IBM Database, October 2008.
- "A Board Culture of Corporate Governance", Corporate Governance International Journal, Vol 6, Issue 3, July 2003.
- Learn more about the IBM System z cryptographic function.