Townsend Security Data Privacy Blog

IBM System z Mainframe and Audit Logging

Posted by Patrick Townsend on Mar 1, 2016 9:11:00 AM

Because Townsend Security provides encryption for IBM System z Mainframes we often get asked about system logging for that platform. Our Alliance LogAgent solution provides system log collection for the IBM i (AS/400, iSeries) platform, so this is a natural question from Mainframe customers.

IBM z/os MainframeWe don’t have a solution for IBM Mainframe customers, but I am happy to report that our partner CorreLog does! IBM System z Mainframe users can deploy the CorreLog solution and get the same types of security event collection and SIEM integration that we provide in Alliance LogAgent. The two products are not exactly the same in terms of features, but CorreLog will give you the security event collection and SIEM integration that you need.

Like the IBM i platform the IBM Mainframe contains a lot of sources for security event information and the data must be transformed into a usable format and transmitted to a SIEM. This is a daunting task for even an experienced Mainframe developer, so this is a perfect area for a third party product. CorreLog has just the right solution to make this happen.

IBM has been enhancing the System z Mainframe to bring it into the modern Internet-connected world. This means you have more security attack points on this venerable platform, and need to deploy modern security tools to protect it. Active monitoring of security audit logs by a SIEM solution is a must-have for Mainframe shops and CorreLog has a great solution.

Infosef Myths Debunked CorreLog provides their own SIEM solution, but they also integrate with a wide variety of other SIEM vendor solution. You can deploy CorreLog to send security events to IBM Security QRadar, LogRhythm, HP ArcSight, Dell SecureWorks, RSA Envision, and many other SIEM solutions! This also means that you are not locked into any one SIEM vendor and can easily migrate to a new solution if or when you want to.

Another big bonus of the CorreLog solutions is support for File Integrity Monitoring, or FIM. FIM is an integral part of many compliance regulations such as PCI Data Security Solutions, and with CorreLog you can address that need along with the rest of you security monitoring needs. Many IBM Mainframe applications use DB2 files to store configuration information, so the FIM module really helps meet the compliance requirements.

You can get more information about CorreLog here.

Patrick

Topics: IBM z, Mainframe, logging

Mainframe Myth-Busting: File Integrity Monitoring is Only for Windows/UNIX Security Systems

Posted by Paul Taylor on Feb 16, 2016 8:41:00 AM

"This article was originally posted on CorreLog's blog. CorreLog is a high performance correlation, search and log management company and Townsend Security partner."


That’s the thing about myths: they’re only partly true.

IBM z/os MainframeYes, File Integrity Monitoring (FIM) has been part of the distributed computing landscape for a few years now. And yes, real-time enterprise security monitoring is harder to accomplish in a mainframe environment. But as attacks become more sophisticated, FIM needs to be a key component of the entire network, including your mainframe.

There’s a well-known software vendor that has an antivirus “sandbox” that is used to explode viruses in much like a police bomb squad would do with a suspicious package at a crime scene. After said software suspicious package is exploded, the software vendor adds the footprint to its database and the next time that package comes through the network, if it was clean the first time, it gets let through; if not, it’s blocked.

The tricky part of this story is that hackers are now smart enough to detect when they are about to be put into one of these sandboxes. When the A/V program starts to sandbox, the suspected virus, the virus goes into a cloaking mode to evade the sandbox. The A/V tool gives the executable a passing grade and there you have it; virus enters network.

Infosef Myths Debunked

Chances are you won’t have to worry about mainframe viruses anytime soon (though anything is possible these days). The point of the story here is the sophistication at which hackers are attempting to compromise corporate and government IP. For it is a much faster path to market to steal technology than it is to develop it. The same could be said for nation-state attackers who lack the subject matter expertise to develop their own IP, be it leading-edge technologies or schematics for nuclear reactors.

Having a Security Information & Even Management (SIEM) system with Data Loss Prevention (DLP), supported with antivirus detection and Identity/Access Management Systems (IAMS), gives you a fighting chance. Having a means for File Integrity Monitoring, especially on z/OS where the most strategic global banking and government data resides, further fortifies your security strategy and arms your information security team with another data point to determine the level of risk to your data.

FIM protocols are well established on the distributed side, but if you were to ask a mainframe sysprog (system programmer) if they have some type of FIM protocol in place for z/OS, they would look at you like you were speaking a foreign language. FIM on mainframe, or MFIM, must be addressed, at a minimum, to facilitate the Payment Card Industry Data Security Standard (PCI DSS) requirements 10.5.5; 10.6.1; 11.5; and 12.10.5. The standard and corresponding requirements can be found here, and we should note that this blog is not a review of the requirements. The takeaway in today’s blog is to understand that FIM is important to the Payment Card Industry Security Standards Council (and HIPAA, and FISMA, and IRS Pub. 1075, and others). PCI DSS lists FIM in four different requirements and it does not say “do this just on your Windows and UNIX systems.” The requirement says do this for all systems in your datacenter.

The key to MFIM is to look at the mainframe counterparts to the Microsoft Windows install folder. One of these, SYS1.PARMLIB, or the PARMLIB concatenation, is the most important set of datasets on z/OS, listing system parameter values used by nearly every component of z/OS. You can’t just take a checksum "snapshot" of these files, as a SIEM would do with distributed systems, because they’re simply too big for that to be a practical approach.

The details of tracking mainframe event messages are far too many to get into here. Essentially, you need a way of connecting the mainframe and your distributed SIEM system for notifications in real time, and you need a software tool that will convert mainframe events to a distributed event log format — RFC 3264 syslog protocol — so your SIEM system can interpret the data as actionable information.

You can learn more about MFIM and its relevance to PCI DSS from CorreLog’s complementary whitepaper titled “InfoSec Myths Debunked: FIM is only for Windows/UNIX.”

Topics: IBM z, File Integrity Monitoring (FIM), Mainframe

Three Things to Know about PGP Encryption & the IBM z

Posted by Michelle Larson on Apr 24, 2015 6:10:00 AM

Pretty Good Privacy (PGP) Encryption is a solid path to provable and defensible security, and PGP Command Line sets the standard for IBM enterprise customers.

Pretty Good Privacy (PGP) encryption is one of the most widely deployed whole file encryption technologies that has stood the test of time among the world’s largest financial, medical, industrial, and services companies. Download the PGP z podcast It works on all of the major operating system platforms and makes it easy to deploy strong encryption to protect data assets and file exchange. PGP is also well recognized and accepted across a broad number of compliance regulations as a secure way to protect sensitive data as it is in transit to your trading partners. PGP encryption can help businesses meet PCI-DSS, HIPAA/HITECH, SOX, and FISMA compliance regulations.

Here are three key things to know about PGP encryption for your IBM System z Mainframe, and how to discuss them with your technology providers:

1) Always encrypt and decrypt sensitive data on the platform where it is created. This is the only way to satisfy regulatory security and privacy notification requirements.

Moving data to a PC for encryption and decryption tasks greatly increases the chances of loss and puts your most sensitive data at risk.  In order not to defeat your data security goals it is important to encrypt and decrypt data directly on the platform.

2) The best PGP encryption solutions manage PGP keys directly on the platform without the need for an external PC system, or key generation on a PC.

Using a PC to generate or manage PGP keys exposes the keys on the most vulnerable system. The loss of PGP keys may trigger expensive and time-consuming privacy notification requirements and force the change of PGP keys with all of your trading partners.

3) The best data security solutions will provide you with automation tools that help minimize additional programming and meet your integration requirements.

Most Enterprise customers find that the cost of the software for an encryption solution is small compared to the cost of integrating the solution into their business applications. Data must be extracted from business applications, encrypted using PGP, transmitted to a trading partner, archived for future access, and tracked for regulatory audit. When receiving an encrypted file from a trading partner the file must be decrypted, transferred to an IBM z library, and processed into the business application. All of these operations have to be automated to avoid expensive and time-consuming manual intervention.

While the IBM System z Mainframe has always had a well-earned reputation for security, recently IBM modernized and extended their high-end enterprise server, the IBM System z Mainframe with the new z13 model. With full cross-platform support you can encrypt and decrypt data on the IBM Mainframe regardless of its origination or destination.

For over a decade Townsend Security has been bringing PGP encryption to Mainframe customers to help them solve some of the most difficult problems with encryption. As partners with Symantec we provide IBM enterprise customers running IBM System z and IBM i (AS/400, iSeries) with the same strong encryption solution that runs on Windows, Linux, Mac, Unix, and other platforms.

With the commercial PGP implementation from Symantec comes full support for OpenPGP standard, which really make a difference for enterprise businesses. Here are just a few of the things we’ve done with PGP to embrace the IBM System z Mainframe architecture:

    • Native z/OS Batch operation
    • Support for USS operation
    • Text mode enhancements for z/OS datasets
    • Integrated EBCDIC to ASCII conversion using built-in IBM facilities
    • Simplified IBM System z machine and partition licensing
    • Support for self-decrypting archives targeting Windows, Mac, and Linux!
    • A rich set of working JCL samples
    • As always we offer a free 30-day PGP evaluation on your own IBM Mainframe

PGP Command Line is the gold standard for whole file encryption, and you don’t have to settle for less. When you base your company reputation on something mission-critical like PGP encryption, you deserve the comfort of knowing that there’s a support team there ready to stand behind you.

Listen to the podcast for more in-depth information and a discussion on how PGP meets compliance regulations, and how Townsend Security, the only Symantec partner on the IBM i (AS/400) platform as well as the IBM z mainframe providing PGP Command Line 9, can help IBM enterprise customers with defensible data security!

 

Download the Podcast for PGP z


Topics: Data Security, PGP Encryption, IBM z, Podcast

PGP on IBM System z Mainframes

Posted by Patrick Townsend on Feb 10, 2015 7:38:00 AM

With the new z13 model, IBM announced another round of enhancements and improvements to the venerable IBM System z Mainframe. Focusing on mobile and social media integration, IBM is yet again modernizing and extending this high-end enterprise server.

PGP Encryption Trial IBM i While the IBM System z Mainframe has a well-earned reputation for security, how do Mainframe customers protect their data as they move towards more open, internet-based mobile and social media integration?

Pretty Good Privacy (PGP) is one path to provable and defensible security, and PGP Command Line is the de facto standard for enterprise customers.

PGP is one of the most commonly accepted and widely deployed whole file encryption technologies that has stood the test of time. It works on all of the major operating system platforms and makes it easy to deploy strong encryption to protect data assets. And it runs on the IBM System z Mainframe!

For about a decade we at Townsend Security have been bringing PGP encryption to Mainframe customers to help them solve some of the most difficult problems with encryption. As partners with Symantec we provide IBM enterprise customers running IBM System z and IBM i (AS/400, iSeries) with the same strong encryption solution that runs on Windows, Linux, Mac, Unix, and other platforms.

Incorporating the OpenPGP standard, PGP Command Line from Townsend Security and backed by Symantec, is compatible with a variety of open source PGP encryption solutions, while adding features to warm the heart of the IBM Mainframe customers. And this is the same PGP whose underlying PGP SDK has been through multiple FIPS 140-2 validations and which is FIPS 140-2 compliant today.

While retaining the core functions of PGP and the standards-based approach to encryption, we’ve been busy extending PGP specifically for the IBM Mainframe customer. Here are just a few of the things we’ve done with PGP to embrace the IBM Mainframe architecture:

  • Native z/OS Batch operation
  • Support for USS operation
  • Text mode enhancements for z/OS datasets
  • Integrated EBCDIC to ASCII conversion using built-in IBM facilities
  • Simplified IBM System z machine and partition licensing
  • Support for self-decrypting archives targeting Windows, Mac, and Linux!
  • A rich set of working JCL samples
  • Free evaluation on your own IBM Mainframe

IBM Mainframe customers never have to transfer data to a Windows or Linux server to perform encryption, and in the process exposing data to loss on those platforms. With full cross-platform support you can encrypt and decrypt data on the IBM Mainframe regardless of its origination or destination.

PGP Command Line is the gold standard for whole file encryption, and you don’t have to settle for less.

Patrick

PGP Encryption for IBM

Topics: IBM z, Mainframe, PGP