IBM Lab Services Helps Clients Stay Vigilant Against Data Hackers

In July 2015, an operator noticed some heavy UNIX* System Service (USS) activity that seemed highly suspicious. Some scripts were sending spam messages all over the world from the client’s mainframe.

The client called IBM Systems Lab Services for z Systems* and LinuxONE*, and the Lab Services team sprang into action. The team of highly skilled specialists has deep technical knowledge in a number of different areas, including network, storage and security for z/OS* and Linux* for z Systems. After performing a forensic search on the client’s system, Lab Services determined that the hackers had made a miscalculation. They thought they’d hacked a Linux system—and hadn’t figured out they were on a mainframe and could access customer data. The hackers had used the system as a spamming machine without digging further. If they’d discovered that the client was managing a large amount of its customers’ personal data, the resulting leak would have been a disaster.

It was a close call. By and large, cyber thieves are more wily and sophisticated. With many types of data bringing in billions of dollars on the black market, they’re devoting all of their time trying to outwit organizations’ data-protection strategies. For them, hacking is a full-time job. But system administrators can rarely dedicate all of a staffer’s hours to monitoring illicit activity on their systems.

In fixing leaks and reinforcing data safety, Lab Services team members know the headaches and indigestion administrators are dealing with, and they make use of the numerous security tools in the IBM toolbox. They also know what z Systems administrators will have to confront in the future. New global data privacy standards will require organizations to add new layers of protection to the data they store.

Firefighters, Physicians and Teachers

Lab Services works on other z Systems issues besides security, but with hackers working full time to find ways to evade the latest data-protection measures, security keeps Lab Services staff notably busy. Didier Andre, a mainframe consultant for Lab Services who focuses on z Systems, describes the department as “a team of firefighters,” putting out fires.

“But usually, our consulting service is about prevention,” Andre adds. “People tend to say or to think that mainframe is the most secure platform. That’s not 100 percent true—it’s the most securable. And we’re providing services to help our clients to make it the most secure.”

Because preventive measures are a major part of their work, another way to think of Andre and his Lab Services colleagues is as physicians. For IBM clients that request their help, they conduct what they call security “health checks” on the entire system. That starts with IBM’s RACF* software, which provides basic security for the mainframe. But that’s just the start of helping clients ensure their systems are as secure as possible.

“We’re looking holistically at how you’re protecting the data—when you have it, when you receive it, and when you send it off,” says Craig Johnston, a Lab Services consultant specializing in mainframe security. “That’s especially important for PCI DSS, because those systems are just part of the bigger picture—including how you’re protecting the data from a merchant, through the card issuer, the reconciliation of the bills and so on.”

PCI DSS applies to companies of any size that process credit card data and it mandates cryptographic use, because organizations that accept such payments must store, process and transmit cardholder data. For hackers, that data is pure gold, and organizations must guard that treasure on a PCI-compliant system. PCI DSS is a set of requirements designed to secure and protect customer payment data. Not following the PCI DSS standards puts an organization’s customers’ credit data at risk.

A breach could cost that organization millions in repairs, reparations to customers or potential loss of reputation and business.

In helping clients keep their customers’ data safe, Lab Services pays particular attention to cryptography (i.e., crypto). Crypto covers all technologies used to convert plain text into scrambled text so that outsiders can’t access or “read” it.

“A lot of that has to do with the encryption of the data to protect the data on the system,” Johnston says. “We look at the actual installation to determine if the encryption is being done only half way—if at all. We then help clients fine-tune the encryption.” Lab Services helps clients update crypto for devices, databases and applications, as well as entire systems.

Lab Services examines and uses several tools when working with clients to fortify the walls around their important data. Crucial elements of the protection strategy are encryption keys—code that scrambles “plaintext” into “ciphertext” that outsiders can’t read. Encryption keys are designed with algorithms intended to ensure that every key is unpredictable and unique. Without an encryption key, ciphertext can’t be unwound back to plaintext.

The z Systems servers also have dedicated CryptoCards. These tools are managed primarily by the Integrated Cryptographic Services Facility, a software element of z/OS that works with Security Server RACF and other cryptographic features to produce high-speed cryptographic services. Lab Services can configure the software around CryptoCards and help clients create different encryption keys.

IBM also has a product called Enterprise Key Management Foundation (EKMF), developed by IBM’s Crypto Competency Center in Copenhagen, Denmark. EKMF provides centralized key management on z Systems, notably useful for meeting PCI requirements. In addition, Lab Services also helps with the deployment of IBM Security Guardium* Data Encryption for DB2* and IMS* databases, which is used to prevent leaks from data databases, data warehouses and big data environments. Guardium incorporates a key to encrypt data stored on DB2 databases.

Another important consideration is that clients using encryption keys to protect their data will also need to protect the keys themselves. Otherwise, Johnston says, “the data might as well not be encrypted.” This is where IBM’s Security Key Lifecycle Manager (SKLM) can help. The SKLM product, which centralizes and automates the encryption key management, also can encrypt the keys themselves, whether they’re stored on physical tape or IBM storage media such as XIV* or DS8000*.

“Lab Services can help the client configure its DS8000 or the full-disk encryption of that drive,” Johnston says. Lab Services also works with z Systems clients to set up IBM’s Trusted Key Entry workstation, which manages the master keys that protect those operation keys through CryptoCards.

Now Lab Services is beginning work to help z Systems clients be prepared for new regulations and rules that will require them to further fortify their system’s security systems and practices.

What’s Next

One new regulation is PCI DSS 3.2, an update to the PCI standard. Perhaps the biggest change that PCI DSS 3.2 incorporates is the use of multifactor authentication (MFA) for administrators to access cardholder data. Compliance with 3.2’s MFA requirement will become mandatory Feb. 1, 2018. As Andre notes, had this requirement been in place a couple of years ago, it would have prevented the July 2015 USS hack. “Even with a user password, the hacker would have been denied any access without the second form of authentication provided by MFA,” he says.

To help clients meet the DSS 3.2 MFA standard, IBM is developing a mainframe solution implementation service. Lab Services is one of the teams being trained to deliver this service. It expects to be conducting deployments with customers by the end of this year.

Also on Lab Services’ security agenda this year: helping clients upgrade their mainframe environments to meet the upcoming European Union’s General Data Protection Regulation (GDPR). This new data-protection standard extends the region’s data-protection law to all foreign companies processing data of EU residents. Scheduled to go into effect in May 2018, the GDPR will put in place stringent rules not only for data protection, but also for reporting data breaches to EU authorities. Organizations that don’t comply with the GDPR could be liable for fines in the tens of millions of euros.

According to Johnston, Lab Services is developing focus on the major requirements and sub-requirements; it’s developing the same process for GDPR. “We’ll come up with a list of issues to look at and show clients where their system is deficient,” Johnston says. “We’ll be coming up with alert desk checks for z Systems, and we’ll have assessments on that.”

For z Systems clients with cardholder data to protect, that’s good news. Hackers never rest. Lab Services, however, is helping the organizations it serves to be prepared and protected.

.

---