Safeguarding Your Mission-Critical Mainframe Data and Databases As

MAINFRAME Safeguarding Your Mission-Critical Mainframe Data and Databases as You Drive Your Business Forward Stuart McIrvine Dhananjay Joshi (DJ) Kevin Shuma Dave Ross Vice President Senior Advisor Vice President Sr. Principal Product Owner CA Technologies CA Technologies CA Technologies CA Technologies

MFX132E For Informational Purposes Only Terms of This Presentation

The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

1 THREATS TO MAINFRAME DATA – EXTERNAL AND INTERNAL

2 INSIDER THREATS AND RISKS IN DATA MANAGEMENT

3 COMPLIANCE / GDPR – RELEVANCE TO DATA MANAGEMENT

4 DATA LIFE CYCLE AND DATA PROTECTION

5 FEEDBACK – YOUR NEEDS AND HOW CAN CA HELP?

Yahoo Myspace Experian LinkedIn Equifax Anthem Dropbox Home Depot Target …

•1 Billion •360 •200 •162 •143 •80 Million •68 Million •56 Million •43 Million Million Million Million Million

Source: https://www.scmagazine.com/where-equifax-falls-among-the-top-recent-data-breaches/article/687611/

Source: https://www.scmagazine.com/patient- home-monitoring-corp-exposed-475-gb-worth- of-patient-data/article/699640/

▪ A large majority of global business data resides on the mainframe ▪ Mainframe is the most securable platform, incredibly difficult to breach ▪ Mainframe accessible to select trusted users ▪ Likelihood of insider threats less than other systems, but impact can be very severe!! (DBAs/Sysprogs/Developers have access to sensitive data)

Source: https://www.scmagazine.com/cios-believe-mainframe-secure-but-still-worry-over-insider-threats/article/666583/

▪ Threats and Risks: – More security breaches (>75%) occur through insider threats – Both accidental data loss as well as Intentional data theft – Regulatory Compliance as well as Intellectual Property ▪ Intentional: – Suspicious Access/Login attempts – Irregular pattern of data and application access, data manipulation ▪ Unintentional: – Processes: Development, Testing, Recovery, Copy, Reporting of data – Insufficient/inaccurate identification and accidental loss/compromise of sensitive data

Legislation approved by the EU Parliament and the EU Council on April 27, 2016 Effective date: May 25, 2018…190 days from today

The legislation requires enterprises worldwide to apply rigorous practices for the acquisition, management, and privacy protection of EU citizen data

▪ For EU chartered enterprises, interpretation is clear: implementation date is imminent ▪ For non-EU chartered enterprises, interpretation is less clear: ▪ How fines can be imposed? – Enterprises with EU interests or assets could have them frozen or otherwise made unavailable – Enterprises processing EU citizen data who have no direct interests of assets in the EU may still experience pressure from customers, business partners, and their local governments

Article 5 Articles 6-8 Article 15 Article 17 Article 20 Handling Citizen Right to Right To Be Right to Personal Consent Access Forgotten Data Data Article 83 Portability

Articles Articles 33 Article 35 Articles 37- Article 50 25 & 32 & 34 PenaltiesImpact 39 Data International Data Reporting Assess- Protection Companies Protection Data ments Officer Breaches

Securing and Protecting sensitive data

(e.g. data masking, data encryption, subsetting during unload/cloning, etc.) vs. Securing and Protecting every system and user that comes in contact with sensitive data

(More controls/micro-management of DBA/Sysprog access?)

• We often view the world from the edge inward - Defend from external threats

• Mainframe is usually deep within the network, under several layers of security, but vulnerable to credential theft and insider threat

• For Mainframe, it’s important to examine Security from the bottom up:

1) Start with the 3) Monitor access Data to that data

2) Understand what 4) Limit access to data might be at the minimum set of risk to theft users

Ensure Availability of Archived data Identify and Classify new Sensitive data Create/ Identify changes to Sensitive data Protection of sensitive archived data Change Non-recoverability of destroyed data Report (Data backup & recovery) (Content discovery, Schema management, Restrict/Verify Access Data loads) Archive/ Detect irregular access / Store/ Destroy consumption Copy Real-time notifications (potential Mask data at rest breach) Mask/Encrypt data in motion (Audit compliance with data/schema (Test environment/data creation, etc.) Ensure Subsetting changes, Event Management, Data (Data cloning, unload, etc.) security analytics) Share/ Use Report

Mask/Encrypt data in motion (Data extraction, unload, test data creation, etc.)

✓ Dataset security on key datasets – CXX, LXX, Code libraries ✓ Integration with external security for data access ✓ Path, Content, Metadata – access path, data content, data definitions ✓ Implementation of data protections at rest – guard against non database access (TSO, DITTO, Etc.) ✓ Presspack Strong Compression – obscures database content ✓ Built-in Encryption – encrypts data base content ✓ IBM Pervasive Encryption – encrypts non-database storage (backups, extracts)

✓ Dataset security on key datasets – Database files, Dictionary files, Journal files, Code libraries ✓ Integration with external security for data access ✓ Users, databases, tasks – access, data, data definitions, program execution

✓ Implementation of data at rest protection ✓ Presspack Custom Compression – obscures database content ✓ ASPG Encryption – encrypts data base content at record or field level ✓ IBM Pervasive Encryption – encrypts VSAM defined databases, as well as non- database storage (backups, extracts)

✓ CA RC/Extract for sub-setting as opposed to copying all data

✓ CA Model services and Utility Profile services to automate tasks required for audits such as image copies, granting access to new objects

✓ Db2 Integration with external security for data access ✓ Tables, Views, Plans, Special Privileges( SYSADM, SYSOPR, DBADM,…)

✓ IBM Pervasive Encryption – encrypts Db2 Table/Index Spaces defined databases, as well as Image Copies, Unload datasets, extracts, etc.

How are you addressing these threats?

Do you have processes and tools in place?

Are you working towards GDPR/compliance deadlines?

How can CA help?

17 #CAWORLD #NOBARRIERS COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED Recommended Sessions for Db2 SESSION TITLE DATE/TIME Secrets of the Pros: Mitigate those pesky Mainframe database MFX133E NOV 13 @ 3:30pm performance problems MFX135E Analytics as a Weapon to Proactively Manage Db2 Performance NOV 14 @ 10:00am How to Get the Most out of Your Db2, Db2 Management MFX136E NOV 14 @ 11:00am and Analytics Investment Strategic Direction Session: Enhancing Data Privacy With Data- MFT13S NOV 15 @ 12:45pm Centric Security for Mainframe

MFT24T How CA-Detector for z/OS solved my BIF worries NOV 15 @ 1:45pm

MFT37T Proactive Database Management With Db2 Intelligence NOV 15 @ 3:30pm

MFT47T Insider Threat Prevention on the Mainframe NOV 15 @ 4:15pm

MFT32T Reduce Mainframe Insider Threats Through Machine Learning NOV 16 @ 4:15pm

CA Data CA CA Trusted CA Mainframe Content Compliance Access Manager Operational Discovery Event for Z Intelligence Manager Mainframe Theatre Mainframe Theatre Mainframe Theatre Mainframe Theatre Station 608/609P

CA Mainframe CA Dynamic CA Storage CA Database Databases Capacity Management Management Intelligence for Db2 for z/OS Mainframe Theatre Mainframe Theatre Mainframe Theatre Mainframe Theatre Station 614P Station 607P Station 617P Station 615P

Stay connected at communities.ca.com

For more information on Mainframe, please visit: http://cainc.to/CAW17-Mainframe