The document discusses securing IBM MQ environments and messages. It outlines the business need for connectivity and how an increasingly connected environment also increases security risks. It then discusses various methods for securing MQ, including authentication, authorization, auditing, and encryption. It emphasizes that securing systems is important but proving security through auditing and documentation is also critical. Finally, it recommends that readers review their MQ security policies and practices to ensure they are up to date on the latest versions and security features.
2. Agenda
The business fundamentals of why you need to secure your MQ environment
What you need to know when securing your MQ environment
AME4171 @LeifDavidsen @MoragHughson
3. The need for connectivity is growing
Connectivity in business infrastructure is increasing
• More information, more systems, more services, deployed anywhere
Connect systems together
• Deliver timely updates of targeted data
• Gain business insight
• Applications and data become valuable assets, not growing costs
New sources of data are changing the world
• However data without connectivity becomes a burden, not an asset
4. Connectivity outside the enterprise – clouds, mobile and more
Systems are dynamic – new applications, new sources of data, new consumers of data
• The challenge of delivering data to meet changing demands needs a flexible infrastructure
Roll-your-own code in the applications
• Increases cost, time and complexity, but can deliver the code where you need it
Storing the data in a database or file
• Creates a permanent record, but does nothing to provide timely analysis
A messaging infrastructure can meet both needs
• Keeps the application simple and able to adapt to change
• Can deliver filtered information to consuming applications, and also deliver to a permanent information store
5. The realities of an increasingly connected environment
Increasing connectivity increases complexity
Complexity is not just defining, building and operating environments, but complexity in security as well
What is a secure environment for an IT system?
Connected systems are almost the definition of an insecure environment
Every system represents a point of attack/risk
Adding multiple security layers across multiple systems is likely to create an unusable environment
Not to mention huge performance implications
6. What are the costs of security risks
Figures used in this presentation: 2014 Cost of Data Breach Study from Ponemon Institute and IBM – See it here: https://ibm.biz/BdE5qP
7. Pressures deflecting from security
Challenge over complex IT systems
• Simpler approach required
• Speed essential
Performance of systems
• Time taken to achieve desired outcome
Pressure on skills and resources
• More generalists
• Fewer specialists
• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions
• Security seen as burden rather than a business asset
• Focus on IT/Resource spend on positive outcomes
8. Cost per record of data breach (per industry)
9. Can you afford to take risks?
Your IT environment is becoming hyper-connected.
You need to secure your systems
You need to understand the risks if you don’t secure them
You need to understand the risks if you secure them inefficiently
External threats to your business
• Targeted attempts
• ‘Mass-market’ attempts
Internal threats
• Disaffected employees
• Errors or poor processes
Regulatory compliance
• Industry, legal or other types of rules/regulations
Business directives
• Corporate directives to be met
10. Breakdown of the risks
Can’t simply focus on protecting from hacking – need robust processes and end-to-end security approaches
11. Risks with an external breach
Exposure and loss of corporate data
Loss of internal and external trust in the business
Loss of reputation
Compromise of business systems and data can put at risk existing products, and future developments
Exposure of customer information
Potential for damages
Penalties in market and from regulators
Potential for legal action if due care was not taken to protect systems
12. Costs to your business with a security breach
The costs of cleaning up a security breach are likely to outweigh the costs of implementing a strong security policy
13. Risks with an internal breach
Were processes followed?
Was it deliberate or accidental?
What data has been exposed?
If a retailer is breached, has customer data, especially payment data, been exposed?
If a healthcare provider is breached, has patient or clinical data been affected?
If a manufacturing company is breached, have confidential designs or other materials been released?
Life sciences… Aerospace… Investment bank…
14. The burden of proof
Being secure is not enough – you need to prove it
The most secure system in the world is nothing without being able to pass an audit
Security is more than just authentication, authorization and encryption
• Process
• Logging
• Records
Every step from initial configuration, through to removal of access, must be verifiable
15. Implications of applying security
Adds complexity to configuration, operation, maintenance
Who manages security?
• What other access do they have?
• Is security done globally, locally, by system?
Authentication
• System specific, repository
Authorisation
• Users, roles, groups?
Encryption
• Data in flight? Data at rest?
Logging, auditing
• Prove to yourself
• Prove to auditor
16. Connecting your enterprise with MQ
Provides messaging services to applications and Web services that need to exchange data and events with: pervasive devices and sensors (e.g. RFID), regional and branch offices, mobile phones, petrol forecourts, refineries, retail stores and zEnterprise systems, across financial services & banking, manufacturing, government and retail
Universally supported by multiple platforms; 20 years leading in transactional message delivery
• Inherent reliable delivery and transaction control
• Native, high-speed handling of any type of message or file
• Native lightweight capabilities for supporting remote devices & sensors
• End-to-end advanced security
• Single point of control, visibility, and management for all data movement
• Applications become more flexible and data movement becomes more reliable
• Capabilities like the Coupling Facility in System z provide unique strengths
• Extensive support through years of development, skills and partner ecosystem extensions
• Comprehensive single solution reduces complexity of deployment and operation
[Diagram: Application A and Application Z exchanging messages through queue managers connected by channels, with the endpoints listed above]
17. Moving data using files is risky too
Process Risk
• Delays in transferring files impacts collaboration with customers/partners
• Integration files that are delayed impact SLAs
• Failure of file delivery impacts the processes themselves
Security Risk
• Data encryption and governance of sensitive information transmitted in files
• Inability to apply corporate security policies to person-initiated file transfers
• No visibility over the type and sensitivity of the data being transferred
• No ability to support audit requirements
18. Authentication
Digital Certificates
• Mutual or queue manager only authentication
• Encrypt and tamper proof your traffic
User ID and Password Validation
• New in IBM MQ V8
• Use of MQ Light is gated by password validation
[Table: support for SSL/TLS, Password Validation and IP Filtering on MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service, on a restricted network), DataPower and MQ Appliance; the check marks did not survive extraction]
IP filtering
• In MQ you no longer need exits; MQ V7.1 provides CHLAUTH
• The MQ Light Service in Bluemix is on a restricted network that only the users bound to that Bluemix instance can connect to.
19. Authorization
[Table: machine specific vs external repository authorization on MQ (z & Dist), MessageSight (machine specific for demos only), MQ Light (S/O & Bluemix Service: N/A single user, or Bluemix instance), DataPower and MQ Appliance (machine specific for demos only); the check marks did not survive extraction]
Granular access control
• Covers operations by applications (e.g. put and get) and administrative tasks (e.g. alter and start)
• OAM on distributed MQ; SAF on z/OS MQ
MQ utilises machine specific user IDs (OS IDs)
Appliances can use machine specific user IDs for demo purposes, or for production expect use of a centralized repository of user IDs (LDAP)
MQ Light only allows Bluemix users that are bound to that instance to have any access to the MQ resources, but those users have no administration access.
20. Auditing
Keep track of who does what
Security failures are reported to provide an audit trail
• MQ Event messages
• MessageSight log files
• MQ Light is self-service so no admin role, e.g. queues are automatically created on first use
[Table: reporting of Security Failures, Commands Issued and Configuration Changes on MQ (z & Dist, security failures via SAF on z/OS), MessageSight, MQ Light (S/O & Bluemix Service: N/A for all three), DataPower and MQ Appliance; the check marks did not survive extraction]
21. Encryption
Hiding your valuable data from prying eyes
• Link-level encryption from SSL/TLS protocols
• End-to-end encryption from AMS
[Table: link-level vs end-to-end encryption support on MQ (z & Dist), MessageSight, MQ Light (S/O & Bluemix Service), DataPower and MQ Appliance; the check marks did not survive extraction]
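As an added example (not code from the deck, and not IBM's own configuration), this MQSC script applies slides 18 to 21 together on a distributed queue manager: password validation and mutual TLS on a client channel, CHLAUTH in place of an IP-filtering exit, least-privilege OAM records, audit event messages, and an AMS end-to-end policy. The channel name, queue name, OS group, subnet and certificate DNs are assumed; SET POLICY is assumed to be available as the MQSC form of setmqspl on MQ V8 and later.

```mqsc
* Added example, not from the deck. Assumed names: channel APP.SVRCONN,
* queue APP.IN, OS group appgrp, application subnet 10.1.2.*,
* certificate DNs CN=app1,O=Example (sender) and CN=svc,O=Example (reader).
*
* --- Authentication: user ID and password validation (MQ V8 CONNAUTH) ---
* CHCKCLNT(REQUIRED) rejects client connections that present no valid
* password; FAILDLAY delays each failure response to slow down guessing.
DEFINE AUTHINFO(APP.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
       CHCKLOCL(OPTIONAL) FAILDLAY(1) REPLACE
ALTER QMGR CONNAUTH(APP.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)
*
* --- Authentication: mutual TLS on the client channel ---
* SSLCAUTH(REQUIRED) makes the client present a certificate; MCAUSER is an
* unprivileged ID so the connection never runs under a client-asserted ID.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       MCAUSER('nobody') REPLACE
*
* --- IP filtering with CHLAUTH (no security exit needed) ---
* Default deny for every address on this channel. The SSLPEERMAP rule is
* more specific (peer DN plus address) and takes precedence, mapping the
* certificate to a known MQ user rather than trusting a flowed user ID.
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny on APP.SVRCONN')
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=Example') +
    ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('appuser') +
    DESCR('app1 certificate from the application subnet only')
*
* --- Authorization: least-privilege OAM records for the application group ---
SET AUTHREC OBJTYPE(QMGR) GROUP('appgrp') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE(APP.IN) OBJTYPE(QUEUE) GROUP('appgrp') AUTHADD(PUT,GET,INQ)
*
* --- Auditing: event messages for failures, commands and config changes ---
* These arrive on the SYSTEM.ADMIN.*.EVENT queues and form the audit trail
* the deck asks for; forward them to the log collector the auditors review.
ALTER QMGR AUTHOREV(ENABLED) CHLEV(ENABLED) SSLEV(ENABLED) +
           CMDEV(ENABLED) CONFIGEV(ENABLED)
*
* --- Encryption: AMS end-to-end policy (the TLS above is link-level only) ---
* Assumed MQSC form of setmqspl (MQ V8 and later). Messages on APP.IN are
* signed by app1 and readable only by svc, including while at rest.
SET POLICY(APP.IN) SIGNALG(SHA256) ENCALG(AES256) +
    SIGNER('CN=app1,O=Example') RECIP('CN=svc,O=Example') +
    ENFORCE ACTION(ADD)
```

Run it with `runmqsc <queue manager name> < script.mqsc` and then read the event queues to confirm that a connection attempt from outside the subnet produces a channel event rather than a session.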
22. What now?
Review your systems for currency
• Are you using the latest MQ versions with the most robust features?
• Are you up to date on fixpacks?
• Have you applied the latest OS/firmware updates?
Do you have an end-to-end security policy?
• Protecting your systems: implementing built-in MQ security features?
• Protecting your messages: implementing MQ AMS?
• Do you know how to review your logs?
Work with your audit teams to ensure they are happy with your policy, process and implementation
24. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business
Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,
OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®,
PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-
Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other
product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
25. Thank You
Your Feedback is Important!
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.
Editor's notes
Every client we talk to today is looking to do more. Now in many cases a lot of it will be doing more with less – but always there is a need to do more – and at the heart of everything is connectivity. Connecting systems, connecting services – and essentially what they are looking to do is to connect sources of information. There are new information sources springing up everywhere – and it is these new sources of data that are changing the world – creating new data to bring value to businesses – but unless this data is moved from where it is created to where it can be consumed to add value to the business then it is simply a burden to the business.
So what is really important is that our clients need to connect systems together, ensuring newly created data is delivered to where it can provide value – and that is likely to be as soon as possible – just when it is created – that will create timely business insight to deliver value to the business – and then all this new data is no longer a burden, but instead it is a valuable asset.
So – for all this data to be created and consumed – what needs to happen? Especially given that just as new sources of data spring up quickly – so do the systems that consume them – and these are also likely to change – grow – and even disappear. So what is the best way to move this data, to deliver the value, but without overly burdening the infrastructure and application teams? Because if we try to move the data in the application, through even simply custom coding, then it will slow the coders down, add complexity and errors, and increase costs for development and maintenance. So although you might end up with a solution – it is a solution you will need to keep changing – and the coders had better have catered for all the possible failure scenarios for the movement of data.
Maybe it is simpler to just dump it to disk – maybe a file or database – but that will slow things down – won’t deliver it as it is created to an application and adds to the problem of data without adding value.
A better solution is to use a messaging infrastructure – a common set of APIs for the application to use to package and move the data – data which can be delivered to consuming applications quickly, simply, reliably and securely – even based on filters, and distribution mechanisms like publish/subscribe which can ensure the right information is delivered to the right consumer – helping to reduce the burden of processing all the data – and delivering more data faster.
As we just covered MQ provides guaranteed, assured messaging that provides transactional integrity with the speed and security that any enterprise will need for mission critical applications. E.g., transactions at a bank, money movement in finance sector, retailer processing of payment card or purchase details, border security and immigration processing, moving data through factories and in and out of ERP systems
MQ enables you to connect applications and services together with valuable qualities-of-service.
Applications can exchange information without tying themselves up – just like email, where people communicate asynchronously.
MQ has been doing all this for years – we have 10000+ customers who have built their businesses around it – and rely on it not just every day – but every second.
It helps their businesses be more flexible, more reliable and more secure. Deployments on platforms like System z with its coupling facility help customers to be robust and recover from failures without interrupting their processing – and we have hundreds if not thousands of partners and skilled practitioners to support these deployments – as well as big teams in IBM enhancing the product and delivering major new updates – such as the new IBM MQ V8.
What we are therefore talking about with file transfers is in fact risk – the risk to your business process, the security risk, and the fundamental risk to your business when you use FTP to move your data without effective controls in place and without it being well integrated and controlled as part of your business, linked to your applications, linked to your business processes, and linked to your management controls and dashboards.
To avoid, or at least to manage and reduce, these risks, IBM has a Managed File Transfer solution to help you address them – to help you better provide your processes with the right data at the right time. And also to ensure the security of your data doesn’t compromise your business and your customers’ trust in you to handle their data securely.