The document discusses securing IBM MQ environments and messages. It outlines the business need for connectivity and how an increasingly connected environment also increases security risks. It then discusses various methods for securing MQ, including authentication, authorization, auditing, and encryption. It emphasizes that securing systems is important but proving security through auditing and documentation is also critical. Finally, it recommends that readers review their MQ security policies and practices to ensure they are up to date on the latest versions and security features.

1. © 2015 IBM Corporation
The bits, bytes and business benefits
of securing your MQ environment
and messages
Morag Hughson - hughson@uk.ibm.com
Leif Davidsen – Leif_Davidsen@uk.ibm.com
IBM Hursley - UK

2. Agenda
 The business fundamentals of why you need to secure your MQ
environment
 What you need to know when securing your MQ environment
3AME4171 @LeifDavidsen @MoragHughson

3. The need for connectivity is growing
Connectivity in business
infrastructure is
increasing
• More information, more systems, more
services, deployed anywhere
Connect systems together
• Deliver timely updates of
targeted data
• Gain business insight
• Applications and data become
valuable assets, not growing
costs
New sources of data are
changing the world
• However data without
connectivity becomes a burden
not an asset
4AME4171 @LeifDavidsen @MoragHughson

4. Connectivity outside the enterprise – clouds,
mobile and more
Systems are dynamic – new applications, new
sources of data, new consumers of data
• The challenge of delivering data to meet
changing demands needs a flexible
infrastructure
Roll-your-own code in the applications
Increases cost, time and complexity, but can deliver the code
where you need it
Storing the data in a database or file
Creates a permanent record, but does nothing to provide
timely analysis
A messaging infrastructure can meet both needs
• Keeps the application simple and able to adapt to change
• Can deliver filtered information to consuming applications, and
also deliver to a permanent information store
5AME4171 @LeifDavidsen @MoragHughson

5. The realities of an increasingly connected environment
Increasing connectivity increases complexity
Complexity is not just defining, building, operating environments but complexity in
security as well
What is a secure environment for an IT system?
Connected systems are almost the definition of an insecure environment
Every system represents a point of attack/risk
Adding multiple security layers across multiple systems is likely to create an
unusable environment
Not to mention huge performance implications
66AME4171 @LeifDavidsen @MoragHughson

6. What are the costs of security risks
Figures used in this presentation: 2014 Cost of Data Breach Study from Ponemon Institute and IBM –See it here: https://ibm.biz/BdE5qP
77AME4171 @LeifDavidsen @MoragHughson

7. Pressures deflecting from security
Challenge over Complex IT systems
Simpler approach required
Speed essential
Performance of systems
Time taken to achieve desired
outcome
Pressure on skills and resources
More generalists
Fewer specialists
8
• Differences between systems
• Different rules and regulations for different countries
• Varying audit requirements between business divisions
• Security seen as burden rather than a business asset
• Focus on IT/Resource spend on positive outcomes
8AME4171 @LeifDavidsen @MoragHughson

8. Cost per record of data breach (per industry)
99AME4171 @LeifDavidsen @MoragHughson

9. Can you afford to take risks?
Your IT environment is becoming hyper-connected.
You need to secure your systems
You need to understand the risks if you don’t secure them
You need to understand the risks if you secure them inefficiently
External threats to your business
Targeted attempts
‘Mass-market’ attempts
Internal threats
Disaffected employees
Errors or poor processes
Regulatory compliance
Industry, legal or other types of rules/regulations
Business directives
Corporate directives to be met
1010AME4171 @LeifDavidsen @MoragHughson

10. Breakdown of the risks
Can’t simply focus on protecting from hacking – need robust processes
and end to end security approaches
1111AME4171 @LeifDavidsen @MoragHughson

11. Risks with an external breach
Exposure and loss of corporate data
Loss of internal and external trust in the business
Loss of reputation
Compromise of business systems and data can put at risk existing
products, and future developments
Exposure of customer information
Potential for damages
Penalties in market and from regulators
Potential for legal action if due care was not taken to protect systems
1212AME4171 @LeifDavidsen @MoragHughson

12. Costs to your business with a security breach
The costs of cleaning up a security breach are likely to outweigh the
costs of implementing a strong security policy
1313AME4171 @LeifDavidsen @MoragHughson

13. Risks with an internal breach
Were processes followed?
Was it deliberate or accidental?
What data has been exposed?
If a retailer breached, has customer data, especially payment data, been
exposed?
If a healthcare provider breached, has patient or clinical data been
affected
If a manufacturing company breached, have confidential designs or
other materials been released?
Life sciences…Aerospace….Investment bank…
1414AME4171 @LeifDavidsen @MoragHughson

14. The burden of proof
Being secure is not enough – you need to prove it
The most secure system in the world is nothing without being able to
pass an audit
Security is more than just authentication, authorization and encryption
Process
Logging
Records
Every step from initial configuration, through to removal of access must
be verifiable
1515AME4171 @LeifDavidsen @MoragHughson

15. Implications of applying security
Adds complexity to configuration, operation, maintenance
Who manages security?
What other access do they have?
Is security done globally, locally, by system?
Authentication
System specific, repository
Authorisation
Users, roles, groups?
Encryption
Data in flight? Data at rest?
Logging, auditing
Prove to yourself
Prove to auditor
1616AME4171 @LeifDavidsen @MoragHughson

16. Connecting your enterprise with MQ
Provides messaging services to applications and Web
services that need to exchange data and events with:
Universally supported by multiple platforms 20 years
leading in transactional message delivery
• Inherent reliable delivery and transaction control
• Native, high-speed handling of any type of message
or file
• Native lightweight capabilities for supporting remote
devices & sensors
• End-to-end advanced security
• Single point of control, visibility, and management for
all data movement
• Applications become more flexible and data movement becomes
more reliable
• Capabilities like the Coupling Facility in System z provide unique
strengths
• Extensive support through years of development, skills and
partner ecosystem extensions
• Comprehensive single solution reduces complexity of deployment
and operation
Message
Q Manager
Q Manager
Application Z
Application A
Channels
Pervasive
Device
Sensor
e.g. RFID
Regional
Office
Mobile
Phone
Petrol
Forecourt
Refinery
Branch
Office
Retail
Store
zEnterprise
Financial
Services
& Banking Manufacturing
GovernmentRetail
17AME4171 @LeifDavidsen @MoragHughson

17. Moving data using files is risky too
Process Risk
 Delays in transferring files impacts
collaboration with customers/partners
 Integration files that are delayed impact
SLAs
 Failure of file delivery impacts the
processes themselves
Security Risk
 Data encryption and governance of
sensitive information transmitted in files
 Inability to apply corporate security
policies to person-initiated file transfers
 No visibility over the type and sensitivity
of the data being transferred
 No ability to support audit requirements
18AME4171 @LeifDavidsen @MoragHughson

18. Authentication
 Digital Certificates
 Mutual or queue manager only authentication
 Encrypt and tamper proof your traffic
 User ID and Password Validation
 New in IBM MQ V8
 Use of MQ Light is gated by password validation
SSL/TLS Password Validation IP Filtering
8 8 8 8 8 8 MQ (z & Dist)
8 8 MessageSight
8 8 8 8Restricted
network
MQ Light
(S/O & Bluemix Service)
8 DataPower
8 8 8 MQ Appliance
 IP filtering
 In MQ you longer need exits, MQ V7.1 provides
CHLAUTH
 The MQ Light Service in Bluemix is on a restricted
network that only the users bound to that Bluemix
instance can connect to.
19AME4171 @LeifDavidsen @MoragHughson

19. Authorization
Machine specific External repository
8 8
@
MQ (z & Dist)
8 Demos only 8 MessageSight
N/A
(Single User)
8
(Bluemix Instance)
MQ Light
(S/O & Bluemix Service)
DataPower
8 Demos only 8 MQ Appliance
 Granular access control
 Covers operations by applications (e.g. put and get) and administrative tasks (e.g. alter and start)
 OAM on distributed MQ; SAF on z/OS MQ
 MQ utilises machine specific user IDs (OS IDs)
 Appliances can use machine specific user IDs for demo purposes, or for production expect use of
centralized repository of user IDs (LDAP)
 MQ Light only allows Bluemix users that are bound to that instance to have any access to the MQ
resources, but those users have no administration access.
21AME4171 @LeifDavidsen @MoragHughson

20. Auditing
 Keep track of who does what
 Security failures are reported to provide an audit trail
 MQ Event messages
 MessageSight log files
 MQ Light is self-service so no admin role, e.g. queues are automatically created on
first use
Security Failures Commands Issued Configuration Changes
8 via SAF 8 8 8 8 8 MQ (z & Dist)
8 8 8 MessageSight
N/A N/A N/A MQ Light
(S/O & Bluemix Service)
DataPower
8 8 8 MQ Appliance
23AME4171 @LeifDavidsen @MoragHughson

21. Encryption
 Hiding your valuable data from prying eyes
 Link-level encryption from SSL/TLS protocols
 End-to-end encryption from AMS
Link-level End-to-end
8 8 8 8 MQ (z & Dist)
8 MessageSight
8 MQ Light
(S/O & Bluemix Service)
8 DataPower
8 8 MQ Appliance
25AME4171 @LeifDavidsen @MoragHughson

22. What now?
Review your systems for currency
Are you using the latest MQ versions with the most robust features?
Are you up to date on fixpacks?
Have you applied the latest OS/firmware updates?
Do you have an end-to-end security policy
Protecting your systems
Implementing built-in MQ security features?
Protecting your messages
Implementing MQ AMS?
Do you know how to review your logs?
Work with your audit teams to ensure they are happy with your policy, process and
implementation
2727AME4171 @LeifDavidsen @MoragHughson

23. Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any
form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed
for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no
responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN
NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF
DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms
and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as
illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or
other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or
services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the
views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal
or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to
the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions
the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or
products will ensure that the customer is in compliance with any law.
28

24. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
•IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business
Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,
OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®,
PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-
Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other
product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

25. Thank You
Your Feedback is
Important!
Access the InterConnect 2015
Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.