Part 1. Overview of security fundamentals
By this point in time, Information Technology (IT) has become woven into the
very fabric of business. Few people today can afford to be without the
specialized computing and security knowledge that enables them to make sound
business decisions. In this IBM Redbook, we explain the security risks that
businesses face, and teach you the methodologies and technologies that are
available to minimize those risks.
This part of the document describes the business need for security in Information
Technology, and explains its fundamental concepts. These requirements and
concepts are independent of any hardware or software platform. Therefore, we
also discuss the mainframe technical procedures that are used to implement a
set of secure business applications.
We document how these concepts are implemented on various software
platforms and in example environments, and describe the specific elements of
security which comprise these concepts in four chapters.
- Chapter 1, "Security and the mainframe", defines information security and
  describes the mainframe computer. It outlines the features which
  differentiate the mainframe from other types of computer systems, and
  compares the value of data to the cost of protecting it.
- Chapter 2, "The Internet Bookstore - a case study", introduces a case study
  that allows you to see how security is implemented in various corporate
  environments using mainframe computers.
- Chapter 3, "Security concepts", describes the concepts of confidentiality,
  integrity, and availability in detail. It discusses the importance of each
  concept, then goes on to explain the threats each one faces in today's
  environment.
- Chapter 4, "Elements of security", defines the elements that make up
  computer security concepts. Identification and authentication are described
  in detail, and data classification and separation of duty are expanded upon
  with examples of roles in the enterprise. We introduce authorization with a
  focus on access control, and also consider encryption as a security element.
After completing Part 1, you will have an understanding of why security is such a
concern to business enterprises. You will be able to list specific examples of
where data is at risk and the consequences of failing to secure it. You will also be
able to describe how threats are identified and risks are assessed, and list some
options that can help deal with the risks.
Chapter 1. Security and the mainframe
Objectives
After completing this chapter, you will be able to:
- Address the purpose of security and explain why we use it
- Explain the importance of information security in business
- Understand the costs of classification of assets that security tries to offset
- Describe what a mainframe is
- List the major benefits delivered by the mainframe in comparison to other
  platforms
- Understand separation of duties
one or more disciplines, and security certifications are recognized the world over.
Staff members who are in a position to influence the surety of a completed
transaction are responsible for their part of the process.
2 S. Loveland, G. Miller, R. Prewitt, and M. Shannon: Testing z/OS: The premier operating system for
IBM's System z server, IBM Systems Journal, Volume 41, Number 1, 2002
Later chapters in this book show how others in the industry endeavor to copy and
emulate the benefits delivered by the mainframe and its various operating
systems. Those with UNIX skills may see some very familiar concepts being
described. These concepts are new to UNIX systems but they have been
implemented and honed for decades on the mainframe.
To learn about the history of the mainframe, refer to the following site:
http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_intro.html
1.3 Summary
The IT security discipline is an attempt to implement the concept of business
resilience and continuity. Business resilience and continuity is the practice of
ensuring that nothing prevents a business transaction or other authorized
exchange of money or information from occurring, and ensuring that information
is protected from unauthorized access. Security should be a component of the
business plan, and it needs to be considered in every step of the business setup
process.
3 Vertical skill sets are specialized in knowledge, but apply across all customers or markets.
Horizontal skill sets are general in knowledge, and apply to specific customers or markets.
business continuity
business resilience
data classification
disaster recovery
risk management
security
separation of duty
virtualization
Chapter 2. The Internet Bookstore - a case study
Objectives
After completing this chapter, you will be able to:
- Describe a sample scenario in which security concepts are implemented,
  such as:
  - Name the partners and describe their involvement
  - Explain the process of buying a book
  - Describe security risks for this process and when dealing with partners
- Explain the major components of a security policy
- Describe the role that audit and metrics play for IT security
Figure 2-1 Case study: The Internet Bookstore and its partners (diagram showing the Internet Bookstore, Customer, Courier, and Bank)
Note: The assumption here is that you want to focus on your core business
and not be directly responsible for the shipment of books to customers. So you
could maintain a stock of the most popular books, then have agreements with
at least one publisher who has other books in large quantities and a courier
service. However, to simplify the scenario we will not include a publisher here
and instead assume you have the books in stock.
To run the business, you will require direct interfaces to the most popular credit
card companies and possibly to some banks or online payment providers. Also,
several languages if problems should arise. You also retain records for reference
in case of a dispute or other issues.
Interim processes and communication are not significant to the overall
completion of the transaction as far as the customers are concerned; they simply
happen. The customers' only concern is that the correct book is paid for and
received in a timely and secure manner. End users typically do not have
documented security policies, although some might implement a de facto policy
by running anti-virus software, a personal firewall, and spyware or adware
elimination software. At the same time, they expect you to protect their private
information and identity.
into question. You keep in mind the legal considerations: your company
representatives might be called upon to prove that your business has sufficient
safeguards in place, has taken every reasonable precaution in common use, and
can demonstrate an evidential chain of custody.
And you also keep in mind that you owe your employees the same degree of
privacy that you provide your customers.
for holding their subcontractors to the same security standards as those to which
you hold them, and they are subject to audits at your discretion. You work with
the courier through the Internet with Virtual Private Network (VPN)
communications. Transactions include sending shipping orders, authorizing
customer returns, and receiving a monthly bill from the courier.
Procedure
Baseline
Definitions paraphrased from Hansche, et al., Official (ISC)² Guide To The CISSP Exam, Auerbach,
2004, 0-8493-1707-X
Guideline
Your financial backers also want to know that everything is being done to
minimize the risk to their investment. They test the implementation of your
business plan by auditing results. Audit scope can range from the examination of
financial records, business processes, and controls, to the validation of highly
technical settings and parameters, as well as ethical hacking attempts.
Metrics: The means of measuring performance; indicators of improvement.
2.5 Summary
Imagine that you want to open your own Internet bookstore. You need an
agreement with at least one publisher who has a source of books in large
quantities, and a courier service. You require direct interfaces to the most
popular credit card companies, and potentially to some banks or online payment
providers. You want the customers' experience to be trouble-free, so you will
handle all aspects of inventory, payment, shipment, and customer service
yourself.
Your customers need to trust your bookstore; that is, they must be assured that
your bookstore is secure. Your security policy should establish security
objectives, instruct that the program be implemented, assign responsibilities, and
require that results be measured. The policy is a directive that there must be
standards, procedures, and baselines, and possibly guidelines.
Audits and metrics related to your financial records, business processes and
controls, and the validation of highly technical settings and parameters can
ensure that everything is being done to minimize the security risk for your
business.
Change happens, and changes must be controlled and recorded. This means
that change management is a critical component of a security architecture and
policy.
guideline
metrics
procedure
security policy
standard
2.9 Exercises
Write a high-level security policy to protect your Internet Bookstore's financial,
customer, transactional, and employee information. The security policy should
describe in detail what the lower-level procedures, standards, and guidelines
contain, and indicate the scope of compliance, including who must comply with
this policy.