MFA Viewed From Mainframe Myths - Stu Henderson

Transcription

MFA for z/OS as viewed from Mainframe Myths: Lessons Learned

Security on System z: Reducing risk for the Enterprise

Basic Insurance Policy: 100,000 Liability
- Rider: Excess replacement for valuable items
- Rider: Excess medical coverage
- Rider: Unlimited vehicle towing
- Rider: Excess liability insurance 3,000,000

Basic Security: System z RACF
- Data Encryption services
- Enterprise Key mgt
- Identity Management
- Compliance Reporting
- Fraud Prevention, Forensics and Analytics

© 2018 Rocket Software Inc. All rights reserved.

IT Organization Wars – at a business near you?

[Diagram: Distributed Business Unit Architects | Distributed Business Unit Architect and Operations | Centralized Glass House Operations]

Silos of computing are the worst thing for security (and resilience)

Myths – try not to propagate them
- The mainframe has never been hacked
  Not true. There has been a case where a poorly managed IT infrastructure was deployed that didn't keep software up to date for known system integrity issues and an outsider got in. There are also cases where insiders have sabotaged the system.
  Is that a hack? Depends on the definition. It should be considered a breach.
  - Could it have been prevented? Probably, with some additional analytics deployed.
  There have been several cases where PCs and mobile devices have been compromised.
  - From those devices, sign on to the mainframe was done and trusted.
  - That might not be a hack either, but it results in data theft.
  - It can also be prevented.
- Collaboration of IT operations across systems is critical to driving end to end security

What is Security from a customer view?
Security is not all about technology! It's really all about people.

- Policy
- Corporate Directive
- Regulatory Compliance (e.g. HIPAA, Sarbanes-Oxley, GDPR)
- Technology (e.g. RACF, ACF2, TSS)
- Infrastructure (e.g. IBM, Vanguard, CA, Beta)
- Components (e.g. firewalls)
- Preventative (e.g. anti-virus, intrusion defense)
- Business workflow (e.g. Analytics, audit)
- Physical (e.g. Badge Access, Biometrics)
- Multi-media (e.g. Video cameras, voice analysis)
- Executive Position (e.g. CISO, CPO)
- Skill specialty (e.g. CISSP)
- Department (e.g. Info Assurance, IT Security)

- Redundant
- Bureaucratic
- Too Sensitive
- Expensive
- Unresponsive
- Big Brother

- Many times implemented in silos.
- Each server domain has its own security authority
- Typically, it's not → a Solution

Leverage Security to make solutions better

Irrelevant facts – not myths, but not always helpful
- The mainframe is hacker resistant with security built in.
  That's true. However, security is about People, Process and Technology. The best technology can easily be circumvented by poor processes, human error and insider theft.
  Security is also only as good as the weakest link. The weakest link is typically the end user device, which is usually a PC or mobile device.
  - If that device is not secure or is compromised, then all systems that the device accesses can be compromised as well.
- Collaboration of IT operations across systems is critical to driving end to end security

Why should I care? What's at risk? What's at stake? Breach cost?
- Disclosure of sensitive data
- Customer trust
- Research and recovery
- Service interruption
- Reputation and Brand
- Notify customers
- Privacy
- Lost customer business
- Integrity of Information
- Problem remediation
- Legal and Regulatory Action
- Claims from trusted vendors and business partners
- Corruption of operational data
- Fraud and ID Theft
- Theft of services
- Competitive Advantage
- Damage to brand image

Real Customer Problem

[Diagram: Point of Sale devices, Wireless, Bank, HQ, Hacker]

- Store uses WEP wireless for Point of Sale devices
- POS processes cards with banks
- Security patches not applied to store systems
- Hacker plugs in and gets copies of all transactions
- Problem detected and store systems are getting fixed.
- Mainframe folks are happy they are bullet proof
- Hypothesis: Mainframe could help secure stores if they use good procedures
- Store managers run inventory transactions to mainframe
  - No encryption on sign in
  - Common password on all store systems
  - No audit records analyzed

Real World Customer Problems
- That problem could never happen at my business
  Wrong – this problem can occur anywhere there is a change in security administrative control
- The weakest link in an enterprise is typically the end user interface
  Viruses, worms and Trojan Horses enable someone to hijack the end user interface. In turn, that hijacked desktop can be used to log into any other server.
  - Is it "really the authorized end user"? Perhaps not.
    - That's a large risk to a business.
- Outsourcers and mainframe IT operations have SLAs that protect the data they host on their systems.
- Do their customers and end users have SLAs that specify minimum desktop security? Do they manage desktops and mainframes together?
  Typically not – as a result, there is a major risk that a compromised end user interface can result in compromised mainframe access.
- Our Goal is to look at security management across these domains

Examples of End to End Security

[Diagram: Point of Sale, Wireless, Business Infrastructure, Store Manager, Hacker or Insider, Bank, Distribution center, HQ]

- Mainframe Userid and Password Encryption
- Multi Factor Authentication
- Virtual Private Network encryption (which exploits the zIIP)
- Audit and anomaly detection
- Fraud Forensics, Analysis and Prevention
- LAN encryption via WPA2 which exploits z/OS PKI
- z/OS PKI deployment
- PKI management
- Data Encryption

© 2009 IBM Corporation

The Trust model requires Hybrid solutions
- Who initiates a transaction and where has changed.
  Employee → Agent → Consumer → Device → ?
- User Authentication must combat fraud
  Userid/Password → Card Swipe → Chip/PIN → Two Factor Authentication with inanimate object → Multi Factor Authentication using biometrics and other Insight
- Authentication call out from System of Record
  - Engagement: Point of Sale / ATM / VPN / Desktop / Mobile
  - Record: Calls out to MFA service for authentication
  - Insight: Is object/phone cloned? Is this really that person?

Consistency of Authentication across Engagement systems is critical to driving end to end security

Myths – try not to propagate them
- Everything can be consolidated to run on System z
  Not True: No Mobile or Desktop Systems run on the mainframe
  The terms Consolidation and Centralization need to evolve:
  - Mainframe "advocates" would use them to direct physical consolidation of other architectures onto System z
    - In some camps, this makes mainframe IT orgs the "enemy" of distributed organizations
  - Instead, the term should apply to Operations.
    - A sharing of policies and IT resources for end to end solution value
    - Leverage the best of each server technology
    - The Integration of Systems of Engagement, Record and Insight

Collaboration of IT operations across systems is critical

Will the End to End solution be protected and resilient?

[Diagram]
Systems of Engagement – Theft, Loss, Virus, Trojan Horse, Misuse:
- Outsourced or Branch Office PCs, Call Centers
- Developer Desktops
- Remote / Laptop Users
- Mobile consumers and employees
Systems of Record
Systems of Insight
Shared Storage

Data may be at risk. Are you managing end to end?

Mobile and Desktop share operational characteristics
- Security
  - Device
  - Content
  - Transaction
  - Application Deployment: BYOD, Secure e-mail, Document sharing
- Engagements
  - Provide secure hosting for consumers, partners and suppliers
  - Instrument applications with security protection
  - Identify vulnerabilities in new, existing and purchased apps
  - Secure sharing across devices and between employees
  - Differing users (consumer, partner, supplier), similar operations
- Insight
  - Correlate mobile and desktop events across the broader end to end workload to identify vulnerabilities and anomalies

Systems of Engagement should share Insight with other Systems to reduce cost and risk

What is multi-factor authentication?
SOMETHING THAT YOU KNOW
- Usernames and passwords
- PIN Code
SOMETHING THAT YOU HAVE
- ID Badge
- One time passwords
- Time-based
SOMETHING THAT YOU ARE
- Biometrics Capture

Trust model must be consistent across All Systems
Suppose a business adopts a new policy:
- Multi Factor Authentication for mobile and/or desktop
  Sign on to PC / Mobile / VPN requires call out to MFA
  That user then goes to a web page with malware
  - A key logger gets installed prior to any "detection"
  User signs on to "System of Record" with userid/password
  - Those credentials are now stolen by the key logger
  - An insider theft occurs via the unlocked device while the user is out
  What prevents the thief from signing on to the System of Record?
- Better policy: Replace Userid/PW with MFA
  Sign on to PC / Mobile / VPN requires call out to MFA
  Subsequent human sign on to System of Record requires call out to MFA
  Screen saver time out requires call out to MFA
  New Insight: Cross system audit log showing user sign on behaviors

Consistency of Authentication across All systems is critical to driving end to end security
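The "cross system audit log" insight above can be made concrete with a correlation check: join MFA call-out records from the desktop/VPN side with System of Record sign-on records and flag any sign-on the MFA trail does not account for (stolen credentials replayed from another device, or no MFA call-out at all). This is an added example, not code from the slides or from IBM MFA; the record layout, field names, the sample events and the 10-minute window are assumptions made for illustration.

```python
"""Cross-system sign-on correlation (added example, not from the slides).

Joins MFA call-out events with System of Record (SoR) sign-on events and
reports sign-ons that no recent, successful MFA call-out for the same user
and device accounts for. Record format, field names and the window size
are assumptions of this example.
"""
from datetime import datetime, timedelta

# Constructed sample events from two audit sources (not real logs).
# Fields: source, ISO timestamp, user, device, result
EVENTS = [
    ("mfa", "2018-05-01T08:00:00", "STOREMGR1", "PC-0451", "PASS"),
    ("sor", "2018-05-01T08:00:40", "STOREMGR1", "PC-0451", "PASS"),  # normal
    ("sor", "2018-05-01T11:30:00", "STOREMGR1", "PC-0451", "PASS"),  # MFA too old
    ("mfa", "2018-05-01T13:00:00", "TELLER07",  "PC-0912", "PASS"),
    ("sor", "2018-05-01T13:02:00", "TELLER07",  "PC-0099", "PASS"),  # other device
    ("sor", "2018-05-01T14:00:00", "PAYROLL2",  "PC-0300", "PASS"),  # no MFA at all
]

WINDOW = timedelta(minutes=10)  # assumed maximum gap between MFA and SoR sign-on


def parse(ts):
    return datetime.fromisoformat(ts)


def find_unaccounted_signons(events, window=WINDOW):
    """Return (user, timestamp, reason) for each successful SoR sign-on that
    no successful MFA call-out for the same user and device precedes within
    `window`. Events are processed in time order."""
    last_mfa = {}  # user -> (timestamp, device) of the last successful MFA
    findings = []
    for source, ts, user, device, result in sorted(events, key=lambda e: e[1]):
        t = parse(ts)
        if source == "mfa" and result == "PASS":
            last_mfa[user] = (t, device)
            continue
        if source != "sor" or result != "PASS":
            continue
        prior = last_mfa.get(user)
        if prior is None:
            findings.append((user, ts, "no MFA call-out on record"))
        elif prior[1] != device:
            findings.append((user, ts, f"MFA done on {prior[1]}, sign-on from {device}"))
        elif t - prior[0] > window:
            findings.append((user, ts, "MFA call-out older than window"))
    return findings


if __name__ == "__main__":
    for finding in find_unaccounted_signons(EVENTS):
        print(finding)
```

The three flagged rows are exactly the slide's scenarios: a credential reused long after the desktop MFA, a credential used from a device that never did MFA, and a user with no MFA trail at all.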

Black Hat 2017 Hacker Survey Report [1]
QUESTION: What type of security is the hardest to get past?
68% say multi-factor authentication and encryption are the biggest hacker obstacles.
[1] Thycotic Black Hat 2017 Hacker Survey, 7-survey/1

IBM Multi-Factor Authentication for z/OS
Higher assurance authentication for IBM z/OS systems that use RACF
IBM Multi-Factor Authentication on z/OS provides a way to raise the assurance level of z/OS, applications, and hosting environments by extending RACF to authenticate users with multiple factors.
- Fast, flexible, deeply integrated, easy to deploy, easy to manage, and easy to use
- PCI-DSS: Achieve regulatory compliance, reduce risk to critical applications and data
- Architecture supports multiple third-party authentication systems at the same time

Who should be protected with MFA?
- Work with Personally Identifiable Information
  - Human Resources
  - Healthcare workers
  - Law Clerks
  - DMV Clerks
- Authority over managing money
  - Brokers, Traders, Analysts
  - Tellers
  - Payroll
  - Credit Card Processing
- Knowledge of Corporate Intellectual Property
  - Executives
  - Engineers
- Business Partners – access YOUR data
  - Agents – Travel, Insurance
  - Contract organization – Outsourcers
- Those managing key IT assets
  - Systems Programmers
  - Security Administrators
  - Database Admins, Developers

Anyone with access to data that you don't want released to the public!!

Example
- Callsign Virtual Appliance
  - "The Callsign Virtual Appliance should run on most hypervisors, but we only run our QA regression tests on VMWare ESXi/vSphere for the moment. We do support RADIUS PAP out of the box."
  - "I have enabled your Callsign to access our developers' website which offers the VA ual-appliance-configuration/. We also have RADIUS guides s/integration/ and s/connector/."

What works with IBM MFA?
IBM MFA for z/OS supports a wide range of authentication systems!**
- In-Band
  - Proprietary Protocol:
  - RADIUS Based Factors:
- Mobile Out-of-Band
- TOTP Support:
- Certificate Authentication:
- Password/Passphrase: RACF Password/Passphrase can be used in conjunction with all in-band authentication methods.

Disclaimer: Not everything above has been fully tested, but it should work; if not, we will investigate.
** Not an all-inclusive list

RACF Support
RACF's MFA support introduces extensions to a variety of components of RACF:
- User related commands
  Allow the provisioning and definition of the acceptable MFA tokens for a user
- Extensions to authentication processing
  Allows supported tokens to be used by any z/OS application
- Extensions to SAF programming interfaces
  Provides a new SAF service for IBM MFA allowing access to MFA data stored in the RACF database
- Auditing extensions
  Tracks that MFA was used during the authentication process for a given user
- Utilities
  RACF Database unload – non-sensitive fields added to the RACF database used by MFA processing
  SMF Unload – unloads additional relocate sections added to SMF records

IBM Multi-Factor Authentication for z/OS
- MFA ISPF panels for configuration and management of authentication tokens
- Runs completely on z/OS!!!

[Diagram: Web Server, ISPF Panels, MFA Web Interface, MFA Manager Services, z/OS MFA Manager, TOTP, PC Routine, MFA Framework (RSA, RADIUS, Certificates), Translation Layer, SAF, RACF]

- MFA Manager Services
  - Provides MFA main logic
  - Register MFA Factor Data for a z/OS user
  - Validates a user provided factor against RACF MFA Data
  - Accesses MFA Data via SAF/RACF via callable services
- MFA Framework
  - User Interface supports factors such as Smart Cards and serves as web interface for registration, depending on factor type

What if something doesn't work?
Some applications have authentication properties which can prevent MFA from working properly:
- No phrase support – Some MFA credentials are longer than 8 characters
- Replay of passwords – Some MFA credentials are different at every logon and can't be replayed

IBM MFA for z/OS was architected with this in mind and provides a variety of accommodation mechanisms.
1. Selective Application Exclusion
   Exempting MFA processing for certain applications:
   - Allows a Security Administrator to mark certain applications as excluded from MFA
   - Allows a user to logon to that application using their non-MFA credentials
2. PassTicket Support
   - Allows the Security Administrator to indicate that an MFA user can authenticate with a PassTicket instead of an ACTIVE MFA factor.
   - New special MFA PassTicket Factor
3. Out-of-Band Support
   - Allows users to authenticate with multiple factors directly to IBM MFA and receive a logon token
   - The pre-authentication logon token's behavior can be customized as needed
   - Controls to allow tokens to be single use or re-useable and how long a token is valid
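To show what the out-of-band accommodation (item 3) has to get right, here is an added model of a pre-authentication logon token store with the two controls the slide names: single-use versus re-usable tokens, and a validity period. It is illustrative code written for this page, not IBM MFA's implementation; the token format, class names and in-memory store are assumptions.

```python
"""Out-of-band logon token policy (added example; a model of the behaviour
the slide describes, not IBM MFA's implementation). Token format, policy
names and the in-memory store are assumptions of this example."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TokenPolicy:
    lifetime: timedelta   # how long an issued token stays valid
    reusable: bool        # False = single use, True = re-usable until expiry


@dataclass
class LogonToken:
    user: str
    issued: datetime
    used: bool = False


class OutOfBandTokenStore:
    """Issues a logon token once a user has passed every required factor out
    of band, and validates that token when the application later logs on."""

    def __init__(self, policy):
        self.policy = policy
        self._tokens = {}  # token value -> LogonToken

    def issue(self, user, factor_results, now):
        # Every required factor must have passed before a token is issued.
        if not factor_results or not all(factor_results.values()):
            return None
        value = secrets.token_urlsafe(24)
        self._tokens[value] = LogonToken(user, now)
        return value

    def validate(self, user, value, now):
        """True if the token is valid for this user under the policy; a
        single-use token is consumed on success and rejected on replay."""
        tok = self._tokens.get(value)
        if tok is None or tok.user != user:
            return False
        if now - tok.issued > self.policy.lifetime:
            del self._tokens[value]   # expired: drop it so it cannot linger
            return False
        if tok.used and not self.policy.reusable:
            return False              # replay of a single-use token
        tok.used = True
        return True


def scenario(reusable):
    """Issue one token under a 5-minute policy and validate it at +30s, +60s
    and +6min; also check that a failed factor yields no token at all."""
    t0 = datetime(2018, 5, 1, 9, 0)
    store = OutOfBandTokenStore(TokenPolicy(timedelta(minutes=5), reusable))
    denied = store.issue("TELLER07", {"RADIUS": True, "TOTP": False}, t0)
    tok = store.issue("TELLER07", {"RADIUS": True, "TOTP": True}, t0)
    checks = [store.validate("TELLER07", tok, t0 + timedelta(seconds=s))
              for s in (30, 60, 360)]
    return denied is None, checks
```

A single-use policy yields [True, False, False] (the second attempt is a replay), while a re-usable policy yields [True, True, False] (only expiry ends it).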

Access from the Mainframe

[Diagram: Public or Private x86 Cloud Implementation – Consumer, Retail / remote POS, ATM, Financial Service Cloud, Callsign Analytics #1, #2, #3, Business History, Community History]

Requirements
- End to end flow must not hinder latency
- Fraud Analytics
  - There are close to 20 tests across user, device & location
  - Only three can be executed due to latency SLA needs

How far will you go to protect data?

[Diagram: several databases, some with Guardium STAP, others marked No Audit]

- Guardium STAP installed for audit
- Breach discovered, use the audit database
- Nothing conclusive found
- Were all records collected?
- What should be done for next time?

A better approach to protect and manage data

[Diagram: Development Database, Guardium STAP, No Audit, DVM, Application, No Data Audit]

- Use Cloning tools with anonymization or Optim Data Masking
  Data modified. No need to audit
- Leverage DVM to access Data in real time
  Applications access data now, not servers
  Audit is done at the database
- Use MFA to authenticate to all systems
- Encrypt source data
- Result: Fewer audit control points, improved security, lower operations cost

z/OS Encryption Readiness Tool (zERT)
- zERT, a core capability of IBM Z pervasive encryption, is an important feature of z/OS V2R3 Communications Server.
- zERT provides intelligent network security discovery and reporting capabilities by monitoring TCP and Enterprise Extender traffic for TLS/SSL, IPsec and SSH protection, as well as cleartext. It also writes information about the state of that protection to new SMF 119 records. Moreover, IBM zERT Network Analyzer, a new web-based interface that IBM plans to make available in the future, will help you determine which z/OS TCP and Enterprise Extender traffic is or isn't protected according to specific query criteria.
- Go run this tool
  Find out what is clear text or encrypted on your er/en/SSLTBW 2.3.0/com.ibm.zos.v2r3.halg001/nfsrgvhzert23.htm

Executive Summary
- System z continues to provide the most secure technology in the industry
- Security is about People, Process and Technology
  We are aware that businesses are not taking advantage of the best technologies
  Desktops and Mobile devices, used to enter passwords, are outside the scope of z Technology and susceptible to keyloggers, insider misuse and theft.
  Detecting these types of issues results in a "black hole of cost" associated with investigations, mitigation and brand reputation
  - Bad guys aren't telling you that they've stolen from a business. It's the gift that keeps on giving.
- IBM believes many critical users are at risk when weak authentication is the accepted process
- Passphrase technology has been available for 17 years. MFA on z for 2.5 years
- All businesses should begin exploiting Passphrases and Multi Factor Authentication
  Reduce the opportunity for hackers to compromise People and Processes toward getting your data.
  It will require Process changes on the part of customers and users. We know these are time consuming
  - We can help guide those activities

Additional Resources
- Resources
  - Introduction to IBM MFA
  - IBM MFA Solution Brief
  - IBM Multi-Factor Authentication for z/OS V1.3 Announcement Letter
  - IBM Multi-Factor Authentication for z/OS Product Page
- Contacts
  - Michael Zagorski – Offering Manager (zagorski@us.ibm.com)

Data center of the future – Shared Hybrid Operations
Global Business Responsibilities:
- Governance
- Risk and Compliance
- Business Continuity
- Privacy
- Agility
- Lean and Green

IT'S NOT ROCKET SCIENCE. IT'S ROCKET SOFTWARE.