#MFSummit2017 Big Iron, Big Risk!

Transcription

Securing the mainframe. Presented by Neil Harrison and Malcolm Trigg, 21/03/2017.

Agenda
- The Big Iron Risk
- Addressing the challenges
  - Securing access
  - Data privacy
  - Management and best practice
- Solutions in action
- Q&A

Big Iron: The risk
- Mainframes host business-critical data and core applications
- Large number of endpoints and users connecting to hosts
- Increasing regulatory requirements
- Rise of cyber crime
- Mainframe applications written for older security technologies:
  - Eight-character passwords
  - Not integrated with corporate identity stores and security infrastructure
  - Access via older protocols that need to be secured for end-to-end privacy
- Security through obscurity and a siloed approach are increasingly unacceptable

Addressing the challenges
- Securing access: authenticating end users, including privileged access; integration with enterprise identity infrastructure (corporate directory services)
- Data privacy: securing data in motion and in use (host protocols)
- Management and best practice: technical currency to address deprecated technologies; capitalise on new developments and standards; reporting and centralised management
(Diagram: corporate directory services and terminal emulation clients connecting to hosts: mainframe, AS/400, Unisys, Unix)

End User Authentication: IBM Express Logon Feature (ELF)
If the user is already authenticated, why make them authenticate again on the host system?
- User identity is established from the client X.509 certificate
- RACF matches the user ID with the client certificate
- DCAS provides a PassTicket
- User ID and PassTicket are used for authentication over SSL/TLS TN3270
Benefits:
- Enables auto sign-on to the mainframe
- Eliminates password maintenance for administrators and users
Other considerations:
- Certificate management overhead
RACF: Resource Access Control Facility. DCAS: Digital Certificate Access Server.
(Diagram: terminal emulation clients present a client X.509 certificate; DCAS and RACF on the mainframe return a user ID and PassTicket for automated logon)

End User Authentication: Automated sign-on
Uses Micro Focus Management & Security Server (MSS) together with corporate directory services.
1. MSS authenticates and identifies the user
2. DCAS issues a one-time-use PassTicket
3. User ID and PassTicket are used for authentication
Benefits:
- Enables auto sign-on to the mainframe
- Eliminates password maintenance for administrators and users
- Removes the client certificate management overhead associated with ELF
- Takes advantage of corporate identity infrastructure
(Diagram: terminal emulation clients identify the user to MSS; MSS requests a PassTicket from DCAS/RACF on the mainframe; the client logs on automatically)
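The ELF and automated sign-on slides above both rest on the same security properties of a PassTicket: it is bound to one user ID and one host application (APPLID), it is only valid for a short window, and it can be used once. The following model of the three-step exchange is an added example, not code from the presentation or from Micro Focus or IBM. The ticket derivation is a truncated HMAC standing in for the real RACF PassTicket algorithm (which IBM documents and which is DES-based), the 10-minute window, the session token, user IDs, APPLIDs and keys are all constructed for the example, and the broker collapses MSS and DCAS into one object.

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple

# Tickets in this model are accepted for +/- WINDOW_MINUTES around the issuing
# minute and may be used once. (Assumption for the model; real RACF PassTickets
# use an IBM-documented DES-based algorithm with their own validity window.)
WINDOW_MINUTES = 10


def derive_ticket(key: bytes, user: str, applid: str, minute: int) -> str:
    """Bind a ticket to the user ID, the application (APPLID) and a minute.

    Stand-in for the RACF PassTicket function: an HMAC truncated to eight
    characters, so a ticket for TSO cannot be replayed against CICS and a
    ticket for one user is useless for another.
    """
    msg = f"{user.upper()}|{applid.upper()}|{minute}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8].upper()


class TicketBroker:
    """Model of MSS plus DCAS: identifies the user and issues a PassTicket."""

    def __init__(self, signon_keys: Dict[str, bytes], sessions: Dict[str, str]):
        self._keys = signon_keys      # per-APPLID secured signon keys shared with RACF
        self._sessions = sessions     # MSS session token -> corporate directory user ID

    def request_passticket(self, session_token: str, applid: str, minute: int) -> Tuple[str, str]:
        user = self._sessions[session_token]                               # step 1: MSS identifies the user
        ticket = derive_ticket(self._keys[applid], user, applid, minute)   # step 2: DCAS issues the ticket
        return user, ticket                                                # step 3 happens at the host


class HostLogon:
    """Model of the RACF side: validates a (user ID, PassTicket) logon."""

    def __init__(self, signon_keys: Dict[str, bytes]):
        self._keys = signon_keys
        self._used: Set[Tuple[str, str, str]] = set()   # replay cache; prune entries older than the window

    def logon(self, user: str, applid: str, ticket: str, minute: int) -> bool:
        key = self._keys.get(applid.upper())
        if key is None:
            return False
        seen = (user.upper(), applid.upper(), ticket)
        if seen in self._used:
            return False                                 # one-time use: replay rejected
        for m in range(minute - WINDOW_MINUTES, minute + WINDOW_MINUTES + 1):
            if hmac.compare_digest(derive_ticket(key, user, applid, m), ticket):
                self._used.add(seen)
                return True
        return False                                     # wrong key, user, APPLID, or outside the window


def demo() -> Dict[str, bool]:
    """Run the exchange and the failure cases; returns which logons the host accepted."""
    # Constructed sample data: two host applications and one authenticated MSS session.
    keys = {"TSO": b"tso-secured-signon-key-demo", "CICSPROD": b"cics-secured-signon-key-demo"}
    broker = TicketBroker(keys, sessions={"mss-session-42": "JSMITH"})
    host = HostLogon(keys)

    now = 24_000_000                                     # minutes since epoch, constructed value
    user, ticket = broker.request_passticket("mss-session-42", "TSO", now)
    _, old_ticket = broker.request_passticket("mss-session-42", "TSO", now - 30)
    return {
        "first_logon": host.logon(user, "TSO", ticket, now + 1),      # fresh ticket inside the window
        "replay": host.logon(user, "TSO", ticket, now + 2),           # same ticket presented again
        "other_user": host.logon("MJONES", "TSO", ticket, now + 1),   # ticket is bound to JSMITH
        "other_app": host.logon(user, "CICSPROD", ticket, now + 1),   # ticket is bound to TSO
        "stale": host.logon(user, "TSO", old_ticket, now),            # issued 30 minutes ago
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} accepted={accepted}")
```

The point of the model is what the host never sees: no reusable password crosses the emulator session, so an eavesdropper or a stolen keystroke log yields a ticket that is already spent or about to expire, and a ticket lifted from one APPLID is worthless against another.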

End User Authentication: Multi-factor Authentication
Uses MSS and Micro Focus Advanced Authentication Framework, with broad support for platforms, devices and applications and multiple authentication mechanisms.
Benefits:
- Provides strong authentication for secure environments and privileged users
- Flexible solution that can be used for other use cases
- Works with Automated Sign-On for a good end-user experience
(Diagram: terminal emulation clients authenticate through MSS and Advanced Authentication, backed by corporate directory services, before reaching the mainframe)

Multi-factor authentication is required for access to the CDE in some cases.
PCI DSS 8.3: "Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication."
CDE: Cardholder Data Environment
Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016

Securing data in motion
- Provides end-to-end data privacy and integrity
- Support for TLS 1.2, SHA-256, HTTPS and FIPS 140-2 validated cryptography
- Continued investment in TLS 1.3 and Elliptic Curve Cryptography (ECC)
Security Proxy:
- The MSS security proxy, deployed in the DMZ, securely extends reach beyond the firewall
- Enforces perimeter control
- Can isolate and control network access to critical systems inside the firewall to support best practice
- Securely extends application access for anywhere, anytime, any-device access
(Diagram: terminal emulation clients connect through the MSS security proxy in the DMZ to the mainframe)

TLS 1.2 encryption level mandated as of June 2018: "After June 30, 2018, all entities must have stopped using SSL/early TLS as a security control."
Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016
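The two slides above state the requirement (TLS 1.2, FIPS-validated primitives, no SSL/early TLS after June 2018) but not how to enforce or audit it on a TN3270 connection. The code below is an added example, not from the presentation or any Micro Focus product: it builds a client-side TLS context that can only negotiate TLS 1.2 or later with AES-GCM suites, and then judges (protocol, cipher) pairs as an emulator or proxy would report them. The port 992 default, the host names and the sample session list are constructed assumptions; `tn3270_handshake` needs a live host and is not exercised here.

```python
import socket
import ssl
from typing import List, Optional, Tuple

# Conventional port for TN3270 over TLS; confirm against your own host configuration (assumption).
TN3270_TLS_PORT = 992

# PCI DSS v3.2 Appendix A2: SSL and early TLS may not be used as a security control after 30 June 2018.
SSL_EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-name fragments that fail the strong-cryptography bar regardless of protocol version
# ("DES" also matches the 3DES names such as DES-CBC3-SHA; ADH/AECDH are anonymous, unauthenticated suites).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def make_tn3270_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses SSL/early TLS and offers only AEAD suites with forward secrecy.

    PROTOCOL_TLS_CLIENT verifies the server certificate and checks the host name by
    default, which matters when a DMZ proxy rather than the mainframe terminates TLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # SSLv3, TLS 1.0 and TLS 1.1 are never offered
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")        # AES-GCM with SHA-2, FIPS 140-2 approved primitives
    if cafile:
        ctx.load_verify_locations(cafile)             # trust the enterprise CA instead of the system store
    return ctx


def check_session(protocol: str, cipher: str) -> Tuple[bool, str]:
    """Judge a negotiated (protocol, cipher) pair as returned by SSLSocket.version() and .cipher()[0]."""
    if protocol in SSL_EARLY_TLS:
        return False, f"{protocol} is SSL/early TLS, prohibited after 30 June 2018"
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        return False, f"unrecognised protocol {protocol!r}"
    name = cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in name:
            return False, f"cipher {cipher} uses {marker}"
    return True, "ok"


def audit(sessions: List[Tuple[str, str, str]]) -> List[Tuple[str, bool, str]]:
    """Apply check_session to (host, protocol, cipher) triples, e.g. collected from emulator session logs."""
    return [(host, *check_session(proto, cipher)) for host, proto, cipher in sessions]


def tn3270_handshake(host: str, port: int = TN3270_TLS_PORT, cafile: Optional[str] = None) -> Tuple[str, str]:
    """Open a TLS session to a TN3270 host and report what was actually negotiated (needs a live host)."""
    ctx = make_tn3270_client_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample of negotiated sessions, as an emulator fleet might report them.
SAMPLE_SESSIONS = [
    ("mvs01.example", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),   # passes
    ("mvs02.example", "TLSv1",   "AES128-SHA"),                    # early TLS: fails
    ("mvs03.example", "TLSv1.2", "DES-CBC3-SHA"),                  # 3DES: fails
    ("mvs04.example", "SSLv3",   "RC4-MD5"),                       # SSL: fails
]


if __name__ == "__main__":
    for host, ok, why in audit(SAMPLE_SESSIONS):
        print(f"{host:14s} {'PASS' if ok else 'FAIL'}  {why}")
```

Note that `minimum_version` is the right control; the older `OP_NO_TLSv1` style options are deprecated in recent Python releases. Audit results are only as good as what the emulator actually negotiated, which is why the handshake function reports the live values rather than the configured ones.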

Securing data in use
Information privacy filters enable access while protecting sensitive data:
- Flexible PAN detection and redaction
- Extensible to all data items
- Supports all screen actions (cut, copy, paste, print, API access)
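The slide names PAN detection and redaction on the terminal screen but not what "detection" has to do to be useful: a 16-digit account or reference number is not a PAN, and a filter that masks every long digit run breaks the application. The code below is an added example, not the presentation's or Micro Focus's filter; it finds 13 to 19 digit candidates (with optional space or hyphen grouping), keeps only those that pass the Luhn check, and masks all but the last four digits while preserving separators so screen columns still line up. The sample screen is constructed; the card numbers are the public Visa and Mastercard test PANs.

```python
import re
from typing import Tuple

# A PAN candidate is 13 to 19 digits, optionally split by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out account and reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(token: str, keep_last: int = 4) -> str:
    """Mask all but the last `keep_last` digits, keeping separators so the 3270 layout is unchanged."""
    ndigits = sum(ch.isdigit() for ch in token)
    out, seen = [], 0
    for ch in token:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > ndigits - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def filter_screen(text: str) -> Tuple[str, int]:
    """Return the screen text with Luhn-valid PANs redacted, and how many were redacted.

    Apply the same function at every exit point (screen paint, cut/copy/paste,
    print, and API reads of the presentation space) so no path exposes the raw PAN.
    """
    count = 0

    def repl(match) -> str:
        nonlocal count
        token = match.group(0)
        if not luhn_valid(re.sub(r"\D", "", token)):
            return token                    # looks like a PAN but is not one: leave it alone
        count += 1
        return redact(token)

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed 3270-style screen; 4111... and 5500... are the public Visa/Mastercard test PANs.
SAMPLE_SCREEN = (
    "CUSTOMER INQUIRY                               PAGE 1\n"
    "ACCT NO: 0123456789        NAME: J SMITH\n"
    "CARD 1 : 4111111111111111  EXP : 12/19\n"
    "CARD 2 : 5500 0000 0000 0004\n"
    "REF NO : 4111111111111112  (16 digits but fails Luhn)\n"
)


if __name__ == "__main__":
    redacted, n = filter_screen(SAMPLE_SCREEN)
    print(f"{n} PAN(s) redacted")
    print(redacted)
```

The Luhn filter is what keeps the false-positive rate workable on real screens; the trade-off is that a genuine PAN mistyped into a field will not be masked, so a field-level rule (redact this column regardless) should sit alongside the pattern rule for known card fields.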

General Data Protection Regulation
Article 25: Data protection by design and by default
"... implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles ..."
"The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are ..."
Reference: ...ion/reform/files/regulation oj en.pdf

Centralising Host Connectivity Management
Management and Security Server enforces security by providing:
- Centralised configuration management
- Security proxy services
- Auto sign-on and multi-factor authentication
- Integration to the corporate identity store and certificate management
- Reporting and metering control
(Diagram: terminal emulation clients connect through MSS and the DMZ proxy to the mainframe, with corporate directory services and reporting and metering attached to MSS)

Technical currency and deprecation
- Windows lifecycle: look for desktop products that have Windows certifications and lifecycle support statements
- Browser currency and NPAPI deprecation: end of browser plugin technology; impacts Java applets, ActiveX, Flash and Silverlight
Reference: ...co.uk/?gws rd ssl#q oracle java browser plugin support

What's new in Firefox
- Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported
- Removed Battery Status API to reduce fingerprinting of users by trackers
- Implemented the Strict Secure Cookies specification, which forbids insecure HTTP sites from setting cookies with the "secure" attribute
- Various security fixes (28 security ...)
Reference: ...ttachmate.com/techdocs/2797.html

Any Time, Any Device, Any Modern Browser
- Reflection ZFE developed using HTML5
- Supports a broad range of modern browsers
- Device independent
- Provides anywhere access at any time: good for when you are away from your desk and only have a mobile device with you, even if you have privileged system access
- Eliminates the need for a Java plug-in

Solutions in action

Addressing the Big Iron Risk
- Implement strong authentication mechanisms
- Integrate with enterprise identity infrastructure
- Secure data in motion and in use
- Centralise management
- Address technical debt
Securely extending the reach of mainframe applications to any device, anywhere, at any time.
(Diagram: terminal emulation clients, MSS with corporate directory services and reporting and metering, DMZ, mainframe)

Terminal Emulation security risk assessment
Free assessment of terminal emulation security configuration settings. Answers key questions:
- Are my host connections secure?
- Am I meeting regulatory requirements?
- Are all the connections secure?
- Can I go beyond the firewall?
- What about mobile users?

www.microfocus.com

Addressing the Big Iron Risk (summary)
- Strong authentication solutions address weak passwords
- Use data encryption
- Redaction protects data in use
- Centralised management, with reporting
- Address technical debt
Securely extending the reach of mainframe applications to any device, anywhere, at any time.
