MCP Guru Seminar Series: Security. Mike Kain, Consulting Engineer and Security Architect Wednesday, September 10 th, :00 pm

Transcription

1 MCP Guru Seminar Series: Security Mike Kain, Consulting Engineer and Security Architect Wednesday, September 10 th, :00 pm

2 Agenda A discussion about MCP Security Presentation of MCP 15.0 features Open discussion of issues driving MCP customers in the area of security What issues are you seeing? What is the most pressing problem at your site? These will be weaved together in this presentation 2013 Unisys Corporation. All rights reserved. 2

3 What s driving your MCP security? What s is your # 1 security concern? A. Audit / Assessment / Security Intelligence about the business B. Encryption / Preventing loss of PII (Personally Identifiable Information) C. Compliance & adherence to regulation(s) D. Whatever my boss tells me E. Whatever my auditor tells me F. All of the above different days are different answers What s # 2? 2013 Unisys Corporation. All rights reserved. 3

4 Network Security Logging MCP 15.0 new feature Applicable Network Security Events are now logged as security RELEVANT or security VIOLATION records in the sumlog Includes SSH, SSL, and IPsec security relevant and security violation records Previously logged as Diagnostics events in Security log TCP/IP Firewall entries already have been marked with these designations. This features makes events more accessible by a security administrator with standard LOGANALYZER queries Unisys Corporation. All rights reserved. 4

5 Network Security Logging Applicable Network Operations Interface (OI) messages (CMDs, RSPs, RPTs, and log-only RPTs) are now logged as security RELEVANT or security VIOLATION records in the sumlog. Tables showing which Networking OI messages are logged are included as appendices in: Security Administration Guide Networking Encoded Messages Programming Reference Manual 2013 Unisys Corporation. All rights reserved. 5

6 Network Security Logging Examples: LOG UC. RESULT RELEVANT Selects all records that are marked security RELEVANT LOG UC. RESULT VIOLATION Selects all records that are marked security VIOLATION LOG UC. RESULT RELEVANT VIOLATION Selects all records that are marked security RELEVANT or security VIOLATION. Requires SYSTEM/IGSDASUPPORT and that the SACM (formerly known as InfoGuard) keys are in the keys file Unisys Corporation. All rights reserved. 6

7 Locum Software MCP 15.0 enhancements SafeSurvey: User Privileges Report enhanced with COMS CFILE Privileges and RBAC permissions New RBAC report (if enabled in SecurityCenter and/or Workload Management) RealTime Monitor: New dashboard with moving timeline graph Allow customization of limit for stored alert messages (default is 1000 messages) Additional customization of alerts (specifying FROM, and multiple addresses) Updated version of Protecting Your Business Security with Locum RealTime Monitor white paper will be posted Unisys Corporation. All rights reserved. 7

8 Encryption / Cryptography What data do you encrypt? A. Any PII (Personally Identifiable Information) B. All data for backup C. All data across the network D. All data leaving the site E. All of the above What encryption solutions do you have to improvise? What about key management? 2013 Unisys Corporation. All rights reserved. 8

9 Tape / DVD Encryption - MCP 15.0 Enhancements Provides Enhanced Security for Encrypted Tapes/CDs/ DVDs AES-GCM encryption, the standard algorithm for tape encryption as specified by the IEEE ESSIV scheme is used with CBC-mode to generate a random Initialization Vector (IV) for each tape and each file on a tape. Additional data integrity checking added to encrypted data Enhancements are known as Version 2 Media Encryption Format of Version 2 encrypted media is different from the original, Version 1, tape encryption format 2013 Unisys Corporation. All rights reserved. 9

10 Tape / DVD Encryption Enhancements Examples COPY F/= TO BACKUPTAPE(SERIALNO= , ENCRYPT=AESGCM) Specifying ENCRYPT=AESGCM by definition creates a Version 2 Encrypted Tape COPY F/= TO BACKUPCD(CD, ENCRYPT=AES256, ENCRYPTVERSION=V2) Specifying ENCRYPTVERSION=V2 forces the use of ESSIV when doing AES with CBC-mode encryption 2013 Unisys Corporation. All rights reserved. 10

11 Tape / DVD Encryption Enhancements Migration and Compatibility Version 1 is used by default but Version 2 is recommended A tape/cd/dvd created using Version 2 Media Encryption cannot be read on a system that only supports Version 1 tape encryption Systems that support Version 2 Media Encryption can read and write both Version 1 and Version 2 tapes/cds/dvds Library Maintenance will not support encryption using Version 1 in software released after October 2015 but decryption of media created using Version 1 will continue to be supported Only Library Maintenance supports the new Media Encryption Version 2 enhancements TapeStack and DMUTILITY do not 2013 Unisys Corporation. All rights reserved. 11

12 Tape / DVD Encryption Enhancements Operator Controls The existing LMENCRYPT SYSOP can now be set to AESGCM Thus all tape/cd/dvd copies would be encrypted using AESGCM unless over-ridden in the COPY statement itself and would be in Media Encryption Version 2 format A new LMDEFENCRYPT SYSOP can be set to V1 or V2 LMDEFENCRYPT defaults to V1 LMDEFENCRYPT set to V2 and LMENCRYPT set to AES256 causes ESSIV to be used along with AES256 in CBC-mode and creates the encrypted media in Version 2 format LMDEFENCRYPT set to V1 and LMENCRYPT set to AES256 uses AES256 in CBC-mode and creates the media in Version 1 format 2013 Unisys Corporation. All rights reserved. 12

13 SecurityCenter MCP 15.0 enhancement Secure Erase of SecurityCenter Database Files The SENSITIVEDATA attribute is set on files associated with the Security Center database: Data set and set, control, audit and LOAD/DUMP files When removed or replaced, a SENSITIVEDATA file is overwritten by a pattern determined by SECOPT ERASE. Pattern options are ZEROS, TRIPLE, TRIPLEVERIFY. The overwrite is performed by a separate MCP task Not by the program accessing the database Unisys Corporation. All rights reserved. 13

14 Sending data off of the premises Are you allowed to send data off-site? A. Clear-text? B. Encrypted? C. Never? Separate process (including destruction of media)? Or only if could have customer data? Some data allowed (sumlog, etc.) Some not (MCP dumps, Wireshark, etc.)? 2013 Unisys Corporation. All rights reserved. 14

15 SFTP Enhancements MCP 15.0 enhancements Server support for Windows SFTP clients The ClearPath SFTP Server transfers files with the following Windows SFTP clients. WinSCP Attachmate Reflection FTP Client FileZilla FTP Client - We ll update the compatibility matrix on the support website. Server support to append to ClearPath files SFTP clients can append data to the end of existing ClearPath files. Example using WinSCP put -append TransactionHistory 2013 Unisys Corporation. All rights reserved. 15

16 SFTP Enhancements (cont.) Server support for dynamic Startup Files Allow SFTP clients to modify the current session values read from the FTP/STARTUP file. An FTP/STARTUP file can be stored on the client host as FTP STARTUP ONDEMAND. When this file is transferred to the ClearPath host, the default values in the Server Section of the file are used in the current session. Example FTP STARTUP ONDEMAND file. [SERVER SECTION] TYPE ASCII NONPRINT; DIRECTORY_FORMAT = STANDARD; FILESIZE = 8000 MB; DEFAULT MAPIN TEXT STYLE = TEXT; 2013 Unisys Corporation. All rights reserved. 16

17 FTPS Enhancements Server support for Custom Site Commands Allows the FTP Administrator to create Work Flow Language source code that can be processed by the WFL compiler. FTPS clients can run the WFL source using the Server SITE command. Example: [LIBRARY SECTION] CUSTOM_SITE_CMND = "MAKE_REPORT_PUBLIC = 'SECURITY NEW/REPORT PUBLIC',", "COPY_REPORT = 'BEGIN JOB COPY_REPORT;", "FAMILY DISK = REPORTS OTHERWISE DISK;", "REMOVE REPORT/FILE; COPY NEW/REPORT AS REPORT/FILE;", "END JOB'"; 2013 Unisys Corporation. All rights reserved. 17

18 Patch management / security relevance How much patch management / update do you do on your ClearPath MCP? A. Only what patches affect me B. Only what patches involve security C. A and B D. I don t take anything only until the next MCP release. E. I don t know, since I don t know what each patch does and how critical it is. Is the operation of your ClearPath MCP influenced by best practices of other environments? 2013 Unisys Corporation. All rights reserved. 18

19 Identity Management How do the users of your ClearPath MCP relate to your user base? A. Everyone has a separate account on the MCP system B. Only certain users use the MCP system C. It s only me who knows the difference (users don t know that they re using a ClearPath MCP) Do you use accesscodes? 2013 Unisys Corporation. All rights reserved. 19

20 Accesscode Violation Counting Violation counts can be attributed to an accesscode (instead of usercode) New User attributes ACSAVEVIOLCOUNT ACDEFVIOLLIMIT ACVIOLINFO group ACVIOLNAME, ACSUSPENDED, ACSUSPENDEDCODE, ACVIOLCOUNT, ACVIOLLIMIT, ACVIOLDATE Behaves like usercode violation counting and limiting ICs available in MCP 13.0 (54.1) & MCP 14.0 (55.1) including SecurityCenter Unisys Corporation. All rights reserved. 20

21 Future Deimplementations Security Monitoring Workstation (SMW) Migrate to Locum Realtime Monitor MINIMAL Security Class Use existing privileges and station attributes (see PRI ) Deimplementation scheduled for MCP 17.0 (58.1) 2013 Unisys Corporation. All rights reserved. 21

22 Questions? Further questions, comments, and suggestions to: Thank you! 2013 Unisys Corporation. All rights reserved. 22

23 MCP 15.0 Security Major Features Major Features in MCP 15.0 Tape / DVD Encryption Enhancements Network Security Logging Locum Software Enhancements Accesscode Violation Counting SecurityCenter Enhancements Secure Erase of SecurityCenterDB SFTP Enhancements Support for additional clients Other functional enhancements Future Deimplementations Secure Monitoring Workstation MINIMAL Security Class 2013 Unisys Corporation. All rights reserved. 23