Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

Transcription

1 Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

2

3 The World s Changed What is my account balance?

4 The World s Changed Internal Security Standards

5 The World s Changed

6 Not Everything has Changed. Is that Good?

7 Not Everything has Changed

8 What if you could Stop the user having to enter a user / password Allow multi-factor authentication Something you have Something you are Something you know Use your Active Directory / edirectory to store Users password Bio-metric information such as finger print Smart card details Bring the login screen in-line with modern security standards Protect sys admin logins

9 Well you can Micro Focus Advanced Authentication Framework Link with Reflection Desktop / Rumba terminal emulation Choice of smart cards and/or bio-metrics such as fingerprint recognition

10 What if you could Centrally manage the sign on to the mainframe Use a RACF one-time token in place of a password No need for user to enter or remember a password User doesn t get prompted for user/password User need never know their password

11 Well you can Automated Sign-On with Management and Security Server 1. The terminal emulator launches a host session and requests user credentials for the host application from Automated Sign-On. 2. Automated Sign-On requests a one-time-use PassTicket from RACF (from the IBM z/os Digital Certificate Access Server). 3. The terminal emulator uses the one-time-use PassTicket credential to automatically log the user on to the host application.

12 With Micro Focus Access to the mainframe No longer reliant on the historic 8 character password Now tied to the corporate Active Directory / edirectory credentials Access to the mainframe can be revoked through group membership in Active Directory / edirectory Mainframe access becomes security compliant Protect sys admin access You can automatically provision users along with permissions on host systems

13 Which Devices can Connect?

14 Not Everything has Changed Particular networks All workstations Any terminal emulator No restrictions on who

15 What if you could Control who can access the mainframe Only allow authorised terminal emulators to be used Access control through Active Directory / edirectory Roll Based Access Control (RBAC) Centrally managed Make the firewall rules simple for mainframe

16 Well you can Micro Focus Management and Security Server Access control in middle tier: A layer of security in front of your hosts Without touching the hosts Using read-only access to the LDAP Directory Client workstation HTTPS SSL/TLS MSS Server LDAP Directory Telnet, FTP, INT- MSS Security Proxy 1, T27, ALC, SSL/TLS Content inspection (Intrusion Detection System, etc.) Host

17 With Micro Focus A connection to the host can only be performed if you have been pre-authenticated Access to the host based upon AD/eDirectory membership Host can be protected by a firewall / simplified firewall rules Only allow connections originating from the Micro Focus Security Proxy Server

18 Well you can Client workstation Client workstation SSL/TLS Telnet, FTP, INT- MSS Security Proxy 1, T27, ALC, SSL/TLS Content inspection (Intrusion Detection System, etc.) Host

19 User Case Study Airline Industry Problem Need to give travel agents access to their mainframe A traditional thick client was heavy on management Don t own or manage the desktop Had to use a VPN to tunnel traffic further complicated the set-up New travel agents opening all the time and also some closing Spread through out the world

20 User Case Study An Airline Solution Management and Security Server Strong authentication Security Proxy Server Only authenticated clients could connect to the mainframe Thin client emulation Readily configured sessions deployed to the desktop using Java Applets Changes automatically deployed on next connection

21 User Case Study An Airline Benefits Mainframe protected from unauthorised access Deployment as easy as providing a URL and adding user to LDAP database Decommissioning as easy as removing the user from the LDAP database Easy centralised management Small client foot print on desktop Very little management of agent required by airlines help desk

22 Airline Solution Graphic Authenticated by MSS Server HTTPS MSS Server LDAP Directory Travel Agent Desktop SSL/TLS Secure token passed MSS Security Proxy Content inspection (Intrusion Detection System, etc.) Airlines Traffic Airlines Host No direct access to mainframe. Only allowed through Security Proxy Server if authenticated by MSS Server

23 Screen Content

24 Not Everything has Changed Credit card number remains on screen after typing No additional access authentication required to view credit card number Terminal emulator only displays what the host sends it

25 What if you could Mask credit card numbers or any other sensitive field With out changes to the host application Stop copy to clipboard from working for certain fields Redact information once typed i.e. after entry of a credit card number

26 Well you can Micro Focus Terminal Emulation Fields can be displayed masked with asterisks After typing a credit card number it can be redacted The copy to clipboard field can be disabled for certain fields

27 With Micro Focus Sensitive information is only displayed to those who really need access to it Information typed only left on the screen until last character typed and then it is redacted Helps with PCI DSS Stop user from using terminal emulation trace facility by locking the terminal emulator down

28 Multiple Authentication Points

29 Not Everything has Changed Authenticated once Application security controlled by application Non-repudiation No re-authentication for certain tasks

30 What if you could Replace the normal Signon with a stronger method of Authentication and enable Single Signon? Prompt a user at any point during any type of transaction to Re-Authenticate? Re-Authentication could have context like: Financial Value or transaction type? Time since last Authentication? Write away before and after values of any transaction to a Non-Repudiation system which could be used to report on activity? With NO changes of any code on the legacy system?

31 Well you can Micro Focus Advanced Authentication Framework Link with Reflection Desktop / Rumba terminal emulation Choice of smart cards and/or bio-metrics such as fingerprint recognition

32 Micro Focus Multi-Factor Solution

33 With Management Security Server (MSS) and Advanced Authentication you can... Create an enforceable access control layer between your employees and your legacy systems. Leverage your enterprise directory to authorise users to host sessions. Utilise strong authentication technology to confirm user identity. Make use of multifactor Authentication. Invoke Authentication and Authorisation at any stage during a session or function on a legacy application with full audit reporting. Centrally administer access to terminal host sessions and macros.

34 Reflection / Rumba and Advanced Authentication Framework Directory (edir, AD, LDAP, RACF) Credentials (MFA, Mix & Match) AAF RTE VBA Reflection / Rumba RACF/TOP Secret Authentication Secondary Application Authentication Sensitive Enquiry Authentication Sensitive Transaction Authentication User Time Based Authentication

35 With Micro Focus Insecure user/password host logon a thing of the past Multiple re-authentication points can be utilised Multi-factor authentication Tied into AD / edirectory security groups Roll Based Access Control can be applied Permissions can be easily revoked Central management of terminal emulation and access

36 Re-using Mainframe Information

37 Not Everything has Changed What is my account balance? Account Balance is here.

38 What if you could

39 What if you could

40 Well you can with Micro Focus Micro Focus IBM 3270 IBM 5250 VT/UNIX HP700/92 Business Application Well featured design time environment Wraps host application logic with SOA interface Non invasive off host architecture No change to host applications Leverage existing business rules Real time integration Acts as a data firewall securing and guaranteeing integrity of the application Robust, scalable and secure Rejuvenation options available

41 Full Terminal Support Zero Footprint No Map Screen re-presented as HTML or HTML5 Terminal Emulation Enhanced Emulation Custom Mobile Apps One to one with host screen Can be accessed on desktop to mobile devices Provides a secure method of accessing the host remotely Custom Web Services No direct access to host from client

42 Custom Forms Server-Side Macros Managed Automation of host application Terminal Emulation Enhanced Emulation Custom Mobile Apps Still have access to host screen Secure connection Scalable No direct access to host from client Custom Web Services

43 Fully Customized UI SOA Capable Transform User sees no host screens Terminal Emulation Enhanced Emulation Custom Mobile Apps Complete web-frontend Fields can be hidden from user No direct access to host from client Secure and scalable Custom Web Services

44 With Micro Focus Host systems can easily become web service enabled Providing a secure method of integrating Hide fields from developers Platform for rejuvenation Integration with other systems Mobile device access as well as desktop Secure and scalable solution

45 Macros Useful?

46 Not Everything has Changed Macros managed by users Development against production system Sharing of macros Ownership / support Change control

47 What if you could Prevent users from creating macros Prevent users from viewing macros If macros not required then prevent running of macros Control the distribution of macros Make macros part of a secure development life cycle Ensure macros are part of change control

48 Well you can Management and Security Server Distribute macros Control access to terminal emulation Reflection / Rumba Terminal Emulation Lock down emulation Prevent macros being run from untrusted locations Prevent macros from being created Lock down API

49 With Micro Focus Macros can be managed Terminal emulation locked down Macros become known and managed by IT Secures the mainframe from abuse by macros

50 Security Across the Board

51 General Security Crypto modules FIPS validated Used by US DoD TLS 1.2 fully supported Secure development life cycle (SDLC) Security given prominence throughout development of products Intensive security testing of products

52 Summary

53 General Security Advanced Authentication Framework Enhance the authentication process Multi factor authentication Multiple points of authentication Allow automated provisioning of mainframe users and permissions

54 General Security Manage access to mainframe Management and Security Server Security Proxy Server Can t connect unless authenticated Redaction of sensitive information Secure integration of mainframe information Macros can be managed

55 Q & A