Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

The World's Changed: What is my account balance?

The World's Changed: Internal Security Standards

The World's Changed

Not Everything has Changed. Is that Good?

Not Everything has Changed

What if you could
- Stop the user having to enter a user / password
- Allow multi-factor authentication: something you have, something you are, something you know
- Use your Active Directory / eDirectory to store users' passwords, biometric information such as fingerprints, and smart card details
- Bring the login screen in line with modern security standards
- Protect sys admin logins

Well you can
- Micro Focus Advanced Authentication Framework
- Link with Reflection Desktop / Rumba terminal emulation
- Choice of smart cards and/or biometrics such as fingerprint recognition

What if you could
- Centrally manage the sign-on to the mainframe
- Use a RACF one-time token in place of a password
- No need for the user to enter or remember a password
- User doesn't get prompted for user/password
- User need never know their password

Well you can: Automated Sign-On with Management and Security Server
1. The terminal emulator launches a host session and requests user credentials for the host application from Automated Sign-On.
2. Automated Sign-On requests a one-time-use PassTicket from RACF (from the IBM z/OS Digital Certificate Access Server).
3. The terminal emulator uses the one-time-use PassTicket credential to automatically log the user on to the host application.

With Micro Focus
- Access to the mainframe is no longer reliant on the historic 8-character password
- Now tied to the corporate Active Directory / eDirectory credentials
- Access to the mainframe can be revoked through group membership in Active Directory / eDirectory
- Mainframe access becomes security compliant
- Protect sys admin access
- You can automatically provision users along with permissions on host systems
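The three-step flow above turns on one property of the PassTicket: it is a short-lived credential bound to a user and an application that the host accepts exactly once, so the emulator never holds a reusable password. The simulation below is an added example, not Micro Focus or IBM code, and it does not reproduce RACF's PassTicket algorithm; it uses an HMAC over (user, application, issue time, nonce) with a constructed shared key to show the issuer, the host-side check, and why a replayed or re-targeted ticket is rejected. The key, lifetime and names are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed secret shared by the ticket issuer and the host. In the real
# design this lives in the host security manager; the emulator never sees it.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TICKET_LIFETIME_S = 600  # assumed validity window


def issue_ticket(user, application, key=SHARED_KEY, now=None):
    """Step 2: issue a single-use credential bound to (user, application, time)."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    msg = f"{user}|{application}|{issued}|{nonce}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return f"{issued}.{nonce}.{tag}"


class Host:
    """Host-side verifier: checks binding, freshness and single use."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.used = set()  # tickets already consumed (replay cache)

    def logon(self, user, application, ticket, now=None):
        """Return 'OK' or a rejection reason; a ticket works exactly once."""
        now = int(time.time() if now is None else now)
        try:
            issued_s, nonce, tag = ticket.split(".")
            issued = int(issued_s)
        except ValueError:
            return "MALFORMED"
        msg = f"{user}|{application}|{issued}|{nonce}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "BAD_SIGNATURE"       # wrong user, wrong application or forged
        if not 0 <= now - issued <= TICKET_LIFETIME_S:
            return "EXPIRED"
        if ticket in self.used:
            return "REPLAY"              # one-time-use property
        self.used.add(ticket)
        return "OK"


def automated_signon(user, application, host, now=None):
    """Steps 1-3 from the emulator's point of view: fetch a ticket, log on with it."""
    ticket = issue_ticket(user, application, now=now)
    return host.logon(user, application, ticket, now=now)


if __name__ == "__main__":
    h = Host()
    print(automated_signon("agent01", "RESSYS", h))
```

The replay cache is what makes "one-time" enforceable; a real host only needs to remember tickets for the lifetime window, after which the expiry check rejects them anyway.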

Which Devices can Connect?

Not Everything has Changed
- Particular networks
- All workstations
- Any terminal emulator
- No restrictions on who

What if you could
- Control who can access the mainframe
- Only allow authorised terminal emulators to be used
- Access control through Active Directory / eDirectory
- Role Based Access Control (RBAC)
- Centrally managed
- Make the firewall rules simple for the mainframe

Well you can: Micro Focus Management and Security Server
- Access control in the middle tier: a layer of security in front of your hosts
- Without touching the hosts
- Using read-only access to the LDAP Directory
[Diagram: Client workstation -> (HTTPS, SSL/TLS) -> MSS Server <-> LDAP Directory; Client workstation -> (SSL/TLS) -> MSS Security Proxy -> content inspection (Intrusion Detection System, etc.) -> Host, over Telnet, FTP, INT-1, T27, ALC, SSL/TLS]

With Micro Focus
- A connection to the host can only be made if you have been pre-authenticated
- Access to the host is based upon AD / eDirectory membership
- Host can be protected by a firewall / simplified firewall rules
- Only allow connections originating from the Micro Focus Security Proxy Server

Well you can
[Diagram: two client workstations -> (SSL/TLS) -> MSS Security Proxy -> content inspection (Intrusion Detection System, etc.) -> Host, over Telnet, FTP, INT-1, T27, ALC, SSL/TLS]
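The middle-tier model above has three checks that can each be shown in a few lines: the MSS server authorises a session from a read-only group lookup, the Security Proxy forwards only sessions carrying a token the MSS server issued, and the host firewall admits only the proxy's address. The following is an added example, not Micro Focus code: the directory, the group name, the proxy address and the "who passed strong authentication" set are all constructed, and the token is a simple HMAC standing in for whatever the product actually passes between MSS and the proxy.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed read-only view of the directory as the MSS server would see it.
DIRECTORY = {
    "alice": {"groups": {"mainframe-users", "payroll"}},
    "bob": {"groups": {"contractors"}},
}
AUTHENTICATED = {"alice", "bob"}   # constructed: users who passed strong authentication
HOST_GROUP = "mainframe-users"     # assumed group that grants host sessions
PROXY_ADDR = ipaddress.ip_address("10.0.5.10")   # constructed Security Proxy address


class MssServer:
    """Pre-authentication and authorisation; never touches the host."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # per-instance token signing key

    def authorise(self, user):
        """Return a session token, or None if the user may not reach the host."""
        if user not in AUTHENTICATED:
            return None
        if HOST_GROUP not in DIRECTORY.get(user, {}).get("groups", ()):
            return None                      # revocation = drop the group membership
        nonce = secrets.token_hex(8)
        tag = hmac.new(self.key, f"{user}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{user}.{nonce}.{tag}"

    def verify(self, token):
        """Return the user a token was issued to, or None if it is not ours."""
        try:
            user, nonce, tag = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, f"{user}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(tag, expected) else None


def host_firewall_allows(src_ip):
    """Simplified host firewall rule: only the Security Proxy may reach host ports."""
    return ipaddress.ip_address(src_ip) == PROXY_ADDR


def connect_via_proxy(mss, token):
    """Security Proxy: forward only pre-authenticated sessions, from its own address."""
    user = mss.verify(token)
    if user is None:
        return "PROXY_DENIED"
    if not host_firewall_allows(str(PROXY_ADDR)):
        return "HOST_FW_DENIED"
    return f"HOST_SESSION:{user}"


def connect_direct(src_ip):
    """A workstation bypassing the proxy is stopped by the firewall rule alone."""
    return "HOST_SESSION" if host_firewall_allows(src_ip) else "HOST_FW_DENIED"
```

Because the proxy is the only permitted source, the firewall rule on the host side stays a single line regardless of how many workstations or networks the emulators live on; all the per-user policy lives in the directory.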

User Case Study: Airline Industry - Problem
- Need to give travel agents access to their mainframe
- A traditional thick client was heavy on management
- Don't own or manage the desktop
- Had to use a VPN to tunnel traffic, which further complicated the set-up
- New travel agents opening all the time, and also some closing
- Spread throughout the world

User Case Study: An Airline - Solution
- Management and Security Server: strong authentication
- Security Proxy Server: only authenticated clients could connect to the mainframe
- Thin client emulation: readily configured sessions deployed to the desktop using Java applets
- Changes automatically deployed on next connection

User Case Study: An Airline - Benefits
- Mainframe protected from unauthorised access
- Deployment as easy as providing a URL and adding the user to the LDAP database
- Decommissioning as easy as removing the user from the LDAP database
- Easy centralised management
- Small client footprint on the desktop
- Very little management of the agent required by the airline's help desk

Airline Solution Graphic
[Diagram: Travel Agent Desktop -> (HTTPS) -> MSS Server (authenticated by MSS Server) <-> LDAP Directory; secure token passed; Travel Agent Desktop -> (SSL/TLS) -> MSS Security Proxy -> content inspection (Intrusion Detection System, etc.) -> Airline's Traffic -> Airline's Host]
No direct access to the mainframe. Only allowed through the Security Proxy Server if authenticated by the MSS Server.

Screen Content

Not Everything has Changed
- Credit card number remains on screen after typing
- No additional access authentication required to view the credit card number
- Terminal emulator only displays what the host sends it

What if you could
- Mask credit card numbers or any other sensitive field, without changes to the host application
- Stop copy to clipboard from working for certain fields
- Redact information once typed, i.e. after entry of a credit card number

Well you can: Micro Focus Terminal Emulation
- Fields can be displayed masked with asterisks
- After typing a credit card number it can be redacted
- Copy to clipboard can be disabled for certain fields

With Micro Focus
- Sensitive information is only displayed to those who really need access to it
- Information typed is only left on the screen until the last character is typed, and then it is redacted
- Helps with PCI DSS
- Stop the user from using the terminal emulation trace facility by locking the terminal emulator down
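The emulator can only redact what it can recognise, so the practical question is how a field gets classified as sensitive when the host application is not changed: either by a named field in a policy, or by the content itself looking like a card number. The added example below (not Micro Focus code) shows both, with a Luhn check for content-based detection, masking to the last four digits, redaction triggered when the last character of a field is typed, and a clipboard block for listed fields. Field names, policy sets and sample values are constructed.

```python
# Constructed policy an administrator would push to the emulator.
SENSITIVE_FIELDS = {"CARD_NUMBER", "CVV"}   # always masked on display
NO_CLIPBOARD = {"CARD_NUMBER", "CVV"}       # copy disabled for these fields


def luhn_ok(digits):
    """Standard Luhn check over a string of decimal digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """Content-based detection: 13-19 digits (spaces allowed) passing Luhn."""
    stripped = value.replace(" ", "").rstrip()
    return stripped.isdigit() and 13 <= len(stripped) <= 19 and luhn_ok(stripped)


def mask(value, keep_last=4):
    """Replace all but the last keep_last characters with asterisks; keep trailing blanks."""
    body = value.rstrip()
    pad = value[len(body):]
    if len(body) <= keep_last:
        return "*" * len(body) + pad
    return "*" * (len(body) - keep_last) + body[-keep_last:] + pad


def display_field(name, value):
    """What the emulator paints for a host-supplied field after policy is applied."""
    if name in SENSITIVE_FIELDS or looks_like_pan(value):
        return mask(value)
    return value


def on_keystroke(name, buffer, field_length):
    """Called after each typed character: once the field is full, redact it on screen."""
    if len(buffer) >= field_length and (name in SENSITIVE_FIELDS or looks_like_pan(buffer)):
        return mask(buffer)
    return buffer


def copy_to_clipboard(name, value):
    """Return the text placed on the clipboard, or None when the field forbids copying."""
    if name in NO_CLIPBOARD:
        return None
    return value
```

Content-based detection catches card numbers that turn up in free-text fields the policy author never listed, which is the common PCI DSS surprise; the named-field list still matters for values like CVV that have no checksum to recognise.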

Multiple Authentication Points

Not Everything has Changed
- Authenticated once
- Application security controlled by the application
- Non-repudiation
- No re-authentication for certain tasks

What if you could
- Replace the normal sign-on with a stronger method of authentication and enable single sign-on?
- Prompt a user at any point during any type of transaction to re-authenticate?
- Give re-authentication context such as: financial value or transaction type? Time since last authentication?
- Write away before and after values of any transaction to a non-repudiation system which could be used to report on activity?
- With NO changes to any code on the legacy system?

Well you can
- Micro Focus Advanced Authentication Framework
- Link with Reflection Desktop / Rumba terminal emulation
- Choice of smart cards and/or biometrics such as fingerprint recognition
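The questions above describe a policy decision taken outside the host application: given the transaction's value, its type and the age of the last authentication, decide whether to interrupt with a second factor, then write the before and after values to a record the user cannot later dispute. The added example below (not Micro Focus or AAF code) implements that decision and a hash-chained append-only log whose `verify` detects any later edit; thresholds, transaction types and the `authenticate` callback are constructed stand-ins for the real second-factor step.

```python
import hashlib
import json

# Constructed policy: when a transaction forces a second authentication.
REAUTH_VALUE_THRESHOLD = 10_000.00        # financial value
REAUTH_TXN_TYPES = {"WIRE", "LIMIT_CHANGE"}  # transaction type
REAUTH_MAX_AGE_S = 15 * 60                # time since last authentication


def reauth_required(txn_type, amount, last_auth_ts, now):
    """Return the list of policy reasons that require re-authentication (empty = none)."""
    reasons = []
    if amount >= REAUTH_VALUE_THRESHOLD:
        reasons.append("value")
    if txn_type in REAUTH_TXN_TYPES:
        reasons.append("type")
    if now - last_auth_ts > REAUTH_MAX_AGE_S:
        reasons.append("stale_auth")
    return reasons


class NonRepudiationLog:
    """Append-only record of before/after values; each entry hashes the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user, txn_type, before, after, reauth_reasons, ts):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"ts": ts, "user": user, "txn": txn_type, "before": before,
                "after": after, "reauth": reauth_reasons, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """True only if every entry still matches its hash and the chain is unbroken."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def process_transaction(user, txn_type, amount, before, after,
                        last_auth_ts, now, log, authenticate):
    """authenticate(user) -> bool stands in for the second-factor prompt."""
    reasons = reauth_required(txn_type, amount, last_auth_ts, now)
    if reasons and not authenticate(user):
        return "REAUTH_FAILED"           # nothing is written to the host or the log
    log.record(user, txn_type, before, after, reasons, now)
    return "COMMITTED_AFTER_REAUTH" if reasons else "COMMITTED"
```

Recording the policy reasons alongside the before/after values is what makes the log useful for reporting: an auditor can see not just what changed but why the session was (or was not) challenged at that point.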

Micro Focus Multi-Factor Solution

With Management and Security Server (MSS) and Advanced Authentication you can...
- Create an enforceable access control layer between your employees and your legacy systems.
- Leverage your enterprise directory to authorise users to host sessions.
- Utilise strong authentication technology to confirm user identity.
- Make use of multi-factor authentication.
- Invoke authentication and authorisation at any stage during a session or function on a legacy application, with full audit reporting.
- Centrally administer access to terminal host sessions and macros.

Reflection / Rumba and Advanced Authentication Framework
[Diagram: Directory (eDir, AD, LDAP, RACF) and Credentials (MFA, mix & match) feed the AAF; AAF -> RTE / VBA -> Reflection / Rumba. Authentication points: RACF / Top Secret authentication, secondary application authentication, sensitive enquiry authentication, sensitive transaction authentication, user time-based authentication]

With Micro Focus
- Insecure user/password host logon a thing of the past
- Multiple re-authentication points can be utilised
- Multi-factor authentication
- Tied into AD / eDirectory security groups
- Role Based Access Control can be applied
- Permissions can be easily revoked
- Central management of terminal emulation and access

Re-using Mainframe Information

Not Everything has Changed: What is my account balance? Account balance is here.

What if you could

Well you can with Micro Focus
[Diagram: IBM 3270, IBM 5250, VT/UNIX, HP700/92 hosts -> Micro Focus -> Business Application]
- Well-featured design-time environment
- Wraps host application logic with an SOA interface
- Non-invasive off-host architecture: no change to host applications
- Leverages existing business rules
- Real-time integration
- Acts as a data firewall, securing and guaranteeing the integrity of the application
- Robust, scalable and secure
- Rejuvenation options available

Full Terminal Support, Zero Footprint, No Map (stage 1 of 3: Terminal Emulation -> Enhanced Emulation -> Custom Mobile Apps / Custom Web Services)
- Screen re-presented as HTML or HTML5
- One to one with the host screen
- Can be accessed on desktop and mobile devices
- Provides a secure method of accessing the host remotely
- No direct access to the host from the client

Custom Forms, Server-Side Macros, Managed (stage 2 of 3: Terminal Emulation -> Enhanced Emulation -> Custom Mobile Apps / Custom Web Services)
- Automation of the host application
- Still have access to the host screen
- Secure connection
- Scalable
- No direct access to the host from the client

Fully Customized UI, SOA Capable, Transform (stage 3 of 3: Terminal Emulation -> Enhanced Emulation -> Custom Mobile Apps / Custom Web Services)
- User sees no host screens
- Complete web front-end
- Fields can be hidden from the user
- No direct access to the host from the client
- Secure and scalable

With Micro Focus
- Host systems can easily become web-service enabled
- Provides a secure method of integrating
- Hide fields from developers
- Platform for rejuvenation
- Integration with other systems
- Mobile device access as well as desktop
- Secure and scalable solution

Macros Useful?

Not Everything has Changed
- Macros managed by users
- Development against the production system
- Sharing of macros
- Ownership / support
- Change control

What if you could
- Prevent users from creating macros
- Prevent users from viewing macros
- If macros are not required, then prevent running of macros
- Control the distribution of macros
- Make macros part of a secure development life cycle
- Ensure macros are part of change control

Well you can
- Management and Security Server: distribute macros; control access to terminal emulation
- Reflection / Rumba Terminal Emulation: lock down emulation; prevent macros being run from untrusted locations; prevent macros from being created; lock down the API

With Micro Focus
- Macros can be managed
- Terminal emulation locked down
- Macros become known and managed by IT
- Secures the mainframe from abuse by macros
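Bringing macros under change control comes down to three enforceable rules at the emulator: macros run only when centrally enabled, only from locations IT distributes to, and only if they are the exact content IT released. The added example below (not Micro Focus code) checks those three rules before a macro is allowed to run, using a path check that survives `..` tricks and an HMAC over the macro body as the release signature; the trusted directory, signing key and policy keys are constructed, and the product's own settings are not implied.

```python
import hashlib
import hmac
import posixpath

# Constructed central settings; the signing key is held by IT, not on workstations.
TRUSTED_MACRO_DIRS = ("/opt/emulator/macros",)
SIGNING_KEY = b"constructed-release-key-not-for-production"


def sign_macro(content: bytes, key: bytes = SIGNING_KEY) -> str:
    """Release step: signature IT attaches to a macro when it is distributed."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def in_trusted_dir(path: str) -> bool:
    """True if the normalised path lies inside a distribution directory."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in TRUSTED_MACRO_DIRS)


def macro_run_allowed(path: str, content: bytes, signature: str, policy: dict) -> str:
    """Decide whether the emulator may run this macro; returns ALLOWED or a denial reason."""
    if not policy.get("macros_enabled", False):
        return "DENIED_MACROS_DISABLED"          # "if macros not required, prevent running"
    if not in_trusted_dir(path):
        return "DENIED_UNTRUSTED_LOCATION"       # user-created or copied-in macro
    if not hmac.compare_digest(signature or "", sign_macro(content)):
        return "DENIED_BAD_SIGNATURE"            # content differs from what IT released
    return "ALLOWED"


def macro_create_allowed(policy: dict) -> bool:
    """Creation and viewing are separate switches; default is locked down."""
    return bool(policy.get("users_may_create_macros", False))


# Constructed sample: a released macro and the policy pushed to a locked-down desktop.
RELEASED_MACRO = b'Sub Main()\n  Session.SendKeys "LOGOFF"\nEnd Sub\n'
RELEASED_SIG = sign_macro(RELEASED_MACRO)
LOCKED_DOWN_POLICY = {"macros_enabled": True, "users_may_create_macros": False}
```

The signature check is what makes "macros become known and managed by IT" testable: a macro edited on a workstation, even inside the trusted directory, no longer matches its released signature and is refused.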

Security Across the Board

General Security
- Crypto modules FIPS 140-2 validated; used by US DoD
- TLS 1.2 fully supported
- Secure development life cycle (SDLC): security given prominence throughout development of products; intensive security testing of products

Summary

General Security: Advanced Authentication Framework
- Enhance the authentication process
- Multi-factor authentication
- Multiple points of authentication
- Allow automated provisioning of mainframe users and permissions

General Security: Manage access to the mainframe
- Management and Security Server
- Security Proxy Server: can't connect unless authenticated
- Redaction of sensitive information
- Secure integration of mainframe information
- Macros can be managed

Q & A