About the white paper: The pressure to demonstrate compliance with standards and regulations such as Sarbanes Oxley, HIPAA, PCI DSS and Basel II,

Similar documents
RSA SecurID Two-factor Authentication

ESET Secure Authentication

A brief on Two-Factor Authentication

Controlling Remote Access to IBM i

Workspot, Inc. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: September 16, Product Information Partner Name

Department of Supply & Services (CIMS) RSA Web Express User Guide v1.2

8 Best Practices for IT Security Compliance

Achieving PCI-Compliance through Cyberoam

Catapult PCI Compliance

Document No.: VCSATSP Restricted Data Access Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Access Policy

New Brunswick Internal Services Agency. RSA Self-Service Console User Guide

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Parallels Plesk Panel

Alternative authentication methods. Niko Dukić/Mario Šale CS Computer Systems

How do I secure and manage an out-of-band connection to network devices?

Rule 4-004G Payment Card Industry (PCI) Remote and Mobile Access Security (proposed)

Choosing an SSO Solution Ten Smart Questions

Password Self Help Password Reset for IBM i

Compliance and Security Challenges with Remote Administration

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Allianz Global Investors Remote Access Guide

Compliance and Industry Regulations

Network Security 1. Module 4 Trust and Identity Technology. Ola Lundh ola.lundh@edu.falkenberg.se

PortWise Access Management Suite

Did you know your security solution can help with PCI compliance too?

SonicWALL PCI 1.1 Implementation Guide

Simplifying Security with Datakey Axis Single Sign-On. White Paper

Out-of-Band Multi-Factor Authentication Cloud Services Whitepaper

Cisco ASA. Implementation Guide. (Version 5.4) Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Exporting IBM i Data to Syslog

A Decision Maker s Guide to Securing an IT Infrastructure

SECURING YOUR REMOTE DESKTOP CONNECTION

RSA SECURITY SOLUTIONS. Secure Mobile & Remote Access

PA-DSS Implementation Guide: Steps to ensure that your POS system is secure

CONTENTS. PCI DSS Compliance Guide

Allianz Global Investors Remote Access Guide

74% 96 Action Items. Compliance

Retail Stores Networks and PCI compliance

Identity Access Management: Beyond Convenience

ProtectID. for Financial Services

Two-factor Authentication: A Tokenless Approach

Stonesoft Corp. Stonegate Firewall and VPN

PortWise Access Management Suite

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Balancing risk, cost and user experience with SMS for 2FA

Securing corporate assets with two factor authentication

Virtual Private Network (VPN)

University of Sunderland Business Assurance PCI Security Policy

Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

French Justice Portal. Authentication methods and technologies. Page n 1

Parallels Plesk Panel

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

I D C V E N D O R S P O T L I G H T

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

RSA AUTHENTICATION. 20 Settembre, Jesi - SICUREZZA ICT SOIEL. Copyright 2011 EMC Corporation. All rights reserved.

PROTECT YOUR WORLD. Identity Management Solutions and Services

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Implementation Guide

Replacing legacy twofactor. with YubiRADIUS for corporate remote access. How to Guide

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 5

Passlogix Sign-On Platform

SECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

Check Point FW-1/VPN-1 NG/FP3

RSA Security. RSA, RC2, RC4, RC5, MD5 AES RC6 PKCS RSA Keon PKI. RSA BSAFE 5 Web. RSA SecurID 4000

CompTIA Security+ Certification SY0-301

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Preemptive security solutions for healthcare

Lots of workers, many applications, multiple locations......and you need one smart way to handle access for all of them.

Two-Factor Authentication

RSA SecurID Ready Implementation Guide

NC CJIN Governing Board. 13 October, George A. White

The City of New York

The Benefits of an Industry Standard Platform for Enterprise Sign-On

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Risk Based Authentication and AM 8. What you need to know!

Policies and Procedures

Secure Authentication Managed Service Portfolio

Security Overview Enterprise-Class Secure Mobile File Sharing

PCI DSS Compliance Guide

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION

RSA SecurID Ready Implementation Guide

ADDING STRONGER AUTHENTICATION for VPN Access Control

RSA AUTHENTICATION AGENTS FOR MICROSOFT WINDOWS

General Information. About This Document. MD RES PCI Data Standard November 14, 2007 Page 1 of 19

Two-Factor Authentication Evaluation Guide

EURECOM VPN SSL for students User s guide

CSP & PCI DSS Compliance on HP NonStop systems

MICROS Customer Support

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

Hitachi ID Password Manager Telephony Integration

The State of System i Security & The Top 10 OS/400 Security Risks. Copyright 2006 The PowerTech Group, Inc

STRONGER AUTHENTICATION for CA SiteMinder

BlackBerry Enterprise Solution and RSA SecurID

Transcription:

TWO FACTOR AUTHENTICATION FOR THE IBM SYSTEM i WHITE PAPER MAY 2010 About the white paper: The pressure to demonstrate compliance with standards and regulations such as Sarbanes Oxley, HIPAA, PCI DSS and Basel II, coupled with the increased value placed on the information created and stored, means organizations are faced with the challenge of securely controlling access to sensitive data. Ever changing user requirements inside the firewall and the need for employees, partners, suppliers, etc. to have access to data outside the firewall; only increase the complexity of securely managing user access. The traditional access control method of user IDs and passwords can no longer be considered the most secure option.

Table of Contents and Compliance... 3 vs. Passwords... 4 : The Basics... 4 The Secure Token: RSA SecurID... 5 DetectIT SecurID Agent for IBM i... 7 System Requirements... 7 Conclusion... 7 2

and Compliance Organizations facing a more advanced threat landscape and a complex regulatory environment require a solution which addresses the need for securely controlling access to existing systems and applications. In addition, this solution should not increase the workload on support, application providers or the end user. The solution must also meet specific access control standards such as those specified within the PCI DSS, which states: PCI DSS Requirement 8: Assign a unique ID to each person with computer access 8.1 Assign all users a unique username before allowing them to access system components or cardholder data. 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: o Password or passphrase o Two-factor authentication (e.g., token devices, smart cards, biometrics, or public keys) 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. (TFA) helps organizations meet compliance standards and improve the existing security environment. But what is TFA and how does it work, specifically on the System i server? 3

vs. Passwords Traditionally, access to a System i server is made with a user ID and a password. Auditors have encouraged security administrators to enforce a strong password policy which traditionally consists of criteria such as alpha-numeric combinations, minimum/maximum lengths, upper and lower case characters and use of special characters. However, a strong password policy can be self defeating as employees use countless systems and applications that require separate and disparate log-ins and passwords. This often leads to unsafe password practices such as using the same password on multiple systems, sharing passwords, and keeping record of passwords in handwritten or electronic documents. Hence security built on static, reusable passwords has proven easy for hackers to beat and corporations having to question if they really know who is accessing their most sensitive networked information assets. In addition to users managing their passwords according to the password policy there is the challenge for administrators who must assist users who forget passwords. There are studies which show resetting passwords for disabled profiles can cost as much as $70 each. This can be taxing on IT resources and does not account for the lost productivity time for the end user. Alternatives to passwords include Single Sign On using EIM and Kerberos, and biometrics. While both of these technologies make access to the server more secure than a password neither has been widely accepted by most System i shops. : The Basics Two factor authentication is based on something you know (a password or PIN number) and something you have (a hardware or software token.) To assure positive proof of an identity, a user must successfully present both factors to the system in order to gain access. Implementing TFA in the System i world requires a user to enter a user ID and password as something you know, and a token code which appears on their token at that time as something you have. The random code is typically generated on a Windows or UNIX server and provided to the user via hardware or software. The user enters their user ID and password on the OS/400 sign-on screen, and is prompted for the code. If both the password and code are recognized by the system, the user is authenticated and granted access to the system and is able to access objects, files, and applications their assigned profile allows. 4

The token code is much more secure than a password because it changes regularly; usually every 60 seconds. There is never an opportunity to reuse it as the token code server demands that a current token is used, not a previous one. Therefore there is no need to write the code down, you simply use the next one that is issued when you next need to authenticate. This one time authentication is what provides the additional security that only TFA can offer. Many people don t realize they use TFA on a daily basis when they use their ATM card. Their card is something they have, and their pin number is something they know. Combining the card with the pin provides two different forms of authentication, making the access more secure than it would be if there was only one. The Secure Token: RSA SecurID Let s look at the vendors available if you want to implement TFA in your environment. Safestone has partnered with RSA, the security division of EMC to provide the token provisioning. RSA is a market leader for TFA based on the strength of their security, application support, variety of authentication methods, and their reliability. RSA has over 28,000 customers and 30 million end-users for their TFA product, RSA Authentication Manager. RSA Authentication Manager is implemented using RSA SecurID. One of the benefits of RSA SecurID is its flexibility. It can provide tokens using hardware or software, or on demand. The hardware available includes key fobs and token cards, and the software can be accessed as an application or part of the toolbar on your desktop/laptop/mobile device. If you prefer on demand tokens they can be delivered using SMS to your cell phone or other mobile device. If you need additional security for your TFA environment you can use a digital certificate for authentication that is opened using the token. RSA s SecurID can be delivered as an integrated rack mountable hardware appliance which is easy to deploy and maintain, and designed so it can be up and running in as little as 30 minutes. 5

RSA provides the tokens for a TFA environment, but what does Safestone provide? In this case it is the agent for SecurID (DetectIT SecurID Agent) needed as a client for the RSA SecurID server. The client is a small footprint API included in a user profile s initial program. This makes it easy to implement on an as-needed basis so users, groups, departments or the entire enterprise can use TFA. The API can also be called to authenticate a user with a token to any application needing additional security. The agent is typically implemented for telnet emulation, but can also be used for network access like FTP where the user is required to authenticate to a network server. It supports both SNA and TCP/IP environments. (Fig. 1) Figure 1: for the System i with Safestone DetectIT and RSA SecurID 6

DetectIT SecurID Agent for IBM i Benefits of DetectIT SecurID Agent include: Protect corporate assets: Through increased security at point of entry using strong two factor authentication ensuring that only those who are truly entitled can access sensitive data. Helps to achieve compliance: Adhere with many of today s regulations and standards (Sarbanes-Oxley, PCI DSS, Basel II, and ISO27002). Risk free implementation: Easy to implement into an existing environment as there is no need for re-development of existing in- house or Third Party applications. Maximize existing SecurID investment: Extend coverage to incorporate IBM i on Power Systems (AS/400, iseries, System i) System Requirements Safestone s Agent for SecurID is certified for RSA s SecurID V6.x and older, and is also certified for new release of V7.1. Conclusion There are a number of forces driving the need for TFA in organizations running System i. These include regulations like PCI, access to data from outside the firewall, and traditional password weaknesses and expense. TFA is a proven technology which provides additional security for companies who either need to meet regulatory requirements, or want to have more secure access to their systems. A strong user ID and password are no longer enough to meet compliance standards and properly secure the System i. Adding an additional form of authentication, such as a token, provides the security needed to protect System i data. TFA is cost effective, reasonable to implement, and has little additional impact on end users. RSA SecurID is a market leader for implementing TFA. While RSA has created agents for many systems/applications to use SecurID, they have partnered with Safestone to create the agent for the System i. Together, we provide a simple, flexible environment which allows you to implement TFA quickly and with minimum disruption to your users and especially your business. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information