Neil Harrison
Malcolm Trigg
21/03/2017
Big Iron, Big Risk!
Securing the mainframe
#MFSummit2017
The Big Iron Risk
Addressing the challenges
• Securing access
• Data privacy
• Management and best practice
Solutions in action
Q&A
Agenda
Mainframes host business-critical data and core applications
• Large number of endpoints and users connecting to hosts
• Increasing regulatory requirements
• Rise of cyber crime
Mainframe applications written for older security technologies
• Eight character passwords
• Not integrated with corporate identity stores and security infrastructure
• Access via older protocols that need to be secured for end-to-end privacy
• Security through obscurity and siloed approach increasingly unacceptable
Big Iron: The risk
[Diagram: host protocols to AS/400, Unix, Mainframe and Unisys systems]
Addressing the challenges
Securing access
• Authenticating end users including privileged access
• Integration with enterprise identity infrastructure
Data privacy
• Securing data in motion and in use
Management and best practice
• Technical currency to address deprecated technologies
• Capitalise on new developments and standards
[Diagram: Corporate Directory Services; Reporting and Centralised Management]
• User identity established from client X.509 certificate
• RACF matches user ID with client certificate
• DCAS provides PassTicket
• User ID and PassTicket used for authentication
• Benefits
• Enables auto sign on to mainframe
• Eliminates password maintenance for administrators and users
• Other considerations
• Certificate management overhead
RACF = Resource Access Control Facility
DCAS = Digital Certificate Access Server
End User Authentication:
IBM Express Logon Feature (ELF)
[Diagram: terminal emulation clients connect to the mainframe over SSL/TLS TN3270 presenting a client X.509 certificate; RACF and DCAS return the user ID and PassTicket used for automated logon]
If the user is already authenticated why make
them authenticate again on the host system?
• Uses Micro Focus Management & Security Server (MSS)
1. MSS authenticates and identifies user
2. DCAS issues one time use PassTicket
3. User ID and PassTicket used for authentication
• Benefits
• Enables auto sign on to mainframe
• Eliminates password maintenance for administrators and users
• Removes client certificate management overhead associated with ELF
• Takes advantage of corporate identity infrastructure
End User Authentication:
Automated sign-on
[Diagram: terminal emulation clients authenticate to the Management & Security Server, which identifies the user against Corporate Directory Services, requests a PassTicket from DCAS/RACF on the mainframe, and completes the automated logon]
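The two sign-on flows above (ELF and MSS automated sign-on) differ only in how the user identity is established in step 1; steps 2 and 3 are the same. The added example below is a simulation written for this page, not Micro Focus or IBM code: the certificate and directory mappings are constructed, and the ticket issuer uses an HMAC with a nonce and expiry to model the one-time-use property of a PassTicket rather than IBM's actual PassTicket algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed identity stores (assumptions): a RACF certificate filter and a corporate directory entry.
RACF_CERT_MAP: Dict[str, str] = {"CN=Alice Example,OU=Ops,O=ExampleCorp": "ALICE01"}
DIRECTORY_USER_MAP: Dict[str, str] = {"alice@example.test": "ALICE01"}


class DcasTicketIssuer:
    """Stand-in for DCAS: single-use, short-lived tickets. Not IBM's PassTicket algorithm."""
    def __init__(self, secret: bytes, ttl_seconds: int = 60) -> None:
        self._secret, self._ttl = secret, ttl_seconds
        self._outstanding: Dict[str, Tuple[str, int]] = {}  # nonce -> (user_id, expiry)
    def _mac(self, user_id: str, nonce: str, expiry: int) -> str:
        msg = f"{user_id}|{nonce}|{expiry}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
    def issue(self, user_id: str, now: int) -> str:
        nonce, expiry = secrets.token_hex(8), now + self._ttl
        self._outstanding[nonce] = (user_id, expiry)
        return f"{nonce}.{expiry}.{self._mac(user_id, nonce, expiry)}"
    def consume(self, user_id: str, ticket: str, now: int) -> bool:
        """Host-side check: intact MAC, matching user, unexpired, and never presented before."""
        try:
            nonce, expiry_str, mac = ticket.split(".")
            expiry = int(expiry_str)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._mac(user_id, nonce, expiry)):
            return False
        entry = self._outstanding.pop(nonce, None)  # one-time use: removed on first presentation
        return entry is not None and entry[0] == user_id and now <= expiry


def host_logon(issuer: DcasTicketIssuer, user_id: Optional[str], now: int) -> Optional[str]:
    """Steps 2-3 shared by both flows: DCAS issues the ticket, the host authenticates user ID + ticket."""
    if user_id is None or not issuer.consume(user_id, issuer.issue(user_id, now), now):
        return None
    return user_id


def elf_logon(issuer: DcasTicketIssuer, cert_subject: str, now: int) -> Optional[str]:
    """ELF step 1: RACF maps the client X.509 certificate subject to a user ID."""
    return host_logon(issuer, RACF_CERT_MAP.get(cert_subject), now)


def automated_signon(issuer: DcasTicketIssuer, directory_user: str, now: int) -> Optional[str]:
    """MSS step 1: the already-authenticated corporate directory session identifies the user."""
    return host_logon(issuer, DIRECTORY_USER_MAP.get(directory_user), now)
```

Replaying a consumed ticket or presenting it after the TTL fails in `consume`, which is the property that lets the host accept a ticket in place of a reusable password.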
• Uses MSS and Micro Focus Advanced Authentication
• Framework with broad support for platforms, devices and applications
• Multiple authentication mechanisms
• Benefits
• Provides strong authentication for secure environments and privileged users
• Flexible solution that can be used for other use cases
• Works with Automated Sign On for great end user experience
End User Authentication:
Multi-factor Authentication
[Diagram: terminal emulation clients, Management & Security Server with Advanced Authentication, Corporate Directory Services, mainframe]
Multi-Factor Authentication required for access to CDE in some cases
• PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
CDE = Cardholder Data Environment
Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016
• Provides end-to-end data privacy and integrity
• Support for TLS 1.2, SHA-256, HTTPS and FIPS 140-2 validated
• Continued investment in TLS 1.3 and Elliptic Curve Cryptography (ECC)
• MSS proxy securely extends reach beyond the firewall
• Enforces perimeter control
• Can isolate and control network access to critical systems inside the firewall to support best practice
• Securely extends application access for anywhere, anytime, any device access.
Securing data in motion
[Diagram: terminal emulation clients connect through the Management & Security Server security proxy in the DMZ to the mainframe]
TLS 1.2 encryption level mandated as of June 2018
• After June 30, 2018, all entities must have stopped using SSL/early TLS as a security control.
Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016
Information privacy filters enable access while protecting sensitive data
• Flexible PAN detection and redaction
• Extensible for all data items
• Supports all screen actions (cut, copy, paste, print, API access)
Securing data in use
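The PAN redaction described above can be modelled as a filter over the text of a host screen: find candidate card numbers, keep only those that pass the Luhn check (so account and reference numbers stay readable), and mask all but the trailing digits while preserving the screen layout. The example below is added for illustration and is not the Micro Focus information privacy filter; the candidate pattern, the sample screen and the keep-last-four policy are assumptions.

```python
import re
from typing import Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (constructed pattern, an assumption about screen layout).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed 3270-style screen text for the demo; the card numbers are public test PANs.
SAMPLE_SCREEN = (
    "CUST 00123  CARD 4111 1111 1111 1111  ACCT 1234567890123456\n"
    "ALT CARD 5500-0000-0000-0004   REF 778899\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used to separate real PANs from other long numbers on screen."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(screen_text: str, keep_last: int = 4) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN, keeping separators and the last `keep_last` digits.
    Returns the redacted text and the number of PANs masked (useful for reporting)."""
    masked_count = 0

    def _mask(match) -> str:
        nonlocal masked_count
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw  # e.g. an account or reference number: leave it readable
        masked_count += 1
        replacement = iter("X" * (len(digits) - keep_last) + digits[-keep_last:])
        # Walk the original text so spaces and hyphens stay exactly where they were.
        return "".join(next(replacement) if ch.isdigit() else ch for ch in raw)

    return PAN_CANDIDATE.sub(_mask, screen_text), masked_count


if __name__ == "__main__":
    redacted, count = redact_pan(SAMPLE_SCREEN)
    print(f"{count} PAN(s) masked\n{redacted}")
```

The same function can sit in front of copy, paste, print and API reads of the screen buffer so that every path out of the emulator sees the masked text.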
General Data Protection Regulation
Article 25: Data protection by design and by default
• implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles,
• The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Management and Security Server enforces security by providing:
• Centralised configuration management
• Security proxy services
• Auto Sign on and Multi-Factor Authentication
• Integration to corporate identity store & certificate management
• Reporting and metering control
Centralising Host Connectivity Management
[Diagram: terminal emulation clients, Management & Security Server in the DMZ, mainframe, Corporate Directory Services, Reporting and Metering]
• Windows Lifecycle
• Look for desktop products that have Windows certifications and lifecycle support statements
• Browser currency and NPAPI deprecation
• End of browser plugin technology
• Impacts Java Applets, ActiveX, Flash and Silverlight plugins
Technical currency and deprecation
https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet
https://www.google.co.uk/?gws_rd=ssl#q=oracle+java+browser+plugin+support
What’s new in Firefox
https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
http://support.attachmate.com/techdocs/2797.html
Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported
Removed Battery Status API to reduce fingerprinting of users by trackers
Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute
Various security fixes (28 security vulnerabilities)
• Reflection ZFE developed using HTML5
• Supports broad range of modern browsers
• Device independent
• Provides anywhere access at any time
Good for when you are away from your desk, only have a mobile device with you, even if you have privileged system access
• Eliminates the need for a Java plug-in!
Any Time, Any Device, Any Modern Browser
Solutions in action
Implement strong authentication mechanisms
Integrate with enterprise identity infrastructure
Secure data in motion and in use
Centralise management
Address technical debt
Addressing the Big Iron Risk
[Diagram: mainframe, Management & Security Server in the DMZ, Corporate Directory Services, Reporting and Metering]
Securely extending the reach of mainframe applications to any device, anywhere at any time
Terminal Emulation security risk assessment
Free assessment of Terminal Emulation security configuration settings
Answers key questions:
• Are my host connections secure?
• Am I meeting regulatory requirements?
• Are all the connections secure?
• Can I go beyond the firewall?
• What about mobile users?
www.microfocus.com
Strong authentication solutions address weak passwords
Use data encryption
Redaction protects data in use
Centralised management
Address technical debt
Addressing the Big Iron Risk
[Diagram: host protocols to AS/400, Unix, Mainframe and Unisys systems; Reporting and Centralised Management; Corporate Directory Services]
Securely extending the reach of Mainframe applications to any device, anywhere at any time