big iron, big risk? securing the mainframe - #mfsummit2017
TRANSCRIPT
![Page 1: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/1.jpg)
Neil Harrison
Malcolm Trigg
21/03/2017
Big Iron, Big Risk!
Securing the mainframe
#MFSummit2017
![Page 2: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/2.jpg)
Agenda
• The Big Iron Risk
• Addressing the challenges
  • Securing access
  • Data privacy
  • Management and best practice
• Solutions in action
• Q&A
![Page 3: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/3.jpg)
Big Iron: The risk
Mainframes host business-critical data and core applications
• Large number of endpoints and users connecting to hosts
• Increasing regulatory requirements
• Rise of cyber crime
Mainframe applications were written for older security technologies
• Eight-character passwords (the classic RACF limit; longer password phrases exist, but many applications and emulator sign-on flows still only pass an eight-character password)
• Not integrated with corporate identity stores and security infrastructure
• Access via older protocols such as TN3270, which are cleartext unless wrapped in TLS and so need to be secured for end-to-end privacy
• Security through obscurity and a siloed approach are increasingly unacceptable
![Page 4: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/4.jpg)
Addressing the challenges
Securing access
• Authenticating end users, including privileged access
• Integration with enterprise identity infrastructure
Data privacy
• Securing data in motion and in use
Management and best practice
• Technical currency to address deprecated technologies
• Capitalise on new developments and standards
(Diagram: terminal emulation clients connect over host protocols to AS/400, Unix, Mainframe and Unisys hosts, alongside Corporate Directory Services and Reporting and Centralised Management)
![Page 5: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/5.jpg)
End User Authentication: IBM Express Logon Feature (ELF)
If the user is already authenticated, why make them authenticate again on the host system?
• User identity is established from the client X.509 certificate presented on the SSL/TLS TN3270 connection
• RACF matches the user ID with the client certificate
• DCAS provides a PassTicket
• User ID and PassTicket are used for authentication (automated logon)
• Benefits
  • Enables auto sign-on to the mainframe
  • Eliminates password maintenance for administrators and users
• Other considerations
  • Certificate management overhead
  • A PassTicket is a short-lived, single-use password substitute generated with a secret key held in RACF (the PTKTDATA class); that key, and any server permitted to request PassTickets from DCAS, must be protected as carefully as the passwords they replace
RACF = Resource Access Control Facility
DCAS = Digital Certificate Access Server
(Diagram: terminal emulation clients connect to the mainframe over SSL/TLS TN3270 with a client X.509 certificate; RACF and DCAS return the user ID and PassTicket used for the automated logon)
![Page 6: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/6.jpg)
End User Authentication: Automated sign-on
• Uses Micro Focus Management & Security Server (MSS)
  1. MSS authenticates and identifies the user against the corporate directory services
  2. DCAS issues a one-time-use PassTicket
  3. User ID and PassTicket are used for authentication (automated logon)
• Benefits
  • Enables auto sign-on to the mainframe
  • Eliminates password maintenance for administrators and users
  • Removes the client certificate management overhead associated with ELF
  • Takes advantage of corporate identity infrastructure
(Diagram: terminal emulation clients authenticate to the Management & Security Server, which identifies the user via Corporate Directory Services, requests a PassTicket from DCAS/RACF on the mainframe and drives the automated logon)
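The ELF and automated sign-on flows above both end in the same exchange: an identity that has already been authenticated is turned into a one-time PassTicket that the host accepts in place of a password. The following is an added example, not Micro Focus or IBM code: a simplified Python model of the MSS → DCAS → host exchange that exercises the properties a practitioner should verify in any such deployment (the ticket is bound to one user and one application, it expires, and it is rejected on replay or tampering). It uses HMAC-SHA256 in place of RACF's PassTicket algorithm, a dictionary in place of the corporate directory, and a controllable clock; the user ALICE, her password and the application IDs TSO and CICS are constructed sample data.

```python
"""Simplified model of MSS -> DCAS -> host automated sign-on (added example, not product code)."""
import hashlib
import hmac
import secrets
import time

# Real RACF PassTickets are only valid for a short window; ten minutes is assumed here.
TICKET_LIFETIME_S = 600


class Directory:
    """Stand-in for the corporate directory MSS authenticates against (constructed)."""

    def __init__(self):
        self._users = {}

    def add_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user_id] = (salt, digest)

    def authenticate(self, user_id, password):
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)


class TicketAuthority:
    """Stand-in for DCAS/RACF: mints and verifies one-time tickets bound to user and application.

    HMAC-SHA256 over (user, application, issue time) replaces RACF's PassTicket algorithm;
    the secret key plays the role of the PTKTDATA key shared between RACF and DCAS.
    """

    def __init__(self, secret_key, now=time.time):
        self._key = secret_key
        self._now = now
        self._spent = set()

    def _mac(self, user_id, app_id, issued):
        msg = f"{user_id}|{app_id}|{issued}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, user_id, app_id):
        issued = int(self._now())
        return (user_id, app_id, issued, self._mac(user_id, app_id, issued))

    def redeem(self, ticket, app_id):
        """Host-side check. Each failure branch is a distinct misuse case."""
        user_id, ticket_app, issued, mac = ticket
        if ticket_app != app_id:                                   # minted for another application
            return False
        if not hmac.compare_digest(mac, self._mac(user_id, ticket_app, issued)):  # forged or tampered
            return False
        if not 0 <= self._now() - issued <= TICKET_LIFETIME_S:     # expired (or clock skew)
            return False
        if ticket in self._spent:                                  # replayed
            return False
        self._spent.add(ticket)
        return True


def automated_sign_on(directory, authority, user_id, password, app_id):
    """Steps 1-3 from the slide: MSS authenticates, DCAS issues, the host validates."""
    if not directory.authenticate(user_id, password):
        return "mss: authentication failed"
    ticket = authority.issue(user_id, app_id)        # MSS asks DCAS for a PassTicket
    if authority.redeem(ticket, app_id):             # emulator logs on with user ID + PassTicket
        return f"host: {user_id} logged on to {app_id}"
    return "host: ticket rejected"


def demo():
    """Run the happy path and each failure mode against a controllable clock."""
    clock = [1_700_000_000]
    directory = Directory()
    directory.add_user("ALICE", "correct-horse-battery")   # constructed sample user
    authority = TicketAuthority(secrets.token_bytes(32), now=lambda: clock[0])
    results = []
    results.append(automated_sign_on(directory, authority, "ALICE", "wrong", "TSO"))
    first = authority.issue("ALICE", "TSO")
    results.append(authority.redeem(first, "TSO"))    # first use: accepted
    results.append(authority.redeem(first, "TSO"))    # replay: rejected
    results.append(authority.redeem(authority.issue("ALICE", "TSO"), "CICS"))  # wrong application
    stale = authority.issue("ALICE", "TSO")
    clock[0] += TICKET_LIFETIME_S + 1
    results.append(authority.redeem(stale, "TSO"))    # expired
    results.append(automated_sign_on(directory, authority, "ALICE", "correct-horse-battery", "TSO"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is the `redeem` checks: whichever product sits in the MSS role, the host must still reject a ticket presented for a different application, after its lifetime, or a second time, and the ticket-minting key must never leave the DCAS/RACF side.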
![Page 7: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/7.jpg)
End User Authentication: Multi-factor Authentication
• Uses MSS and Micro Focus Advanced Authentication
  • A framework with broad support for platforms, devices and applications
  • Multiple authentication mechanisms
• Benefits
  • Provides strong authentication for secure environments and privileged users
  • A flexible solution that can be used for other use cases
  • Works with Automated Sign-On for a great end-user experience
(Diagram: terminal emulation clients authenticate to the Management & Security Server, which calls Advanced Authentication and Corporate Directory Services before the mainframe logon)
![Page 8: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/8.jpg)
Multi-factor authentication is required for access to the CDE in some cases
• PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
• Note that in v3.2 the non-console administrative part (8.3.1) was a best practice until 31 January 2018 and a requirement thereafter
CDE = Cardholder Data Environment
Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016
![Page 9: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/9.jpg)
Securing data in motion
• Provides end-to-end data privacy and integrity
• Support for TLS 1.2, SHA-256, HTTPS and FIPS 140-2 validated cryptographic modules
• Continued investment in TLS 1.3 and Elliptic Curve Cryptography (ECC)
• The MSS security proxy securely extends reach beyond the firewall
  • Enforces perimeter control
  • Can isolate and control network access to critical systems inside the firewall, to support best practice
  • Securely extends application access for anywhere, anytime, any-device access
• Check that the proxy-to-host leg is also TLS-protected: a proxy that terminates TLS in the DMZ and forwards cleartext TN3270 to the host provides perimeter control, but not end-to-end privacy
(Diagram: terminal emulation clients connect over TLS to the Security Proxy in the DMZ, which is managed by the Management & Security Server and forwards sessions to the mainframe)
![Page 10: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/10.jpg)
SSL and early TLS must be retired by June 2018; target TLS 1.2
• After June 30, 2018, all entities must have stopped using SSL/early TLS as a security control.
• "Early TLS" is TLS 1.0. TLS 1.1 remains permitted, but the PCI SSC strongly encourages TLS 1.2, which is the sensible minimum to configure on TN3270 listeners and the security proxy.
Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016, Appendix A2
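The June 2018 deadline only means something if someone checks what the TN3270 listener and the security proxy actually negotiate. The following is an added example, not Micro Focus or IBM code: a Python probe that pins one protocol version per handshake, plus an offline evaluator that turns the probe results into findings. Assumptions: implicit TLS on the port (992, the conventional z/OS secure TN3270 port, is the default); the host name is whatever you point it at; `evaluate` encodes the PCI SSC position that SSL and TLS 1.0 must be off, TLS 1.1 is tolerated, and TLS 1.2 is strongly encouraged.

```python
"""Probe which TLS versions a TN3270-over-TLS port accepts (added example, not product code)."""
import socket
import ssl
import sys

# What PCI DSS v3.2 Appendix A2 calls "SSL/early TLS"; TLS 1.1 is handled separately below.
SSL_EARLY_TLS = ("SSLv3", "TLSv1")
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns 'accepted', 'rejected', 'unsupported-locally' (this OpenSSL build cannot
    speak the version, so nothing can be concluded about the server) or 'error' (no
    TCP connection). Certificate verification is disabled on purpose: this checks the
    server's version policy, not its identity, and assumes implicit TLS on the port.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "error"


def scan(host, port=992):
    """One probe per version; the result dict is what evaluate() consumes."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS.items()}


def evaluate(results):
    """Turn probe results into findings against the June 2018 rule.

    Blocking: any accepted SSL/early TLS version, or no TLS 1.2/1.3 offered at all.
    Advisory: TLS 1.1 accepted (permitted, but below the recommended TLS 1.2 floor).
    Versions the scanner could not speak are not counted either way.
    """
    blocking, advisory = [], []
    for name in SSL_EARLY_TLS:
        if results.get(name) == "accepted":
            blocking.append(f"{name} accepted: must be disabled")
    if "accepted" not in (results.get("TLSv1.2"), results.get("TLSv1.3")):
        blocking.append("no TLS 1.2 or 1.3 offered")
    if results.get("TLSv1.1") == "accepted":
        advisory.append("TLSv1.1 accepted: raise the minimum to TLS 1.2")
    return {"pci_ok": not blocking, "blocking": blocking, "advisory": advisory}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 992
    probe_results = scan(target, target_port)
    for name, outcome in probe_results.items():
        print(f"{name:8} {outcome}")
    print(evaluate(probe_results))
```

Run it against the TN3270 listener and, separately, against the DMZ proxy: the two can differ, and the "unsupported-locally" outcome is a reminder that a modern scanning host may be unable to speak TLS 1.0 at all, in which case an older client or a different OpenSSL build is needed to prove the server refuses it.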
![Page 11: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/11.jpg)
Securing data in use
Information privacy filters enable access while protecting sensitive data
• Flexible PAN (Primary Account Number) detection and redaction
• Extensible to all data items
• Supports all screen actions (cut, copy, paste, print, API access, ...)
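The redaction the slide describes has two halves that a practitioner should test separately: finding candidate card numbers in a screen buffer without catching every long account or phone number, and masking them without shifting the columns of a fixed-layout 3270 screen. The following is an added example, not Micro Focus code: a Python PAN filter that uses a digit-run regex plus the Luhn check, keeps the last four digits, and preserves separators and field widths. The screen text is constructed sample data using well-known test card numbers.

```python
"""Detect and redact PANs in a 3270 screen buffer (added example, not product code)."""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn (mod 10) check that every card PAN satisfies; weeds out account and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text, keep_last=4):
    """Mask every Luhn-valid PAN in `text`, keeping the last `keep_last` digits.

    Separators and field widths are preserved so the masked screen still lines up
    column for column, which matters for 3270 screens and for anything that scrapes them.
    Returns (redacted_text, number_of_pans_masked).
    """
    masked = 0

    def replace(match):
        nonlocal masked
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # a 13-19 digit run that is not a card number: leave it alone
        masked += 1
        keep_from = len(digits) - keep_last
        seen = 0
        out = []
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > keep_from else "X")
            else:
                out.append(ch)
        return "".join(out)

    return PAN_CANDIDATE.sub(replace, text), masked


# Constructed sample screen: two Luhn-valid test PANs, an account number, a phone number
# and a 16-digit reference that fails Luhn (and so must not be masked).
SAMPLE_SCREEN = (
    "CUSTOMER ENQUIRY                        PAGE 1\n"
    "NAME    : J SMITH          ACCT: 1234567890123\n"
    "CARD    : 4111 1111 1111 1111   EXP: 12/19\n"
    "CARD 2  : 5555-5555-5555-4444\n"
    "PHONE   : 02079460000   REF: 4111111111111112\n"
)


def demo():
    return redact_pans(SAMPLE_SCREEN)


if __name__ == "__main__":
    redacted, count = demo()
    print(redacted)
    print(f"{count} PAN(s) masked")
```

The Luhn step is what keeps the filter usable: without it, the 13-digit account number would be masked and the screen would become useless for the operator, which is exactly the trade-off the slide's "enable access while protecting sensitive data" is about. Applying the same function to clipboard, print and API paths is what "supports all screen actions" means in practice.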
![Page 12: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/12.jpg)
General Data Protection Regulation
Article 25: Data protection by design and by default
• 25(1): the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles
• 25(2): The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
![Page 13: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/13.jpg)
Centralising Host Connectivity Management
Management and Security Server enforces security by providing:
• Centralised configuration management
• Security proxy services
• Auto Sign-On and Multi-Factor Authentication
• Integration with the corporate identity store and certificate management
• Reporting and metering control
(Diagram: terminal emulation clients connect through the DMZ to the mainframe under the control of the Management & Security Server, which integrates with Corporate Directory Services and Reporting and Metering)
![Page 14: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/14.jpg)
Technical currency and deprecation
• Windows lifecycle
  • Look for desktop products that have Windows certifications and lifecycle support statements
• Browser currency and NPAPI deprecation
  • End of browser plug-in technology
  • Impacts Java applets, ActiveX, Flash and Silverlight plug-ins
https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet
https://www.google.co.uk/?gws_rd=ssl#q=oracle+java+browser+plugin+support
![Page 15: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/15.jpg)
What's new in Firefox 52
• Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported
• Removed the Battery Status API to reduce fingerprinting of users by trackers
• Implemented the Strict Secure Cookies specification, which forbids insecure HTTP sites from setting cookies with the "secure" attribute
• Various security fixes (28 security vulnerabilities)
https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
http://support.attachmate.com/techdocs/2797.html
![Page 16: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/16.jpg)
Any Time, Any Device, Any Modern Browser
• Reflection ZFE is developed using HTML5
• Supports a broad range of modern browsers
• Device independent
• Provides anywhere access at any time: useful when you are away from your desk and only have a mobile device with you, even if you have privileged system access
• Eliminates the need for a Java plug-in
![Page 17: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/17.jpg)
Solutions in action
![Page 18: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/18.jpg)
Addressing the Big Iron Risk
• Implement strong authentication mechanisms
• Integrate with enterprise identity infrastructure
• Secure data in motion and in use
• Centralise management
• Address technical debt
Securely extending the reach of mainframe applications to any device, anywhere, at any time
(Diagram: mainframe, Management & Security Server, DMZ, Corporate Directory Services, Reporting and Metering)
![Page 19: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/19.jpg)
Terminal Emulation security risk assessment
Free assessment of Terminal Emulation security configuration settings
Answers key questions:
• Are my host connections secure?
• Am I meeting regulatory requirements?
• Are all the connections secure?
• Can I go beyond the firewall?
• What about mobile users?
![Page 20: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/20.jpg)
www.microfocus.com
![Page 21: BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017](https://reader030.vdocument.in/reader030/viewer/2022021502/58edd6381a28ab88078b46f9/html5/thumbnails/21.jpg)
Addressing the Big Iron Risk
• Strong authentication solutions address weak passwords
• Use data encryption
• Redaction protects data in use
• Centralised management
• Address technical debt
Securely extending the reach of Mainframe applications to any device, anywhere, at any time
(Diagram: host protocols to AS/400, Unix, Mainframe and Unisys hosts, with Reporting and Centralised Management and Corporate Directory Services)