pre-con ed: enterprise wide advanced authentication: introducing advanced authentication mainframe
TRANSCRIPT
World® '16
Enterprise Wide Advanced Authentication: Introducing Advanced Authentication Mainframe
Jeff Cherrington, Sr Director, Product Management
John Pinkowski, Product Owner
MFX42E
MAINFRAME AND WORKLOAD AUTOMATION
2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2016 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA's general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2016, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA's sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Abstract
The mainframe is an interconnected component of the modern data center, and now, securing access to mainframe applications with only a password is no longer secure enough. In this session, we'll review the features and functionalities of CA Advanced Authentication Mainframe, including its support for hard and soft tokens through RSA SecurID and integrations with CA ACF2™ and CA Top Secret®. You'll walk away knowing how to create a consistent advanced authentication security strategy across all platforms in the enterprise.
Jeff Cherrington and John Pinkowski
CA Technologies
The Impact of Data Theft
Health Insurance | Announced: March 2015 | Records stolen: 11M | Cost: To be determined. Facing a class action lawsuit as well as potential regulatory violation fines.
Retail | Announced: September 2014 | Records stolen: 56M | Cost: $43M and counting. Estimates put this as high as $10B (includes all remediation costs borne by the company and consumers).
Health Systems | Announced: August 2014 | Records stolen: 4.5M | Cost: $75M – $150M
eCommerce | Announced: May 2014 | Records stolen: 233M | Cost: $200M and counting.
Retail | Announced: December 2013 | Records stolen: 70M | Cost: $162M and counting. Recent estimates put this at well over $1B.
Government | Announced: May 2015 | Records stolen: 22M | Cost: To be determined. Likely facing a class action lawsuit as well as others.
Agenda
1 PROBLEM TO SOLVE
2 THE PLAN
3 PIV/CAC OVERVIEW
4 ARCHITECTURE
5 CA ADVANCED AUTHENTICATION MAINFRAME OVERVIEW
6 IBM MULTI-FACTOR AUTHENTICATION OVERVIEW
Security and Compliance: Managing Security, Data Access and Compliance
[Diagram] Components: CA Data Protection, 3rd party DLP Solution, SIEM, CA Advanced Authentication Mainframe, CA Data Content Discovery, CA Auditor, CA Compliance Event Manager, CA Cleanup; ESMs: IBM RACF, CA Top Secret, CA ACF2
Functions: Secure mainframe assets; Capture events affecting compliance and policy; Discover sensitive data; Extend compliance event data to analytics solutions; Enable secure data in motion across the enterprise
Roles: Security Administrator, Big Data Analyst, Auditor
Legend: Planned, Available, Non-CA Product
Problem To Solve
§ Large, commercial organizations seek to avoid data breaches, insider fraud, and security access audit issues.
§ Federal agencies must adopt two-factor authentication (2FA) for privileged users as directed by the Binding Operational Directive (BOD) issued in 2015.
Our Plan – Big Picture
§ Allow flexible implementation control over all users or a subset of users (e.g. privileged)
§ Passticket Support
§ Flexible use of authenticators and credentials
– Support of RSA SecurID hard and soft tokens
– Support of IBM MFA
– Support of HSPD-12 smart cards (PIV/CAC) integrating with CA PAM
– More to come
§ Comply with NIST/FIPS standards
Reference Architecture
[Diagram] Authenticator (START / GET / PUT / STOP), Java Layer, JNI (Client), Authorized Assembler, RACROUTE (any address space), AAM Address Space, Signon work element for AAM, Cross Memory WAIT and POST
An address space creates and queues a signon work element to the AAM address space for processing. The AAM assembler code picks up the work element and pushes the work element to the Java layer. The Java layer processes the work element and sends back a response to the JNI. The JNI then sends the response back to the requester in the work element.
Currently 3 Patents Published
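The flow on the architecture slide is a producer/consumer exchange between the requesting address space and the AAM address space: the requester builds a work element, queues it, and WAITs; AAM GETs the element, runs it through JNI into the Java layer, stores the response in the element and POSTs the requester. The Python model below is an added example and not CA code (the real implementation is authorized z/OS assembler, cross-memory WAIT/POST and a JNI bridge); the credential table, the response codes and the timeout that fails the logon closed when AAM never POSTs are all constructed assumptions.

```python
"""Thread model of the AAM sign-on work-element flow (added example, not CA code)."""
import queue
import threading
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the authenticator back end (assumption).
AUTHENTICATOR_DB = {"PRIVADM": "1234482913"}


@dataclass
class WorkElement:
    """The sign-on work element a requesting address space queues to AAM."""
    userid: str
    credential: str
    response: Optional[str] = None                       # filled in by the Java layer
    posted: threading.Event = field(default_factory=threading.Event)  # POST target


def java_layer(elem: WorkElement) -> str:
    """Java layer: evaluate the work element and return a response code."""
    ok = AUTHENTICATOR_DB.get(elem.userid) == elem.credential
    return "AUTH-OK" if ok else "AUTH-FAIL"


def aam_address_space(work_queue: "queue.Queue") -> None:
    """AAM assembler side: GET a work element, push it through JNI to the
    Java layer, store the response in the element, then POST the requester."""
    while True:
        elem = work_queue.get()
        if elem is None:                 # STOP request: shut the authenticator down
            break
        elem.response = java_layer(elem)  # JNI -> Java -> JNI
        elem.posted.set()                 # cross-memory POST


def requester_signon(work_queue: "queue.Queue", userid: str, credential: str,
                     timeout: float = 1.0) -> str:
    """Any address space: build the work element, queue it, WAIT for the POST.
    The requester never touches the authenticator; it only reads the response."""
    elem = WorkElement(userid, credential)
    work_queue.put(elem)
    if not elem.posted.wait(timeout):
        return "AUTH-TIMEOUT"            # fail closed if AAM never POSTs (assumption)
    return elem.response or "AUTH-FAIL"


def run_scenario(requests: List[Tuple[str, str]], aam_running: bool = True) -> List[str]:
    """START the AAM thread (or not), drive the requests, STOP it, return responses."""
    work_queue: "queue.Queue" = queue.Queue()
    worker = None
    if aam_running:
        worker = threading.Thread(target=aam_address_space, args=(work_queue,), daemon=True)
        worker.start()                   # START
    results = [requester_signon(work_queue, u, c, timeout=0.2) for u, c in requests]
    if worker is not None:
        work_queue.put(None)             # STOP
        worker.join()
    return results


if __name__ == "__main__":
    print(run_scenario([("PRIVADM", "1234482913"), ("PRIVADM", "wrong")]))
    print(run_scenario([("PRIVADM", "1234482913")], aam_running=False))
```

The second scenario is the operational caveat a practitioner would check: if the AAM address space is not up, the requester's WAIT must have a bound, and the logon must fail rather than hang or default to allow.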
CA Advanced Authentication Mainframe via RSA SecurID
§ In the ESM, users will be defined to use RSA or not, with a resource rule in ACF2 or Permit in Top Secret
§ User opens 3270 session to mainframe, and logs in with userid and RSA tokencode and/or associated PIN (Currently, PIN supported only for TSO logon)
§ At logon, the ESM will determine if the user is in RSA rule or permit
§ If (and only if) the user is in the RSA rule or permit, RSA Agent will be called to process the request and pass it to RSA server for validation
§ Once the RSA server validates the user's credentials, it passes the information back to RSA agent
§ RSA Agent passes the information to ESM
§ ESM authenticates the user based on the information from RSA Agent
§ Note: RSA Agent is a combination of Java and Assembler code and is entirely on z/OS. Communication to RSA server is via RSA APIs
Available now at no additional charge for CA ACF2 r16 and CA Top Secret r16 customers
Key Points
§ Controlled using CA ACF2 rules and CA Top Secret permissions
§ Allows for user mapping to a RSA userid
§ Can be controlled at the application level
§ Allows passtickets to be used for applications (TPX for example)
§ Does not require Passphrase to be active at the ESM level
§ Supports RSA SecurID token and token+pin authentication
§ Can be configured to fall back to password processing
§ Before starting your migration evaluate your applications' ability to support the entering of more than 8-character credentials!
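The RSA SecurID logon path on the previous slide and the key points above (rule/permit gating, userid mapping, token and token+PIN, password fallback, and the 8-character field warning) fit in one decision model. The Python below is an added example, not CA code: the rule/permit set, the userid mapping, the password store, the stub RSA server and every credential are constructed, and the `fallback` and `field_width` switches are assumptions used to model the slides' key points rather than real ACF2 or Top Secret settings.

```python
"""Model of the ESM -> RSA Agent -> RSA server logon decision (added example, not CA code)."""
from typing import Optional, Tuple

# Users defined to use RSA via an ACF2 resource rule / Top Secret permit (constructed).
RSA_PERMIT = {"PRIVADM", "OPER01"}
# ESM userid -> RSA userid, the "user mapping" key point (constructed).
RSA_USER_MAP = {"PRIVADM": "jdoe"}
# ESM password store (constructed).
PASSWORD_DB = {"PRIVADM": "S3cret!!", "OPER01": "Oper1pw", "APPUSER": "Welcome1"}
# Stub RSA server: RSA userid -> (PIN, current tokencode). An empty PIN models
# tokencode-only authentication (constructed).
RSA_SERVER = {"jdoe": ("1234", "482913"), "OPER01": ("", "771204")}


def rsa_agent_validate(rsa_user: str, passcode: str) -> bool:
    """RSA Agent hands the passcode to the RSA server: PIN followed by tokencode."""
    entry = RSA_SERVER.get(rsa_user)
    if entry is None:
        return False
    pin, tokencode = entry
    return passcode == pin + tokencode


def password_check(userid: str, credential: str) -> bool:
    """Ordinary ESM password processing."""
    return PASSWORD_DB.get(userid) == credential


def credential_fits(credential: str, field_width: int) -> bool:
    """Migration check from the slides: can the application's logon field hold
    the whole credential? A 4-digit PIN plus a 6-digit tokencode is 10 characters."""
    return len(credential) <= field_width


def rsa_logon(userid: str, credential: str, field_width: Optional[int] = None,
              fallback: bool = False) -> Tuple[str, str]:
    """ESM logon decision, returned as (decision, path).

    field_width models an application panel that silently truncates input;
    fallback models 'fall back to password processing' (both assumptions)."""
    if field_width is not None:
        credential = credential[:field_width]       # panel truncates what the user typed
    if userid not in RSA_PERMIT:                    # not in rule/permit: password only
        return ("ALLOW", "password") if password_check(userid, credential) else ("DENY", "password")
    rsa_user = RSA_USER_MAP.get(userid, userid)     # map ESM userid to RSA userid
    if rsa_agent_validate(rsa_user, credential):    # RSA Agent -> RSA server -> ESM
        return ("ALLOW", "rsa")
    if fallback and password_check(userid, credential):
        return ("ALLOW", "password-fallback")
    return ("DENY", "rsa")


if __name__ == "__main__":
    print(rsa_logon("PRIVADM", "1234482913"))                 # TSO: PIN + tokencode accepted
    print(rsa_logon("PRIVADM", "1234482913", field_width=8))  # 8-char panel: truncated, denied
    print(credential_fits("1234482913", 8))                   # the migration check says no
```

The truncation case is the one the last bullet warns about: the user typed a valid passcode, but an application whose logon field holds only 8 characters sends a truncated value, so the RSA server rejects it and, without fallback, the logon is denied. Running `credential_fits` over each application's field width before migration surfaces this ahead of time.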
Key Points
§ Yes, we are supporting IBM Multi-factor Authentication!
§ Controlled with CA ACF2 via Control and User Profile records
§ Controlled with CA Top Secret via new records in the VSAM database
§ Support added for R_factor callable services
Integration Phase 2 – CA ESMs & CA PAM (pka Xceedium Xsuite)
§ Privileged User logs into PC/network with PIV card & associated PIN or password and "enrolls" in Xsuite
§ Xsuite authenticates the user against authorities uploaded to its credential vault
§ Privileged User has a record on their ID on ESM to indicate the 2FA requirement
§ Privileged User opens 3270 session to mainframe, and logs in with their credentials
§ ESM detects the 2FA requirement for the user based on the record on their ID
§ An API call is made to Xsuite appliance to verify if the user is logged in/enrolled with PIV/CAC or PIN and validate if the user that came in from a particular IP address is the one who has the 2FA in Xsuite. Following details are sent for verification to Xsuite:
– User ID
– IP Address from where the user logged in
§ The Xsuite Appliance sends back the authentication status upon verifying the credentials from the FIPS vault
§ If the user passed the 2FA requirement, ESM authenticates user for mainframe resources, or not
§ Note: Browser is in play, as Internet Explorer is source for Microsoft Cryptographic API (CAPI) library
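The Phase 2 flow above binds the mainframe logon to a PIV/CAC enrolment on the PC by checking two things at the appliance: that the user is enrolled, and that the IP address the 3270 session came from matches the one the enrolment was made from. The Python below is an added example and not CA or Xsuite code: the appliance's verify API, the ESM user record layout, the status strings and all users, passwords and addresses are constructed stand-ins.

```python
"""Model of the ESM -> Xsuite appliance PIV/CAC verification (added example, not CA code)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class EsmUserRecord:
    """Constructed stand-in for the ESM record that carries the 2FA requirement."""
    userid: str
    requires_2fa: bool        # the "record on their ID" from the slide
    password: str             # checked by the ESM on the 3270 logon


class XsuiteAppliance:
    """Stand-in for the appliance's credential vault and its verify API (assumption)."""

    def __init__(self) -> None:
        self._enrolled: Dict[str, str] = {}   # userid -> IP the PIV logon came from

    def enroll(self, userid: str, source_ip: str, piv_pin_ok: bool) -> bool:
        """PC/network logon with PIV card + PIN 'enrolls' the user from that address."""
        if not piv_pin_ok:
            return False
        self._enrolled[userid] = source_ip
        return True

    def verify(self, userid: str, source_ip: str) -> str:
        """The API call the ESM makes with User ID and IP address."""
        enrolled_ip = self._enrolled.get(userid)
        if enrolled_ip is None:
            return "NOT_ENROLLED"
        if enrolled_ip != source_ip:
            return "IP_MISMATCH"        # someone else's session, or a different workstation
        return "VERIFIED"


def piv_logon(esm_db: Dict[str, EsmUserRecord], appliance: XsuiteAppliance,
              userid: str, credential: str, source_ip: str) -> Tuple[str, str]:
    """3270 logon: ESM checks the credential and the 2FA requirement, then
    consults the appliance only for users whose record demands it."""
    rec = esm_db.get(userid)
    if rec is None or rec.password != credential:
        return ("DENY", "credential")
    if not rec.requires_2fa:
        return ("ALLOW", "password-only")
    status = appliance.verify(userid, source_ip)
    if status == "VERIFIED":
        return ("ALLOW", "piv-2fa")
    return ("DENY", status.lower())


def build_sample() -> Tuple[Dict[str, EsmUserRecord], XsuiteAppliance]:
    """Constructed sample: one privileged user enrolled from 10.1.1.5, one
    privileged user never enrolled, one ordinary user without a 2FA record."""
    esm_db = {
        "PRIVADM": EsmUserRecord("PRIVADM", True, "S3cret!!"),
        "OPER01": EsmUserRecord("OPER01", True, "Oper1pw"),
        "APPUSER": EsmUserRecord("APPUSER", False, "Welcome1"),
    }
    appliance = XsuiteAppliance()
    appliance.enroll("PRIVADM", "10.1.1.5", piv_pin_ok=True)
    return esm_db, appliance


if __name__ == "__main__":
    db, app = build_sample()
    print(piv_logon(db, app, "PRIVADM", "S3cret!!", "10.1.1.5"))   # enrolled, same IP
    print(piv_logon(db, app, "PRIVADM", "S3cret!!", "10.1.1.9"))   # same user, other IP
    print(piv_logon(db, app, "OPER01", "Oper1pw", "10.1.1.5"))     # never enrolled
```

The IP mismatch branch is the check that gives the integration its value: a correct password presented from a workstation other than the one where the PIV card was used does not satisfy the 2FA requirement, so the ESM denies the logon.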
Recommended Sessions
SESSION # | TITLE | DATE/TIME
MFT53T | In the Voice of a Mainframe Millennial: How Can Mainframe Security Be Made Easier? | 11/16/2016 at 12:45 pm
MFT174S | Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data | 11/17/2016 at 12:45 pm
MFT175S | Gaps in Your Defense: Hacking the Mainframe | 11/17/2016 at 3:00 pm
Must See Demos
Real-Time Data Security & Compliance | CA Data Content Discovery | Mainframe Theatre
Mainframe Security Smart Bar | CA Top Secret | Mainframe Theatre
Real-Time Data Security & Compliance | CA Compliance Event Manager | Mainframe Theatre
Mainframe Security Smart Bar | CA ACF2 | Mainframe Theatre