pre-con ed: enterprise wide advanced authentication: introducing advanced authentication mainframe

World®’16

EnterpriseWideAdvancedAuthentication:IntroducingAdvancedAuthenticationMainframeJeffCherrington- SrDirector,ProductManagementJohnPinkowski- ProductOwner

MFX42E

MAINFRAMEANDWORKLOADAUTOMATION

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

ForInformationalPurposesOnlyTermsofthisPresentation

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.Thepresentationprovided atCAWorld2016isintendedforinformationpurposesonlyanddoesnotformanytypeofwarranty.Someofthespecificslideswith customerreferencesrelatetocustomer'sspecificuseandexperienceofCAproductsandsolutionssoactualresultsmayvary.

CertaininformationinthispresentationmayoutlineCA’sgeneralproductdirection.Thispresentationshallnotserveto(i) affecttherightsand/orobligationsofCAoritslicenseesunderanyexistingorfuturelicenseagreementorservicesagreementrelatingtoanyCAsoftwareproduct;or(ii)amendanyproductdocumentationorspecificationsforanyCAsoftwareproduct.Thispresentationisbasedon currentinformationandresourceallocationsasofNovember1,2016,andissubjecttochangeorwithdrawalbyCAatanytimewithout notice.Thedevelopment,releaseandtimingofanyfeaturesorfunctionalitydescribedinthispresentationremainatCA’ssolediscretion.

Notwithstandinganythinginthispresentationtothecontrary,uponthegeneralavailabilityofanyfutureCAproductrelease referencedinthispresentation,CAmaymakesuchreleaseavailabletonewlicenseesintheformofaregularlyscheduledmajorproductrelease.SuchreleasemaybemadeavailabletolicenseesoftheproductwhoareactivesubscriberstoCAmaintenanceandsupport,onawhen andif-availablebasis.Theinformationinthispresentationisnotdeemedtobeincorporatedintoanycontract.


Abstract

Themainframeisaninterconnectedcomponentofthemoderndatacenter,andnow,securingaccesstomainframeapplicationswithonlyapasswordisnolongersecureenough.Inthissession,we’llreviewthefeaturesandfunctionalitiesofCAAdvancedAuthenticationMainframe,includingitssupportforhardandsofttokensthroughRSASecurID andintegrationswithCAACF2™andCATopSecret®.You’llwalkawayknowinghowtocreateaconsistentadvancedauthenticationsecuritystrategyacrossallplatformsintheenterprise.

JeffCherrington andJohnPinkowski

CATechnologies


TheImpactofDataTheftHealthInsuranceAnnounced:March2015Recordsstolen:11MCost:Tobedetermined.Facingaclassactionlawsuitaswellaspotentialregulatoryviolationfines.

RetailAnnounced:September2014Recordsstolen:56MCost:$43Mandcounting.Estimatesputthisashighas$10B(includesallremediationcostsbornebythecompanyandconsumers)

HealthSystemsAnnounced:August2014Recordsstolen:4.5MCost:$75M– $150M

eCommerceAnnounced:May2014Recordsstolen:233MCost:$200Mandcounting.

RetailAnnounced:December2013Recordsstolen:70MCost:$162Mandcounting.Recentestimatesputthisatwellover$1B.

GovernmentAnnounced:May2015Recordsstolen:22MCost:Tobedetermined.Likelyfacingaclassactionlawsuitaswellasothers.


CompromisedCredentialsRoleinDataBreaches


LackofChangeLeavesEnterprisesExposed….


Two-FactorAuthenticationNecessarytoReduceRisk…


Two-FactorAuthenticationSpecifiedinBestPractices


Agenda

PROBLEMTOSOLVE

THEPLAN

PIV/CACOVERVIEW

ARCHITECTURE

CAADVANCEDAUTHENTICATIONMAINFRAMEOVERVIEW

IBMMULTI-FACTORAUTHENTICATIONOVERVIEW

1

2

3

4

5

6


SecurityandComplianceManagingSecurity,DataAccessandCompliance

CADataProtection

3rd partyDLPSolution

3rd partyDLPSolution

SIEM

CAAdvancedAuthenticationMainframe

CADataContentDiscovery

CAAuditor

SecuremainframeassetsCaptureeventsaffectingcomplianceandpolicyDiscoversensitivedata

ExtendcomplianceeventdatatoanalyticssolutionsEnablesecuredatainmotionacrosstheenterprise

SecurityAdministrator

BigDataAnalystAuditor

Planned

Available

Non-CAProduct

CAComplianceEventManager

IBMRACF

CATopSecret

CAACF2

CACleanup


ProblemtoSolve


ProblemToSolve

§ Large,commercialorganizationsseektoavoiddatabreaches,insiderfraud,andsecurityaccessauditissues.

§ Federalagenciesmustadopttwo-factorauthentication(2FA)forprivilegedusersasdirectedbytheBindingOperationalDirective(BOD)issuedin2015.


ThePlan


OurPlan– BigPicture

§ Allowflexibleimplementationcontroloverallusersorasubsetofusers(e.g.privileged)

§ PassticketSupport§ Flexibleuseofauthenticatorsandcredentials

– SupportofRSASecurIDhardandsofttokens– SupportofIBMMFA– SupportofHSPD-12smartcards(PIV/CAC)integratingwithCAPAM– Moretocome

§ ComplywithNIST/FIPSstandards


OurArchitecture


STARTGETPUTSTOP

JavaLayer

JNI(Client)

AuthorizedAssembler

RACROUTE(anyaddressspace)

AAMAddressSpace

SignonworkelementforAAM

AnaddressspacecreatesandqueuesasignonworkelementtotheAAMaddressspaceforprocessing.TheAAMassemblercodepicksuptheworkelementandpushestheworkelementtotheJavalayer.TheJavalayerprocessestheworkelementandsendsbackaresponsetotheJNI.TheJNIthensendstheresponsebacktotherequesterintheworkelement.

CrossMemoryWAITAndPOST

Authenticator STARTGETPUTSTOP

ReferenceArchitecture

Currently3PatentsPublished


CAAdvancedAuthenticationMainframeOverview


CAAdvancedAuthenticationMainframeviaRSASecurID

§ IntheESM,userswillbedefinedtouseRSAornot,witharesourceruleinACF2orPermitinTopSecret

§ Useropens3270sessiontomainframe,andlogsinwithuseridandRSAtokencodeand/orassociatedPIN(Currently,PINsupportedonlyforTSOlogon)

§ Atlogon,theESMwilldetermineiftheuserisinRSAruleorpermit§ If(andonlyif)theuserisintheRSAruleorpermit,RSAAgentwillbe

calledtoprocesstherequestandpassittoRSAserverforvalidation

§ OncetheRSAservervalidatestheuser’scredentials,itpassestheinformationbacktoRSAagent

§ RSAAgentpassestheinformationtoESM§ ESMauthenticatestheuserbasedontheinformationfromRSA

Agent§ Note:RSAAgentisacombinationofJavaandAssemblercodeand

isentirelyonz/OS.CommunicationtoRSAserverisviaRSAAPIs

AvailablenowatnoadditionalchargeforCAACF2r16andCATopSecretr16customers


KeyPoints§ ControlledusingCAACF2rulesandCATopSecretpermissions

§ AllowsforusermappingtoaRSAuserid

§ Canbecontrolledattheapplicationlevel

§ Allowspasstickets tobeusedforapplications(TPXforexample)

§ DoesnotrequirePassphrasetobeactiveattheESMlevel

§ SupportsRSASecurID tokenandtoken+pin authentication

§ Canbeconfiguredtofallbacktopasswordprocessing

§ Beforestartingyourmigrationevaluateyourapplicationsabilitytosupporttheenteringofmorethan8-charactercredentials!


IBMMulti-FactorAuthenticationOverview


KeyPoints

§ Yes,wearesupportingIBMMulti-factorAuthentication!

§ ControlledwithCAACF2viaControlandUserProfilerecords

§ ControlledwithCATopSecretvianewrecordsintheVSAMdatabase

§ SupportaddedforR_factorcallableservices


PIV/CACOverview


CAESMs&CAPAM(pka Xceedium Xsuite)


IntegrationPhase2– CAESMs&CAPAM(pka Xceedium Xsuite)

§ PrivilegedUserlogsintoPC/networkwithPIVcard&associatedPINorpasswordand“enrolls”inXsuite§ Xsuiteauthenticatestheuseragainstauthoritiesuploadedtoitscredentialvault§ PrivilegedUserhasarecordontheirIDonESMtoindicatethe2FArequirement§ PrivilegedUseropens3270sessiontomainframe,andlogsinwiththeircredentials§ ESMdetectsthe2FArequirementfortheuserbasedontherecordontheirID§ AnAPIcallismadetoXsuiteappliancetoverifyiftheuserisloggedin/enrolledwithPIV/CACorPINandvalidateiftheuserthatcameinfromaparticularIPaddressistheonewhohasthe2FAinXsuite.FollowingdetailsaresentforverificationtoXsuite:– UserID– IPAddressfromwheretheuserloggedin

§ TheXsuiteAppliancesendsbacktheauthenticationstatusuponverifyingthecredentialsfromtheFIPSvault§ Iftheuserpassedthe2FArequirement,ESMauthenticatesuserformainframeresources,ornot§ Note:Browserisinplay,asInternetExplorerissourceforMicrosoftCryptographicAPI(CAPI)library


Questions?


RecommendedSessions

SESSION# TITLE DATE/TIME

MFT53TIntheVoiceofaMainframeMillennial:HowCanMainframeSecurityBeMadeEasier? 11/16/2016at12:45pm

MFT174SMainframeSecurityStrategyandRoadmap:BestPracticesforProtectingMissionEssentialData 11/17/2016at12:45pm

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm


MustSeeDemos

Real-TimeDataSecurity&Compliance

CADataContentDiscoveryMainframeTheatre

MainframeSecuritySmartBar

CATopSecretMainframeTheatre

Real-TimeDataSecurity&Compliance

CAComplianceEventManagerMainframeTheatre

MainframeSecuritySmartBar

CAACF2MainframeTheatre


Thankyou.

Stayconnectedatcommunities.ca.com

pre-con ed: enterprise wide advanced authentication: introducing advanced authentication mainframe

Technology