Speaker: Sean Bicknell

Strengthening NonStop Security with XYGATE Software

5

Agenda

• Why focus on Security?

• XYPRO Overview

• Beyond Guardian & Safeguard with XYGATE

• Questions

Why focus on Security?

4q0501

Why focus on Security?

• Regulations−Governments, Regulatory Bodies, Trade Organisations

−PCI, SOX, Basel II, CISP, Data Protection Acts

−Auditors

• Secrecy of sensitive information• Ensuring availability and integrity of

system• Prevention of Corporate Scandal• Financial Protection

4q0501

Regulatory Compliance• PCI………

−1. Firewalls−2. Eliminate vendor defaults−3. Protect stored data−4. Encrypt data in transit−5. Use and update Anti-virus software−6. Develop & maintain secure systems & applications−7. Restrict access by “need-to-know”−8. Assign a unique ID to each user who has access−9. Restrict physical access to cardholder data−10. Track and monitor all access to cardholder data−11. Regularly test security systems & processes−12. Maintain a policy that addresses information

security

Regulatory Compliance papers

•“PCI & SOX Compliance” solutions papers show where PCI & Sarbanes-Oxley applies to HP NonStop Server enterprises.

•Also demonstrates how XYGATE software helps IT managers’ compliance efforts. −Product tables describe each PCI or SOX

objective and which XYGATE module helps compliance.

PCI & SOX Solutions white papers

Download Compliance Solution PapersDownload from www.xypro.com

About XYPRO Technology

• Producers of XYGATE security software• HP NonStop Security Experts• Proven Performers & Business Partners

−XYGATE security software since 1990

• Large Customer Base−Financial Institutions−Government, Military, Telecoms, ISPs, Manufacturing,

Health−Many countries

USA, UK, Europe, Africa, Asia

Security Best Practices for the NonStop Server

• Written by XYPRO

• Published by HP

http://www.hp.com/hpbooks

The XYGATE Product SuiteThe XYGATE Product Suite

Multi-platform Encryption Software

NonStop Server Platform Security

Encryption PRO

Protect business data: at rest and in transit

•Full crypto library•Multi-platform support •ESDK to crypto- enable via APIs •File encryption•Static key mgmt•Session security

Safeguard PRO

Simplify & enhance Safeguard environments

•User, alias, globals, object ACL mgmt•Dynamic object security•Password quality & updating•User authentication

Compliance PRO

Develop & monitor security policy compliance

•Multi-node data collection & view•Best practice analysis•Anomaly & exception mgmt•System integrity checks

Audit PRO

Consolidate audit data across many nodes

•Multi-node view•Multi-source audits: XYGATE, Safeguard . . . •Single repository for all audit data•Automatic alerts

Access PRO

Grant privileges according to job function

•Access control•Process control•CMON logon control & load balancing•Spooler & print job management

XYGATE GUI

XYGATE Access Pro

XYGATE AC (Access Control)

• Reduce usage of powerful userids such as super.super

• Authorise users to run regular tasks normally requiring powerful userid, from their own userid

• Command level securityE.g. (1) Start SCF session as SUPER user, from personal userid

Allow SCF START, ABORT, STATUS, INFO Deny SCF ALTER, DELETE, ADD

(2) Start FUP session as DBA user, from personal userid

Allow FUP LOAD, RELOAD, INFO, STAT Deny FUP PURGE, PURGEDATA, CREATE

XYGATE Access Pro

XYGATE AC (Access Control)• Full capture of all user key strokes (Guardian &

OSS)

• Audit captured of all actions performed by user including:− Date/Time− Userid/Alias− Command Input− Command Output (configurable)− Terminal Name− IP Address− Process Name

XYGATE Access Pro

XYGATE CM (CMON)• Fully supported CMON product

• Enforce logon to personal userid before logon to powerful userid such as super.super

• Restrict users to logon only from specific IP Address range or terminal name− E.g. super.super only able to logon at system console

(TSM)

• Deny users the ability to increase process priority

XYGATE Access Pro

XYGATE SP (Secure Spoolcom Peruse)• Authorise users to control spooler jobs owned by

another user, from their own userid• Restrict which commands a user can perform on

those jobs• Restrict which print devices users can send jobs to• Allow printing of spool jobs without allowing

reading – E.g. user can send spool job with PIN numbers

to a printer, but unable to read the data.• Full auditing of all commands

XYGATE OS (Object Security)

• More granular security than Guardian or Safeguard• Security of objects (files, processes, devices)• Secure on attributes other than name of object

− Requesting program, File type, Owner of the object

• Full wildcarding of object names− Regular expressions (grep style)

• Create rules for objects that don’t exist yet • Vary security of object over time

− Creationdate, lastmodified, lastopened

• Secure SQL/MP to the table level• Full auditing of all access attempts

XYGATE Safeguard Pro

XYGATE SM (Safeguard Manager)

• Simplified Safeguard configuration and management

• No need to learn Safecom syntax

• Full user management

• Visibility of existing Safeguard configuration

• Drag and drop configuration from one system to another

XYGATE Safeguard Pro

XYGATE SR (Safeguard Reports)• Customisable reporting on Safeguard logs

• Easy to read reports

• Run from host or run from GUI based client− XYGATE Report Manager

• Run in batch or on-demand

XYGATE Safeguard Pro

XYGATE PQ (Password Quality)• Enforce strong user passwords

• Upper & lower case characters• Numbers• Special characters• Repeated characters and consecutive

characters• Split passwords• System generated passwords

• Ease password administration • Delegate password ownership e.g. helpdesk• Network password synchronisation

XYGATE Safeguard Pro

XYGATE UA (User Authentication)• Control of user logons

• Who can logon from where (IP address range/terminal)

• Which users can logon to powerful userids• Enforce logon to personal userid before

super.super• Which program users can logon to (TACL, FTP)

• Strong authentication of users • RSA SecurID token/smart card support• Authentication against ACE/Server

• Centralised User Administration • LDAP/Active Directory support

XYGATE Safeguard Pro

XYGATE Audit Pro

XYGATE MA (Merged Audit)

• Centralised Reporting on all security logs

• Use standard PC based reporting tools• MS Access, Crystal Reports

• Real time alerting on security events • Safeguard, XYGATE, EMS• Alert via Email, SNMP, EMS, Syslog, custom• Example: super.super logon → email security

admin

XYGATE Audit Pro

XYGATE MA (Merged Audit)

Pathway

SQL Database

Alerts

Email

EMS

Custom

XYGATE Compliance Pro

XYGATE SW (Security Compliance Wizard)

• Analyses all security configuration on the system

• Monitors compliance against security policy

• Easy graphical interface shows pass or fail

• Compares configuration with industry best practices

• Provides integrity checks to ensure no modification to critical objects

• Reduces time and cost to audit system

• Please contact me if you have questions or require any further information.

1. Sean.Bicknell@XYPRO.co.uk

2. http://www.xypro.com

QUESTIONS ?

Whom to contact