BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017


Page 1

Neil Harrison

Malcolm Trigg

21/03/2017

Big Iron, Big Risk!

Securing the mainframe

#MFSummit2017

Page 2

Agenda

The Big Iron Risk

Addressing the challenges
• Securing access
• Data privacy
• Management and best practice

Solutions in action

Q&A

Page 3

Big Iron: The risk

Mainframes host business-critical data and core applications
• Large number of endpoints and users connecting to hosts
• Increasing regulatory requirements
• Rise of cyber crime

Mainframe applications were written for older security technologies
• Eight-character passwords (the traditional RACF limit, upper case only unless mixed-case passwords are enabled)
• Not integrated with corporate identity stores and security infrastructure
• Access via older protocols (such as unencrypted TN3270) that need to be secured for end-to-end privacy
• Security through obscurity and a siloed approach are increasingly unacceptable

Page 4

Addressing the challenges

Securing access
• Authenticating end users, including privileged access
• Integration with enterprise identity infrastructure

Data privacy
• Securing data in motion and in use

Management and best practice
• Technical currency to address deprecated technologies
• Capitalise on new developments and standards

[Diagram: clients connect over host protocols to AS/400, Unix, Mainframe and Unisys hosts, with Corporate Directory Services and Reporting and Centralised Management alongside]

Page 5

End User Authentication: IBM Express Logon Feature (ELF)

• User identity established from client X.509 certificate
• RACF matches user ID with client certificate
• DCAS provides PassTicket
• User ID and PassTicket used for authentication

• Benefits
  • Enables auto sign-on to mainframe
  • Eliminates password maintenance for administrators and users

• Other considerations
  • Certificate management overhead

RACF = Resource Access Control Facility
DCAS = Digital Certificate Access Server

[Diagram: terminal emulation clients present a client X.509 certificate over SSL/TLS TN3270; DCAS on the mainframe consults RACF and returns the user ID and PassTicket used for the automated logon]

If the user is already authenticated, why make them authenticate again on the host system?

Page 6

End User Authentication: Automated sign-on

• Uses Micro Focus Management & Security Server (MSS)
  1. MSS authenticates and identifies the user
  2. DCAS issues a one-time-use PassTicket
  3. User ID and PassTicket used for authentication

• Benefits
  • Enables auto sign-on to mainframe
  • Eliminates password maintenance for administrators and users
  • Removes the client certificate management overhead associated with ELF
  • Takes advantage of corporate identity infrastructure

[Diagram: terminal emulation clients authenticate to the Management & Security Server, which identifies the user against Corporate Directory Services, requests a PassTicket from DCAS/RACF on the mainframe, and completes the automated logon]
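The ELF flow on page 5 and the MSS-based automated sign-on on page 6 rest on one mechanism: an identity that is already authenticated (a client X.509 certificate, or an MSS session backed by the corporate directory) is mapped to a RACF user ID, DCAS obtains a short-lived one-time PassTicket for that user and target application, and the host accepts the ticket where a password would normally go. The Python model below is an added example, not IBM or Micro Focus code: it plays the three roles (RACF mapping and key store, DCAS issuing, host verifying) with an HMAC-based ticket as a stand-in for the real RACF PassTicket algorithm, which is DES-based and documented by IBM. The certificate fingerprints, user IDs, application IDs and keys are constructed sample data; the ten-minute validity window and the refusal of a replayed ticket inside it mirror RACF's default behaviour.

```python
"""Model of certificate- or identity-based automated sign-on with one-time PassTickets.

Added illustration (not IBM or Micro Focus code). The HMAC derivation below is a stand-in
for the real RACF PassTicket algorithm, which is DES-based and documented by IBM.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

TICKET_WINDOW_SECONDS = 600  # RACF PassTickets are valid for about ten minutes


@dataclass
class HostSecurityManager:
    """Stand-in for RACF: certificate-to-user mapping, per-application sign-on keys, replay cache."""

    cert_map: dict                        # certificate fingerprint -> user ID (cf. RACDCERT MAP)
    app_keys: dict                        # application ID -> secured sign-on key (cf. PTKTDATA)
    used_tickets: set = field(default_factory=set)

    def user_for_certificate(self, fingerprint):
        return self.cert_map.get(fingerprint)

    def _derive(self, user_id, appl_id, window):
        msg = f"{user_id.upper()}|{appl_id.upper()}|{window}".encode()
        # Eight-character ticket like a PassTicket; keyed so only RACF and DCAS can produce it
        return hmac.new(self.app_keys[appl_id], msg, hashlib.sha256).hexdigest()[:8].upper()

    def generate_passticket(self, user_id, appl_id, now=None):
        now = time.time() if now is None else now
        return self._derive(user_id, appl_id, int(now // TICKET_WINDOW_SECONDS))

    def verify_passticket(self, user_id, appl_id, ticket, now=None):
        """Accept a ticket once, within the current window or its neighbours (clock skew)."""
        if appl_id not in self.app_keys:
            return False
        now = time.time() if now is None else now
        window = int(now // TICKET_WINDOW_SECONDS)
        for w in (window - 1, window, window + 1):
            if hmac.compare_digest(self._derive(user_id, appl_id, w), ticket):
                marker = (user_id.upper(), appl_id.upper(), ticket)
                if marker in self.used_tickets:
                    return False  # replay inside the window is refused, as RACF does by default
                self.used_tickets.add(marker)
                return True
        return False


def dcas_issue(racf, cert_fingerprint, appl_id, now=None):
    """DCAS role: map the authenticated client certificate to a user ID and fetch a PassTicket."""
    user_id = racf.user_for_certificate(cert_fingerprint)
    if user_id is None:
        return None  # no RACF mapping for this certificate: fall back to an interactive logon
    return user_id, racf.generate_passticket(user_id, appl_id, now)


def host_logon(racf, user_id, appl_id, ticket, now=None):
    """Host application role: the emulator sends user ID + PassTicket where a password would go."""
    return racf.verify_passticket(user_id, appl_id, ticket, now)


# Constructed sample data (hypothetical fingerprints, users and keys)
CERT_ALICE = "sha256:1111"
CERT_BOB = "sha256:2222"


def make_demo_racf():
    return HostSecurityManager(
        cert_map={CERT_ALICE: "ALICE", CERT_BOB: "BOB"},
        app_keys={"TSO": b"tso-secured-signon-key", "CICSPROD": b"cics-secured-signon-key"},
    )


def run_scenarios():
    """Exercise the happy path and the failure modes a practitioner should expect."""
    racf = make_demo_racf()
    t0 = 1_700_000_000.0
    results = {}
    alice, ticket = dcas_issue(racf, CERT_ALICE, "TSO", now=t0)
    results["first_logon"] = host_logon(racf, alice, "TSO", ticket, now=t0 + 5)
    results["replay"] = host_logon(racf, alice, "TSO", ticket, now=t0 + 6)
    results["wrong_user"] = host_logon(racf, "BOB", "TSO", ticket, now=t0 + 7)
    results["wrong_application"] = host_logon(racf, alice, "CICSPROD", ticket, now=t0 + 8)
    bob, stale = dcas_issue(racf, CERT_BOB, "TSO", now=t0)
    results["stale"] = host_logon(racf, bob, "TSO", stale, now=t0 + 3 * TICKET_WINDOW_SECONDS)
    results["unmapped_certificate_refused"] = dcas_issue(racf, "sha256:9999", "TSO", now=t0) is None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two properties carry the security argument: the ticket is bound to the user ID, the application ID and a time window, so a ticket captured for one user or one application is useless elsewhere, and the replay cache makes it single-use inside the window. Certificate management (the ELF consideration on page 5) is what populates `cert_map`; the MSS variant replaces that step with the directory-backed authentication but still ends at the same DCAS request.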

Page 7

End User Authentication: Multi-factor Authentication

• Uses MSS and Micro Focus Advanced Authentication
  • Framework with broad support for platforms, devices and applications
  • Multiple authentication mechanisms

• Benefits
  • Provides strong authentication for secure environments and privileged users
  • Flexible solution that can be used for other use cases
  • Works with Automated Sign-On for a great end-user experience

[Diagram: terminal emulation clients, Management & Security Server with Advanced Authentication, Corporate Directory Services and the mainframe]

Page 8

Multi-Factor Authentication required for access to the CDE in some cases

• PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

CDE = Cardholder Data Environment

Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016

Page 9

Securing data in motion

• Provides end-to-end data privacy and integrity
• Support for TLS 1.2, SHA-256, HTTPS and FIPS 140-2 validated cryptography
• Continued investment in TLS 1.3 and Elliptic Curve Cryptography (ECC)
• MSS proxy securely extends reach beyond the firewall
  • Enforces perimeter control
  • Can isolate and control network access to critical systems inside the firewall to support best practice
  • Securely extends application access: anywhere, anytime, any device

[Diagram: terminal emulation clients connect through the Management & Security Server's Security Proxy in the DMZ to the mainframe]

Page 10

Moving to TLS 1.2: SSL and early TLS retired as of June 2018

• After June 30, 2018, all entities must have stopped using SSL/early TLS as a security control.

Reference: PCI DSS Requirements and Security Assessment Procedures v3.2, April 2016
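Pages 9 and 10 make two claims a practitioner will want to verify on their own estate: that host connections negotiate TLS 1.2 rather than SSL or early TLS, and that the cipher suite is not a legacy one. The following Python script is an added example, not Micro Focus code: it connects to a TLS-protected host port, reports the negotiated protocol version and cipher, and grades them against a policy floor. The host name, the use of port 992 (the registered port for telnet over TLS, where TN3270E/TLS usually lives) and the TLS 1.2 floor are assumptions about the deployment; PCI DSS v3.2 itself only requires SSL and early TLS to be gone after 30 June 2018.

```python
"""Grade what a TLS-protected host connection negotiates against a TLS 1.2 policy floor.

Added illustration, not Micro Focus code; host names, ports and the policy floor are
assumptions about the site being assessed.
"""
import socket
import ssl

# ssl.SSLSocket.version() strings, oldest first
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# OpenSSL cipher-name fragments that indicate broken, export-grade or anonymous suites
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def version_rank(version):
    return VERSION_ORDER.index(version) if version in VERSION_ORDER else -1


def assess(version, cipher_name, minimum="TLSv1.2"):
    """Return a list of findings; an empty list means the negotiation meets policy.

    PCI DSS v3.2 Appendix A2 requires SSL and early TLS to be retired after 30 June 2018;
    the TLS 1.2 floor used here is an assumption that matches the slide.
    """
    findings = []
    if version_rank(version) < version_rank(minimum):
        findings.append(f"protocol {version} is below the policy minimum {minimum}")
    weak = [m for m in WEAK_CIPHER_MARKERS if m in cipher_name.upper()]
    if weak:
        findings.append(f"cipher {cipher_name} uses weak primitives: {', '.join(weak)}")
    # TLS 1.3 suites are always ephemeral; for TLS 1.2 expect ECDHE or DHE key exchange
    if version != "TLSv1.3" and not cipher_name.upper().startswith(("ECDHE", "DHE")):
        findings.append(f"advisory: cipher {cipher_name} offers no forward secrecy")
    return findings


def compliant(version, cipher_name, minimum="TLSv1.2"):
    """True when nothing worse than an advisory finding remains."""
    return all(f.startswith("advisory") for f in assess(version, cipher_name, minimum))


def probe(host, port=992, timeout=5.0, cafile=None):
    """Connect and return (negotiated_version, cipher_name).

    The floor is deliberately permissive so the probe can observe a legacy negotiation;
    the production emulator profile should instead pin minimum_version to TLSv1_2.
    Depending on the local OpenSSL security level the handshake to a TLS 1.0/1.1-only
    host may still fail, and that failure is itself a finding.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mainframe.example.internal"  # assumed host
    negotiated_version, negotiated_cipher = probe(target)
    print(target, negotiated_version, negotiated_cipher)
    for finding in assess(negotiated_version, negotiated_cipher) or ["meets policy"]:
        print(" -", finding)
```

Run it against each TN3270 or TN5250 listener the emulator profiles point at, and against the MSS security proxy's external port, since the proxy is the hop that is exposed beyond the firewall. Treat a handshake failure with the permissive floor as a separate finding rather than a pass.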

Page 11

Securing data in use

Information privacy filters enable access while protecting sensitive data

• Flexible PAN detection and redaction
• Extensible for all data items
• Supports all screen actions (cut, copy, paste, print, API access, ...)

PAN = Primary Account Number
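To make the slide's "PAN detection and redaction" concrete, here is an added Python example (not Micro Focus code) of the core of an information privacy filter: find digit runs in screen text, keep only those that are 13 to 19 digits long and pass the Luhn check that every real PAN satisfies, and mask all but the last four digits before the text reaches the clipboard, printer or an API caller. The 3270-style screen is constructed sample data; 4111 1111 1111 1111 and 5500 0000 0000 0004 are widely published test card numbers, not real accounts.

```python
"""Privacy filter core: detect Luhn-valid PANs in screen text and mask them.

Added illustration, not Micro Focus code. The sample screen below is constructed.
"""
import re

# A run of digits, optionally separated by single spaces or hyphens ("4111 1111 1111 1111")
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def luhn_valid(digits):
    """Luhn mod-10 check (ISO/IEC 7812) that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(candidate):
    """A PAN is 13 to 19 digits and Luhn-valid; anything else is left alone."""
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(candidate, keep_last=4):
    """Mask every digit except the last `keep_last`, keeping separators in place."""
    n = sum(ch.isdigit() for ch in candidate)
    seen = 0
    out = []
    for ch in candidate:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def redact_screen(text, keep_last=4):
    """Apply the filter to a block of screen text; non-PAN digit runs are untouched."""
    def replace(match):
        run = match.group(0)
        return mask_pan(run, keep_last) if looks_like_pan(run) else run
    return DIGIT_RUN.sub(replace, text)


# Constructed 3270-style screen. The account number fails Luhn on purpose, the phone and
# reference numbers are too short, and the two card numbers are published test PANs.
SAMPLE_SCREEN = """\
CUSTOMER INQUIRY                                   CICSPROD
NAME: J SMITH            ACCT: 1234567890123456
CARD: 4111 1111 1111 1111   EXP: 12/19
CARD: 5500-0000-0000-0004   EXP: 03/20
PHONE: 020 7946 0000     REF: 0099887766
"""

if __name__ == "__main__":
    print(redact_screen(SAMPLE_SCREEN))
```

The Luhn check cuts false positives sharply but does not remove them: one in ten arbitrary digit strings of the right length passes it, so a production filter also checks issuer prefix ranges and the screen field the digits sit in. The same hook extends to the other data items the slide mentions by adding detectors beside `looks_like_pan`, and the filter must sit on every egress path (display, copy, print, API) or the redaction is bypassed by whichever path was forgotten.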

Page 12

General Data Protection Regulation

Article 25: Data protection by design and by default

• "... implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles ..."
• "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."

http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

Page 13

Centralising Host Connectivity Management

Management and Security Server enforces security by providing:
• Centralised configuration management
• Security proxy services
• Auto Sign-on and Multi-Factor Authentication
• Integration to corporate identity store & certificate management
• Reporting and metering control

[Diagram: terminal emulation clients, Management & Security Server in the DMZ, mainframe, Corporate Directory Services, Reporting and Metering]

Page 14

Technical currency and deprecation

• Windows Lifecycle
  • Look for desktop products that have Windows certifications and lifecycle support statements
• Browser currency and NPAPI deprecation
  • End of browser plugin technology
  • Impacts Java Applets, ActiveX, Flash and Silverlight plugins

https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet
https://www.google.co.uk/?gws_rd=ssl#q=oracle+java+browser+plugin+support

Page 15

What's new in Firefox

https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
http://support.attachmate.com/techdocs/2797.html

• Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported
• Removed Battery Status API to reduce fingerprinting of users by trackers
• Implemented the Strict Secure Cookies specification, which forbids insecure HTTP sites from setting cookies with the "secure" attribute
• Various security fixes (28 security vulnerabilities)

Page 16

Any Time, Any Device, Any Modern Browser

• Reflection ZFE developed using HTML5
• Supports a broad range of modern browsers
• Device independent
• Provides anywhere access at any time
  Good for when you are away from your desk or only have a mobile device with you, even if you have privileged system access
• Eliminates the need for a Java plug-in!

Page 17

Solutions in action

Page 18

Addressing the Big Iron Risk

• Implement strong authentication mechanisms
• Integrate with enterprise identity infrastructure
• Secure data in motion and in use
• Centralise management
• Address technical debt

[Diagram: mainframe, Management & Security Server in the DMZ, Corporate Directory Services, Reporting and Metering]

Securely extending the reach of mainframe applications to any device, anywhere at any time

Page 19

Terminal Emulation security risk assessment

Free assessment of Terminal Emulation security configuration settings

Answers key questions:
• Are my host connections secure?
• Am I meeting regulatory requirements?
• Are all the connections secure?
• Can I go beyond the firewall?
• What about mobile users?

Page 20

www.microfocus.com

Page 21

Addressing the Big Iron Risk

• Strong authentication solutions address weak passwords
• Use data encryption
• Redaction protects data in use
• Centralised management
• Address technical debt

[Diagram: host protocols to AS/400, Unix, Mainframe and Unisys hosts; Reporting and Centralised Management; Corporate Directory Services]

Securely extending the reach of Mainframe applications to any device, anywhere at any time