Pre-Con Ed: CA ACF2 and CA Top Secret – Part 1: What’s New in the Enterprise Security Managers
CA World® ’16
CA ACF2 and CA Top Secret – Part 1: What’s New in the Enterprise Security Managers
John Pinkowski - Product Owner
MFX39EA
MAINFRAME AND WORKLOAD AUTOMATION
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2016 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2016, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Abstract
Business success in the application economy depends on a reliable and cost-effective security infrastructure. This session will cover the latest enhancements in the External Security Managers (ESMs) CA Top Secret® and CA ACF2™—ranging from role-based access control to user-oriented architecture—to help ease your mainframe security administration and simplify your compliance and audit tasks.
John Pinkowski
CA Technologies
Agenda
1. EOS DATES
2. THE OLD
3. THE NEW
Security and Compliance
Managing Security, Data Access and Compliance
[Diagram]
Products shown: CA Data Protection, 3rd party DLP Solution, SIEM, CA Compliance Event Manager, IBM RACF, CA Top Secret, CA ACF2, CA Cleanup, CA Advanced Authentication Mainframe, CA Data Content Discovery, CA Auditor
Capabilities: Secure mainframe assets; Capture events affecting compliance and policy; Discover sensitive data; Extend compliance event data to analytics solutions; Enable secure data in motion across the enterprise
Roles: Security Administrator, Big Data Analyst, Auditor
Legend: Planned, Available, Non-CA Product
EOS Dates
CA Top Secret and CA ACF2 EOS!
- …notification that we are discontinuing support for CA Top Secret Version 14.0, including Service Packs beginning December 31, 2016 and Version 15.0 beginning December 31, 2017. This will allow our Development organization to more effectively focus its resources and add value to the next release of CA Top Secret for z/OS.
CA Top Secret and CA ACF2 EOS! Helpful Links
- http://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/status/support-life-cycle/indexes/ca-top-secret-product-family-release-and-support-lifecycle-dates.html
- http://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/status/support-life-cycle/indexes/ca-acf2-product-family-release-and-support-lifecycle-dates.html
CA Top Secret and CA ACF2 EOS!
The Old
CA ACF2 r16 Enhancement
Need: I need to have a status for a user that removes the ability to access a system, yet does not allow that user's ID to be reused.
Solution: Use the new RETIRE status for a user. The user will lose the ability to logon/access a system. Further elevated privileges are required to un-RETIRE a user.
Benefit:
- Central repository for not allowing the re-use of IDs
- Compliance with IRS Pub 1075
CA Top Secret r16 Enhancement
Need: As part of our audit review, moving the facility information to the security file would be a great benefit.
Solution: Activate FACTOR(YES|NO) to store the facility matrix information on the security file.
Benefit:
- Facility definitions protected from view
- Easier to administer and maintain multiple LPAR complexes
- Size of the TSS PARMS FILE greatly reduced
CA ACF2 r16 Enhancement
Need: I have implemented a role-based security architecture and need the ability to provide a Logon ID access report by role.
Solution: Role support for the Logon ID Access report. Ability to control the creation of the report using the new ROLE input parameter. Providing a report section for each role showing which rule lines grant or prevent access.
Benefit:
- Improved compliance reporting by roles
- Improved performance benefits
CA Top Secret r16 Enhancement
Need: There is a need to give more granularity over which admins can assign a UID(0).
Solution: For non-MSCA admins an additional authorization check to CASECAUT(TSSCMD.ADMIN.UID0) is issued. The admin must have ACID(MAINTAIN) authority, and the check is only issued when UID(0) is present within a TSS ADD or REPLACE command string.
Benefit:
- Further restricts who can assign authorization for UID(0)
- Satisfies compliance requirements
CA ACF2 / CA Top Secret r16 Enhancement
Need: We have a new PCI requirement to ensure we limit the data being made visible during message processing. This detailed system information may be used to create denial of service interruptions, or cause security to fail when used by hackers.
Solution: The ACF2 MSGOPTS record allows the administrator to control which signon messages will be converted to a single generic message ACF01125 Logon Credentials Invalid. The Top Secret control option GENSMSG allows the administrator to control the issuing of the generic message TSS7099E Signon Credentials Invalid.
Benefit:
- PCI 6.5.5 compliance
- Limited security information shared
CA ACF2 / CA Top Secret r16 Enhancement
Need: I was asked by our auditor what is the encryption strength of the passwords on CA ACF2 and are we at the strongest?
Solution: Activate AES 256-bit encryption for CA ACF2 passwords and password history.
Benefit: Makes brute-force decryption of passwords harder to attain
CA ACF2 r16 Enhancement
Need: My storage team is asking if there are any storage improvements in CA ACF2. More workloads are moving to the mainframe and we want to be in position to scale.
Solution: Upgrade to CA ACF2 r16. Out of the box, rule sets will be moved into 64-bit CSA.
Benefit: Potentially a 70-90% savings in CSA utilization below the bar (Results May Vary)
CA Top Secret r16 Enhancement
Need: Our auditors would like us to stop using the CICS Bypass processing in our CTS regions.
Solution: Exploit the new CICS facility subfunction BYPLIST. You can start to work with your auditors implementing BYPLIST(AUDIT) to track the usage of bypass within the region. Once these accesses are administrated it is a simple switch to BYPLIST(NO) to not allow the use of bypass in the future.
Benefit:
- Complete control of CTS resources from CA Top Secret permissions
- Improved auditability of these resources
The New
CA ACF2 / CA Top Secret r16 Enhancement
Need: I was asked by our auditor if we can use our tokens to sign on to the mainframe!
Solution: Enterprise Wide Advanced Authentication: Introducing Advanced Authentication Mainframe. Session: MFX42E
Benefit: Education!
CA ACF2 / CA Top Secret r16 Enhancement
Need: We are looking to exploit Password Phrase in our environment and would like to ensure upper and lower case characters are following compliance requirements.
Solution: New options were introduced via PTF RO92400 to enable the control of forcing at least one upper or lower case character in CA ACF2. Equivalent support is being built in CA Top Secret; if you are interested, please contact us!
Benefit:
- Greater control over phrase edits
- Additional compliance regulation adherence
CA ACF2 / CA Top Secret r16 Enhancement
Need: We are exploiting the CA ACF2 and CA Top Secret information in ways that the traditional printer carriage control characters are a hindrance.
Solution: The teams have developed solutions for reports ACFRPTRV, ACFRPTSL and TSSUTIL for the respective products. If you are interested in any of these reports, please let us know.
Benefit: Improved sorting of data from reports
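Added illustration (not CA's solution and not part of the original slides): assuming ASA (ANSI) carriage control, column 1 of every print line is a printer command rather than data, so it has to be interpreted and removed before report rows can be sorted. The sample lines are constructed and do not reproduce real ACFRPTRV, ACFRPTSL or TSSUTIL output; the two-line page heading is an assumption.

```python
# ASA carriage control: ' ' single space, '0' double space, '-' triple space,
# '1' skip to a new page, '+' overprint the previous line (no line advance).
ASA_CONTROLS = {" ", "0", "-", "1", "+"}

def _overprint(base, over):
    """Merge an overprint line into its base; base characters win."""
    width = max(len(base), len(over))
    pairs = zip(base.ljust(width), over.ljust(width))
    return "".join(b if b != " " else o for b, o in pairs).rstrip()

def strip_carriage_control(lines):
    """Return a list of pages, each a list of text lines without column 1."""
    pages = []
    for raw in lines:
        raw = raw.rstrip("\r\n")
        if not raw:
            continue
        cc, text = raw[0], raw[1:].rstrip()
        if cc not in ASA_CONTROLS:
            raise ValueError(f"not an ASA control character: {cc!r}")
        if cc == "1" or not pages:
            pages.append([])            # '1' starts a new page
        if cc == "+" and pages[-1]:
            pages[-1][-1] = _overprint(pages[-1][-1], text)
        else:
            pages[-1].append(text)
    return pages

def sortable_rows(lines, header_lines=2):
    """Drop the per-page heading (assumed 2 lines) and return sorted rows."""
    rows = []
    for page in strip_carriage_control(lines):
        rows += [tuple(t.split()) for t in page[header_lines:] if t.strip()]
    return sorted(rows)

# Constructed sample: two pages, the last data row underscored by overprint.
_ROW = " USRA01   HR.RECORDS         READ"
SAMPLE = [
    "1SAMPLE ACCESS REPORT                PAGE 1",
    "0USERID   RESOURCE           ACCESS",
    " USRB01   PAYROLL.MASTER     READ",
    " USRA02   PAYROLL.MASTER     UPDATE",
    "1SAMPLE ACCESS REPORT                PAGE 2",
    "0USERID   RESOURCE           ACCESS",
    _ROW,
    "+" + " " * (_ROW.index("READ") - 1) + "____",
]

if __name__ == "__main__":
    for row in sortable_rows(SAMPLE):
        print(",".join(row))
```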
CA ACF2 r16 Enhancement
Need: Currently we are using the CASECAUT resource to control administrators' access to the certificate process. We are interested in having more granular control over this process.
Solution: CA ACF2 now has support for additional Granular Certificate Administration. You may now use RDATALIB class rules to control access to the specific certificate and key ring commands. The existing CASECAUT rules simply allowed access to use the certificate commands but gave access to all certificates owned by another user or by SITECERT or CERTAUTH. PTF: RO89501
Benefits: The granular administration allows you to create rules to provide access to a specific user's certificates or a subset of them
CA Top Secret r16 Enhancement
Need: We have exploited the use of exits in CA Top Secret. As part of serviceability we would like the data set that the exit is being loaded from displayed.
Solution: Join our sprint reviews for CA Top Secret. This idea has been included in our current PI (Program Increment). An initialization message will be added to provide exit information.
Benefits: Ease of supportability
CA ACF2 r16 Enhancement
Need: We are using the ACFESAGE output to help convert installations to an RBAC implementation. We are looking to exploit more of the runtime information in this process and would like additional data to be available in the unload.
Solution: CA ACF2 ACFESAGE report now includes additional active system information: Run date/time, database names, exit information, class map definitions, and some option information. PTF: RO92424.
Benefits: Additional data points for RBAC conversions
CA Top Secret r16 Enhancement
Need: For audit purposes we would like to see more environmental information available in the TSSCFILE run.
Solution: Join our sprint reviews for CA Top Secret. This idea has been included in our current PI (Program Increment). Additional information is scheduled to be added to TSSCFILE: Creation Date, LPAR of TSSCFILE run, and Security file names.
Benefits: Additional data points for audit trail
CA Top Secret r16 Enhancement
Need: We would like CA Top Secret to have additional administrative edits around DFLTGRP processing.
Solution: Join our sprint reviews for CA Top Secret. This idea has been included in our current PI (Program Increment). Additional edits to validate the GROUP, and that it is assigned to the target ACID’s GROUP list and that a GID is assigned to it.
Benefits:
- Ease of administration
- Ensures valid usable Unix System Services credentials are assigned
Questions?
Recommended Sessions
SESSION # | TITLE | DATE/TIME
MFX39EB | Pre-Con Ed: CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls | 11/14/2016 at 10:00 am
MFX42E | Enterprise Wide Advanced Authentication: Introducing Advanced Authentication Mainframe | 11/14/2016 at 3:00 pm
MFT175S | Gaps in Your Defense: Hacking the Mainframe | 11/17/2016 at 3:00 pm
Must See Demos
Real-Time Data Security & Compliance
CA Data Content Discovery Mainframe Theatre
Mainframe Security Smart Bar
CA Top Secret Mainframe Theatre
Real-Time Data Security & Compliance
CA Compliance Event Manager Mainframe Theatre
Mainframe Security Smart Bar
CA ACF2 Mainframe Theatre
Thank you.
Stay connected at communities.ca.com
Mainframe and Workload Automation
For more information on Mainframe and Workload Automation, please visit: http://cainc.to/9GQ2JI