Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?

Tech Talk: Isn’t One Authentication
Mechanism for z Systems Enough?
Jeff Cherrington
Mainframe
CA Technologies
Product Manager, Mainframe Security
MFT29T
#CAWorld

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA
World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer
references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights
and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software
product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current
information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The
development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in
this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such
release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-
available basis. The information in this presentation is not deemed to be incorporated into any contract.
Terms of this Presentation

Identity and Access Management:
Keeping the Bad Guys Out
Letting the Good Guys In

What do these people
have in common?

MYTH
The mainframe is an impenetrable fortress.
REALITY
 Increased vulnerability to social engineering: Entry points to the mainframe have
changed
 Traditional mainframe access control is no longer sufficient – new vectors require
a different approach to infrastructure security
Cybercriminal teen hacked prison mainframe while taking IT course
- Techworld.com, March 2013
One of the UK’s most skilled and successful convicted cybercriminals was allegedly able to hack into his
prison’s mainframe after being allowed to take an IT course, an industrial tribunal hearing has heard.

MYTH
Data at rest and in use on the mainframe is safe from breaches
because it stays on the mainframe.
REALITY
 Big Data and Cloud: IT and the business want Mainframe data and analytics and
agility use cases cause data to leave the platform
 Proliferation of mainframe web services and APIs make data on the mainframe
more susceptible to a breach than ever before.
How good is your mainframe at data security? Not as good as you think.
- Techtarget.com, May 2010
Despite mainframes' reputation for data security, their increasing interaction with Web-based environments
makes them vulnerable.

MYTH
The mainframe has been well covered and well represented in the risk management
and control three lines of defense.
REALITY
Three lines of defense for effective risk management and control:
1. Operational Management
2. Risk Management and Compliance
3. Internal Audit
Mainframe as “black box” mentality breeds false sense of trust and assumptions
made across all three lines of defense  effectively increasing risks to the enterprise.

71% of the world’s mission critical
data is on the mainframe*
Mainframe is now an enterprise IT
server and with that role
it has more entry and exit vectors
Source: Rehabilitating the Perception of Mainframes, Enterprise systems Media, 22 July 2015

Authentication Factors
 What: An authentication factor is a requirement that is designed to verify the identity of an
authorized user during the login process.
 Three categories of authentication factors
– The knowledge factor: Something that is known only by the user, such as a password or
PIN
– The inherence factor: Something that is physically unique to the user, such as a
fingerprint or iris scan
– The possession factor: Something that only the user possesses, such as a smartphone,
smartcard, USB token, or other hardware key
 Additional factors: Location factor and time factor are sometimes added

The Need for Advanced Authentication
 Reduce vulnerability
– Single authentication factors such as passwords and personal identification
numbers (PINs) have proven too easy for hackers to steal and exploit
– Advanced authentication methods and factors reduce vulnerability by
preventing a bad actor from easily logging in or authenticating as a specific
identity
Cost of Data Breach Study: Global Analysis - Ponemon Institute, May 2014
In 2014, recovery costs to companies from a single data breach ranged from an average of $3.5M to $31M
and the likelihood over the next two years of a sensitive data breach of at least 10,000 records per
company is 22%.

From Need to Mandate
https://www.whitehouse.gov/blog/2015/06/17/fact-sheet-enhancing-and-strengthening-federal-government-s-cybersecurity
FACT SHEET: Enhancing and Strengthening the
Federal Government’s Cybersecurity
Posted by Tony Scott on June 17, 2015 at 05:44 PM EDT
“Dramatically accelerate implementation of multi-
factor authentication, especially for privileged
users.
Intruders can easily steal or guess usernames/passwords
and use them to gain access to Federal networks, systems,
and data. Requiring the utilization of a Personal Identity
Verification (PIV) card or alternative form of multi-factor
authentication can significantly reduce the risk of
adversaries penetrating Federal networks and systems.
Agencies must report to OMB and DHS on progress
and challenges within 30 days.”
As part of this mandate
Tony Scott formed a Cybersecurity Sprint Team, to lead a 30-
day review of the Federal Government’s cybersecurity
policies, procedures, and practices. At the end of the review,
the Federal CIO will create and operationalize a set of action
plans and strategies to further address critical cybersecurity
priorities and recommend a Federal Civilian Cybersecurity
Strategy.
The first item on the six item strategy?
Protecting data at rest and in transit

Strategic Opportunities for Ongoing Engagement
 Active Working groups
– Data-centric Security
– Advanced Authentication
– Compliance
 Help us understand your enterprise security needs
– Mobile applications to mainframe
– Data-centric audit and protection

It’s About Your Input and Ensuring We Deliver
the Right Product When You Need It
 The Agile framework
– Your collaboration and input makes it possible
– Repeated customer inspection and product team adaption
– Incremental delivery/customer validation of testable working software
 End of sprint reviews occur every 2 - 4 weeks
– Demo Discuss  Feedback Adjust  improve for the next iteration
 Join us to deliver on your requirements
– please sign up at validate.ca.com

Q & A

Types of Authentication
SINGLE-FACTOR TWO-STEP TWO-FACTOR MULTI FACTOR
Single process based on one
category of factor
Additive process: Authenticate once
with a single factor and then again
with another single factor from the
same category
Multiplicative process: Combination
from the knowledge or inherence
factor and the possession factor
derives a stronger single credential
than each independent credential
Multiplicative process: Combination
of three or more, each from a
separate category of factors,
derives a stronger single credential
than each independent factor
Includes the following factors:
Knowledge factor: one thing you
“know”
or
Inherence factor: one thing you
“are”
Knowledge factor or inherence factor:
one thing you “know” or “are”
plus
Knowledge factor or inherence factor:
one thing you “know” or “are”
Knowledge and inherence factor:
one thing you “know” or one thing
you “are”
plus
Possession factor: one thing you
“have”
Knowledge factor: one thing you
“know”
plus
Inherence factor: one thing you
“are”
plus
Possession factor: one thing you
“have”
Examples:
 PIN
 Password
 Finger print
 Iris scan
Examples:
 Two physical keys
 Two passwords (user + one time
only password via SMS, generator,
email)
 Two forms of biometric
identification
Examples:
 Password or biomarker with an
identity card
 PIN, secret key or biomarker
with a hardware token
Examples:
 Password and fingerprint and
identity card
 PIN and iris scan and hardware
token

WHO CARES ABOUT IT WHY DO THEY CARE
Payment Card Industry Data
Security Standard (PCI/DSS)
Any organization who accepts or stores credit or debit card
information.
Fines can be assessed up to $500,000 USD per
data breach incident where PCI/DSS non-
compliance is proven
Personally Identifiable
Information (PII)
Any organization who accepts, collects or stores information that can
potentially be used to uniquely identify a person. It can include
national identification numbers, Social Security numbers, street
addresses, driver’s license numbers, telephone numbers, IP
addresses, email addresses, vehicle registrations, and ages.
 Civil monetary fines of varying amounts up to
$1 million USD and more
 Identity Theft and Deterrence Act of 1998 –
Violations of the act are subject to a fine
and/or jail time in a federal prison from three
to 15 years.
Health Insurance Portability
and Accountability Act
(HIPAA) and Protected Health
Information (PHI)
Any organization who creates, stores, transmits or electronically
receives protected health information (PHI). PHI relates to past,
present, or future physical or mental health conditions of an
individual, the provision of health care to the individual, or past,
present, or future payment for health care to an individual, and that
identifies the individual; or with respect to which there is a
reasonable basis to believe the information can be used to identify
the individual.
 Fines/penalties ranging from $100 per incident
to $1.5 million USD for all violations of an
identical provision
 Criminal penalties of up to 10 years in jail for
misuse, unauthorized use
Federal Information Security
Management Act (FISMA)
U.S. Government organizations who wish to protect government
information, operations and assets against natural or man-made
threats. If a business works with data provided by the government
under contract, it is likely they are subject to FISMA compliance.
Civil penalties are difficult to quantify given FISMA
regulates government organizations
Sarbanes-Oxley
All U.S. public company boards, management and public accounting
firms. There are also a number of provisions of the Act that also apply
to privately held companies. Sarbanes-Oxley covers a public
corporation's board of directors and adds criminal penalties for
certain misconduct.
 Criminal fines and penalties range from
$20,000 to millions plus decades in prison
 Average SOX compliance costs over $3M

For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15

Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?

More Related Content

What's hot (20)

Similar to Tech Talk: Isn’t One Authentication Mechanism z Systems Enough? (20)

More from CA Technologies (20)

Recently uploaded (20)

Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?