CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection

CAACF2andCATopSecretPart2:r16isHere-MoreCapabilitiestoBetterYourEnterpriseProtectionandImproveBreachProtection

PaulRauchet–Director, SoftwareEngineeringJohn Pinkowski– SeniorPrincipalProduct Manager

Mainframe

CATechnologiesMFX11E

2 ©2015CA.ALLRIGHTSRESERVED.@CAWORLD #CAWORLD

ForInformationalPurposesOnlyTermsofthisPresentation©2015CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.Thepresentationprovided atCAWorld2015isintendedforinformationpurposesonlyanddoesnotformanytypeofwarranty.Someofthespecificslideswithcustomerreferencesrelatetocustomer'sspecificuseandexperienceofCAproductsandsolutionssoactualresultsmayvary.

CertaininformationinthispresentationmayoutlineCA’sgeneralproductdirection.Thispresentationshallnotserveto(i)affecttherightsand/orobligationsofCAoritslicenseesunderanyexistingorfuturelicenseagreementorservicesagreementrelatingtoanyCAsoftwareproduct;or(ii)amendanyproductdocumentationorspecificationsforanyCAsoftwareproduct.ThispresentationisbasedoncurrentinformationandresourceallocationsasofNovember18,2015,andissubjecttochangeorwithdrawalbyCAatanytimewithoutnotice.Thedevelopment,releaseandtimingofanyfeaturesorfunctionalitydescribedinthispresentationremainatCA’ssolediscretion.

Notwithstandinganythinginthispresentationtothecontrary,uponthegeneralavailabilityofanyfutureCAproductrelease referencedinthispresentation,CAmaymakesuchreleaseavailabletonewlicenseesintheformofaregularlyscheduledmajorproductrelease. SuchreleasemaybemadeavailabletolicenseesoftheproductwhoareactivesubscriberstoCAmaintenanceandsupport,onawhenandif-availablebasis.Theinformationinthispresentationisnotdeemedtobeincorporatedintoanycontract.

CAdoesnotprovidelegaladvice.NeitherthispresentationnoranyCAsoftwareproductreferencedhereinshallserveasasubstituteforyourcompliancewithanylaws(includingbutnotlimitedtoanyact,statute,regulation,rule,directive,policy,standard,guideline,measure,requirement,administrativeorder,executiveorder,etc.(collectively,“Laws”))referencedinthispresentation.YoushouldconsultwithcompetentlegalcounselregardinganyLawsreferencedherein.


Abstract

CAACF2™andCATopSecret®r16arehere!

Thissessionwillcoverthenewr16featuresaddedtohelpeaseadministration,andtohelpsimplifycomplianceandaudittasks.

PaulRauchet–Sr.Director,Engineering

JohnPinkowski–ProductOwner

CAACF2™andCATopSecret®Part2


Agenda

ENHANCEMENTSELECTIONPROCESS1

2

3

4

CAACF2&TOPSECRETR15POSTGARECAP

CATOPSECRETR16SPECIFICENHANCEMENTS

CAACF2R16SPECIFICENHANCEMENTS

WHYTHER16’SNEEDTOBEONYOURRADAR

FINALQUESTIONS/RACAP

2

3

4

5

6


40Trillionmobiletransactionsperdayby2025

TheMainframeSupportstheCustomerExperience

SOURCES:IBM,Gartner,AberdeenResearch,EnterpriseSystemsMedia

IncreasingMobileApps&Devices

2/3transactionsself-serveby2017

25%ofusersabandonanappaftera3seconddelay

71%ofcorporatedatasitsonmainframesystems

RisingCustomerExpectations

DataforAnalytics&Apps


CATopSecret&ACF2r15ReleaseUpdates

Wedeliveredinnovation….Withyourideasandhelp…

Wouldn’t itbeniceif…

36differentcustomersitesparticipated…

2½timesther15Betaprograms!!!


OldDARSystem?

Noneofthatstuff!!!x


CAACF2&TopSecretr16– “Ideas”Release

§ StoredinCACommunitiessite.

§ Viewablebyallcustomers.

§ ForumallcustomerscanleveragetoeasilyandanonymouslydiscussenhancementswithCAaswellasotherCAsecuritycustomers.

§ CAreviewsallentriessubmittedandupdateswithcurrentreviewstatus.

§ Customervoting/inputheavilyweightedinfulfillmentdecision.


CAMainframeSecurityCommunityIdeas(asof10/17/15)


ACF2/TSSr16s– 100%AgileBornandBred

§ Majorityenhancementscompletedusing:§ “Ideas”bornonCACommunitiessite§ Agilesprints§ Engagedwithmultiplecustomersto:

§ Shapethefeature§ GainagreedConsensus

TSS ACF2

TimetodiveinandtakeapeakattheGAr16enhancements!


CATopSecretr15PostGAEnhancements

MirrorFeature.Createsamirrorofthesecurityfileforimmediaterestartincaseoffiledevice/channelfailure.EnforcesecurityadministratorstofollowNEWPWruleswhenissuing password relatedTopSecretcommands.JES2/JES3 shutdown/restartimprovements.Performanceimprovements asaresultofreducedstorageobtains.Enhancedrestrictedpasswordlist.ExpansionofCOMPAREcommandtoincludeotherACIDtypes.RefinementofWHOHAScommand.AllTSSMODIFYcommands checkedasCASECAUTresources.FACILITYtrackingaddedtoCACleanup interface.UtilityimprovementstoTSSUTIL,LDAP,TSSAUDIT,TSSSIM.CHKCERTandCertificateUtilitydisplayPublic/Private keysizeandtype.ECCkeyscanbestoredandretrievedforICSF.Eliminateneedforsuperuserprivilegeforusermountandunmounts.


CATopSecretr16GAEnhancements

StoretheFACILITYdefinitionsonthesecurityfile.TheFacilitydefinitionsarenolongstoredintheTSSPARMSfile.

RestrictwhocanassignUID(0)toanuserusingtheCASECAUTauthorization.

SupportAES(256)forpasswordstorageonthesecurityfile.

IncreaseallACIDtypestorecordsize1024K

OptiontodisabletheCATopSecretTRANIDBypasslist.

AllowtheTSSCFILEutilitytoberunagainsttheBackupSecurityfile(Planned).

EnhancetheaddDFLTGRPcommandtoenforcegroupnameisvalidandcomplete(Planned).

Releasevalidatedonz13processor.

z/OS2.2exploitationsupport.

ReleaseCommonCriteriacertified.


CATopSecretr16EnhancementDetails

StoreFACILITYParametersOnSecurityFile

•TSSControloption:FACSTOR(YES|NO)• Storefacilitymatrixentriesonthesecurityfile(insteadoftheparameterfile).•Whenyouspecify FACSTOR(YES):•Entriesarehardenedtothesecurityfileaftertheproductisrestarted.

•Anychangestotheentriesare:• automaticallystoredonthesecurityfile

• loggedtotherecoveryfile.

Benefits:

• Facilitydefinitions protectedfromview(nolongerinTSSPARMSfile).

•EasiertoadministerandmaintainmultipleLPARcomplexes.

• SizeoftheTSSPARMSFILEgreatlyreduced.



RestrictUID0AssignmentToSpecificAdmins• MSCAexemptfromUID(0)restriction• RestrictionperformedviaCASECAUT(TSSCMD.ADMIN.UID0)authoritychecking,when:• Admin(alltypes)hasACID(MAINTAIN)authority• UID(0)ispresentwithinaTSSADDorREPLACEcommandstring• IfanACIDalreadyhasUID0,norestrictionisenforcedtoremoveit,orreplaceitwithnon-zerovalue.

• OnlyiftheintentistogiveanACIDUID0doesrestrictionoccur.

Benefits:• FurtherrestrictswhocanassignauthorizationforUID(0).• Addresscompliancerequirements



AES256-BitPasswordEncryption• CATopSecretcurrentlysupports128-bitAESencryptionforpasswordsandphrases.Itrequiresa16byteencryptionkeyandcanbedoneviasoftwareorhardware.IBMhasprovided256-bitAESencryptionforRACFpasswords/phrasesinz/OS2.1.ThisenhancementwillprovidethesameforTSS.

Benefits:• Addsadvancedpasswordencryptionalgorithmwhichaddressescurrentcorporateaswellasgovernmentcompliancerequirements.



IncreasedUser&ProfileRecordSize(ACID)to1024K• Youcannowassignamaximumvalueof1024usingtheMAXACIDSIZEControlOptionparameter.

Benefits:• Reducecomplexityandcosttomaintainsecurityrelatedupdates.• Helptoreducesecurityadministrationcomplexityforsitesrunningwith:

• AUTH(OVERRIDE,ALLOVER)• Eliminate/delayneedtoaddnewProfiles

• Allowforprofileconsolidationwherepossible

Rolebasedsecurityimproved• Reducethenumberofprofilesrequiredtobuildrolebasessecurityprofiles.



OptiontoDisableCICSBypassProcessing• CATopSecretCICSFacilitysuboption:(BYPLIST=NO|YES|AUDIT)• BYPLIST=NODisablesbypass listbyfacility• BYPLIST=YESEnablesbypass listbyfacility– thisisthedefault• BYPLIST=AUDITWorkssimilartoTrackingTRANIDBypassedTransactionsUsedfeaturewithouttheneedtoadd+AtotransactionsintheTRANIDbypass list.

Benefits:• OptiontoenforcedefinedsecurityauthorizationseliminatinguseoftheBYPASSlist.

ImproveWHOHASUID(0)Reporting• PreventsfalsepositivesfromUIDpersistenceafterACIDdeletion


CATopSecretr16enhancementdetails– Status:Planned

ExecuteTSSCFILEagainsttheTopSecretBackupFile• LeveragetheTSSBackupfileforTSSCFILEexecution

Benefits:• EliminatestheoverheadofexecutingTSSCFILEagainstthelive(Primary)CATopSecretsecurityfile.• Removesinadvertentperformance impactwhenTSSCFILEisrunduring busyworkloads.• ExpandTSSCFILEexecutionwindowtoincludeprimetimeprocessingperiods.

• Establishesapoint intimesnapshot:• EliminatesoutputanomaliescausedbyTopSecretcommandsprocessedduringTSSCFILEexecution.


CATopSecretr16enhancementdetails– Status:Planned

EnhanceUSSadministrationwhenaddingDFLTGRP• CrosschecktoverifythattheGROUPnameusedintheDFTLGRPfield:• IsanexistingvalidGROUP• thatisassignedtotargetACID’sGROUPlist.• HasaGIDassignedtoit.

Benefits:• Easeofadministration.• EnsuresvalidusableUnixSystemsServices(O/E)credentialsareset.


CAACF2r15PostGAEnhancements

RoleBasedSecurityRefinements:• EnhancedModelandArchivecommands• Rolerecordsnowincluded• BuildsACFcommandstogenerateamodeleduser• BuildsACFcommandstore-addanArchivedusertorolerecords• Clean-upX-ROLRolerecordswhenauseraccountisdeleted• RoleInclude/Excludefieldsupdatedfornon-maskedvalues• IncorporateRolerulesets inCAACFACCESScommand• PreventionofchangingRolerecordtype• X(ROL)recordsdefinedas‘role’or‘group’recordtype• RoleBasedAPIEnhanced(ACF00RBS)ImprovedResourceUtilization.



ImprovedUsability:• ACFVSAMReserveEnqueueName• ImprovedCSAStorageUtilization• x(ROL),x(RGP)andx(SGP)recordsincreasefor4Kto16K• GSOINFORDIRExpanded• AdditionalIMSEnhancements.• NewACFAESAGEUnloadUtility.• AdditionalSHOWCommandOptions.



z/OS2.1Support:• BPX.DEFAULT.USERnolongervalid.• ControllingAccesstoJobClass• POSIXCHOWNUnrestricted• CertificateProtectionafterGENREQ• CertificateCHAINSupportonCHKCERT• SymbolicinOMVSSegment• TYPEENF71NotificationEvent(ENF)


NewMSGOPTSGSORecord

• Designatesignonmessagestobereplacedbyageneric(ACF01125LogonCredentialsInvalidmessage.

Benefits:

• TheMSGOPTSrecordalsoletsyoupreventtheunintentionalleakingofinformation(existenceofavalidlogonid)tomalicioususers.WhenusingMSGOPTS,youcandeterminetheoriginalcauseoftheinvalidsignonbyviewingtheACFRPTPWreport.

CAACF2r16EnhancementDetails


ValidateSubCommand

• CAACF2V16.0introducesthenewvalidatesubcommand.ThesubcommandletsyouvalidatetheexistenceoflogonidsorrolesincludedorexcludedinthetargetX(ROL)rolerecords.ThevalidatesubcommandmustbeissuedfromwithintheSETX(ROL)settingoftheACFcommand.

Benefits:

• Earlydetectionofinvaliddataenteredbyadministrators.



AES256-BitPasswordEncryption

• CAACF2currentlysupports128-bitAESencryptionforpasswordsandphrases.Itrequiresa16byteencryptionkeyandcanbedoneviasoftwareorhardware.WiththissupportCAACF2willnowhavetheabilitytosupply256-bitAESencryption.

Benefits:

• Addsadvancedpasswordencryptionalgorithmwhichsatisfiesacurrentcorporateaswellasgovernmentcompliancerequirement.



Increaseuseof64-bitCSAStorageforUser

Records

• Thecontinuationofmigratingdataoutofe/CSAinto64-Bitstorage.Nowruleobjectsaremovedinto64-bitstorage.

Benefits:

• Decreaseine/CSAusageandimprovedREFRESHprocessing.Initialfeedbackisa74%-92%buyback.Resultsmayvary!



RoleSupportforLogonidAccessReport

• ROLEinputparameteradded

• Singleroleorrolemaskcanbespecified

• SpecifyingROLEwillcreateanaccessreportsectionforeachROLEshowingwhichrulelinesgrantorpreventaccess.

Benefits:

• Improvedcompliancereportingbyroles.



NewRetireStatusforUsers

• Thereisaneedto‘retire’alogonidwherethelogonidvaluewillnotbereused.Meaningtheuserwillberemovedoftheabilitytologon/accessasystemandallprivilegesareremoved.Thevalueofthelogonidneedstoberetainedsoitcannotbeusedagain.

Benefits:

• CentralRepositorytoNotAllowingtheRe-UseofID.

• IRSPub1075Requirement



WhyShouldCAACF2&CATopSecretR16BeonYourRadar?


CAACF2&TopSecretr16EnhancementBenefits• Sourced throughthe lastweekoftheBeta!• Getcurrent andlevelsetonmaintenanceasyourollout thenewrelease

AllexistingCATopSecretr15correctivesolutionsincorporated

intother16release.

•MajorityoftheCAACF2&CATopSecretr15&r16featuresgeneratedfromcustomerrequests

•Manytiedtocompliancerequirementneeds (breachprotection)

45(andcounting)newfeaturesavailable

• GetLPARsstagedandreadytoIPLandexploitnewlyintroduced zSeriesrelatedsecurityfeatures.StagedforfuturezSeriesreleases

IBMz13hardwarecertified

CommonCriteriacertified


Recap

CAACF2&TopSecretr16GAEnhancements• Vastmajorityofupdatesoriginated fromcustomerenhancementrequests.• Manyoftheenhancementsprovided toaddresssitespecificand/orfederalregulatedcompliancerequirements.

Howtogettheseenhancements?• UpgradetoCAACF2orCATopSecretr16• AllenhancementsdiscussinthissessionincludedattheCAACF2&TopSecretr16baseinstalls.

• Noadditionalmaintenancerequired.• Fullyregression tested.• Stagedforthenextnewreleaseofz/OS.


SummaryAfewwordstoreview

RememberYouareonly assecureasyourleastsecurevendor(none aretoosmalltoconsider)

Implementingasecondlayerofauthenticationcanprotectyoufromthingsoccurringoutside ofyournetwork

DoBeawareofrecentbreachesandensureyouraisethebarforattackers

Provideuserswithflexibilityandaneasywaytodotherightthing

Don’tBeconvincedthatyouaresecurebecauseyourinfrastructurehasadvancedmonitoringandprotection

Cripple thebusiness withcumbersomeprocessestheywillfindawaytocircumvent


Q&A


HowdoIdeliveraflawlessexperienceeverytimeanapplicationtouchesthemainframe?

Intheapplicationeconomyit’sallaboutyourcustomers.Youneedtothinkaboutyourmainframereframed.

Connectmobile-to-mainframeapplications

Createmainframeinfrastructureflexibility

forthefuture

Unleashthepowerofdataonthemainframe


RecommendedSessionsSESSION# TITLE DATE/TIME

MainframeTheater CastleWallsUnderDigitalSiege:Risk-basedSecurity

11/18– 1:00pm

MainframeTheater

MFX25S LocatingUnmanagedbutRegulatedDataonSystemz11/18– 3:00pm

BreakersI

MainframeTheater

PanelDiscussion: IsComplacency AroundMainframeSecurityaDisasterWaitingtoHappen?

11/18– 3:45pm

MainframeTheater

Tech Talk Isn’toneauthenticationmechanismonzSystems™enough?11/18– 4:30pm

MainframeContentCenter

TechTalkTheKnownUnknown – Findinglost, abandoned,andhiddenregulateddataontheMainframe

11/19– 12:15pm

MainframeContentCenter

MFX26SHowtoIncreaseUserAccountabilitybyEliminatingtheDefaultUserinUnixSystemServices

11/19– 1:00pm

BreakersI

MFX47STop10things youshout NOTforgetwhenevaluatingyoursecurityimplementation

11/19– 2:00pm

BreakersI


FollowConversationsintheMainframeContentCenter

CADataContentDiscoveryCAACF2™forz/OSCATopSecret®forz/OSCACleanupCAAuditor

ProductXTheater#location

AdvancedAuthentication –Nov18th@4:30pm

TheKnownUnknown -Nov19th@12:15pm

DEMOS

SMART BAR

TECH TALKS

IdentifyandControlSecurityRisk

DiscoverregulateddataonzSystems™andmaintainasecureinfrastructure

Technology

CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection