ever before, corporate information systems need the best, most
up-to-the-minute security that can be found. Networks are now
open to customers, suppliers, remotely-connected employees, and
e-business transactions with the entire Internet - and those networks
are under constant threat of attack. Meanwhile, the number of
potential failure points that could allow a system to be compromised
has grown exponentially from the days of far simpler, closed systems.
the past, perhaps, a simple password could be accepted as
sufficient means of securing a corporation's information,
but that time is long gone. With weeks, even months to try
under password systems like IBM's RACF, the odds are on
the side of determined hackers, either simple vandals or
competitively funded professionals, of finding a way to
fake or steal a password and gain entrance.
the extra step of Authentication offers the system owner
the knowledge that the person signing on is, in fact, who
they say they are. SecurID Authentication is the standard
worldwide for protecting networks by most reliably identifying
remote and network users. Only Rocket Agent for OS/390 performs
SecurID authentication natively on IBM OS/390 and z/OS systems,
allowing authentication screening to be placed as close
as possible to a corporation's most vital information systems.
Rocket Agent - The Benefits Are Clear
in OS/390 (and every) environment
RSA SecurID two-factor authentication
security easily under control with a single point
of configuration for one or more host environments
end users significant platform independence through
any device that can support host access, including
leverage the scalability of OS/390 or z/OS servers,
instead of being limited by choke points on LAN,
VPN, gateways, or non-OS/390 portal applications
down sensitive tasks in widely used host applications;
require periodic reauthentication as needed
complexity, potential points of failure, labor,
to corporate policies, in any computing environment,
The Highest Stakes
at issue is accessing applications and accounts on a corporation's
host system, the stakes are high, since that's where organizations
typically store and manage their customer accounts and other mission-critical
data and applications. In today's computer-based business world,
compromising the vital data on a firm's mainframe could easily
endanger or even ruin a company, and in an instant.
goals of attacks on systems, whatever the purpose, are the destruction
of data, theft of information, and transfer of authority or funds.
In a world where so much vital infrastructure is controlled by
computer systems, the dangers of hostile access are even more
serious than merely financial losses. These include:
- The threat
of disruption of communication flows, economic transactions,
public information campaigns, electrical power grids, political
negotiations, water distribution
- The threat
of exploitation of sensitive, proprietary, or classified information
- The threat
of manipulation, altered personal financial information
- The threat
of destruction of information or its underpinning infrastructure
components, attacks against highly specific power distribution
and fuel manufacturing infrastructure
Translate these threats into scenarios involving a utility company
with millions of customers, into banks and insurance companies where
intruders were writing themselves checks, into compromised inventories
of manufacturers and pharmaceutical firms, into any company's general
ledger. Such robberies and destructive acts are being attempted
now on a large scale.
are equally as grave in terms of potential liabilities from, for
example, individuals whose financial or medical records were exposed
and misused via preventable hacking. Such requirements are now
also mandated by the Health Insurance Portability and Accountability
part of the responsibility of guarding corporate information assets,
information must be protected if:
- Its disclosure
could cause harm to an individual
- Its disclosure
could cause embarrassment or loss to the institution
- Its alteration
could result in financial loss or incorrect management decisions
- Its destruction
could cause an interruption in critical organization functions.
The threats to information systems are greater than ever before,
since not only are networks larger and more loosely interconnected,
it's also never been easier to digitally steal and destroy assets
than it is today. Michael Vatis, director of the FBI's National
Infrastructure Protection Center (NIPC), observed, "The tools
of cybercrime are increasingly sophisticated and available to
anyone who can access the Internet." And those tools are being
used very aggressively. Speaking at a security conference of the
eight industrialized nations in October, 2000, German Foreign
Minister Joschka Fischer stated that cybercrime losses have reached
US$42.9 billion for the eight major countries, including the U.S.
"Without a doubt," he added, "this is only the beginning."
break-ins at CitiBank (with at least $12 million siphoned from
various branches), Microsoft (stolen product source code), and
many others are only the tip of the iceberg, since many companies
choose not to reveal their vulnerability. Usually, these companies
only think seriously about risk management of their information
systems after the fact. Even worse, less than 5% of system operators
realize they have been hit.
of system breaches can include:
publicity or loss of reputation
to fraud or embezzlement
business or funding losses
of money and goods
of vital information
of system integrity
Risk Management -
Limits of Minimizing the Threat
of the extreme complexity of present-day systems, where literally
almost countless layers of people, software, and subsystems are
interacting, it's impossible to have perfect security. Risk Management,
the vital defensive strategizing of a responsible large institution
of any kind, can only pursue the objective of reducing the odds
of intrusion and criminal activity by as much as possible.
said that perfect security on a computer system can be obtained
in only two ways:
buy a computer
2. If you
buy a computer… Don't turn it on.
the larger the business, the more it's based on networked computers
in every way possible, the only practical approach is to work
at minimizing the risk to the greatest degree available, as balanced
against the cost. Since no guarantees can realistically be offered
in this environment, Risk Management policy is formed by assessing
the tradeoffs between the threats against the computer system
and the costs to minimize the success of potential threats.
the likely threats to the system
the amount and type of data that is expendable
the cost of protecting all data versus some of the data
the protective measures that are affordable and necessary to
meet the perceived security needs.
New Risks Require
New Solutions - Authentication with SecurID
THE FOUR LEVELS OF SECURITY
- (RACF, etc.)
Is the user allowed to do what they're trying to do?
Authentication -- Rocket Agent/SecurID
Is the user actually who they say they are?
Privacy - (Secure Socket Layer (SSL))
Can any non-authorized person see the user's data?
User can't claim it wasn't them
In the hierarchy
of network security, a password is simply an Authorization device:
it gives the system approval for access to the holder of that
password. But to effectively protect your information, it's also
necessary to Authenticate users -- to know, with as much certainty
as possible, who is using that password and getting into your
network. Advances in security technology provide authentication
mechanisms that can be used in combination with passwords to reliably
identify authorized users, vastly improving systems' overall resistance
subsystems, such as SSL, cannot alone guarantee the identity of
a person using an authorized account. Without strong authentication,
no functionality in SSL would prevent an intruder getting biometric
or keystroke recording, and impersonating an authorized user.
whose businesses require stringent security have made RSA Security's
SecurID® two-factor strong authentication the standard for protecting
networks. SecurID two-factor authentication is based on something
users know (a password or PIN), and something they have (an authenticator
"token," in forms such as a smartcard or key chain fob), providing
a far more reliable level of user authentication than reusable
generate numbers in sync with the host system that change every
minute - thus making it virtually impossible for any would-be
intruder to gain access even with a stolen sign-on.
An Ounce of Prevention
Worth a Pound of Cure
serves the additional purpose of discouraging potential troublemakers
with valid accounts from any destructive acts, since they'll now
know that their identity is being verified whenever they sign
on, indisputably linking them to all of their activity on the
network. Users must authenticate each time they sign on - at the
very least, since Rocket Agent can be configured to require multiple
authentication demands within sessions or even applications. This
is a necessity to protect tasks which involve large amounts of
money or other sensitive information, requiring higher permission
Paper will address the necessity of two-factor (or "challenge-response")
authentication native to the OS/390 environment, and how Rocket
Agent for OS/390 and z/OS fulfills those requirements. We will
discuss current offerings in detail, and plans for both the short
and long term integration of two-factor security into new technologies.
a Password: Data Insecurity
data is equivalent to its working memory. Most corporations use
their mainframe systems for their primary data repository, including
the financial transactions and accounts, intellectual property,
and other records that are the most vital to the enterprise:
· Source code
that relies solely on passwords has often failed to provide adequate
protection for corporate information systems for a number of reasons.
If users are allowed to make up their own passwords, they tend
to choose ones that are easy to remember and therefore easy to
guess. Password systems can be effective if managed properly,
but this is seldom the case.
there are simply far too many people determinedly trying to break
into corporations' information systems, whether they are hackers
randomly probing, corporate spies, or perhaps the most dangerous
of all, employees with a grudge.
The Threat from
security requirements remain static, unchanged, the more time
intruders have to find a way in. Single-factor security in OS/390
environments gives potential intruders weeks, even months, to
sniff out opportunities -- to wait for someone to make a mistake,
to search for weaknesses, and to find ways to cover their tracks.
is common in environments dependent upon user IDs and passwords
that change only periodically, including those managed by IBM
RACF®. Static passwords like these are subject to surveillance,
discovery through carelessness, or even guessing.
use a wide variety of methods to steal sign-ons and passwords,
not limited to programmatic attempts via networks. If they can
steal legitimate user names and passwords, they can access whatever
resources with whatever permissions that user has, up until the
no shortage of choices in tools available to someone intent on
stealing valid sign-ons. For example, inexpensive, compact devices
can be attached to individual computers, unnoticeable among the
snarl of cables in the back, that can record entire sessions on
that computer for later retrieval. The replay will reveal all
of that user's sign-ons and passwords.
redirects Internet traffic to fake sites that present a realistic-appearing
sign-on screen in order to capture IDs and passwords. Packet sniffing
code, freely available on the Internet and useable even by novices,
can be deployed internally, accomplishing similar ends by reading
the information in packets as they are relayed across the network.
That information can contain sensitive information itself, or
passwords for later intrusion.
The Threat Inside
In a 1999
report, the Computer Security Institute (CSI) noted that unauthorized
access by insiders rose for the third straight year, and 55 percent
of the organizations surveyed reported intrusions by employees.
CSI also estimates that between 60 and 65 percent of all unauthorized
computer access happens due to people inside an organization.
from the inside, if someone with a valid account on the system
has a malicious intent, they will be able to do damage. If only
a password is used, without authentication of the holder of the
password, there will be no ability to trace the activity of that
user during that session. Their actions are literally gone without
Access Control Facility (RACF) only provides authorization/approval,
not Authentication. This means that using only RACF does not guarantee
that the holder of a password is in fact the authorized user.
Passwords have many other disadvantages when relied on as a sole
· Can be stolen
and passwords travelling over the network increasingly prone
to "eavesdropping" via packet sniffers
to replay attacks
be captured under false pretenses with Trojan horses (such as
to password guessing
password management and controls (i.e. re-issue, unlocking,
of user awareness and training
Problem: Using SecurID
only off the host
already use SecurID, based on servers run under Unix, Windows,
or other platforms within their networks, to authenticate users'
access to their mainframe systems. However, this approach alone
is a far more risky, and inefficient.
scheme, RSA SecurID logons must be enabled far from the host and
typically at multiple entry points, each one requiring configuration,
administration and maintenance. This decreases scalability and
points of failure
of host access configuration
errors and delays
traffic and latency
equipment and labor costs
An Open Window
hackers find it no challenge, after being authenticated on the
network outside the host, to then mask their identity with a stolen
password and gain entrance through RACF to vital host systems.
For this reason, it is essential to also require authentication
on the host system with Rocket Agent, at the host perimeter and
often at points within critical applications. Without authentication
on the host, activity cannot be traced to user authenticated outside
the mainframe and its applications and data, and audit trails
are left incomplete - and useless.
need to protect both the boundaries as well as critical systems
internally. Most companies allow free access to applications once
the user has been authenticated at the boundary, whether access
is via Virtual Private Network (VPN) software, routers, modem-pools,
or direct-dialed PCs. However, some systems must not have free
access via an ID and password alone, since the applications and
data are extremely sensitive, such as financials, Human Resources
records, data mining, or proprietary algorithms locked in source
code. Systems and applications that handle such data need greater
protection, since many of the threats are internal.
packet sniffing software, freely available on the Internet, can
be employed by any programmer to capture passwords and other sensitive
data. In this case perimeter two-factor authentication is not
enough, but two-factor authentication of access to sensitive systems
helps eliminate the threat.
managing risk for mission-critical systems requires that all the
bases are covered, that network perimeter security is complemented
with the most effective available host-based security.