
-- A whitepaper written in 2002 for Rocket Software, Natick, Mass. --

Rocket Agent for OS/390

Maximum Confidence in Mainframe Risk Management with
'Rocket Agent for OS/390' Native SecurID® Authentication

    More than ever before, corporate information systems need the best, most up-to-the-minute security that can be found. Networks are now open to customers, suppliers, remotely-connected employees, and e-business transactions with the entire Internet - and those networks are under constant threat of attack. Meanwhile, the number of potential failure points that could allow a system to be compromised has grown exponentially from the days of far simpler, closed systems.

    In the past, perhaps, a simple password could be accepted as a sufficient means of securing a corporation's information, but that time is long gone. Under static-password systems like IBM's RACF, a determined hacker, whether a simple vandal or a well-funded professional, has weeks, even months, to find a way to fake or steal a password and gain entrance, and the odds are on the hacker's side.

    Taking the extra step of Authentication offers the system owner the knowledge that the person signing on is, in fact, who they say they are. SecurID Authentication is the standard worldwide for protecting networks by most reliably identifying remote and network users. Only Rocket Agent for OS/390 performs SecurID authentication natively on IBM OS/390 and z/OS systems, allowing authentication screening to be placed as close as possible to a corporation's most vital information systems.

    Rocket Agent - The Benefits Are Clear

    • Deployable in OS/390 (and every) environment
    • Standard RSA SecurID two-factor authentication
    • Keep security easily under control with a single point of configuration for one or more host environments
    • Give end users significant platform independence through any device that can support host access, including Web browsers
    • Directly leverage the scalability of OS/390 or z/OS servers, instead of being limited by choke points on LAN, VPN, gateways, or non-OS/390 portal applications
    • Lock down sensitive tasks in widely used host applications; require periodic reauthentication as needed
    • Minimize complexity, potential points of failure, labor, and costs
    • Customization to corporate policies, in any computing environment, with APIs

    The Highest Stakes

    When what's at issue is accessing applications and accounts on a corporation's host system, the stakes are high, since that's where organizations typically store and manage their customer accounts and other mission-critical data and applications. In today's computer-based business world, compromising the vital data on a firm's mainframe could easily endanger or even ruin a company, and in an instant.

    The common goals of attacks on systems, whatever the purpose, are the destruction of data, theft of information, and transfer of authority or funds. In a world where so much vital infrastructure is controlled by computer systems, the dangers of hostile access are even more serious than merely financial losses. These include:

    • The threat of disruption of communication flows, economic transactions, public information campaigns, electrical power grids, political negotiations, water distribution
    • The threat of exploitation of sensitive, proprietary, or classified information
    • The threat of manipulation, such as altered personal financial information
    • The threat of destruction of information or its underpinning infrastructure components, attacks against highly specific power distribution and fuel manufacturing infrastructure

    Translate these threats into scenarios involving a utility company with millions of customers, into banks and insurance companies where intruders were writing themselves checks, into compromised inventories of manufacturers and pharmaceutical firms, into any company's general ledger. Such robberies and destructive acts are being attempted now on a large scale.

    The dangers are equally grave in terms of potential liabilities from, for example, individuals whose financial or medical records were exposed and misused via preventable hacking. Protection of such records is now also mandated by the Health Insurance Portability and Accountability Act (HIPAA).

    As a crucial part of the responsibility of guarding corporate information assets, information must be protected if:

    • Its disclosure could cause harm to an individual
    • Its disclosure could cause embarrassment or loss to the institution
    • Its alteration could result in financial loss or incorrect management decisions
    • Its destruction could cause an interruption in critical organization functions.

    The threats to information systems are greater than ever before, since not only are networks larger and more loosely interconnected, it's also never been easier to digitally steal and destroy assets than it is today. Michael Vatis, director of the FBI's National Infrastructure Protection Center (NIPC), observed, "The tools of cybercrime are increasingly sophisticated and available to anyone who can access the Internet." And those tools are being used very aggressively. Speaking at a security conference of the eight industrialized nations in October, 2000, German Foreign Minister Joschka Fischer stated that cybercrime losses have reached US$42.9 billion for the eight major countries, including the U.S. "Without a doubt," he added, "this is only the beginning."

    Highly publicized break-ins at CitiBank (with at least $12 million siphoned from various branches), Microsoft (stolen product source code), and many others are only the tip of the iceberg, since many companies choose not to reveal their vulnerability. Usually, these companies only think seriously about risk management of their information systems after the fact. Even worse, less than 5% of system operators realize they have been hit. The effects of system breaches can include:

    1) Negative publicity or loss of reputation
    2) Disruptions to service
    3) Downtime
    4) Losses to fraud or embezzlement
    5) Future business or funding losses
    6) Costly, time-consuming investigations
    7) Litigation
    8) Loss of confidentiality
    9) Loss of money and goods
    10) Loss of vital information
    11) Loss of system integrity
    12) Loss of opportunities
    13) Misuse of resources

    Risk Management - Limits of Minimizing the Threat

    In light of the extreme complexity of present-day systems, where almost countless layers of people, software, and subsystems are interacting, it's impossible to have perfect security. Risk Management, the vital defensive strategizing of a responsible large institution of any kind, can only pursue the objective of reducing the odds of intrusion and criminal activity by as much as possible.

    It's been said that perfect security on a computer system can be obtained in only two ways:

    1. Don't buy a computer

    2. If you buy a computer… Don't turn it on.

    But since the larger the business, the more it's based on networked computers in every way possible, the only practical approach is to work at minimizing the risk to the greatest degree available, as balanced against the cost. Since no guarantees can realistically be offered in this environment, Risk Management policy is formed by assessing the tradeoffs between the threats against the computer system and the costs to minimize the success of potential threats.

      Risk Management Strategy

      · Determine the likely threats to the system

      · Assess the amount and type of data that is expendable

      · Determine the cost of protecting all data versus some of the data

      · Choose the protective measures that are affordable and necessary to meet the perceived security needs.

    New Risks Require New Solutions - Authentication with SecurID

      Authorization - (RACF, etc.)
      Is the user allowed to do what they're trying to do?

      Authentication - (Rocket Agent/SecurID)
      Is the user actually who they say they are?

      Privacy - (Secure Socket Layer (SSL))
      Can any non-authorized person see the user's data?

      User can't claim it wasn't them

    In the hierarchy of network security, a password is simply an Authorization device: it gives the system approval for access to the holder of that password. But to effectively protect your information, it's also necessary to Authenticate users -- to know, with as much certainty as possible, who is using that password and getting into your network. Advances in security technology provide authentication mechanisms that can be used in combination with passwords to reliably identify authorized users, vastly improving systems' overall resistance to intrusion.

    Privacy subsystems, such as SSL, cannot alone guarantee the identity of a person using an authorized account. Without strong authentication, nothing in SSL would prevent an intruder who has captured a user's credentials (for example, by recording keystrokes or biometric input) from impersonating that authorized user.

    Customers whose businesses require stringent security have made RSA Security's SecurID® two-factor strong authentication the standard for protecting networks. SecurID two-factor authentication is based on something users know (a password or PIN), and something they have (an authenticator "token," in forms such as a smartcard or key chain fob), providing a far more reliable level of user authentication than reusable passwords.

    The authenticators generate numbers in sync with the host system that change every minute - thus making it virtually impossible for any would-be intruder to gain access even with a stolen sign-on.
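As an added illustration (not code from this whitepaper or from Rocket Software), the following Python models the scheme just described: a token that displays a number changing once a minute, a host that checks PIN plus token code within a small clock-drift window, and refusal of any code already accepted, which is what makes a captured sign-on useless. The time-code function is an HMAC-based stand-in in the style of RFC 6238, not RSA's proprietary SecurID algorithm; the user record, PIN, seed and clock values are constructed sample data.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed: the displayed code changes once a minute, as the text states
CODE_DIGITS = 6     # assumed code length, constructed for this example

def token_code(seed: bytes, now: int) -> str:
    """Number the authenticator ('something you have') shows at time `now`:
    HMAC-SHA1 over the time step, truncated as in RFC 6238 (a stand-in for
    the proprietary SecurID algorithm, not that algorithm itself)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

class HostVerifier:
    """Host-side check of PIN ('something you know') + token code. Tolerates
    +/- drift_steps of clock drift and refuses a code it already accepted, so a
    captured passcode cannot be replayed (unlike a static password)."""
    def __init__(self, users: dict, drift_steps: int = 1):
        self.users = users          # user_id -> (pin, token seed); constructed sample data
        self.drift = drift_steps
        self.used = set()           # (user_id, time step) pairs already consumed

    def verify(self, user_id: str, passcode: str, now: int) -> bool:
        record = self.users.get(user_id)
        if record is None:
            return False
        pin, seed = record
        if len(passcode) != len(pin) + CODE_DIGITS or not passcode.startswith(pin):
            return False
        code = passcode[len(pin):]
        current = now // STEP_SECONDS
        for step in range(current - self.drift, current + self.drift + 1):
            expected = token_code(seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code) and (user_id, step) not in self.used:
                self.used.add((user_id, step))   # one-time use: burn this step
                return True
        return False

def demo() -> dict:
    """Constructed scenario: valid sign-on, replay of the captured passcode, stale use, next minute."""
    seed = b"constructed-sample-seed-not-a-real-token"
    host = HostVerifier({"ops01": ("4821", seed)})
    t = 1_000_000_000                      # arbitrary fixed clock, in seconds
    captured = "4821" + token_code(seed, t)
    return {
        "first_use": host.verify("ops01", captured, t),            # True
        "replay": host.verify("ops01", captured, t + 10),          # False: already used
        "stale": host.verify("ops01", captured, t + 5 * 60),       # False: outside drift window
        "wrong_pin": host.verify("ops01", "0000" + token_code(seed, t + 120), t + 120),  # False
        "next_minute": host.verify("ops01", "4821" + token_code(seed, t + 120), t + 120),  # True
    }
```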

    An Ounce of Prevention Worth a Pound of Cure

    Authentication serves the additional purpose of discouraging potential troublemakers with valid accounts from any destructive acts, since they'll now know that their identity is being verified whenever they sign on, indisputably linking them to all of their activity on the network. Users must authenticate at least each time they sign on; Rocket Agent can also be configured to require additional authentication within sessions or even within applications. This is a necessity for tasks which involve large amounts of money or other sensitive information and require higher permission levels.

    This White Paper will address the necessity of two-factor (or "challenge-response") authentication native to the OS/390 environment, and how Rocket Agent for OS/390 and z/OS fulfills those requirements. We will discuss current offerings in detail, and plans for both the short and long term integration of two-factor security into new technologies.

    Only a Password: Data Insecurity

    A corporation's data is equivalent to its working memory. Most corporations use their mainframe systems for their primary data repository, including the financial transactions and accounts, intellectual property, and other records that are the most vital to the enterprise:

      · Source code

      · Financial

      · Human resources

      · Engineering designs

      · Archives

      · Inventory control

      · Customer databases

    Security that relies solely on passwords has often failed to provide adequate protection for corporate information systems for a number of reasons. If users are allowed to make up their own passwords, they tend to choose ones that are easy to remember and therefore easy to guess. Password systems can be effective if managed properly, but this is seldom the case.

    Meanwhile, there are simply far too many people determinedly trying to break into corporations' information systems, whether they are hackers randomly probing, corporate spies, or perhaps the most dangerous of all, employees with a grudge.

    The Threat from Outsiders

    The longer security requirements remain static, the more time intruders have to find a way in. Single-factor security in OS/390 environments gives potential intruders weeks, even months, to sniff out opportunities -- to wait for someone to make a mistake, to search for weaknesses, and to find ways to cover their tracks.

    This threat is common in environments dependent upon user IDs and passwords that change only periodically, including those managed by IBM RACF®. Static passwords like these are subject to surveillance, discovery through carelessness, or even guessing.

    Intruders use a wide variety of methods to steal sign-ons and passwords, not limited to programmatic attempts via networks. If they can steal legitimate user names and passwords, they can access whatever resources with whatever permissions that user has, up until the password changes.

    Password Capture

    There's no shortage of choices in tools available to someone intent on stealing valid sign-ons. For example, inexpensive, compact devices can be attached to individual computers, unnoticeable among the snarl of cables in the back, that can record entire sessions on that computer for later retrieval. The replay will reveal all of that user's sign-ons and passwords.

    "Web spoofing" redirects Internet traffic to fake sites that present a realistic-appearing sign-on screen in order to capture IDs and passwords. Packet sniffing code, freely available on the Internet and useable even by novices, can be deployed internally, accomplishing similar ends by reading the information in packets as they are relayed across the network. That information can contain sensitive information itself, or passwords for later intrusion.

    The Threat Inside

    In a 1999 report, the Computer Security Institute (CSI) noted that unauthorized access by insiders rose for the third straight year, and 55 percent of the organizations surveyed reported intrusions by employees. CSI also estimates that between 60 and 65 percent of all unauthorized computer access happens due to people inside an organization.

    With threats from the inside, if someone with a valid account on the system has a malicious intent, they will be able to do damage. If only a password is used, without authentication of the holder of the password, there will be no ability to trace the activity of that user during that session. Their actions are literally gone without a trace.

    The Limitations of RACF

    IBM's Resource Access Control Facility (RACF) only provides authorization/approval, not Authentication. This means that using only RACF does not guarantee that the holder of a password is in fact the authorized user. Passwords have many other disadvantages when relied on as a sole security device.

    Disadvantages of passwords

      · Can be stolen or observed

      · IDs and passwords travelling over the network increasingly prone to "eavesdropping" via packet sniffers

      · Subject to replay attacks

      · Can be captured under false pretenses with Trojan horses (such as Web spoofing)

      · Subject to password guessing

      · Ineffective password management and controls (e.g. re-issue, unlocking)

      · Lack of user awareness and training

    Problem: Using SecurID only off the host

    Many companies already use SecurID, based on servers run under Unix, Windows, or other platforms within their networks, to authenticate users' access to their mainframe systems. However, this approach alone is far riskier and less efficient.

    In this scheme, RSA SecurID logons must be enabled far from the host and typically at multiple entry points, each one requiring configuration, administration and maintenance. This decreases scalability and greatly increases:

      · Potential points of failure

      · Complexity of host access configuration

      · Maintenance errors and delays

      · Network traffic and latency

      · MIS equipment and labor costs

    An Open Window

    Experienced hackers find it no challenge, after being authenticated on the network outside the host, to then mask their identity with a stolen password and gain entrance through RACF to vital host systems. For this reason, it is essential to also require authentication on the host system with Rocket Agent, at the host perimeter and often at points within critical applications. Without authentication on the host, activity inside the mainframe and its applications and data cannot be traced to the user who was authenticated outside it, and audit trails are left incomplete - and useless.

    Organizations need to protect both the boundaries as well as critical systems internally. Most companies allow free access to applications once the user has been authenticated at the boundary, whether access is via Virtual Private Network (VPN) software, routers, modem-pools, or direct-dialed PCs. However, some systems must not have free access via an ID and password alone, since the applications and data are extremely sensitive, such as financials, Human Resources records, data mining, or proprietary algorithms locked in source code. Systems and applications that handle such data need greater protection, since many of the threats are internal.

    Network packet sniffing software, freely available on the Internet, can be employed by any programmer to capture passwords and other sensitive data. In this case perimeter two-factor authentication is not enough, but two-factor authentication of access to sensitive systems helps eliminate the threat.

    Effectively managing risk for mission-critical systems requires that all the bases are covered, that network perimeter security is complemented with the most effective available host-based security.

    Solution - Add Native OS/390 Authentication