Solution
- Add Native OS/390 Authentication
Rocket Agent for OS/390 is a native VTAM application that virtually
eliminates such opportunities for attackers, and hidden costs,
by introducing token-based, two-factor authentication directly
into existing logon routines for OS/390 and z/OS environments.
Instead of static passwords, randomly-generated token codes
change each end user's authentication code literally once per
minute. This creates an impossibly small opportunity for intrusion
by another party, and even prevents accidental disclosure of passwords
resulting from end user neglect. SecurID authentication not only
prevents identity theft, but also creates a robust audit trail
of every login event, guaranteeing that access is easily traced
to a valid user every time.
Any activity of the Agent requires two factors that can never
be used more than once. Every individual in the network gets a
new password automatically every minute. If someone tries to use
someone else's Token, or copies someone else's logon, they will
fail. If a Token is lost or stolen it is virtually useless until
the real owner reports it missing and a new one is assigned, at which
point it is perfectly useless.
Authenticating on the OS/390 means that users only need to carry
a single Token for enterprise-wide authentication, since SecurID
can be implemented on every platform. In addition, corporations
may customize their authentication schemes for an even greater
level of security with Rocket's Application Programming Interfaces
(APIs).
Rocket Agent for OS/390 provides essential security capabilities
for OS/390, including:
• Protection from all forms of unauthorized user terminal access
• Enhancement of and compatibility with the security systems
of the OS/390 base operating system (all versions)
• Meeting auditor requirements for strong authentication (rather
than static passwords)
• Securing of applications in IBM's CICS Transaction Server
for OS/390 environment
Rocket Agent's native OS/390 authentication also allows companies
to confidently grow the number of applications handled by their
mainframe, to gain the advantages of the cost-effectiveness made
possible by the unmatched scalability of those systems, rather
than expanding their high-maintenance client/server networks.
The latter approach places a far greater burden on costs -- as
the network grows, the cost of adding routers and firewalls increases
exponentially, as well as the cost of individually configuring
each for SecurID authentication. Administrative overhead also
balloons, as does the time and effort expended on the continual
patching for Windows and Unix.
In Partnership with RSA Security
Rocket Agent for OS/390 is offered in partnership with RSA Security
as an extension of their industry standard SecurID technology.
Rocket Agent works like other RSA ACE/Agents, used in conjunction
with RSA ACE/Server and RSA SecurID tokens.
RSA has chosen Rocket Software as their partner to market, support,
and add Rocket's mainframe expertise to its ongoing development.
Rocket has assumed development of the former RSA ACE/Agent for
OS/390, and will customize and resell RSA's portfolio of integrated
security products to Rocket Agent customers. Rocket and RSA Security
will work actively together to extend your OS/390 security investment
into the future.
The Rocket Agent is the only authentication solution for OS/390
and z/OS that enables mainframes to interconnect seamlessly with
the RSA network. As a partner in the RSA SecurID® Ready program,
the Rocket Agent is tested by RSA to ensure complete compatibility
with all interrelated products.
Rocket and RSA Security will work actively together to extend
OS/390 security investment into the future. Rocket Software's
extensive experience as an IBM Solution Provider -- developing
and supporting products for IBM's premier computing environments
-- makes it the ideal provider for RSA SecurID needs on OS/390.
Accessing host through Rocket Agent on the OS/390
Why control authentication from OS/390, when it is already being
controlled at all points on other, connected systems? In terms
of overall security, it's only logical to authenticate at the point closest
to a corporation's most valuable assets. But besides being much
less vulnerable, authenticating on the OS/390 is also far more
efficient, drawing on the unmatched scalability and performance
of mainframe systems.
Storing the corporation's security data repository on the mainframe
system gives additional benefits, deriving from the nature of
the technology. It's more physically secure, due simply to the
fact that access to mainframe installations is already restricted
as a matter of course. As we've discussed, Rocket Agent also permits
single sign-on through SecurID, meaning employees can spend more
time doing business and less time trying to keep track of multiple
passwords or Tokens.
The result:
• Minimum risk, network traffic, and maintenance
• Logons extended safely to thin clients, very large numbers
of users
• Additional authentication check-points can easily be built
into existing applications
Features and Functionality
Features
• Provides strong, two-factor authentication for OS/390 systems.
• Adds security in addition to RACF, CA-ACF2 or CA-Top Secret.
• Allows you to require RSA SecurID authentication to any
system connected via VTAM.
• Provides an audit trail with the online event log; integrates
with SMF batch logging.
• Prompts users with your custom designed warning message
before they connect.
• Authenticates users regardless of the device used to access
the mainframe.
• Supports all RSA SecurID form factors including key fobs,
hardware tokens, pin pads and software tokens.
• Functions seamlessly with existing RSA ACE/Server solutions.
• Provides seamless integration between the RSA ACE/Agent
for OS/390 audit log and the IBM SMF batch logging system.
• Configures to require RSA SecurID authentication for all
devices or only those you select.
• Provides a customizable greeting screen that presents the
username and passcode prompt with warnings about unauthorized
access to their system. (This is required by law in some U.S.
States in order to prosecute hackers).
• Offers an option that allows authentication upon demand,
from within a CICS task. The customer may select when and where
to invoke this authentication.
CICS API for Rocket Agent for OS/390
Provides authentication on demand anywhere within a CICS application
More than thirty million people use IBM's Customer Information
Control System (CICS) for online transaction management and connectivity.
CICS handles more than thirty billion transactions per day, worth
more than US$1 trillion.
Rocket Agent for OS/390 provides an optional Rocket Agent API
for CICS Server for OS/390. This component supplies the end user
with a capability that allows RSA SecurID authentication upon
demand, from within a CICS task. This authentication is completely
under the control of the user and may be placed within the application
wherever it is necessary to secure access to transactions, programs
or data.
Authenticate at critical steps in a process:
• Before cutting a check
• Before authorizing a transaction
• Before authorizing a change in a formula
• Etc.
How it works
Rocket Agent for OS/390 is a native VTAM application that functions
much like a security guard, standing between the user and a protected
resource or device to enforce two-factor authentication using
RSA ACE/Server software.
When a logon is attempted, the Rocket Agent for OS/390 first
challenges the user to provide a valid user ID, Personal Identification
Number (PIN) and a unique, randomly generated token code from
his or her RSA SecurID authenticator. These credentials are passed
from the Rocket Agent to the RSA ACE/Server for authentication.
The logon process is fast and easy.
No matter what device or network protocol is used in your environment,
the Rocket Agent for OS/390 protects access to your system. Whether
users are connecting from an emulator or an actual terminal using
SNA, TCP/IP, Token Ring, Ethernet, etc., the Rocket Agent for
OS/390 will interrupt the connection and challenge users for their
RSA SecurID token code.
For existing RSA ACE/Server and RSA SecurID customers, the Rocket
Agent for OS/390 provides an opportunity to extend the security
provided by two-factor authentication to employees and other individuals
who access mission critical applications and systems inside the
network environment. By adding Rocket Agent, organizations can
continue to leverage the RSA ACE/Server and RSA SecurID authenticators
already deployed in their environment. The Rocket Agent solution
is complementary to native OS/390 security and management products,
such as RACF, CA-Top Secret and CA-ACF2.
Future Developments and Enhancements
Rocket Software is currently working on expanding its range
of offerings for OS/390 authentication, to bring the enhanced
security of SecurID to the entire mainframe environment. Rocket
will more closely integrate its Agent for OS/390 with other security
offerings on the mainframe, such as IBM Resource Access Control
Facility (RACF).
RSA Security's technology will play a key role in the ongoing
evolution of Rocket's enterprise security solutions. One of the
areas currently being addressed is application control, to be
able to restrict usage at a more granular level, by task or transaction.
The first implementation of this has already been achieved with
the Rocket CICS API -- opening the door to customers implementing
any number of additional authorization "checkpoints" for their
particularly sensitive CICS transactions.
The CICS API is just the first in a line of application programming
interfaces that Rocket Software will deliver in the very near
future. The second, an API for IBM WebSphere, should be available
in early 2002.
APIs are currently under development for:
• IBM WebSphere
• TSO
• IMS
• ISPF
Rocket is also examining how Rocket Agent for OS/390 can meet the
challenge of two-factor authentication in USS (Unix System Services)
and TCP/IP facilities. These facilities represent a different security
challenge than VTAM since they are, by their very definition, designed
to be open systems -- and therefore present potential security threats
for the OS/390 environment. Rocket will block these potential weaknesses
with enhancements appropriate to these environments, extending the
advantages of single sign-on more comprehensively to every OS/390
environment.