CA ACF2 and CA Top Secret Part 2: r16 is Here – More Capabilities to Better Your Enterprise Protection and Improve Breach Protection
Paul Rauchet – Director, Software Engineering
John Pinkowski – Senior Principal Product Manager
Mainframe
CA Technologies MFX11E
2 © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to the customer's specific use and experience of CA products and solutions, so actual results may vary.
Certain information in this presentation may outline CA's general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA's sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
CA does not provide legal advice. Neither this presentation nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, "Laws")) referenced in this presentation. You should consult with competent legal counsel regarding any Laws referenced herein.
Abstract
CA ACF2™ and CA Top Secret® r16 are here!
This session will cover the new r16 features added to help ease administration, and to help simplify compliance and audit tasks.
Paul Rauchet – Sr. Director, Engineering
John Pinkowski – Product Owner
CA ACF2™ and CA Top Secret® Part 2
Agenda
1 Enhancement Selection Process
2 CA ACF2 & Top Secret r15 Post GA Recap
3 CA Top Secret r16 Specific Enhancements
4 CA ACF2 r16 Specific Enhancements
5 Why the r16's Need to Be on Your Radar
6 Final Questions / Recap
The Mainframe Supports the Customer Experience
40 Trillion mobile transactions per day by 2025
2/3 transactions self-serve by 2017
25% of users abandon an app after a 3 second delay
71% of corporate data sits on mainframe systems
Increasing Mobile Apps & Devices
Rising Customer Expectations
Data for Analytics & Apps
SOURCES: IBM, Gartner, Aberdeen Research, Enterprise Systems Media
CA Top Secret & ACF2 r15 Release Updates
We delivered innovation…. With your ideas and help…
Wouldn't it be nice if…
36 different customer sites participated…
2½ times the r15 Beta programs!!!
CA ACF2 & Top Secret r16 – "Ideas" Release
§ Stored in CA Communities site.
§ Viewable by all customers.
§ Forum all customers can leverage to easily and anonymously discuss enhancements with CA as well as other CA security customers.
§ CA reviews all entries submitted and updates with current review status.
§ Customer voting/input heavily weighted in fulfillment decision.
ACF2/TSS r16s – 100% Agile Born and Bred
§ Majority enhancements completed using:
§ "Ideas" born on CA Communities site
§ Agile sprints
§ Engaged with multiple customers to:
§ Shape the feature
§ Gain agreed consensus
TSS   ACF2
Time to dive in and take a peek at the GA r16 enhancements!
CA Top Secret r15 Post GA Enhancements
• Mirror Feature. Creates a mirror of the security file for immediate restart in case of file device/channel failure.
• Enforce security administrators to follow NEWPW rules when issuing password related Top Secret commands.
• JES2/JES3 shutdown/restart improvements.
• Performance improvements as a result of reduced storage obtains.
• Enhanced restricted password list.
• Expansion of COMPARE command to include other ACID types.
• Refinement of WHOHAS command.
• All TSS MODIFY commands checked as CASECAUT resources.
• FACILITY tracking added to CA Cleanup interface.
• Utility improvements to TSSUTIL, LDAP, TSSAUDIT, TSSSIM.
• CHKCERT and Certificate Utility display Public/Private key size and type.
• ECC keys can be stored and retrieved for ICSF.
• Eliminate need for superuser privilege for user mount and unmounts.
CA Top Secret r16 GA Enhancements
• Store the FACILITY definitions on the security file. The Facility definitions are no longer stored in the TSS PARMS file.
• Restrict who can assign UID(0) to a user using the CASECAUT authorization.
• Support AES(256) for password storage on the security file.
• Increase all ACID types to record size 1024K.
• Option to disable the CA Top Secret TRANID Bypass list.
• Allow the TSSCFILE utility to be run against the Backup Security file (Planned).
• Enhance the add DFLTGRP command to enforce that the group name is valid and complete (Planned).
• Release validated on z13 processor.
• z/OS 2.2 exploitation support.
• Release Common Criteria certified.
CA Top Secret r16 Enhancement Details
Store FACILITY Parameters On Security File
• TSS Control option: FACSTOR(YES|NO)
• Store facility matrix entries on the security file (instead of the parameter file).
• When you specify FACSTOR(YES):
  • Entries are hardened to the security file after the product is restarted.
  • Any changes to the entries are:
    • automatically stored on the security file
    • logged to the recovery file.
Benefits:
• Facility definitions protected from view (no longer in TSS PARMS file).
• Easier to administer and maintain multiple LPAR complexes.
• Size of the TSS PARMS FILE greatly reduced.
CA Top Secret r16 Enhancement Details
Restrict UID 0 Assignment To Specific Admins
• MSCA exempt from UID(0) restriction
• Restriction performed via CASECAUT(TSSCMD.ADMIN.UID0) authority checking, when:
  • Admin (all types) has ACID(MAINTAIN) authority
  • UID(0) is present within a TSS ADD or REPLACE command string
• If an ACID already has UID 0, no restriction is enforced to remove it, or replace it with a non-zero value.
• Only if the intent is to give an ACID UID 0 does restriction occur.
Benefits:
• Further restricts who can assign authorization for UID(0).
• Address compliance requirements
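The decision rules on this slide are easy to get subtly wrong (the check must fire only when the command would grant UID(0), not when it removes or replaces it). The following Python model of that logic is an added illustration, not CA Top Secret code: the simplified TSS ADD/REPLACE command syntax, the Admin record and the in-memory ACID table are assumptions; the resource name TSSCMD.ADMIN.UID0, the MSCA exemption and the grant-only rule are taken from the slide.

```python
"""Model of the r16 UID(0) assignment restriction described on the slide.

Added illustration only, not CA Top Secret code. The command regex, the
Admin record and the in-memory ACID table are simplified assumptions;
the resource name TSSCMD.ADMIN.UID0 and the decision rules come from the
slide.
"""
import re
from dataclasses import dataclass, field

UID0_RESOURCE = "TSSCMD.ADMIN.UID0"  # CASECAUT resource named on the slide


@dataclass
class Admin:
    name: str
    is_msca: bool = False            # the MSCA is exempt from the check
    acid_maintain: bool = False      # ACID(MAINTAIN) authority
    casecaut: set = field(default_factory=set)  # permitted CASECAUT resources


# Constructed sample ACID table: ACID name -> current OMVS UID (None = none)
ACIDS = {"APPUSR1": None, "ROOTISH": 0, "DEVUSR2": 5001}

# Simplified "TSS ADD(acid) ... UID(n)" / "TSS REPLACE(acid) ... UID(n)" syntax (assumption)
_CMD_RE = re.compile(r"^\s*TSS\s+(ADD|REPLACE)\((\w+)\)", re.IGNORECASE)
_UID_RE = re.compile(r"\bUID\(\s*(\d+)\s*\)", re.IGNORECASE)


def requested_uid(command: str):
    """UID value named in the command string, or None if there is no UID() keyword."""
    m = _UID_RE.search(command)
    return int(m.group(1)) if m else None


def check_uid0_assignment(admin: Admin, command: str, acids: dict = ACIDS) -> tuple:
    """Return (allowed, reason) for one command string issued by admin.

    Only the UID(0) rule is modelled; ordinary TSS authority checking is
    assumed to have already required ACID(MAINTAIN) for ADD/REPLACE.
    """
    m = _CMD_RE.match(command)
    if not m:
        return True, "not a TSS ADD/REPLACE command; UID(0) rule does not apply"
    target = m.group(2).upper()
    if requested_uid(command) != 0:
        # Removing UID(0) or replacing it with a non-zero value is unrestricted
        return True, "command does not assign UID(0); no restriction"
    if acids.get(target) == 0:
        return True, f"{target} already has UID(0); intent is not to grant it"
    # From here on the intent is to GIVE the ACID UID(0)
    if admin.is_msca:
        return True, "MSCA is exempt from the UID(0) restriction"
    if not admin.acid_maintain:
        return False, "denied: ACID(MAINTAIN) authority required for ADD/REPLACE"
    if UID0_RESOURCE in admin.casecaut:
        return True, f"permitted by CASECAUT({UID0_RESOURCE})"
    return False, f"denied: CASECAUT({UID0_RESOURCE}) authority required to assign UID(0)"


if __name__ == "__main__":
    ops = Admin("OPSADM", acid_maintain=True)
    sec = Admin("SECADM", acid_maintain=True, casecaut={UID0_RESOURCE})
    for who, cmd in [(ops, "TSS ADD(APPUSR1) UID(0)"),
                     (sec, "TSS ADD(APPUSR1) UID(0)"),
                     (ops, "TSS REPLACE(ROOTISH) UID(5002)")]:
        print(who.name, cmd, "->", check_uid0_assignment(who, cmd))
```

The point to notice when reviewing such a rule is the ordering: the "already has UID(0)" and "non-zero UID" tests come before the authority lookup, so an administrator without the CASECAUT permission can still strip UID(0) from an account, which is the direction a clean-up wants to be easy.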
CA Top Secret r16 Enhancement Details
AES 256-Bit Password Encryption
• CA Top Secret currently supports 128-bit AES encryption for passwords and phrases. It requires a 16 byte encryption key and can be done via software or hardware. IBM has provided 256-bit AES encryption for RACF passwords/phrases in z/OS 2.1. This enhancement will provide the same for TSS.
Benefits:
• Adds advanced password encryption algorithm which addresses current corporate as well as government compliance requirements.
CA Top Secret r16 Enhancement Details
Increased User & Profile Record Size (ACID) to 1024K
• You can now assign a maximum value of 1024 using the MAXACIDSIZE Control Option parameter.
Benefits:
• Reduce complexity and cost to maintain security related updates.
• Help to reduce security administration complexity for sites running with:
  • AUTH(OVERRIDE,ALLOVER)
  • Eliminate/delay need to add new Profiles
  • Allow for profile consolidation where possible
Role based security improved
• Reduce the number of profiles required to build role based security profiles.
CA Top Secret r16 Enhancement Details
Option to Disable CICS Bypass Processing
• CA Top Secret CICS Facility suboption: (BYPLIST=NO|YES|AUDIT)
  • BYPLIST=NO Disables bypass list by facility
  • BYPLIST=YES Enables bypass list by facility – this is the default
  • BYPLIST=AUDIT Works similar to the Tracking TRANID Bypassed Transactions Used feature without the need to add +A to transactions in the TRANID bypass list.
Benefits:
• Option to enforce defined security authorizations, eliminating use of the BYPASS list.
Improve WHOHAS UID(0) Reporting
• Prevents false positives from UID persistence after ACID deletion
CA Top Secret r16 enhancement details – Status: Planned
Execute TSSCFILE against the Top Secret Backup File
• Leverage the TSS Backup file for TSSCFILE execution
Benefits:
• Eliminates the overhead of executing TSSCFILE against the live (Primary) CA Top Secret security file.
• Removes inadvertent performance impact when TSSCFILE is run during busy workloads.
• Expand TSSCFILE execution window to include prime time processing periods.
• Establishes a point in time snapshot:
  • Eliminates output anomalies caused by Top Secret commands processed during TSSCFILE execution.
CA Top Secret r16 enhancement details – Status: Planned
Enhance USS administration when adding DFLTGRP
• Cross check to verify that the GROUP name used in the DFLTGRP field:
  • Is an existing valid GROUP
  • that is assigned to the target ACID's GROUP list.
  • Has a GID assigned to it.
Benefits:
• Ease of administration.
• Ensures valid usable Unix Systems Services (O/E) credentials are set.
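The three conditions above are the same referential checks any USS credential validator needs, and it helps to see them reported together rather than as the first failure only. The following Python function is an added illustration, not CA Top Secret code: the in-memory GROUP and ACID tables and the function name are constructed for the example; the three rules come from the slide.

```python
"""Model of the planned r16 DFLTGRP cross-check described on the slide.

Added illustration, not CA Top Secret code: the GROUP and ACID tables and
the function name are constructed. The three rules (GROUP exists, GROUP is
on the target ACID's GROUP list, GROUP has a GID) are from the slide.
"""

# Constructed sample GROUP table: group name -> its GID (None = no GID assigned)
GROUPS = {"OMVSGRP": {"gid": 500}, "NOGIDGRP": {"gid": None}, "OTHERGRP": {"gid": 501}}

# Constructed sample ACID table: ACID name -> the GROUPs on its GROUP list
ACID_GROUPS = {"USER01": ["OMVSGRP", "NOGIDGRP"], "USER02": []}


def validate_dfltgrp(acid: str, dfltgrp: str, acids=ACID_GROUPS, groups=GROUPS) -> list:
    """Return every problem with using dfltgrp as acid's DFLTGRP; [] means usable."""
    problems = []
    acid = acid.upper()
    dfltgrp = dfltgrp.upper()

    grp = groups.get(dfltgrp)
    if grp is None:
        # Nothing else can be checked against a GROUP that does not exist
        return [f"{dfltgrp}: not an existing GROUP"]

    group_list = acids.get(acid)
    if group_list is None:
        problems.append(f"{acid}: target ACID does not exist")
    elif dfltgrp not in group_list:
        problems.append(f"{dfltgrp}: not on {acid}'s GROUP list")

    if grp["gid"] is None:
        problems.append(f"{dfltgrp}: GROUP has no GID assigned")

    return problems


if __name__ == "__main__":
    for acid, grp in [("USER01", "OMVSGRP"), ("USER01", "NOGIDGRP"),
                      ("USER02", "OTHERGRP"), ("USER01", "BOGUS")]:
        print(acid, grp, "->", validate_dfltgrp(acid, grp) or "OK")
```

Reporting all failures at once matters because a DFLTGRP that is on the ACID's list but has no GID produces an OMVS segment that looks complete in a listing yet cannot be used to sign on to USS, which is exactly the "valid usable credentials" benefit the slide calls out.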
CA ACF2 r15 Post GA Enhancements
Role Based Security Refinements:
• Enhanced Model and Archive commands
• Role records now included
• Builds ACF commands to generate a modeled user
• Builds ACF commands to re-add an Archived user to role records
• Clean-up X-ROL Role records when a user account is deleted
• Role Include/Exclude fields updated for non-masked values
• Incorporate Role rule sets in CA ACF ACCESS command
• Prevention of changing Role record type
• X(ROL) records defined as 'role' or 'group' record type
• Role Based API Enhanced (ACF00RBS)
• Improved Resource Utilization.
CA ACF2 r15 Post GA Enhancements
Improved Usability:
• ACF VSAM Reserve Enqueue Name
• Improved CSA Storage Utilization
• x(ROL), x(RGP) and x(SGP) records increase from 4K to 16K
• GSO INFORDIR Expanded
• Additional IMS Enhancements.
• New ACFAESAGE Unload Utility.
• Additional SHOW Command Options.
CA ACF2 r15 Post GA Enhancements
z/OS 2.1 Support:
• BPX.DEFAULT.USER no longer valid.
• Controlling Access to Job Class
• POSIX CHOWN Unrestricted
• Certificate Protection after GENREQ
• Certificate CHAIN Support on CHKCERT
• Symbolic in OMVS Segment
• TYPE ENF71 Notification Event (ENF)
CA ACF2 r16 Enhancement Details
New MSGOPTS GSO Record
• Designates signon messages to be replaced by a generic ACF01125 "Logon Credentials Invalid" message.
Benefits:
• The MSGOPTS record also lets you prevent the unintentional leaking of information (existence of a valid logonid) to malicious users. When using MSGOPTS, you can determine the original cause of the invalid signon by viewing the ACFRPTPW report.
CA ACF2 r16 Enhancement Details
Validate Sub Command
• CA ACF2 V16.0 introduces the new validate subcommand. The subcommand lets you validate the existence of logonids or roles included or excluded in the target X(ROL) role records. The validate subcommand must be issued from within the SET X(ROL) setting of the ACF command.
Benefits:
• Early detection of invalid data entered by administrators.
CA ACF2 r16 Enhancement Details
AES 256-Bit Password Encryption
• CA ACF2 currently supports 128-bit AES encryption for passwords and phrases. It requires a 16 byte encryption key and can be done via software or hardware. With this support CA ACF2 will now have the ability to supply 256-bit AES encryption.
Benefits:
• Adds advanced password encryption algorithm which satisfies a current corporate as well as government compliance requirement.
CA ACF2 r16 Enhancement Details
Increase use of 64-bit CSA Storage for User Records
• The continuation of migrating data out of E/CSA into 64-bit storage. Now rule objects are moved into 64-bit storage.
Benefits:
• Decrease in E/CSA usage and improved REFRESH processing. Initial feedback is a 74%-92% buyback. Results may vary!
CA ACF2 r16 Enhancement Details
Role Support for Logonid Access Report
• ROLE input parameter added
• Single role or role mask can be specified
• Specifying ROLE will create an access report section for each ROLE showing which rule lines grant or prevent access.
Benefits:
• Improved compliance reporting by roles.
CA ACF2 r16 Enhancement Details
New Retire Status for Users
• There is a need to 'retire' a logonid where the logonid value will not be reused, meaning the user loses the ability to logon to/access a system and all privileges are removed. The value of the logonid needs to be retained so it cannot be used again.
Benefits:
• Central Repository to Not Allow the Re-Use of IDs.
• IRS Pub 1075 Requirement
CA ACF2 & Top Secret r16 Enhancement Benefits
• Sourced through the last week of the Beta!
• Get current and level set on maintenance as you roll out the new release
  All existing CA Top Secret r15 corrective solutions incorporated into the r16 release.
• Majority of the CA ACF2 & CA Top Secret r15 & r16 features generated from customer requests
• Many tied to compliance requirement needs (breach protection)
  45 (and counting) new features available
• Get LPARs staged and ready to IPL and exploit newly introduced zSeries related security features. Staged for future zSeries releases
  IBM z13 hardware certified
  Common Criteria certified
Recap
CA ACF2 & Top Secret r16 GA Enhancements
• Vast majority of updates originated from customer enhancement requests.
• Many of the enhancements provided to address site specific and/or federally regulated compliance requirements.
How to get these enhancements?
• Upgrade to CA ACF2 or CA Top Secret r16
• All enhancements discussed in this session are included in the CA ACF2 & Top Secret r16 base installs.
• No additional maintenance required.
• Fully regression tested.
• Staged for the next new release of z/OS.
Summary: A few words to review
Remember: You are only as secure as your least secure vendor (none are too small to consider)
Implementing a second layer of authentication can protect you from things occurring outside of your network
Do:
• Be aware of recent breaches and ensure you raise the bar for attackers
• Provide users with flexibility and an easy way to do the right thing
Don't:
• Be convinced that you are secure because your infrastructure has advanced monitoring and protection
• Cripple the business with cumbersome processes; they will find a way to circumvent them
How do I deliver a flawless experience every time an application touches the mainframe?
In the application economy it's all about your customers. You need to think about your mainframe reframed.
Connect mobile-to-mainframe applications
Create mainframe infrastructure flexibility for the future
Unleash the power of data on the mainframe
Recommended Sessions
SESSION# | TITLE | DATE/TIME | LOCATION
Mainframe Theater | Castle Walls Under Digital Siege: Risk-based Security | 11/18 – 1:00pm | Mainframe Theater
MFX25S | Locating Unmanaged but Regulated Data on System z | 11/18 – 3:00pm | Breakers I
Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm | Mainframe Theater
Tech Talk | Isn't one authentication mechanism on zSystems™ enough? | 11/18 – 4:30pm | Mainframe Content Center
Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm | Mainframe Content Center
MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm | Breakers I
MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm | Breakers I
Follow Conversations in the Mainframe Content Center
CA Data Content Discovery, CA ACF2™ for z/OS, CA Top Secret® for z/OS, CA Cleanup, CA Auditor
Advanced Authentication – Nov 18th @ 4:30pm
The Known Unknown – Nov 19th @ 12:15pm
DEMOS
SMART BAR
TECH TALKS
Identify and Control Security Risk
Discover regulated data on zSystems™ and maintain a secure infrastructure