This document discusses how Micro Focus products can help improve security for systems that access mainframes. It describes how Micro Focus Management and Security Server (MSS) can centrally manage user authentication using technologies like smart cards and biometrics. The MSS Security Proxy Server only allows authenticated connections, protecting mainframes. The document also explains how Micro Focus terminal emulation can mask sensitive fields, disable copying of fields, and re-authenticate users at different points. It provides an example of how MSS was used to securely provide travel agents access to an airline's mainframe without needing a thick client. Overall, the document summarizes how Micro Focus can help modernize mainframe security practices.
8. What if you could…
• Stop the user having to enter a user name / password
• Allow multi-factor authentication
  • Something you have
  • Something you are
  • Something you know
• Use your Active Directory / eDirectory to store…
  • Users' passwords
  • Biometric information such as fingerprints
  • Smart card details
• Bring the login screen in line with modern security standards
• Protect sys admin logins
9. Well you can…
• Micro Focus Advanced Authentication Framework
• Link with Reflection Desktop / Rumba terminal emulation
• Choice of smart cards and/or biometrics such as fingerprint recognition
10. What if you could…
• Centrally manage the sign on to the mainframe
• Use a RACF one-time token in place of a password
• No need for user to enter or remember a password
• User doesn’t get prompted for user/password
• User need never know their password
11. Well you can…
Automated Sign-On with Management and Security Server
1. The terminal emulator launches a host session and requests user credentials for the host application from Automated Sign-On.
2. Automated Sign-On requests a one-time-use PassTicket from RACF (via the IBM z/OS Digital Certificate Access Server).
3. The terminal emulator uses the one-time-use PassTicket credential to automatically log the user on to the host application.
12. With Micro Focus…
• Access to the mainframe
  • No longer reliant on the historic 8-character password
  • Now tied to the corporate Active Directory / eDirectory credentials
  • Access to the mainframe can be revoked through group membership in Active Directory / eDirectory
• Mainframe access becomes security compliant
• Protect sys admin access
• You can automatically provision users along with permissions on host systems
14. Not Everything has Changed
• Particular networks
• All workstations
• Any terminal emulator
• No restrictions on who
15. What if you could…
• Control who can access the mainframe
• Only allow authorised terminal emulators to be used
• Access control through Active Directory / eDirectory
• Role-Based Access Control (RBAC)
• Centrally managed
• Make the firewall rules simple for mainframe
16. Well you can…
[Architecture diagram, Micro Focus Management and Security Server: client workstation; Telnet, FTP, INT-1, T27, ALC over SSL/TLS; SSL/TLS to the MSS Security Proxy; MSS Server; LDAP Directory; HTTPS; content inspection (Intrusion Detection System, etc.); Host.]
Access control in middle tier:
• A layer of security in front of your hosts
• Without touching the hosts
• Using read-only access to the LDAP Directory
17. With Micro Focus…
• A connection to the host can only be performed if you have been pre-authenticated
• Access to the host based upon AD/eDirectory membership
• Host can be protected by a firewall / simplified firewall rules
• Only allow connections originating from the Micro Focus Security Proxy Server
19. User Case Study – Airline Industry
• Problem
  • Need to give travel agents access to their mainframe
  • A traditional thick client was heavy on management
  • Don’t own or manage the desktop
  • Had to use a VPN to tunnel traffic, which further complicated the set-up
  • New travel agents opening all the time and also some closing
  • Spread throughout the world
20. User Case Study – An Airline
• Solution
  • Management and Security Server
    • Strong authentication
  • Security Proxy Server
    • Only authenticated clients could connect to the mainframe
  • Thin client emulation
    • Readily configured sessions deployed to the desktop using Java Applets
    • Changes automatically deployed on next connection
21. User Case Study – An Airline
• Benefits
  • Mainframe protected from unauthorised access
  • Deployment as easy as providing a URL and adding the user to the LDAP database
  • Decommissioning as easy as removing the user from the LDAP database
  • Easy centralised management
  • Small client footprint on desktop
  • Very little management of agents required by the airline's help desk
22. Airline Solution Graphic
[Diagram: Travel Agent Desktop; airline's traffic over SSL/TLS to the MSS Security Proxy; MSS Server with LDAP Directory (HTTPS); "Authenticated by MSS Server"; secure token passed; content inspection (Intrusion Detection System, etc.); Airline's Host. Caption: No direct access to mainframe. Only allowed through Security Proxy Server if authenticated by MSS Server.]
24. Not Everything has Changed
• Credit card number remains on screen after typing
• No additional access authentication required to view credit card number
• Terminal emulator only displays what the host sends it
25. What if you could…
• Mask credit card numbers or any other sensitive field
• Without changes to the host application
• Stop copy to clipboard from working for certain fields
• Redact information once typed, e.g. after entry of a credit card number
26. Well you can…
Micro Focus Terminal Emulation
• Fields can be displayed masked with asterisks
• After typing a credit card number it can be redacted
• Copy to clipboard can be disabled for certain fields
27. With Micro Focus…
• Sensitive information is only displayed to those who really need access to it
• Typed information is left on the screen only until the last character is typed, then it is redacted
• Helps with PCI DSS
• Stop users from using the terminal emulation trace facility by locking the terminal emulator down
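As an added example (not code from the deck or from Micro Focus), the Python sketch below models the three emulator-side controls on slides 25 to 27 for a credit card field: asterisk masking of a host-sent value, redaction as soon as the final character is typed, and a disabled clipboard copy. The ScreenField class, the pan_field profile and the choice to leave the last four digits readable (the PCI DSS display allowance) are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class ScreenField:
    """One field of an emulated host screen with display-side protections.

    Hypothetical class for this example; the product exposes these as
    emulator configuration, not as this API."""
    name: str
    length: int
    mask_on_display: bool = False     # host-sent value rendered as asterisks
    visible_tail: int = 0             # trailing characters left readable when masked
    redact_after_entry: bool = False  # typed value wiped once the field is full
    allow_copy: bool = True           # clipboard copy permitted
    buffer: str = ""                  # what is sent to the host (never masked)

    def display(self, host_value: str) -> str:
        """Render a value received from the host, masked if configured."""
        if not self.mask_on_display:
            return host_value
        hidden = max(len(host_value) - self.visible_tail, 0)
        return "*" * hidden + host_value[hidden:]

    def type_char(self, ch: str) -> str:
        """Accept one keystroke and return the field as the user now sees it.

        Input stays visible while typing so the user can check it; once the
        last position is filled the display is redacted, while the buffer
        still holds the real value for transmission to the host."""
        if len(self.buffer) >= self.length:
            raise ValueError(f"{self.name}: field is full")
        self.buffer += ch
        if len(self.buffer) == self.length and self.redact_after_entry:
            return "*" * self.length
        return self.buffer.ljust(self.length, "_")

    def copy_to_clipboard(self) -> str:
        """Emulate a clipboard copy; refused for protected fields."""
        if not self.allow_copy:
            raise PermissionError(f"{self.name}: clipboard copy disabled")
        return self.buffer


def pan_field(length: int = 16) -> ScreenField:
    """Constructed profile for a card number (PAN): masked to the last four
    digits when sent by the host, redacted when typed, no clipboard copy."""
    return ScreenField("pan", length, mask_on_display=True, visible_tail=4,
                       redact_after_entry=True, allow_copy=False)
```

An unprotected field such as ScreenField("name", 8) renders and copies its value unchanged, which is the contrast the slides draw with fields that hold cardholder data.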
29. Not Everything has Changed
• Authenticated once
• Application security controlled by application
• Non-repudiation
• No re-authentication for certain tasks
30. What if you could…
• Replace the normal sign-on with a stronger method of authentication and enable single sign-on?
• Prompt a user at any point during any type of transaction to re-authenticate?
• Re-authentication could have context like:
  • Financial value or transaction type?
  • Time since last authentication?
• Write before-and-after values of any transaction to a non-repudiation system which could be used to report on activity?
• With NO changes to any code on the legacy system?
31. Well you can…
• Micro Focus Advanced Authentication Framework
• Link with Reflection Desktop / Rumba terminal emulation
• Choice of smart cards and/or biometrics such as fingerprint recognition
33. With Management and Security Server (MSS) and Advanced Authentication you can...
• Create an enforceable access control layer between your employees and your legacy systems.
• Leverage your enterprise directory to authorise users to host sessions.
• Utilise strong authentication technology to confirm user identity.
• Make use of multi-factor authentication.
• Invoke authentication and authorisation at any stage during a session or function on a legacy application, with full audit reporting.
• Centrally administer access to terminal host sessions and macros.
34. Reflection / Rumba and Advanced Authentication Framework
[Diagram: User; Reflection / Rumba; AAF; RTE; VBA; Credentials (MFA, mix & match); Directory (eDIR, AD, LDAP, RACF). Authentication points: RACF/Top Secret authentication; secondary application authentication; sensitive enquiry authentication; sensitive transaction authentication; time-based authentication.]
35. With Micro Focus…
• Insecure user/password host logon a thing of the past
• Multiple re-authentication points can be utilised
• Multi-factor authentication
• Tied into AD / eDirectory security groups
• Role-Based Access Control can be applied
• Permissions can be easily revoked
• Central management of terminal emulation and access
40. Well you can with Micro Focus…
[Diagram: host terminal types (IBM 3270, IBM 5250, VT/UNIX, HP700/92) connected through Micro Focus to the Business Application.]
• Well-featured design-time environment
• Wraps host application logic with an SOA interface
• Non-invasive ‘off host’ architecture
• No change to host applications
• Leverage existing business rules
• Real-time integration
• Acts as a ‘data firewall’, securing and guaranteeing the integrity of the application
• Robust, scalable and secure
• Rejuvenation options available
41. Terminal Emulation (1 of 3: Terminal Emulation, Enhanced Emulation, Custom Web Services / Custom Mobile Apps)
Full Terminal Support, Zero Footprint, No Map
• Screen re-presented as HTML or HTML5
• One to one with host screen
• Can be accessed on desktop to mobile devices
• Provides a secure method of accessing the host remotely
• No direct access to host from client
42. Enhanced Emulation (2 of 3: Terminal Emulation, Enhanced Emulation, Custom Web Services / Custom Mobile Apps)
Custom Forms, Server-Side Macros, Managed
• Automation of host application
• Still have access to host screen
• Secure connection
• Scalable
• No direct access to host from client
43. Custom Web Services / Custom Mobile Apps (3 of 3: Terminal Emulation, Enhanced Emulation, Custom Web Services / Custom Mobile Apps)
Fully Customized UI, SOA Capable, Transform
• User sees no host screens
• Complete web front-end
• Fields can be hidden from user
• No direct access to host from client
• Secure and scalable
44. With Micro Focus…
• Host systems can easily become web service enabled
• Providing a secure method of integrating
• Hide fields from developers
• Platform for rejuvenation
• Integration with other systems
• Mobile device access as well as desktop
• Secure and scalable solution
46. Not Everything has Changed
• Macros managed by users
• Development against production system
• Sharing of macros
• Ownership / support
• Change control
47. What if you could…
• Prevent users from creating macros
• Prevent users from viewing macros
• If macros are not required, prevent them from running at all
• Control the distribution of macros
• Make macros part of a secure development life cycle
• Ensure macros are part of change control
48. Well you can…
Management and Security Server
• Distribute macros
• Control access to terminal emulation
Reflection / Rumba Terminal Emulation
• Lock down emulation
• Prevent macros being run from untrusted locations
• Prevent macros from being created
• Lock down API
49. With Micro Focus…
• Macros can be managed
• Terminal emulation locked down
• Macros become known and managed by IT
• Secures the mainframe from abuse by macros
51. General Security
• Crypto modules FIPS 140-2 validated
  • Used by US DoD
• TLS 1.2 fully supported
• Secure development life cycle (SDLC)
  • Security given prominence throughout development of products
  • Intensive security testing of products
53. General Security
• Advanced Authentication Framework
  • Enhance the authentication process
  • Multi-factor authentication
  • Multiple points of authentication
  • Allow automated provisioning of mainframe users and permissions
54. General Security
• Manage access to mainframe
• Management and Security Server
• Security Proxy Server
• Can’t connect unless authenticated
• Redaction of sensitive information
• Secure integration of mainframe information
• Macros can be managed