CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection

CA ACF2 and CA Top Secret Part 2: r16
is Here - More Capabilities to Better
Your Enterprise Protection and Improve
Breach Protection
Paul Rauchet – Director, Software Engineering
John Pinkowski – Senior Principal Product Manager
Mainframe
CA Technologies
MFX11E

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015
is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to
customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or
obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii)
amend any product documentation or specifications for any CA software product. This presentation is based on current informationand resource
allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing
of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this
presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be
made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The
information in this presentation is not deemed to be incorporated into any contract.
CA does not provide legal advice. Neither this presentation nor any CA software product referenced herein shall serve as a substitute for your
compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement,
administrative order, executive order, etc. (collectively, “Laws”)) referenced in this presentation. You should consult with competent legal counsel
regarding any Laws referenced herein.

Abstract
CA ACF2™ and CA Top Secret® r16 are here!
This session will cover the new r16 features
added to help ease administration, and to help
simplify compliance and audit tasks.
Paul Rauchet –
Sr. Director,
Engineering
John Pinkowski –
Product Owner
CA ACF2™ and CA Top
Secret® Part 2

Agenda
ENHANCEMENT SELECTION PROCESS1
2
3
4
CA ACF2 & TOP SECRET R15 POST GA RECAP
CA TOP SECRET R16 SPECIFIC ENHANCEMENTS
CA ACF2 R16 SPECIFIC ENHANCEMENTS
WHY THE R16’S NEED TO BE ON YOUR RADAR
FINAL QUESTIONS/RACAP
2
3
4
5
6

40 Trillion mobile
transactions
per day by 2025
The Mainframe Supports the Customer Experience
SOURCES: IBM, Gartner, Aberdeen Research, Enterprise Systems Media
Increasing Mobile
Apps & Devices
2/3 transactions
self-serve by 2017
25% of users abandon
an app after a
3 second delay
71% of corporate
data sits on
mainframe systems
Rising
Customer Expectations
Data for
Analytics & Apps

CA Top Secret & ACF2 r15 Release Updates
We delivered innovation….
With your ideas and help…
Wouldn’t it
be nice if…
36 different customer sites participated…
2 ½ times the r15 Beta programs!!!

Old DAR System?
None of that stuff!!!
x

CA ACF2 & Top Secret r16 – “Ideas” Release
§ Stored in CA Communities site.
§ Viewable by all customers.
§ Forum all customers can leverage to easily and
anonymously discuss enhancements with CA
as well as other CA security customers.
§ CA reviews all entries submitted and updates
with current review status.
§ Customer voting/input heavily weighted
in fulfillment decision.

CA Mainframe Security Community Ideas (as of 10/17/15)

ACF2/TSS r16s – 100% Agile Born and Bred
§ Majority enhancements completed using:
§ “Ideas” born on CA Communities site
§ Agile sprints
§ Engaged with multiple customers to:
§ Shape the feature
§ Gain agreed Consensus
TSS ACF2
Time to dive in
and take a peak
at the GA r16
enhancements!

CA Top Secret r15 Post GA Enhancements
Mirror Feature. Creates a mirror of the security file for immediate restart in case of file device/channel failure.
Enforce security administrators to follow NEWPW rules when issuing password related Top Secret commands.
JES2/JES3 shutdown/restart improvements.
Performance improvements as a result of reduced storage obtains.
Enhanced restricted password list.
Expansion of COMPARE command to include other ACID types.
Refinement of WHOHAS command.
All TSS MODIFY commands checked as CASECAUT resources.
FACILITY tracking added to CA Cleanup interface.
Utility improvements to TSSUTIL, LDAP, TSSAUDIT, TSSSIM.
CHKCERT and Certificate Utility display Public/Private key size and type.
ECC keys can be stored and retrieved for ICSF.
Eliminate need for superuser privilege for user mount and unmounts.

CA Top Secret r16 GA Enhancements
Store the FACILITY definitions on the security file. The Facility definitions are no long stored in the TSS PARMS file.
Restrict who can assign UID(0) to an user using the CASECAUT authorization.
Support AES(256) for password storage on the security file.
Increase all ACID types to record size 1024K
Option to disable the CA Top Secret TRANID Bypass list.
Allow the TSSCFILE utility to be run against the Backup Security file (Planned).
Enhance the add DFLTGRP command to enforce group name is valid and complete (Planned).
Release validated on z13 processor.
z/OS 2.2 exploitation support.
Release Common Criteria certified.

CA Top Secret r16 Enhancement Details
Store FACILITY Parameters
On Security File
•TSS Control option: FACSTOR(YES|NO)
•Store facility matrix entries on the security
file (instead of the parameter file).
•When you specify FACSTOR(YES):
•Entries are hardened to the security file
after the product is restarted.
•Any changes to the entries are:
•automatically stored on the security
file
•logged to the recovery file.
Benefits:
•Facility definitions protected from view
(no longer in TSS PARMS file).
•Easier to administer and maintain multiple
LPAR complexes.
•Size of the TSS PARMS FILE greatly
reduced.

Restrict UID 0 Assignment To Specific Admins
• MSCA exempt from UID(0) restriction
• Restriction performed via CASECAUT(TSSCMD.ADMIN.UID0) authority
checking, when:
• Admin (all types) has ACID(MAINTAIN) authority
• UID(0) is present within a TSS ADD or REPLACE command string
• If an ACID already has UID 0, no restriction is enforced to remove it, or
replace it with non-zero value.
• Only if the intent is to give an ACID UID 0 does restriction occur.
Benefits:
• Further restricts who can assign authorization for UID(0).
• Address compliance requirements

AES 256-Bit Password Encryption
• CA Top Secret currently supports 128-bit AES encryption for
passwords and phrases. It requires a 16 byte encryption key
and can be done via software or hardware. IBM has provided
256-bit AES encryption for RACF passwords/phrases in z/OS
2.1. This enhancement will provide the same for TSS.
Benefits:
• Adds advanced password encryption algorithm which
addresses current corporate as well as government
compliance requirements.

Increased User & Profile Record Size (ACID) to 1024K
• You can now assign a maximum value of 1024 using the MAXACIDSIZE Control Option
parameter.
Benefits:
• Reduce complexity and cost to maintain security related updates.
• Help to reduce security administration complexity for sites running with:
• AUTH(OVERRIDE,ALLOVER)
• Eliminate/delay need to add new Profiles
• Allow for profile consolidation where possible
Role based security improved
• Reduce the number of profiles required to build role bases security profiles.

Option to Disable CICS Bypass Processing
• CA Top Secret CICS Facility sub option: (BYPLIST=NO|YES|AUDIT)
• BYPLIST=NO Disables bypass list by facility
• BYPLIST=YES Enables bypass list by facility – this is the default
• BYPLIST=AUDIT Works similar to Tracking TRANID Bypassed Transactions Used
feature without the need to add +A to transactions in the TRANID bypass list.
Benefits:
• Option to enforce defined security authorizations eliminating use of the BYPASS list.
Improve WHOHAS UID(0) Reporting
• Prevents false positives from UID persistence after ACID deletion

CA Top Secret r16 enhancement details – Status : Planned
Execute TSSCFILE against the Top Secret Backup File
• Leverage the TSS Backup file for TSSCFILE execution
Benefits:
• Eliminates the overhead of executing TSSCFILE against the live (Primary) CA Top Secret
security file.
• Removes inadvertent performance impact when TSSCFILE is run during busy
workloads.
• Expand TSSCFILE execution window to include prime time processing periods.
• Establishes a point in time snapshot:
• Eliminates output anomalies caused by Top Secret commands processed during
TSSCFILE execution.

CA Top Secret r16 enhancement details – Status : Planned
Enhance USS administration when adding DFLTGRP
• Cross check to verify that the GROUP name used in the DFTLGRP field:
• Is an existing valid GROUP
• that is assigned to target ACID’s GROUP list.
• Has a GID assigned to it.
Benefits:
• Ease of administration.
• Ensures valid usable Unix Systems Services (O/E) credentials are set.

CA ACF2 r15 Post GA Enhancements
Role Based Security Refinements:
• Enhanced Model and Archive commands
• Role records now included
• Builds ACF commands to generate a modeled user
• Builds ACF commands to re-add an Archived user to role records
• Clean-up X-ROL Role records when a user account is deleted
• Role Include/Exclude fields updated for non-masked values
• Incorporate Role rule sets in CA ACF ACCESS command
• Prevention of changing Role record type
• X(ROL) records defined as ‘role’ or ‘group’ record type
• Role Based API Enhanced (ACF00RBS) Improved Resource Utilization.

Improved Usability:
• ACFVSAM Reserve Enqueue Name
• Improved CSA Storage Utilization
• x(ROL), x(RGP) and x(SGP) records increase for 4K to 16K
• GSO INFORDIR Expanded
• Additional IMS Enhancements.
• New ACFAESAGE Unload Utility.
• Additional SHOW Command Options.

z/OS 2.1 Support:
• BPX.DEFAULT.USER no longer valid.
• Controlling Access to JobClass
• POSIX CHOWN Unrestricted
• Certificate Protection after GENREQ
• Certificate CHAIN Support on CHKCERT
• Symbolic in OMVS Segment
• TYPE ENF71 Notification Event (ENF)

New MSGOPTS GSO Record
• Designate signon messages to
be replaced by a generic
(ACF01125 Logon Credentials
Invalid message.
Benefits:
• The MSGOPTS record also lets
you prevent the unintentional
leaking of information
(existence of a valid logonid)
to malicious users. When
using MSGOPTS, you can
determine the original cause
of the invalid signon by
viewing the ACFRPTPW
report.
CA ACF2 r16 Enhancement Details

Validate Sub Command
• CA ACF2 V16.0 introduces the
new validate subcommand. The
subcommand lets you validate
the existence of logonids or
roles included or excluded in
the target X(ROL) role records.
The validate subcommand must
be issued from within the SET
X(ROL) setting of the ACF
command.
Benefits:
• Early detection of invalid data
entered by administrators.

AES 256-Bit Password
Encryption
• CA ACF2 currently supports
128-bit AES encryption for
passwords and phrases. It
requires a 16 byte
encryption key and can be
done via software or
hardware. With this support
CA ACF2 will now have the
ability to supply 256-bit AES
encryption.
Benefits:
• Adds advanced password
encryption algorithm which
satisfies a current corporate
as well as government
compliance requirement.

Increase use of 64-bit
CSA Storage for User
Records
• The continuation of
migrating data out of
e/CSA into 64-Bit
storage. Now rule
objects are moved into
64-bit storage.
Benefits:
• Decrease in e/CSA
usage and improved
REFRESH processing.
Initial feedback is a
74%-92% buy back.
Results may vary!

Role Support for Logonid
Access Report
• ROLE input parameter
added
• Single role or role mask can
be specified
• Specifying ROLE will create
an access report section
for each ROLE showing
which rule lines grant or
prevent access.
Benefits:
• Improved compliance
reporting by roles.

New Retire Status for Users
• There is a need to ‘retire’ a
logonid where the logonid
value will not be reused.
Meaning the user will be
removed of the ability to
logon/access a system and
all privileges are removed.
The value of the logonid
needs to be retained so it
cannot be used again.
Benefits:
• Central Repository to Not
Allowing the Re-Use of ID.
• IRS Pub 1075 Requirement

Why Should CA ACF2 & CA Top Secret R16 Be
on Your Radar?

CA ACF2 & Top Secret r16 Enhancement Benefits
• Sourced through the last week of the Beta!
• Get current and level set on maintenance as you rollout the new release
All existing CA Top Secret r15
corrective solutions incorporated
into the r16 release.
• Majority of the CA ACF2 & CA Top Secret r15 & r16 features generated from
customer requests
• Many tied to compliance requirement needs (breach protection)
45 (and counting) new features
available
• Get LPARs staged and ready to IPL and exploit newly introduced z Series related
security features.
Staged for future z Series releases
IBM z13 hardware certified
Common Criteria certified

Recap
CA ACF2 & Top Secret r16 GA Enhancements
• Vast majority of updates originated from customer enhancement requests.
• Many of the enhancements provided to address site specific and/or federal
regulated compliance requirements.
How to get these enhancements?
• Upgrade to CA ACF2 or CA Top Secret r16
• All enhancements discuss in this session included at the CA ACF2 & Top Secret r16
base installs.
• No additional maintenance required.
• Fully regression tested.
• Staged for the next new release of z/OS.

Summary
A few words to review
Remember
You are only as secure as your
least secure vendor (none are
too small to consider)
Implementing a second layer
of authentication can protect
you from things occurring
outside of your network
Do
Be aware of recent breaches
and ensure you raise the bar
for attackers
Provide users with flexibility
and an easy way to do the right
thing
Don’t
Be convinced that you are
secure because your
infrastructure has advanced
monitoring and protection
Cripple the business with
cumbersome processes they
will find a way to circumvent

Q & A

How do I deliver a flawless experience every
time an application touches the mainframe?
In the application economy it’s all about your customers.
You need to think about your mainframe reframed.
Connect mobile-to-
mainframe applications
Create mainframe
infrastructure flexibility
for the future
Unleash the power of
data on the mainframe

Recommended Sessions
SESSION # TITLE DATE/TIME
Mainframe
Theater
Castle Walls Under Digital Siege: Risk-based Security
11/18 – 1:00pm
Mainframe Theater
MFX25S Locating Unmanaged but Regulated Data on System z
11/18 – 3:00pm
Breakers I
Mainframe
Theater
Panel Discussion: Is Complacency Around Mainframe Security
a Disaster Waiting to Happen?
11/18 – 3:45pm
Mainframe Theater
Tech Talk Isn’t one authentication mechanism on z Systems™ enough?
11/18 – 4:30pm
Mainframe Content Center
Tech Talk
The Known Unknown – Finding lost, abandoned, and hidden
regulated data on the Mainframe
11/19 – 12:15pm
Mainframe Content Center
MFX26S
How to Increase User Accountability by Eliminating the Default
User in Unix System Services
11/19 – 1:00pm
Breakers I
MFX47S
Top 10 things you shout NOT forget when evaluating your
security implementation
11/19 – 2:00pm
Breakers I

Follow Conversations in the Mainframe Content Center
CA Data Content Discovery
CA ACF2 ™ for z/OS
CA Top Secret® for z/OS
CA Cleanup
CA Auditor
Product X
Theater # location
Advanced Authentication –
Nov 18th @ 4:30pm
The Known Unknown -
Nov 19th @ 12:15pm
DEMO
S
SMART BAR
TECH
TALKS
Identify and Control
Security Risk
Discover regulated data on z
Systems™ and maintain a
secure infrastructure

CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection

Similar to CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection (20)

More from CA Technologies

More from CA Technologies (20)

Recently uploaded

Recently uploaded (20)

CA ACF2 and CA Top Secret Part 2: r16 is Here - More Capabilities to Better Your Enterprise Protection and Improve Breach Protection