Vanguard Introduction to ez/Token Tokenless Authentication
06/11/18 1
Vanguard Introduction to ez/Token Tokenless Authentication
Stuart Walton, Professional Services Consultant
Regulations and Compliance
Sarbanes-Oxley Act
Payment Card Industry Data Security Standard
Health Insurance Portability & Accountability Act
Federal Financial Institutions Examination Council
National Institute of Standards and Technology
Regulations and Compliance
Payment Card Industry Data Security Standard
Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
Note: Two-factor authentication requires that two of the three authentication methods (something you know, something you have, something you are) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
Regulations and Compliance
Federal Financial Institutions Examination Council
Financial institutions offering internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. Furthermore, the FFIEC considers single-factor authentication (as the only control mechanism) to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
What is Multi-Factor Authentication?
• Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication, drawn from at least two of the following:
- Knowledge Factors
- Possession Factors
- Inherence Factors
Knowledge Factors
• Something the user knows
- Password
- PIN Number
- Mother’s Maiden Name
- Favorite Crisp
Possession Factors
• Something the user has
- Credit Card / ATM Card
- Tokens (one time password)
- Smart Phone
- PIV / Smart Card
Inherence Factors
• Something the user is
- Fingerprint
- Voice
- Iris
- Facial Recognition
What is the Goal?
• Create a layered defense and make it more difficult or impossible for unauthorized people to access:
- Physical locations
- Computer devices
- Networks
- Databases
• If one target is compromised or broken, the attacker still has to get through at least one more barrier before accessing his or her target
• This means not only do you need a front door, but you also need a home security system
5 Reasons to Consider Multi-Factor
• Company resources
• People tend to be lazy
• Employees are being targeted directly
• New authentication methods
• Regulatory compliance
Some Disadvantages
• Knowledge Factors
- You are not the sole protector: passwords are shared with every secure site you visit
- Challenge questions are easily guessed or found (what city were you born in?)
- If the password database is compromised or captured, the passwords will fall
- Does not prove who you are
Some Disadvantages
• Inherence Factors
- Facial recognition may fail in poor lighting
- A picture of the owner may be accepted as the owner
- A recording of the owner's voice may be accepted by voice recognition
- Retinal or fingerprint scans are not practical everywhere
The Good News
• Possession Factors
- Loss of ATM card: it cannot work without the PIN
- Loss of PIV / smart card: can carry expiration dates and can be cancelled
- PIN reset: the number of invalid PIN tries can be set
- Token or tokenless: generates a one-time, one-use passcode; cryptographically generated passcodes expire within a specified time period
ez/Token
• Authenticates through RSA SecurID, SafeSign, Fortress, ActivIdentity, OATH HOTP/TOTP (such as Google Authenticator), YubiKey or native RACF
• Authenticates to a zSeries server or any other application currently using RACF authentication
• Provides a more secure alternative to the usual RACF User ID/password combination
• Users substitute a one-time passcode in place of a password
• A new passcode is generated every 60 seconds
• Can be combined with a PIN
Key Features
• Supports requiring users with elevated privileges to supply two factors during the authentication process
• Lets security administrators decide which users will or will not require a PIN along with the token code
• Eliminates the need for users to remember passwords
• Requires no changes to the logon screens
• RACF User IDs can be mapped to distributed User IDs
• Supports New PIN and Next Token code functions through a Web Interface
ez/Token Process Flow
[Diagram: 3270 session, VIPMAIN on z/OS (ICHRIX01 exit and the IAMEZTSV started task), RACF, Vanguard Token Agent on Windows, RSA Server; steps numbered 1 to 7 as below]
1. The user starts a 3270 terminal session or another ez/Token-enabled application such as CICS, and enters the appropriate RACF User ID and RSA authentication. This is either a passcode, a tokencode, or a PIN/token combination, depending on the RSA requirements.
2. Vanguard's VIPMAIN has to be started on the host for this process to work. The z/OS ICHRIX01 exit delivers control to Vanguard's ICHRIX01 process (IAMEZTSV).
3. The IAMEZTSV started task on z/OS determines whether the user is required to use RSA. If the user is not required to use RSA, control is passed to RACF for normal processing.
4. If the user is required to use RSA, IAMEZTSV connects to the Vanguard ez/Token Agent host on the Windows server.
5. Vanguard's ez/Token Agent host contacts the RSA server.
6. The RSA server determines whether the user's authentication attempt succeeds.
7. The result is communicated back to z/OS, either permitting or denying the logon attempt.
Vanguard Tokenless Authentication
• Most cost-effective and convenient way to implement
- No need to deploy and manage expensive physical token devices
- No need to manage token distribution
- No additional third-party software needed
• Generates a one-time, one-use password to a virtual token, such as the user's smart phone, each time sign-on is attempted
• Cryptographically generated passcodes expire within a short specified time period
Vanguard Tokenless Authentication
[Diagram: User, Mainframe, Server, Cell Phone; the four steps below]
1. When a user logs on at the application level, Tokenless Authentication (VTA) validates the user name and password at login.
2. It then generates and sends an 8-character, one-time-use, time-sensitive passcode to the user's cell phone.
3. The user enters the passcode at the second level of authentication.
4. Once the passcode is validated by Tokenless Authentication, the user gains access to the application.
Vanguard Tokenless Administration
Simple web-based administration interface:
- Set up users to use Vanguard Tokenless Authentication
- Change tokenless type (password + token, or token only)
- Change delivery address (cell phone / e-mail)
Tokenless Authentication – Use (Email/SMS)
• Enter User ID
• Enter password
• Receive e-mail/SMS
• Enter tokenless code
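The tokenless flow above (validate the first factor, send an 8-character one-time passcode out of band, accept it once at the second level before it expires) and the invalid-try limit mentioned under possession factors together define a small server-side lifecycle. The block below is an added example written for this page, not Vanguard's implementation: it generates the code with a CSPRNG, keeps only a hash of it with an expiry and an attempt counter, and rejects anything expired, reused, or presented after too many failures. The expiry (120 seconds) and attempt cap (3) are assumed values, since the deck only says these are "short" and configurable; the SMS/e-mail gateway is represented by a callback, and the `outbox` list in the demo is a constructed stand-in for it.

```python
"""Out-of-band one-time passcode lifecycle: issue, deliver, accept once before expiry, cap failures.
Added example for this page; not Vanguard Tokenless Authentication code."""
import hashlib
import hmac
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols, easy to read off a phone
CODE_LENGTH = 8            # the 8-character passcode described in the deck
CODE_TTL_SECONDS = 120     # assumed expiry; the deck only says "a short specified time period"
MAX_ATTEMPTS = 3           # assumed invalid-try limit; the deck says this is configurable


class PasscodeStore:
    """One pending passcode per user. `deliver(address, code)` stands in for the SMS/e-mail gateway."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._pending = {}           # user -> {"digest": bytes, "expires": float, "attempts": int}

    def issue(self, user: str, address: str) -> None:
        """Generate and send a fresh code; only its hash is retained server-side."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[user] = {      # re-issuing replaces any earlier unconsumed code
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._deliver(address, code)

    def verify(self, user: str, code: str) -> bool:
        """Second-level check: expired, reused and over-tried codes are all rejected."""
        entry = self._pending.get(user)
        if entry is None:
            return False                     # nothing issued, or already consumed / invalidated
        if self._clock() > entry["expires"]:
            del self._pending[user]          # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        presented = hashlib.sha256(code.strip().upper().encode()).digest()
        ok = hmac.compare_digest(presented, entry["digest"])
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]          # single use on success; invalidate on too many failures
        return ok

    def has_pending(self, user: str) -> bool:
        return user in self._pending


if __name__ == "__main__":
    outbox = []                              # constructed stand-in for the SMS/e-mail gateway
    store = PasscodeStore(lambda address, code: outbox.append((address, code)))
    store.issue("alice", "+1-555-0100")      # constructed sample user and number
    _, code = outbox[-1]
    print("delivered code :", code)
    print("wrong code     :", store.verify("alice", "########"))   # False
    print("correct code   :", store.verify("alice", code))         # True
    print("replayed code  :", store.verify("alice", code))         # False, already consumed
```

Hashing the stored code limits what a leaked table reveals, but with a 36^8 space the short expiry and the attempt cap are the controls that actually matter; the cap also closes the online-guessing path that an unlimited second prompt would leave open.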
At the Very Least
• Anyone in the organization that has the ability to create, edit or exfiltrate critical data should be required to use Multi-Factor Authentication to access those critical resources