Vanguard Introduction to ez/Token Tokenless Authentication

Transcript of Vanguard Introduction to ez/Token Tokenless Authentication

06/11/18   1  

Stuart Walton Professional Services Consultant

Vanguard Introduction to ez/Token Tokenless Authentication

Regulations and Compliance

•  Sarbanes-Oxley Act

•  Payment Card Industry Data Security Standard

•  Health Insurance Portability & Accountability Act

•  Federal Financial Institutions Examination Council

•  National Institute of Standards and Technology

Regulations and Compliance

Payment Card Industry Data Security Standard

Requirement 8.3: Incorporate two factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.

Note: Two factor authentication requires that two of the three authentication methods (something you know - something you have - something you are) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two factor authentication.

Regulations and Compliance

Financial institutions offering internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. Furthermore, the FFIEC considers single-factor authentication (as the only control mechanism) to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

Federal Financial Institutions Examination Council

What is Multi-Factor Authentication

•  Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication, drawn from at least two of the following:

-  Knowledge Factors

-  Possession Factors

-  Inherence Factors

Knowledge Factors

•  Something the user knows

-  Password

-  PIN Number

-  Mother’s Maiden Name

-  Favorite Crisp

Possession Factors

•  Something the user has

-  Credit Card / ATM Card

-  Tokens (one time password)

-  Smart Phone

-  PIV / Smart Card

Inherence Factors

•  Something the user is

-  Fingerprint

-  Voice

-  Iris

-  Facial Recognition

What is the Goal

•  Create a layered defense and make it more difficult or impossible for unauthorized people to access

-  Physical Locations

-  Computer Devices

-  Networks

-  Databases

•  If one target is compromised or broken, the attacker still has to get through at least one more barrier before accessing his or her target

•  This means not only do you need a front door, but you also need a home security system

Key Players

•  Employees

•  Partners

•  Customers

•  Administrators

5 reasons to Consider Multi-Factor

•  Company resources

•  People tend to be lazy

•  Employees are being targeted directly

•  New authentication methods

•  Regulatory compliance

Token Threats

Some Disadvantages

•  Knowledge Factors

-  You are not the sole protector
   -  Passwords are shared with secure sites you visit

-  Challenge questions are easily guessed or found
   -  What city were you born in

-  If the database is compromised or captured
   -  Passwords will fall

-  Does not prove who you are

Some Disadvantages

•  Inherence Factors

-  Facial recognition may fail
   -  Poor lighting

-  Picture of owner allows access

-  Recording of voice for recognition

-  Retinal or fingerprint scans not practical

The Good News

•  Possession Factors

-  Loss of ATM Card
   -  It can not work without the PIN

-  Loss of PIV / Smart Card
   -  Can contain expiration dates and can be cancelled

-  PIN Reset
   -  Number of invalid PIN tries can be set

-  Token or Tokenless
   -  Generates one-time, one-use passcode
   -  Cryptographically generated passcodes expire within specified time period

ez/Token

ez/Token

•  Authenticate through RSA SecurID, SafeSign, Fortress, ActiveIdentity, OATH HOTP/TOTP (such as Google Authenticator), YubiKey or native RACF

•  Authenticates to zSeries Server or any other application currently using RACF authentication

•  Provides more secure alternative than usual RACF User ID/Password combination

•  Users substitute a new one-time passcode in place of a password

•  Passcodes are generated randomly every 60 seconds

•  Can be combined with a PIN number

Key Features

•  Supports requirement of users with elevated privileges to supply two factors during the authentication process

•  Lets security administrators decide which users will or will not require a PIN number along with the token code

•  Eliminates the need for users to remember passwords

•  Requires no changes to the logon screens

•  RACF User IDs can be mapped to distributed User IDs

•  Supports New PIN and Next Token code functions through a Web Interface

ez/Token Process Flow

[Diagram: the numbered steps below, drawn across the 3270 session, VIPMAIN (ICHRIX01 / IAMEZTSV), RACF, the Vanguard Token Agent and the RSA Server]

1. User starts a 3270 Terminal session or another ez/Token enabled application like CICS. User enters the appropriate RACF User ID and RSA Authentication. This is either a Passcode, a Tokencode, or a PIN/Token combination depending on the RSA requirements.

2. Vanguard's VIPMAIN has to be started on the host for this process to work. The z/OS ICHRIX01 Exit delivers control to Vanguard's ICHRIX01 Process (IAMEZTSV).

3. The IAMEZTSV started task on z/OS determines if the User is required to use RSA. If the user is not required to use RSA, control is passed to RACF for normal processing.

4. If the user is required to use RSA, IAMEZTSV connects to the Vanguard ez/Token Agent Host on the Windows Server.

5. Vanguard's ez/Token Agent host contacts the RSA Server.

6. The RSA Server determines if the user's authentication attempt succeeds.

7. Return communication occurs back to z/OS, either permitting or denying the logon attempt.

ez/Token - TSO

ez/Token - CICS

Tokenless

Vanguard Tokenless Authentication

•  Most cost effective and convenient way to implement

-  No need to deploy and manage expensive physical token devices

-  No need to manage token distribution

-  No additional third party software needed

•  Generates a one time, one use password to a virtual token, like the user's smart phone, each time sign-on is attempted

•  Cryptographically generated passcodes expire within a short specified time period

Vanguard Tokenless Authentication

[Diagram: USER, MAINFRAME, SERVER and CELL PHONE, with the numbered steps below]

1. When a user logs on at the application level, Tokenless Authentication (VTA) validates the user name and password at login.

2. VTA then generates and sends back an 8 character, one time use, time sensitive passcode to the user's cell phone.

3. The user enters the passcode at the second level of authentication.

4. Once the passcode is validated by Tokenless Authentication, the user gains access to the application.

Vanguard Tokenless Administration

Simple Web Based Administration Interface

-  Set up users to use Vanguard Tokenless Authentication

-  Change Tokenless type (password + token or token only)

-  Change delivery address (cell phone / email)

Tokenless Authentication – Use Email/SMS

•  Enter UserID

•  Enter Password

•  Receive E-Mail/SMS

•  Enter Tokenless Code
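
One way the second-level step of the tokenless flow (generate an 8 character, one time use, time sensitive passcode, deliver it, validate it) could be implemented, as an added example that is not Vanguard's product code: a small Python service that issues the code with a cryptographic random source, stores only a hash, expires it, consumes it on first use and drops it after a set number of invalid tries (the deck's "number of invalid PIN tries can be set"). The alphabet, the 300-second lifetime, the three-try limit and the `send` delivery hook are assumptions; the deck fixes only the 8-character length.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumption: the deck only says "8 character"; uppercase letters and digits are used here.
ALPHABET = string.ascii_uppercase + string.digits


class TokenlessService:
    """Issues an 8-character one-time passcode, delivers it out of band (cell phone or
    e-mail) and validates it with an expiry, a single-use rule and a retry limit."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, send=None):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.send = send or (lambda address, message: None)  # hypothetical SMS/e-mail hook
        self.pending = {}  # user id -> {"hash", "expires", "attempts"}

    def issue(self, user: str, delivery_address: str, now: float = None) -> str:
        now = time.time() if now is None else now
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))  # CSPRNG, not random.choice
        self.pending[user] = {  # only a hash is kept, so a dump of this table does not leak codes
            "hash": hashlib.sha256(code.encode()).digest(),
            "expires": now + self.ttl,
            "attempts": 0,
        }
        self.send(delivery_address, f"Your one-time passcode is {code}")
        return code  # returned only so the flow can be driven end to end in a test

    def validate(self, user: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False  # nothing outstanding: never issued, already used, or locked out
        if now > entry["expires"]:
            del self.pending[user]  # time sensitive: an expired code is discarded, not retried
            return False
        entry["attempts"] += 1
        supplied = hashlib.sha256(code.strip().upper().encode()).digest()
        ok = hmac.compare_digest(supplied, entry["hash"])  # constant-time comparison
        if ok or entry["attempts"] >= self.max_attempts:
            del self.pending[user]  # one use: consumed on success, discarded after too many failures
        return ok
```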

At the Very Least

•  Anyone in the organization that has the ability to create, edit or exfiltrate critical data should be required to use Multi-Factor Authentication to access those critical resources

Thank you!

Questions