Multi Factor Authentication for Linux on IBM Z using a centralized z/OS LDAP infrastructure Dr. Manfred Gnirss Thomas Wienert Z ATS IBM Systems IBM Germany R & D Boeblingen, 18.7.2018 © 2018 IBM Corporation 2 Trademarks The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both. Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by ® are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States. For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml: *BladeCenter®, DB2®, e business(logo)®, DataPower®, ESCON, eServer, FICON, IBM®, IBM (logo)®, MVS, OS/390®, POWER6®, POWER6+, POWER7®, Power Architecture®, PowerVM®, S/390®, System p®, System p5, System x®, System z®, System z9®, System z10®, WebSphere®, X-Architecture®, zEnterprise, z9®, z10, z/Architecture®, z/OS®, z/VM®, z/VSE®, zSeries® The following are trademearks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce. * All other products may be trademarks or registered trademarks of their respective companies. Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography. © 2018 IBM Corporation 3 Acknowledgement Our very best thanks belong to Florian Warband – Fiducia & GAD IT AG Christian Tatz – Fiducia & GAD IT AG Pascal Meyer – Fiducia & GAD IT AG Andreas Geiss – Fiducia & GAD IT AG Karsten Rohrbach – ABK Systeme GmbH Uwe Denneler – IBM Günter Weber – IBM Richard Young - IBM and all the others who contributed to this session. © 2018 IBM Corporation Current Security Landscape 1,935 81% Number of security incidents Number of breaches in 2015 with confirmed data due to stolen and/or disclosure as a result of weak passwords.1 stolen credentials.1 (18% worse than prior year) (506 worse than prior year) 60% $4 million Number of security The average total cost incidents that are from 2 of a data breach. insider threats. 3 Criminals are identifying key employees at organizations and exploiting them with savvy phishing attacks to gain initial access to the employees’ system and steal their account credentials. This puts emphasis on the need for tighter restrictions on access privileges to key data repositories.1 1 2017 Verizon Data Breach Investigations Report 2 Ponemon: 2016 Cost of Data Breach Study: Global Analysis © 2018 IBM Corporation 4 3 IBM X-Force 2016 Cyber Security Intelligence Index Current Security Landscape . •“81% of hacking-related breaches leveraged either stolen and/or weak passwords.” Source: Verizon Data Breach Investigations Report, 2017 •In 2014, 2 in 5 people − Received notice that their personal information was breached − Had an account hacked − Had a password stolen • 73% of online accounts are guarded by duplicate passwords • 47% of people use passwords that are at least 5 years old • 21% of people use passwords that are over 10 years old Source: https://www.entrepreneur.com/article/246902 •“59% of employees steal proprietary corporate data when they quit or are fired.” •“In 93% of breaches, attackers take minutes or less to compromise.” Source: https://www.bitsighttech.com/blog/data-breach-statistics • According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Source https://www.lexology.com/library/detail.aspx?g=5df10dbf-54fa-40dd-9f3f-2d08d275bf75 5 © 2018 IBM Corporation User Authentication Today • Users can authenticate with: ‒ Passwords ‒ Password phrases ‒ Digital Certificates ‒ via Kerberos • Problems with passwords: ‒ Common passwords ‒ Employees are selling their passwords ‒ Password reuse ‒ People write down passwords ‒ Malware ‒ Key log ‒ Password cracking ‒ . 6 © 2018 IBM Corporation Compliance PCI DSS v3.2 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. 8.3.1 Incorporate multi-factor authentication for all non-console access into the Cardholder Data Environment (CDE) for personnel with administrative access. Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement. NIST SP 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Note: Network access is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). Note: This requirement is effective December 31, 2017. 7 © 2018 IBM Corporation Why MFA is needed • We need to be sure the person logging in is you! A single factor alone is more susceptible to unauthorized use. • To better secure your systems, application, and data, by thwarting attacks of only a single factor. • Payment Card Industry (PCI) requires it for things such as remote access and administrative access to the card data environment • Requirements for access to Federal Government systems • Possibly to follow your own corporate security policy • MFA is especially important for privileged administrative accounts. • To be smart and secure your data! 8 © 2018 IBM Corporation Authentication is a journey Moving to stronger, easier authentication Capture SOMETHING THAT YOU KNOW SOMETHING THAT YOU HAVE SOMETHING THAT YOU ARE - Usernames and passwords - ID Badge - Biometrics - PIN Code - One time passwords - Knowledge questions - Time-based - Email / SMS 9 © 2018 IBM Corporation What is multi-factor authentication (MFA) • Authentication with more than one factor such as a password or a key to gain access • A factor could be something only you know (ie password), something only you have (ie key fob), or something only you are (i.e. biometrics) • ATM Card and PIN – Something you have and something you know • More factors generally mean more security, as if one factor is compromised such as a password, more factors are still required to successfully authentication • There is a distinction between multi-factor authentication
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages39 Page
-
File Size-