Multifactor Authentication for the Mainframe?

Is the password dead or dying?

Lots of articles talk about the death of passwords. Google aims to kill them off by the end of 2017. According to the company, Android users will soon be able to log in to services using a combination of face, typing, and movement patterns. Apple figured this out long ago (Apple Pay) and continues to move away from passwords. Even the U.S. government is coming to grips with the fact that passwords don’t cut it anymore.

Enter multifactor authentication or MFA. Almost everyone agrees that MFA provides the strongest level of authentication (who you are) possible. It’s great for users, too. My iPhone is a great example. While I like many things about it, Touch ID is my favorite feature. I never have to remember my thumb print (it’s always with me), and no one can steal it (except James Bond). Touch ID makes secure access so easy.

Given the riskiness of passwords and the rise of MFA solutions, I have to ask why it’s still okay to rely on passwords for mainframe access. Here’s my guess: This question has never occurred to many mainframe system admins because there’s never been any other way to authenticate host access—especially for older mainframe applications.

Are mainframe passwords secure?

When you think about passwords, it’s clear that the longer and more complex the password, the more secure it will be. But mainframe applications—especially those written decades ago, the ones that pretty much run your business—were hardcoded to use only weak eight-character, case-insensitive passwords.  Ask any IT security person if they think these passwords provide adequate protection for mission-critical applications and you will get a resounding “No way!”

As far as anyone knows, though, they’ve been the only option available. Until now. At Micro Focus, we are bridging the old and the new, helping our digitally empowered customers to innovate faster, with less risk. One of our latest solutions provides a safe, manageable, economical way for you to use multifactor authentication to authorize mainframe access for all your users—from employees to business partners.

Multifactor authentication to authorize mainframe access?

It’s a logical solution because it uses any of our modern terminal emulators (the tool used for accessing host applications) and a newer product called Host Access Management and Security Server (MSS). Working alongside your emulator, MSS makes it possible for you to say goodbye to mainframe passwords, or reinforce them with other authentication options. In fact, you can use up to 14 different types of authentication methods—from smart cards and mobile text-based verification codes to fingerprint and retina scans. You’re free to choose the best solution for your business.

In addition to strengthening security, there’s another big benefit that can come with multifactor authentication for host systems: No more passwords means no more mainframe password-reset headaches!

Yes, it’s finally possible to give your mainframe applications the same level of protection your other applications enjoy. Using MFA for your mainframes brings them into the modern world of security. You’ll get rid of your password headaches and be better equipped to comply with industry and governmental regulations. All you need is a little “focus”—Micro Focus.

You’ve Solved Password Resets for Your Network. Now What About Your Mainframe?

Humans. For the person managing network access, we are nothing but a pain. That’s because network access involves passwords, and passwords are hard for humans. We hide them, lose them, forget them, share them, and fail to update them.

The struggle is real, and understandable. We are buried in passwords. They’re needed for every aspect of our lives. To keep track of them, most of us write them down and use the “increment” strategy to avoid recreating and trying to memorize a different password at every turn. But the struggle continues.

Yes, passwords are hard for humans. And that makes them an incredibly weak security solution.

If you’ve been in IT for any length of time, you get it. For years, password resets were a constant interruption and source of irritation for IT. Fortunately, that changed when password-reset tools came along. Now used by most enterprises, these tools help IT shops get out of the password-reset business and onto more strategic tasks.

What About Mainframe Passwords?

Mainframe-password resets are even more costly and time consuming than network-password resets. That’s because mainframe passwords have to be reset in RACF, on the mainframe, which means someone who has mainframe access and knows how to execute this type of command has to do it—typically a mainframe systems programmer/admin. Plus, mainframe users often need access to multiple hosts and applications. And each application requires a separate username and password.

There are no automated password-reset tools for the mainframe—your wealthiest data bank of all. But what if there were a completely different way to solve this problem? What if you could get rid of mainframe passwords altogether and strengthen security for mainframe access in the process?

In fact, there is a way that you can do just that. Two Micro Focus products, Host Access Management and Security Server (MSS) and an MSS add-on product called Automated Sign-On for Mainframe (ASM), make it possible.

How Do MSS and ASM Work?

MSS puts a security control point between mainframe users and your host systems. It uses your existing Identity and Access Management structure—specifically, strong authentication—to authorize access to the mainframe. The MSS-ASM combo enables automatic sign-on all the way to the mainframe application—eliminating the need for users to enter any IDs or passwords.

Here’s what’s happening behind the scenes: When a user launches a mainframe session through a Micro Focus terminal emulator’s logon macro, the emulator requests the user’s mainframe credentials from MSS and ASM. ASM employs the user’s enterprise identity to get the mainframe user ID.

Then, working with the IBM z/OS Digital Certificate Access Server (DCAS) component, ASM obtains a time-limited, single-use RACF PassTicket for the target application. In case you didn’t know, PassTickets are dynamically generated by RACF each time users attempt to sign on to mainframe applications. Unlike static passwords, PassTickets offer replay protection because they can be used only once. PassTickets also expire after a defined period of time (10 minutes by default), even if they have never been used. These features all translate into secure access.

ASM returns the PassTicket and mainframe user ID to the terminal emulator’s logon macro, which sends the credentials to the mainframe to sign the user on to the application.
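The two properties described above, single use and a fixed lifetime, can be seen in a small issuer/verifier model. This is an added example, not Micro Focus or IBM code: it uses an HMAC-based stand-in token rather than the RACF PassTicket algorithm, and the class name, user ID, application name and key are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TICKET_LIFETIME_SECONDS = 10 * 60  # default lifetime stated in the text: 10 minutes


class TicketService:
    """Toy issuer/verifier for single-use, time-limited sign-on tickets.

    Stand-in construction: HMAC-SHA256 over user ID, application, issue time
    and a random nonce. This is NOT the RACF PassTicket algorithm.
    """

    def __init__(self, app_keys, lifetime=TICKET_LIFETIME_SECONDS, clock=time.time):
        self._app_keys = app_keys  # application name -> secret key (bytes)
        self._lifetime = lifetime
        self._clock = clock
        self._used = {}            # nonce -> time after which the ticket is expired anyway

    def _mac(self, user_id, application, issued_at, nonce):
        # Unit-separator join; assumes IDs never contain the \x1f character.
        msg = "\x1f".join([user_id, application, str(issued_at), nonce]).encode()
        return hmac.new(self._app_keys[application], msg, hashlib.sha256).hexdigest()

    def issue(self, user_id, application):
        issued_at = int(self._clock())
        nonce = secrets.token_hex(16)
        return f"{issued_at}.{nonce}.{self._mac(user_id, application, issued_at, nonce)}"

    def verify(self, user_id, application, ticket):
        now = self._clock()
        # Forget nonces whose tickets can no longer pass the expiry check.
        self._used = {n: exp for n, exp in self._used.items() if exp >= now}
        if application not in self._app_keys:
            return "rejected: unknown application"
        try:
            issued_str, nonce, mac = ticket.split(".")
            issued_at = int(issued_str)
        except ValueError:
            return "rejected: malformed"
        expected = self._mac(user_id, application, issued_at, nonce)
        # Constant-time comparison; the ticket is bound to this user and application.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "rejected: bad ticket"
        age = now - issued_at
        if age < 0 or age > self._lifetime:
            return "rejected: expired"   # expires even if never used
        if nonce in self._used:
            return "rejected: replay"    # a ticket is accepted only once
        self._used[nonce] = issued_at + self._lifetime
        return "accepted"


class FakeClock:
    """Controllable clock so the expiry case runs without waiting."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock(1_700_000_000)                      # constructed timestamp
    svc = TicketService({"CICSPROD": b"constructed-demo-key"}, clock=clock)

    first = svc.issue("JSMITH", "CICSPROD")
    results = [
        svc.verify("JSMITH", "CICSPROD", first),          # first use
        svc.verify("JSMITH", "CICSPROD", first),          # captured and replayed
    ]

    second = svc.issue("JSMITH", "CICSPROD")
    results.append(svc.verify("ADOE", "CICSPROD", second))  # presented for another user

    third = svc.issue("JSMITH", "CICSPROD")
    clock.now += TICKET_LIFETIME_SECONDS + 1              # never used, just too old
    results.append(svc.verify("JSMITH", "CICSPROD", third))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay cache only has to remember a nonce until its ticket would have expired on its own, which is why a short lifetime keeps the verifier's state small.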

No interaction is needed from the user other than starting the session in the usual way. Imagine that. They don’t have to deal with passwords, and neither do you.

No More Mainframe Passwords

Humans. We are a messy, forgetful, chaotic bunch. But fortunately, we humans know that. That’s why we humans at Micro Focus build solutions to help keep systems secure and humans moving forward. Learn more about Host Access Management and Security Server and its Automated Sign-On Add-On.

Is Secure File Transfer Protocol (SFTP) Its Own Worst Enemy?

At Micro Focus, our customers are asking for a holistic approach to secure file transfer—one that provides more visibility, flexibility, and control. That’s why we’ve introduced Reflection® for Secure IT Gateway. This new SSH-based solution sits between the user and the SFTP server, and acts as a central point of control. Its job is to track every file going in and out of your enterprise, including who transferred it and what’s in it. David Fletcher investigates further in this blog….

Secure File Transfer Protocol

SFTP has long been a de facto standard for secure file transfer.  Originally designed by the Internet Engineering Task Force (IETF), this extension of the Secure Shell protocol (SSH) 2.0 provides secure file transfer capabilities over the SSH network protocol.

In a nutshell, SFTP encrypts your data and moves it through an impenetrable encrypted tunnel that makes interception and decoding virtually impossible. While incredibly useful for business-to-business data sharing, SFTP poses a problem in our security-conscious world. Oddly enough, the problem is that SFTP works too well.

Let me explain. SFTP works so well that no one can see what’s being transferred—not even the people who need to see it for security reasons. Case in point: Edward Snowden. No matter what your thoughts on the subject, the fact is that Snowden used his privileged user status to transfer and steal sensitive files. Why was he able to do this? Because no one could see what he was doing. As a “privileged user” on the network, he had extensive access to sensitive files—files that he was able to transfer about, as he desired, without detection.

In addition to the threats posed by unscrupulous privileged users, there’s another threat that’s cause for alarm. It’s called Advanced Persistent Threat (APT).  Basically, an APT is a ceaseless, sophisticated attack carried out by an organized group to accomplish a particular result—typically, the acquisition of information. The classic APT mode of operation is to doggedly steal the credentials of privileged users. The purpose, of course, is to gain unfettered access to sensitive or secret data. Once “in,” these APTers can transfer data and steal it without detection.  On a side note, Snowden used some of these APT tactics to steal credentials and validate self-signed certificates to gain access to classified documents.

APTs are often discussed in the context of government, but let me be clear: Companies are also a primary target. Take the recent Wall Street Journal article about a foreign government stealing plans for a new steel technology from US Steel. Such behavior is just the tip of the iceberg when it comes to how far some entities will go to steal information and technology.

Introducing Micro Focus Reflection for Secure IT Gateway

So given that transferring files is an essential business operation, what can you do to protect your organization from these dangerous threats? At Micro Focus, our customers are asking for a holistic approach to secure file transfer—one that provides more visibility, flexibility, and control. That’s why we’re introducing Reflection® for Secure IT Gateway. This new SSH-based solution sits between the user and the SFTP server, and acts as a central point of control. Its job is to track every file going in and out of your enterprise, including who transferred it and what’s in it. It can also offload files for third-party inspection and then either stop the transfer and send a notification if something seems amiss, or complete the transfer as required.

Reflection for Secure IT Gateway comes with a powerful browser-based interface that you can use to accomplish a number of transfer-related tasks:

  • Expose files for inspection by third-party tools
  • Automate pre- and post-transfer actions
  • Grant and manage SFTP administrator rights
  • Provision users
  • Configure transfers
  • Create jobs for enterprise level automation
  • Delegate tasks

Read more about Reflection for Secure IT Gateway or download our evaluation software and take a test drive. Learn how you can continue to benefit from the ironclad security of SFTP while also gaining greater file transfer visibility, flexibility, and control.

Sr. Product Marketing Manager
Host Connectivity
(Originally published here)

It ain’t broke, but there’s still a better way

The latest release of Rumba+ Desktop now offers centralized security and management via Host Access Management and Security Server (MSS). MSS meets one of IT’s greatest challenges—keeping up with an ever-changing IT security landscape. David Fletcher covers better secure access to host systems in this blog.

“If it ain’t broke, don’t fix it.”

We’ve all heard the old adage. But here’s the thing: Even if it’s not broken, it could be better. Think about regular film versus digital? Rotary phones versus smartphones? Those electric football games that vibrated the players across the field versus Xbox? All the early versions worked just fine. They delivered the same results as their new counterparts. So why did we upgrade?

The answer is obvious. We wanted a better experience. After all, what’s not to like about achieving the same thing with less effort, achieving more with less effort, improving results, or just having more fun along the way?

The same is true for software. Remember the early days of running a single application in DOS? Think back to how clunky and inefficient those applications were. Yet we thought they were amazing!

These days there’s another topic that is top-of-mind in the software world, and that is the topic of computer security. While an older version of your software may still accomplish the task it was designed for, the world in which that software lives has undergone radical change. Software designed ten years ago isn’t able to shield your enterprise against the sophisticated threats of today. The gap is vast and dangerous.

Micro Focus and The Attachmate Group

Change comes when the benefits of a new solution outweigh the risk or pain of change. The good news is that change has come to Micro Focus® Rumba+ Desktop. The merger of Micro Focus and The Attachmate Group is enabling customers of both Rumba and Reflection terminal emulation software to get the best of both worlds. That’s why there are big gains to be had by updating now.

Let me be more specific. The latest release of Rumba+ Desktop now offers centralized security and management via Host Access Management and Security Server (MSS).  MSS meets one of IT’s greatest challenges—keeping up with an ever-changing IT security landscape. Customers always say, “We have 1000s of desktops at 100s of global locations. How do we keep up with PCI DSS, SHA-2, and TLS standards? How can we keep all of our clients up-to-date and secure? Just when we get everything updated, something new comes along that requires touching all of those workstations again.”

Rumba+ with Host Access Management and Security Server

Well, Rumba+ Desktop combined with Host Access Management and Security Server solves the problem.  Together, these products make it possible for you to:

  • Take centralized control of your host-access operations. You can lock down 100s (or 1000s) of desktops with ease, control access using your Identity and Access Management system (yes, it’s possible), and grant or deny access based on group or role. You can quickly apply changes to align with business needs or make post-install adjustments. And you can do it on your schedule, not someone else’s.
  • Reinforce security as you remove the need for mainframe passwords. By teaming Rumba+ Desktop with MSS, you can integrate your host systems with your existing IAM system. Then you can replace weak eight-character passwords with strong complex ones. You can even banish mainframe passwords—and password-reset headaches—by automatically signing users on to their mainframe applications.
  • Build a wall of security in front of your host. You can deliver end-to-end encryption and enforce access control at the perimeter with a patented security proxy. You can also enable multifactor authentication to authorize access to your host systems—which means you can take complete control of who is accessing your most valuable assets.

Micro Focus terminal emulation products have been providing secure access to host systems for decades. As technology advances and the security landscape continues to change, you can count on Micro Focus to help you find a better way.


Browser-Based Terminal Emulation and the Java Plug-In—What You Need to Know

The death of the Java plug-in is not news. Lots of articles talk about it. Even Oracle (who makes the Java plug-in) has finally agreed to dump it. For many users and businesses, this is not a big deal. And for IT staff, it’s actually a relief. It means they’ll no longer have to deal with the annoying Java Runtime Environment (JRE). The question for many IT Departments right now is this: “What’s your plan to transition off the Java plug-in for terminal emulation access?” David Fletcher looks at some answers…..

It wasn’t always this way. In the beginning, IT saw Java as a way to build enterprise applications that could be run without installation, updates, or device-specific requirements. But naturally, there’s a tradeoff: You must install and maintain some notoriously problematic software—the Java Runtime Environment (JRE)—on all participating devices. That’s one big maintenance and security headache for IT. Basically, it reintroduces the very problem that Java was originally supposed to solve.

Enter HTML5/JavaScript. The HTML5/JavaScript approach requires no device-specific components beyond a modern browser. IT staff can serve up web applications to hundreds or thousands of users without having to touch any user devices. They need only maintain a dozen or so application servers. Goodbye endpoint-management headaches!

An often overlooked application that uses the Java plug-in is the browser-based terminal emulator. For many medium to large companies, as well as numerous government agencies, terminal emulators are a mission-critical necessity. For years, these applications have used the Java plug-in to provide access to mainframes and other host systems from within a browser that supports the plug-in.

What’s your plan to transition off the Java plug-in for terminal emulation access?

It’s a question you may have to grapple with sooner rather than later because of the release of Windows 10. More and more companies are looking to move to this new platform. But the Edge browser that comes with it does not support Java plug-ins. Yes, you can run IE on Windows 10, but essentially you are poking holes in your secure browser-based access by using this older technology.  Not to mention the headaches that IT will continue to have when applying security updates, which Oracle won’t continue to support forever.

There is an easy solution. Micro Focus now offers Reflection ZFE, a terminal emulator built on the advanced technology of HTML5. With Reflection ZFE, you can deliver browser-based host access efficiently and securely with a true zero-footprint client designed to reduce IT costs and desktop management time.

Our 2.0 release of Reflection ZFE delivers many great new features, including support for:

  • Unisys hosts (UTS)
  • IND$FILE
  • Windows 10 Enterprise
  • Automated sign-on for mainframe applications
  • Reflection for the Web Profile Import
  • VBA and VBA macros

Learn more about our HTML5 terminal emulation solution.


Move beyond weak mainframe passwords with advanced multifactor authentication

Flexibility is the key when it comes to multifactor authentication, and you can use these same methods to authorize access to your host systems as well. You can set up different authentication requirements for different types of users and manage everything from a central console. David Fletcher provides more insight in his blog….

More and more companies are moving to multifactor authentication. Almost everyone agrees that multifactor authentication is the best way to provide the strongest level of authentication (who you are). This technology is taking hold in many industries, and for the most part it’s working pretty well. Now ask yourself “How can I use multifactor authentication to authorize access to my host systems?”

Complex and Expensive?

Wow—things just got really complicated and expensive. Think about who is accessing your host systems today. Employees all over the world with different devices and different access needs. Business partners who need access but don’t have your same systems and devices. What about customers who are actually updating their own data via web services on your host systems? The level of complexity that comes with implementing multifactor authentication for enterprise applications is hard enough. Now throw in the mainframe and it’s enough to keep anyone from moving in that direction.

But what if there was a flexible and manageable way to use multifactor authentication for host applications? Because Micro Focus is the expert in securing and managing access to your host systems, we have developed new capabilities to make implementing and managing multifactor authentication flexible and affordable. You can even use the same products for implementing multifactor authentication for your enterprise applications and authorizing access to your host systems.

Affordable and Flexible:

The key to making multifactor authentication affordable and flexible is having a system that supports many different ways of authenticating. Such a system could support whatever methods of authentication are right for your users and your budget.

There are many different ways that a user can be authenticated. You can take advantage of the fact that most (if not all) employees or partners have a cell phone. No need for costly devices to increase security to your systems. What if you could let a partner choose between answering three security questions or using a fingerprint for authenticating or a combination of questions and cell phone?

Flexibility is the key when it comes to multifactor authentication. Now you can use these same methods to authorize access to your host systems as well. You can set up different authentication requirements for different types of users and manage everything from a central console.

Micro Focus® Advanced Authentication, combined with Host Access Management and Security Server (MSS) and one or more of our terminal emulation clients, provides up to 14 different methods of authentication to authorize access to host systems. As new technologies emerge, you can count on Micro Focus to stay ahead of the game so that when you are ready to make a move, we are too.

To learn more about enabling multifactor authentication to authorize access to your host systems, contact your Micro Focus sales representative today.

Merging Attachmate and Micro Focus will change how you think about Terminal Emulation

There is no company out there that has the depth and breadth of technology and product expertise that we bring to the table. David Fletcher blogs about how the Micro Focus and Attachmate merger is leading to stronger and more secure host access solutions.

When it comes to mergers and acquisitions we have all heard and read about the chaos that comes from the ones that don’t work.  Remember when AOL announced that it was buying Time Warner to create the “world’s largest media company” or how about when Sprint and Nextel agreed to merge only to have Sprint shut down the Nextel network a few years later?

The interesting thing is that these days mergers fail more often than marriages. There are many reasons for failures – technology differences, market changes, and especially company cultural differences, to name a few.

Not only did the mergers above fail – they brought a lot of pain and suffering to their customers. They gutted the marketplace through their inability to make something new and better out of two different companies and cultures. They took a chance to re-think their strategies and failed to move forward with the products and services into a new age of technology and customer satisfaction.

The Micro Focus and Attachmate merger is leading to stronger and more secure host access solutions.

With this merger, there is now no other company that can better address the needs of organizations that want to fit their host systems into a modern and secure IT environment.

With our combined portfolios our customers can:

  • Deliver best-of-class terminal emulation solutions across the range of devices required by their business users
  • Harden their endpoints to help secure the sensitive data and protect the host systems accessed by end users…without impacting user productivity
  • Simplify the interaction with non-intuitive mainframe apps for today’s “Facebook generation” users not familiar with green screens
  • Non-invasively extend the business logic embedded in mainframe apps to developers as web services
  • Work with a single partner that is focused on helping companies get the most out of their long-term IT investments

Whatever mainframe or host system you have – we have experts with years of experience with these technologies.  When it comes to understanding how to secure and manage access to mainframe and host systems – there simply is no vendor that has a more complete set of solutions to protect your critical data-in-motion or at rest.  When it comes to enabling mainframe-based applications to new users in new ways – no other vendor is as passionate about bringing new solutions to our customers. There is no company out there that has the depth and breadth of technology and product expertise that Micro Focus brings to the table.

So how will this merger be different than other technology mergers?

It’s easy to say, “Oh, but this merger is different”. But what really matters is how our companies have fared with mergers in the past and how this merger is benefiting customers for the future. Both Attachmate and Micro Focus have a history of mergers and acquisitions where we have taken the opportunity to bring products and services into our portfolio to provide more value for our customers.

Since this merger was completed in November of 2014 we’ve been working hard on the nuts and bolts that make a company work, bringing together people, systems and processes to make it easy to do business with the combined Micro Focus company. We’ve also been busy working through our product portfolios and determining how we can best enable this combined product set to help customers secure and manage their host systems. We’ve been cross-pollinating our products with the best of breed technologies so that our customers can take advantage of these solutions without having to swap applications.

Here are just a few examples of how we are bringing these technologies together:

  • Reflection Desktop and InfoConnect Desktop now offer the User Interface Modernization capabilities that originated with Rumba+
  • Delivered Host Access Management and Security Server to market, which will allow our customers to centrally manage and authenticate access to mainframe systems from our terminal emulation clients.

It’s been a challenge – but we’ve stayed focused on driving new releases and updates for the products that our customers rely on. Take a closer look at what we’ve been up to:

As these products move forward we will continue to invest in and enable the best technologies and solutions across the portfolio.  No longer will customers have to choose between different products for the solutions they need.

When you look at your mainframe and host systems, ask yourself – are you getting as much out of these investments as possible? If it was simple and less risky to your business to re-think how you are using these systems – what would you do differently?

Just like with anything – change is hard and can be daunting but now you have a combined company in your corner to help you re-think your business and make each step of the way a safe one.

Keep your eyes on Micro Focus over the coming months as we continue to drive innovation that solves modern customer challenges with host systems. Take a look at our customers that have taken the steps to make changes to their systems and processes, and at how they have benefited. This could be your business.

Health Plan of San Mateo

Bauverein der Elbgemeinden (BVE)

Renew Insurance

Rumba 9.4: A New Way to Think about Green Screens

David Fletcher, Senior Marketing Manager for Micro Focus Rumba, talks about the challenges with green screen applications and the innovative Screen Canvas feature now available in Rumba 9.4.

Lean and Green

If you’re reading this blog, you probably know about green screens. You probably wish they were more flexible and easy to use, but you still understand their overall value. You know that green screen applications, while written decades ago, still run the world. And behind the scenes, they make our lives easier in more ways than we may actually know.

‘Sorry please hold, I will have to switch to another screen’

Most of us will have interacted with green screen systems[1]—for example, when you’re talking to a call center rep who is using one to look up your insurance details, or book your travel, or check your banking details. These are the people who often need to put you on hold because the “system is slow” or they have to “go to another screen.” That’s what these green-screen applications are like to use—complicated, convoluted, confusing. They don’t play well together, and don’t take advantage of the latest graphical interfaces either.

However, despite their limitations, green screens and the applications they “represent” are so entrenched in our world that now even mobile users want to access them from their modern laptops, tablets, and smart phones. So why are we content to continue interacting with these outdated systems? One simple reason: These applications are still business critical. And updating them is difficult, time consuming, risky, and prohibitively expensive.

But wouldn’t it be great if there was some way to bring these outdated applications into the modern world?

At Micro Focus we continue to make investments to help organizations get the most out of their existing IT investments—including core green screen business applications. We provide low-risk, easy-to-use software that modernizes the user interface of core business applications and drives business efficiency.

Enter the new Rumba 9.4

You may have read about the user interface modernization capabilities of Rumba in the past, but with this new release we have added more capabilities to help revive tired applications.

Rumba+ 9.4 offers a new facility called Screen Canvas. With Screen Canvas, you are no longer bound by the old 24 row x 80 column limits of the traditional green screen. You can combine what used to be several different green screens into a single page.

Users with the new version can consolidate several green screens into a single page, re-organizing and merging disparate information to make the user experience more intuitive and easy to use – with no coding or changes to the host application.

To the customer, this is a new way to improve the usability of older applications. It is a new view of the green screen – it feels updated and contemporary. It improves the user experience. To Micro Focus, it is the result of an ongoing commitment to improve the user experience for the customer.

And that’s not all. Rumba+ is the perfect partner product of Rumba 9.4 and enables customers to extend their reach even further, with access to Windows, iPad and mobile technologies. Ultimately, Rumba+ represents and supports a full evolution and modernization from green screen to GUI.

Learn more about all of the Rumba product line, or contact your local sales representative.

[1] Green screens: Text displays used by the mainframe applications to present information to users.

Terminals: Traditional hardware/screens used to access core application green-screens. The IBM 3270 is a classic example.

Terminal Emulator: A dedicated computer program that replicates the terminal viewing experience through an alternative display, typically a PC screen. Rumba is a terminal emulator.

User Interface: The visible part of the operating system. An older, character-based user interface is a problem for anyone familiar with the Graphical User Interfaces (GUI) on personal tech, such as laptops and tablets.