NewEra Software Inc. is a sponsor of the zExchange - A community of z/OS Citizens
We should all consider it self-evident that z/OS System Integrity is enriched by the inclusion of the user as an active participant in the overall z/OS mainframe Security Paradigm. Consider this: in real time, the only person who can ACTUALLY know if YOUR logon credential is being used legitimately is YOU! Not a SIEM, not the Help Desk, certainly not an SMF record of any type. Just YOU and YOU alone!
Notification of credential use, at logon, gives your users confidence that their integrity and the integrity of the system has not been undermined by credential theft. Notification of password/phrase reset request/attempt provides users additional assurance that overall integrity remains intact and that they have not been ‘Locked Out’. These notifications allow you to engage your staff in the premier defense of your z/OS Systems.
'Flooding' would exist if emails, texts, or SIEM messages were sent with each logon, each reset, or each password expiration event. Not a good idea! ICE/PSWD deals with potential 'flooding' by supporting the creation of 'Watchful Periods' - selected by Day, Date, and Time - and/or 'Watchful Conditions' - triggered by selected Return Codes or events on specifically Named z/OS LPARs - that will satisfy each individual's requirement.
Typically, they don't! A z/OS user may, from time to time, logon to TSO and be notified of a pending expiration. But this is not so for CICS, FTP, VTAM, and others. Expiration notification leads to stronger passwords because it gives the user an interval of time to plan for a stronger password reset.
By using a simple process, called 'Format Binding', individual users can be bound to one or more of the available password format rules. Complex format rules (mixed case, special characters) generally result in passwords that are more difficult for hackers to guess.
When a password fails during logon, it may be the result of an invalid password/userid or a malicious "Brute-Force" or "Password Spray" attack. ICE/PSWD will report these and other such events - for example, the logon of Privileged Users - in real time, by email, text, or by logging it to your SIEM.
Equally troubling is the discovery of an invalid and/or revoked UserId, often used in various types of "Phishing" attacks. When ICE/PSWD detects such an event, notification is sent directly to a named, central location, by email, text, and/or routed directly to your SIEM.
MFA is a process for adding a ‘Factor’ to the user's logon credential. Such a process often results in a secret only the user knows, or an object only the user has. The use of MFA can dramatically enrich the integrity of all system credentials. The result is better overall system security.
ICE/PSWD takes the MFA process one step further with processes that add factors to both the logon and password reset processes. Together, they enforce a better, overall higher level of system integrity and security. Using ICE/PSWD, a user never knows a required password until it is actually needed and requested from the target z/OS system.
Placing a z/OS complex under the control of a Federated Identity Management (FIM) or Single Sign-On (SSO) user logon process often invites a loss of system integrity and security. MFL employs the best MFA concepts, i.e. the user never knows the complete password/passphrase in advance of logon, while at the same time preserving the user's RACF credential and RACF's ultimate control over the user logon. All software: simple and straightforward.
Both MFL and MFR support the user's MFA secret, the prefix, by generating and storing its encrypted form within z/OS. The prefix may be updated at any time, as often as needed. Users begin a logon by entering their valid RACF userid and password, after which the z/OS system generates and sends them, via email or text, a time-sensitive suffix. The user concatenates the prefix and suffix into a new password that, along with their userid, can be used for logging on during a 'Validity Window'.
Conventional MFA systems either totally ignore or overlook the need for users to update/reset their passwords or passphrase. The result: a critical RACF control point becomes disabled, thus eliminating a 'factor' from the overall Multi-Factor process.
ICE/PSWD preserves RACF control over the reset process, whether voluntary or required. During either, users request a One-Time Password suffix, to which they append their secret prefix, and return to complete the reset. If the reset is voluntary, and the password has not expired, the user may be allowed to bypass the reset. But, if the reset is required because the password has expired, the user MUST complete the reset all within a window of time, not to exceed 15 minutes.
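The prefix + suffix scheme described for MFL and MFR above, modelled as an added illustration that is not NewEra's code: the secret prefix is stored only as a salted hash, the emailed/texted suffix is single use, and a candidate password is accepted only inside the validity window. The 15-minute ceiling the page gives for a required reset is assumed here for the logon window as well, and the six-digit suffix length is an assumption.

```python
import hashlib
import hmac
import secrets

# Assumed values: the page states a 15-minute ceiling for a required reset;
# the same window is assumed for the logon 'Validity Window'.
VALIDITY_WINDOW_SECS = 15 * 60
SUFFIX_LEN = 6  # assumed length of the one-time suffix sent by email/text


class MflSimulator:
    """Toy model of prefix + suffix multi-factor logon (illustration, not ICE/PSWD)."""

    def __init__(self):
        self._prefix = {}    # userid -> (salt, PBKDF2 hash of the secret prefix)
        self._pending = {}   # userid -> (suffix, issued_at) awaiting use

    def register_prefix(self, userid, prefix):
        # Keep only a salted hash of the secret prefix, never the plaintext.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", prefix.encode(), salt, 100_000)
        self._prefix[userid] = (salt, digest)

    def request_suffix(self, userid, now):
        # Called after RACF has accepted userid/password; the suffix is what
        # would be delivered to the user by email or text.
        suffix = f"{secrets.randbelow(10 ** SUFFIX_LEN):0{SUFFIX_LEN}d}"
        self._pending[userid] = (suffix, now)
        return suffix

    def verify(self, userid, candidate, now):
        """Check prefix+suffix; return (ok, reason). The suffix is consumed on
        every attempt, so a wrong guess cannot be retried against it."""
        if userid not in self._prefix:
            return False, "no prefix registered"
        pending = self._pending.pop(userid, None)
        if pending is None:
            return False, "no suffix outstanding"
        suffix, issued_at = pending
        if now - issued_at > VALIDITY_WINDOW_SECS:
            return False, "validity window expired"
        given_prefix, given_suffix = candidate[:-SUFFIX_LEN], candidate[-SUFFIX_LEN:]
        if not hmac.compare_digest(given_suffix, suffix):
            return False, "suffix mismatch"
        salt, digest = self._prefix[userid]
        check = hashlib.pbkdf2_hmac("sha256", given_prefix.encode(), salt, 100_000)
        if not hmac.compare_digest(check, digest):
            return False, "prefix mismatch"
        return True, "ok"
```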
"In a recent survey of prospective ICE/PSWD users, over 95% said they believe that ICE/PSWD would help them to improve their organization's Security Culture"
"ICE/PSWD simplifies the implementation of MFA and enriches it by providing a software solution that supports both Multi-Factor Logon & Multi-Factor Reset"
"Not all users should be treated the same. ICE/PSWD can discriminate, allowing Privileged Users to adhere to better password/passphrase use and reset practices."
ICE/PSWD, like all NewEra Software Products, is licensed on an MSU, tiered price scale, for a defined term or in perpetuity by CPU, Site, Region or Globally.
Maintenance is included in the first license year and thereafter is 15% of the then current list price.