Active User Envolvement
Realtime Notifications
Notification of credential use, at logon, gives your users confidence that their integrity and the integrity of the system has not been undermined by credential theft. Notification of password/phrase reset request/attempt provides users additional assurance that overall integrity remains intact and that they have not been ‘Locked Out’. These notifications allow you to engage your staff in the premier defense of your z/OS Systems.
Watchful Periods & Conditions
‘Flooding’ would exist if emails, texts, or SIEM messages, were sent with each logon, each reset, or each password expiration event. Not a good idea! ICE/PSWD deals with potential 'flooding' by supporting the creation of ‘Watchful Periods’ - selected by Day, Date, and Time - and/or ‘Watchful Conditions’ – triggered by selected Return Codes or events on specifically Named z/OS LPARs - that will satisfy each individual's requirement.
Stronger Password Processes
How do users know when their passwords are expiring?
Typically, they don't! A z/OS user may, from time to time, logon to TSO and be notified of a pending expiration. But this is not so for CICS, FTP, VTAM, and others. Expiration notification leads to stronger passwords because it gives the user an interval of time to plan for a stronger password reset.
How can we enforce the use of more complex passwords?
By using a simple process, called 'Format Binding', individual users can be bound to one or more of the available password format rules. Complex format rules (mixed case, special characters) generally result in passwords that are more difficult for hackers to guess.
What about Failed Logons and Invalid UserIds?
When a password fails during logon, it may be the result of an invalid password/userid or a malicious "Brute-Force" or "Password Spray" attack. ICE/PSWD will report these and other such events - for example, the logon of Privileged Users - in real time, by email, text, or by logging it to your SIEM.
Equally troubling is the discovery of an invalid and/or revoked UserId, often used in various types of "Phishing" attacks. When ICE/PSWD detects such an event, notification is sent directly to a named, central location, by email, text, and/or routed directly to your SIEM.
Use Multi-Factor Authentication - MFA
What is MFA?
MFA is a process for adding a ‘Factor’ to the user's logon credential. Such a process often results in a secret only the user knows, or an object only the user has. The use of MFA can dramatically enrich the integrity of all system credentials. The result is better overall system security.
ICE/PSWD takes the MFA process one step further with processes that add factors to both the logon and password reset processes. Together, they enforce a better, overall higher level of system integrity and security. Using ICE/PSWD, a user never knows a required password until it is actually needed and requested from the target z/OS system.
Multi-Factor Logon - MFL
Including a z/OS complex, with the control of a Federated Identity Management(FIM) or Single Sign On(SSO), user logon process often invites a loss of system integrity and security. MFL employs the best MFA concepts, i.e. the user never knows the complete password/passphrase in advance of logon, while at the same time preserving the user RACF credential and RACF's ultimate control over the user logon. All software, simple, straight-forward.
Both MFL and MFR support the users MFA secret, her prefix, by generating and storing its encrypted form within z/OS. The prefix may be updated at any time, as often as needed. Users begin a logon by entering their valid, RACF userid and password after which the z/OS system generates and sends them, via email or text, a time-sensitive suffix. The user concatenates the prefix and suffix into a new password that, along with their userid, can be used for logging on during a 'Validity Window'.
Multi-Factor Reset - MFR
Conventional MFA systems either totally ignore or overlook the need for users to update/reset their passwords or passphrase. The result: a critical RACF control point becomes disabled, thus eliminating a 'factor' from the overall Multi-Factor process.
ICE/PSWD preserves RACF control over the reset process, whether voluntary or required. During either, users request a One-Time Password suffix, to which they append their secret prefix, and return to complete the reset. If the reset is voluntary, and the password has not expired, the user may be allowed to bypass the reset. But, if the reset is required because the password has expired, the user MUST complete the reset all within a window of time, not to exceed 15 minutes.
What People are saying
Security Culture
"In a recent survey of prospective ICE/PSWD users, over 95% said they believe that ICE/PSWD would help them to improve their organization's Security Culture"
MFA Implementation
"ICE/PSWD simplifies the implementation of MFA and enriches it by providing a software solution that supports both Multi-Factor Logon & Multi-Factor Reset"
Privileged Users
"Not all users should be treated the same. ICE/PSWD can discriminate, allowing Privileged Users to adhere to better password/passphrase use and reset practices."