CA Top Secret


[TRANSCRIPT] CA Mainframe Security: Access Control – September 19, 2018 

Sep 19, 2018 12:59 PM

Lenn Thompson (CA) to Everyone: @Everyone: Good morning. Let's jump right in. Please remember to "Send to: Everyone" and to @Name when you're replying to someone in particular.


Lenn Thompson (CA) to Everyone: @Mark: Good morning! Do you have any questions for the team today?


Mark Kirby to Everyone: Is there a simple integrated way within Top Secret to answer the basic auditor question "give us the list of all acids that can update a specific resource?" What we built was to run a batch simulation for every acid. That was the only way we could find that would give a complete list.


Lenn Thompson (CA) to Everyone: @Mark: Thanks for the question. I'm going to let the experts respond -- I'm just the community manager


Joseph Porto to Everyone: Good morning Mark...


Joseph Porto to Everyone: The current method you are using is the best way to determine the list of all acids that can update a specific resource.


Lenn Thompson (CA) to Everyone: @Josef: Good morning! (or maybe afternoon for you!) Do you have any questions for the team?


Mark Kirby to Everyone: Ok, thanks for the confirmation. I will explain that to our auditors as the best way.


Lenn Thompson (CA) to Everyone: @Mark: Great! Do you have any other questions for the team today?


Josef Thaler to Everyone: Thanks, Lenn, for your welcome, and indeed, I have two general questions, which might be difficult to answer, but ... may I?


Lenn Thompson (CA) to Everyone: @Josef: Please feel free to ask. If we can answer we will!


Josef Thaler to Everyone: company, not only for the mainframe?


Josef Thaler to Everyone: lost some text


Josef Thaler to Everyone: next try: We had some discussions in our company: And the question is: Can Top Secret act as a security server for the whole company, not only for the mainframe?


Josef Thaler to Everyone: I mean for a company using aix and other distributed servers etc. 


Joseph Porto to Everyone: Thank you for your question.


Josef Thaler to Everyone: or in other words: Can Top Secret on the z/mainframe (together with additional products) act as a central security server (authentication/authorization) for the whole enterprise? Especially for AIX (on power-8) and windows? If yes, would you have some indications about such a conception and how and with which additional products/features / under which conditions this could be realized. Do you know about reference installations, which could be contacted?


John Pinkowski (CA) to Everyone: @Josef that is not a simple answer. Would it be possible to set up a 30-60 minute call to discuss in detail what your vision would be? We would have our security architects join as well.


Josef Thaler to Everyone: If this would be possible, this would be great! As this question came from my manager, I'd like to involve him too. John, may we stay in touch by mail?


John Pinkowski (CA) to Everyone: yes we can. I will drop you an email now.


Mark Kirby to Everyone: So I will drop in now a couple of other questions in one "send".


Mark Kirby to Everyone: I am installing/configuring Mainframe Advanced Authentication. If an acid has access to a facility in multiple profiles, does it matter where the Permit to CASECMFA(TSSMFA.RSA.facility) ACC(USE) resides? Also, is there a way to easily see how an acid has access to a specific facility?


Josef Thaler to Everyone: And my second question is again about Top Secret, with a more personal flavour: What really makes Top Secret for z superior in comparison to the competing z/mainframe products (as there are ACF2 and RACF)?


Joseph Porto to Everyone: @Mark: The best way to easily see how an acid has access to a specific FACILITY is to use TSSSIM....


Joseph Porto to Everyone: It doesn't matter where CASECMFA(TSSMFA.RSA.facility) ACC(USE) resides.


Mark Kirby to Everyone: Ok, I got the answer to question 1, which is what I thought/wanted. However, I don't understand the answer to question 2, TSSSIM trace does not show me the answer to why a facility allowed logon, just yes or no. Is there some aspect of TSSSIM beyond the basic?


Mary Ann Furno (CA) to Everyone: @Josef: ACF2 and Top Secret are unique in their approach to securing mainframe resources. ACF2 takes a resource-centric approach and Top Secret takes a user-centric view (RACF takes a user-centric approach as well). All have equivalent functionality so none is superior to the other. Each takes a different approach to securing the platform. Are there specific use cases you are looking to resolve? Our security teams can help.


Josef Thaler to Everyone: Thank you Mary Ann. I ask, because I would like to know, whether there are more than commercial reasons to decide or choose one or the other product.

Joseph Porto to Everyone: @Mark...Currently TSSSIM LOGON only indicates if the signon to the FACILITY was successful or not successful. for


Josef Thaler to Everyone: maybe I should make a "poll" in the CA community to get a flavor about it. But in my experience CA community behaves rather inert


Joseph Porto to Everyone: @Mark..If you need to know why the logon was would issue a TSS LIST(acid) DATA(PROFILE) and look for FACILITY authorization or lack of FACILITY authorization.


Mark Kirby to Everyone: That is how I'm doing it now; I was just wondering if there was a 'better' way. So that answers my questions. Thanks,


09/19/2018 11:46:46 AM from Joseph Porto to Everyone: @Mark...currently there is no built-in feature that will automatically tell you this information automatically.

Mary Ann Furno (CA) to Everyone: @Josef – As we look at Defense in Depth and the new threats in today’s world we consider the base external security managers as well as additional layers of security that are complementary. CA continues to invest in the security and compliance portfolio. We also make available several additional layers of security, some at no charge - including advanced authentication for mainframe and management and control of privileged users.

Josef Thaler to Everyone: @Mary Ann - thank you for this consideration, I comprehend. Security in an enterprise is really not based on a single product.


Lenn Thompson (CA) to Everyone: @Everyone: Are there any other questions for the team while we have them gathered?


Mark Kirby to Everyone: I do not have any more for this session.


Lenn Thompson (CA) to Everyone: @Mark: Thank you and thanks for joining!


Mark Kirby to Everyone: Thank you, I will drop off now.


Josef Thaler to Everyone: Well, when I started to work with TSS I submitted several ideas in the ideation. I would accept that not every idea can be realized. But I would appreciate very much, when the idea is commented by CA after a certain timeframe.


John Pinkowski (CA) to Everyone: @Josef - This is on my plate. You are absolutely correct and while we have put in over 23 features, I need to update Communities.


Lenn Thompson (CA) to Everyone: @Everyone: Okay folks, we are almost at the end of our time together today. I'd like to thank each and every one of you for joining. We'll see you next time!
