JSON Web Tokens (JWTs) are a popular option in the authentication space, but there are some inherent risks. While you gain flexibility by using a JWT, you lose the ability to revoke a token once it’s issued. To minimize the time between an administrator locking a user account and the time at which a previously issued token expires, the JWT should be short lived. This time window, while designed to be brief is a common security concern. Traditional solutions to this problem defeat the benefits of using a portable identity. Inversoft has come up with a novel way to solve this issue in a complementary method. Brian Pontarelli will cover how to implement this JWT revoke strategy to reduce the vulnerability window.
The different options within Bluemix bear diverse requirements to the authentication of users. This new article explains the various possibilities on how Bluemix users are managed and authenticated. The authentication covered in this article focuses on users of the Bluemix platform, i.e., developers, administrators, or operators. Applications running on top of Bluemix can use any authentication method that is appropriate for the application’s purpose.
Jeroen Tiggelman posted a sum
The new checks are centered around CA-ACF2 data set related controls.
An overview of all available compliance controls can be found in an updated technote.
You might also be interested in rece
Latest in dW Security: Play in the brand new sandbox and create a machine-learning, security front end
If you haven't checked it out yet, make sure to read the two newest articles on developerWorks Security:
Another tutorial we recently published, Crea
This provides service for new DB2 region security settings, new SMF log event records, and a new DB2 object privilege.
You can find technical details on the Service Management Connect - System z blog, in this entry.
The IBM Security zSecure team published a service stream enhancement (SSE) providing this Access Monitor data feed on March 30, 2017.
The IBM Operations Analytics for z Systems team published Insight Pack 3 providing the capability to interpret the data feed on March 29, 2017.
Technical details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
Increasing demand from today’s employees for a flexible experience that affords them the option to use the mobile technology of their choosing has disrupted traditional approaches to IT management and security.As a first response, it’s not uncommon for companies to launch brin
Join guest speaker, Forrester Senior Analyst Chris Sherman, and IBM MaaS360 portfolio marketing leader, Jonathan Dale as they share best practices for securing and empowering your mobile workforce.
You will learn:
Rolling out large enterprise software across any organization requires a smart infrastructure plan and an eye towards future scalability if the deployment is going to be a success. With IBM BigFix Software, there are some specific challenges that need to be met when designing a deployment from a performance perspective. Here is how one team within IBM faced a performance challenge and solved it using a smart infrastructure plan.
Read the full paper by authors Shaun T. Kelley and Mark Leitch:
It provides security intelligence and analytics improvements:
* a near real-time SMF event feed to IBM Security QRadar SIEM
* a zSecure Admin Access Monitor feed to zSecure Alert
* performance and scalability improvements
It extends support for these security standards:
* Security Technical Implementation Guide (STIG) 6.29
* Payment Card Industry Data Security Standard (PCI-DSS) 3.2
It provides currency support for:
* CA-ACF2 16 and CA-Top Secret 16
* MQ 9
* Service stream security enhancements for z/OS and RACF
Details can be found on Service Management Connect - System z in this blog entry by Jeroen Tiggelman.
z/VM V6R4 was announced on October 25, 2016 with a planned availability date of November 11, 2016.
A summary of the toleration fixes that have been made available for zSecure can be found on the Service Management Connect - System z blog.
They apply to zSecure Manager for RACF z/VM 1.11.1 and 1.11.2, and to zSecure for z/OS 2.1.0, 2.1.1, and 2.2.0.
Subject matter experts will be available to answer your questions, which you can ask through web chat during the presentation. You can also submit them in advance at this URL.
You might also be interested in this
This integration also applies to the zSecure Adapters for QRadar SIEM. The complementary integration with zSecure Alert will be briefly mentioned.
This SSE for zSecure 2.2 provides the following benefits:
- filter commands to quickly zoom in to records of interest
- fast navigation to jump to RACF user and group details
- quick admin capability for TSO and UNIX properties
- enhanced e-mail configuration
- ability to configure large buffers 'above the bar' (64-bit exploitation)
These changes apply to one or more of the following components: zSecure Admin, zSecure Audit, and zSecure Alert.
Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
On October 1, 2015 IBM issued a Statement of Direction about providing 64-bit addressing support in IBM Security zSecure. This support has now become available as a Service Stream Enhancement (SSE) to zSecure 2.2.0.
64-bit addressing allows the use of memory above the 2GB "bar" implied by addresses consisting of only 31 bits. Besides allowing the program to store and retrieve larger amounts of data, this also frees up memory "below the bar" that can be used by (other) 31-bit addressing programs.
Typical functions in zSecure that benefit from having a lot of memory available include
- processing very large numbers of events from the SMF event log, e.g. as sent on to IBM Security QRadar SIEM;
- analyzing data for many security databases and LPARs at the same time;
- rule-based compliance analysis based on many underlying technical reports;
- analyzing large intervals (possibly a year or more) of access use data, e.g. to identify obsolete permissions.
The SSE also includes enhancements to 31-bit addressing support. Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
The changes apply to all components of zSecure for z/OS except for zSecure CICS Toolkit and zSecure Command Verifier. For the full benefits a z196 or newer hardware is required.
On February 16, 2016 IBM announced authentication enhancements for z Systems, including a new product IBM Multi-Factor Authentication for z/OS (5655-162), with a planned availability date of March 25, 2016.
IBM z/OS Security Server Resource Access Control Facility (RACF) provided enabling infrastructure updates for z/OS V2R1 and V2R2.
IBM Security zSecure suite provided supporting updates for zSecure 2.1, 2.1.1, and 2.2.
Multi-Factor Authentication raises the level of assurance of mission-critical systems by requiring authentication with multiple factors during the logon process.
Each authentication factor must be from a separate category of credential types:
1) Something you know (e.g. a password or PIN code),
2) Something you have (e.g. an ID badge or a cryptographic key),
3) Something you are (e.g. a fingerprint or other biometric data).
More details can be located through this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
You might also be interested in the zSec
IBM Security Guardium® leads the way in providing a monitoring and auditing solution for NoSQL database systems. In this article by Kathryn Zeidenstein and Sundari Voruganti, the authors provide an overview of one popular NoSQL database, Apache Cassandra, and explain how and why Guardium can help organizations protect Cassandra data and automate compliance reporting and sign-offs. This article includes detailed instructions and a sample security policy to help you configure Guardium and extract value immediately.