Although CyberArk supports multi-factor authentication (to/with CyberArk), if you configure RACF (or your other z/OS ESM) to trust CyberArk fully then there’s no multi-factor authentication to/with z/OS or any applications running on z/OS. And that means that if CyberArk is ever compromised it’s “game over.”(*) To their partial credit CyberArk emphasizes the importance of keeping the CyberArk server (which runs on Microsoft Windows) secure, but I think you have to assume the worst, that any/every single system could be compromised. Consequently if you have CyberArk managing RACF passwords/passphrases that’s probably fine provided you also still challenge the user to provide a second factor when authenticating with RACF — in their TSO/E sign-on, as one example. And that second factor provider might be the same second factor provider that you use when you authenticate with CyberArk, but it’s still a second factor outside of both CyberArk and RACF.
“Quis custodiet ipsos custodes?” Unfortunately I’ve seen a lot of examples of mainframe shops effectively shutting off RACF. They configure RACF to delegate all or most authentication and authorization decisions to something else, some singleton (in security terms). And that’s bad, often really bad. It’s OK or even better than OK for your z/OS ESM to work *collaboratively* with other security providers to achieve more secure outcomes — and with more convenience and manageability, such as identity management/governance across an enterprise. But don’t effectively disable RACF! RACF (and other z/OS ESMs) have unique security domain expertise, and they need to be meaningfully “in the loop” if you’re ever going to achieve even reasonably secure outcomes.

As a reminder, my views are my own.

(*) Think about it this way. Imagine somebody walks into a bank branch and demands a $1 million withdrawal from a bank account. It’s an account that’s set up as a joint account, and the account requires two individuals to sign off. The bank teller asks, “Where’s the other account holder? We need her authorization, too.” And the person says, “She told me it’s OK. Take my word for it.” That’s what’s going on here if you misconfigure z/OS RACF with CyberArk. You might be authenticating with CyberArk using a second factor, and that’s great. But when you go to the bank (RACF) is it good enough to assert that your “buddy” said it’s OK? No, it really isn’t. RACF should be checking directly with your buddy, too. Now that you know, go fix this exposure if you have it.

—————
Timothy Sipples
Senior Architect Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]
