Originally published in The Connection September – October 2016 pg. 19
Andrew Price > VP Technology > XYPRO Technology
Wendy Bartlett > Distinguished Technologist > HPE
XYGATE User Authentication (XUA) supports PCI DSS Multi Factor Authentication (MFA) requirement.
The Payments Card Industry Data Security Standard (PCI DSS) version 3.2 has recently been published.  The previous version, 3.1, expired on Oct 31, 2016, at which time all new assessments must use PCI DSS 3.2.  New requirements are considered best practices until Jan 31, 2018, at which point the new requirements become fully effective.
One of the main areas that has changed in scope from 3.1 to 3.2 is the requirement for Multi Factor Authentication (MFA).  As of 3.2, MFA is required for all non-console administrative access to the Cardholder Data Environment (CDE).  Simply put, and in NonStop terms, anyone who has access to the CDE (NonStop systems or applications) from anywhere other than the NonStop System Console is now required to be authenticated using MFA.
The good news is that many NonStop Security Administrators should be able to implement MFA using the tools they already have.
XYGATE User Authentication (XUA) has been included on all commercial NonStop Blade Servers shipped since September 2013. Others may order it separately using the PID QSN52 or QSN52U. XUA integrates NonStop authentication with a variety of off board authentication mechanisms, including Active Directory, LDAP, RADIUS and RSA SecurID.  When configured correctly, these can provide MFA support, addressing the 3.2 requirement for all command line (TACL and OSS) based access “out of the box”.
Application-level MFA can also be achieved in a Safeguard environment with XUA configured if the application already authenticates its users by calling USER_AUTHENTICATE_ or is changed to do so. The call to USER_AUTHENTICATE_ will invoke XUA automatically, which will perform MFA.  Applications that have their own User store may need slightly more work, but can likely be modified to call USER_AUTHENTICATE_ to invoke XUA, rather than consulting their own User store for authentication.
To learn more about XUA, and to take advantage of a solution that you probably have access to already, click here, or contact your HPE or XYPRO account rep.
Andrew Price
VP Technology
XYPRO Technology
Wendy Bartlett
Distinguished Technologist
Hewlett Packard Enterprise
HPE NonStop Security