Bernhard - GTUG May 2019 Final External


Integration of HPE NonStop into Enterprise IT Environments - 3 Case Studies
Helmut Bernhard – Sr. Solutions Architect
Böblingen, 9 May 2019
Agenda

NSGit – Successful project setup

NonStop integration into enterprise MFA, IAM and break-glass processes

SecurDPS Enterprise Tokenization REST-API


What is NSGit all about?
• NSGit is the Guardian plugin that talks to git on OSS, the gateway to the open (development) world
• NSGit frees NonStop development from its current island/castle existence
• Security is strengthened in concrete ways:
• No remote passwords
• Separation and decoupling of the different environments, synchronised via SSH
• "Evidence of origin": compliance metrics are met because changes in all environments are monitored and detected conveniently and exhaustively
Positioning NSGit
> NSGit is a GUARDIAN front-end client that integrates HPE NonStop into an Open Systems git environment
> git-like interface from TACL
> Dual-mode files:
> File name equivalence between OSS formats and GUARDIAN
> Pattern-based and direct name mapping
> Support for native and code 100 objects, ENSCRIBE structured files, DDL dictionary distribution, POBJ distribution, file attribute preservation
> NSGit is not a standalone NonStop version management system. It works on top of the Open System environment. OSS hierarchies map to multiple subvolumes
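The dual-mode name equivalence above is where most "pull into production" accidents come from, so here is an added illustration of the mapping and its guard rails. It is not NSGit's code: Guardian's $VOL.SUBVOL.FILE rule (volume '$' plus up to 7 alphanumerics, subvolume and file up to 8, each starting with a letter, case-insensitive) and the OSS /G path form are real; the directory-to-subvolume table and the "drop the extension" convention are assumptions made for the example. The point a practitioner cares about is the collision check: two OSS files that would land on one Guardian name must be refused, never silently truncated.

```python
"""Dual-mode name mapping between Guardian and the OSS /G filesystem.

Added example, not NSGit's own mapping code. Guardian names: $VOL.SUBVOL.FILE.
OSS exposes the same file as /G/vol/subvol/file. A git working tree is mapped
one directory per subvolume; names that do not fit Guardian's rules, and two
paths that would collide on one Guardian name, raise ValueError instead of
being truncated. Directory table and extension handling are constructed
conventions for this example.
"""
import re
from typing import Dict, Iterable

VOLUME = re.compile(r"^\$[A-Za-z][A-Za-z0-9]{0,6}$")
PART = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,7}$")      # subvolume or file name


def guardian_to_oss(name: str) -> str:
    """$DATA01.REPO.SERVER -> /G/data01/repo/server"""
    parts = name.split(".")
    if len(parts) != 3 or not VOLUME.match(parts[0]) or not all(PART.match(p) for p in parts[1:]):
        raise ValueError(f"not a fully qualified Guardian file name: {name!r}")
    vol, subvol, fname = parts
    return f"/G/{vol[1:].lower()}/{subvol.lower()}/{fname.lower()}"


def oss_to_guardian(path: str) -> str:
    """/G/data01/repo/server -> $DATA01.REPO.SERVER"""
    parts = path.split("/")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "G":
        raise ValueError(f"not a /G path: {path!r}")
    vol, subvol, fname = parts[2:]
    guardian = f"${vol.upper()}.{subvol.upper()}.{fname.upper()}"
    guardian_to_oss(guardian)          # re-validate the component rules
    return guardian


class RepoMapping:
    """Pattern-based mapping of a git working tree onto Guardian subvolumes."""

    def __init__(self, volume: str, dir_to_subvol: Dict[str, str]):
        if not VOLUME.match(volume):
            raise ValueError(f"bad volume {volume!r}")
        self.volume = volume.upper()
        self.dir_to_subvol = {d: s.upper() for d, s in dir_to_subvol.items()}

    def guardian_name(self, rel_path: str) -> str:
        directory, _, filename = rel_path.rpartition("/")
        subvol = self.dir_to_subvol.get(directory)
        if subvol is None:
            raise ValueError(f"no subvolume mapped for directory {directory!r}")
        stem = filename.split(".", 1)[0]     # constructed convention: drop the extension
        if not PART.match(stem):
            raise ValueError(f"{rel_path!r}: {stem!r} is not a valid Guardian file name")
        return f"{self.volume}.{subvol}.{stem.upper()}"

    def map_tree(self, rel_paths: Iterable[str]) -> Dict[str, str]:
        """Map every path; refuse the whole tree if two paths collide on one Guardian name."""
        result, owners = {}, {}
        for rel in sorted(rel_paths):
            g = self.guardian_name(rel)
            if g in owners:
                raise ValueError(f"collision: {rel!r} and {owners[g]!r} both map to {g}")
            owners[g] = rel
            result[rel] = g
        return result


def rejects(func, *args) -> bool:
    """True if func(*args) raises ValueError; used to exercise the guard rails."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    m = RepoMapping("$DATA01", {"": "REPO", "src": "SRC", "obj": "OBJ"})
    print(m.map_tree(["src/server.c", "obj/server", "README"]))
    print(rejects(m.map_tree, ["src/server.c", "src/server.h"]))   # True: collision
```

Note how `src/server.c` and `src/server.h` collide once the extension is dropped; a mapping that truncates instead of refusing would let whichever file is pulled last overwrite the other on the Guardian side.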
PCI related requirements

Risk of unsecured data is unacceptable

Code must never access, modify, or transmit data inappropriately
All installed code must be specific in its purpose
No installed code may do anything outside of its requirements

SWIFT adds Detect and Respond to PCI compliance

Identification of what should be installed where
Clear evidence of where changes originate
Only allow change access to identified, authorised actors
Maintain complete audit trails of all changes in all environments
Remove manual processes (they cannot be audited)
Positioning git
>Git is the leading DVCS – Distributed Version Control System
> Widely accepted and used in colleges, universities, small and large corporations, and
Open Source projects
> Code can move from development to production and back with full audit
> Supports projects with thousands of participants
> Authenticated signatures with GPG
> Many non-proprietary security options for customers
> Integration with:
> Build automation (Jenkins)
> Code review systems (Gerrit)
> and much more (GitHub, Stash/Bitbucket)
Why Git for NonStop?
> Any decent VCS product supports basic versioning
> ITUGLIB has ported CVS, RCS, Git
> Customers have Control, RMS/PrimeCode, ClearCase, and others
> On the surface, Git is yet another version control system… but NSGit brings:
> Support for GUARDIAN EDIT, object, data, structured and unstructured files
> Preservation of GUARDIAN file codes, extents, and structure
> Builds added to history including GUARDIAN artifacts
> Release packages that include metadata to deploy exactly what was built
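"Deploy exactly what was built", together with the SWIFT/PCI points above (identification of what should be installed where, evidence of origin, no installed code outside of requirements), reduces to one mechanism: a manifest produced at build time and checked at install time. The following is an added example of that mechanism, not NSGit's or comforte's release-package format; the sample tree, commit id, builder name and the Guardian file codes carried as metadata are constructed for the illustration (101 is the EDIT file code, 100 the object code named on this page).

```python
"""Build-time release manifest and install-time verification.

Added example, not NSGit's or comforte's code. The build records origin
metadata and a SHA-256 per artifact; the installed tree is checked against
that record and every deviation is reported as MODIFIED, MISSING or
UNEXPECTED. Guardian attributes ride along as metadata (file codes here are
constructed). Sample files, commit id and builder are constructed values.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root: str) -> Dict[str, str]:
    """relative path -> absolute path for every regular file under root"""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found


def build_manifest(root: str, origin: Dict[str, str], attrs: Dict[str, dict]) -> dict:
    files = {rel: {"sha256": sha256_file(full), "size": os.path.getsize(full),
                   "attrs": attrs.get(rel, {})}
             for rel, full in sorted(walk(root).items())}
    return {"origin": origin, "files": files}


def verify_install(root: str, manifest: dict) -> List[str]:
    """Empty list = installed tree is byte-identical to the build. UNEXPECTED is
    the finding most checkers forget: an extra file is installed code outside
    of requirements, even if every listed file is intact."""
    expected, installed = manifest["files"], walk(root)
    findings = []
    for rel, full in installed.items():
        if rel not in expected:
            findings.append(f"UNEXPECTED {rel}")
        elif sha256_file(full) != expected[rel]["sha256"]:
            findings.append(f"MODIFIED {rel}")
    findings += [f"MISSING {rel}" for rel in expected if rel not in installed]
    return sorted(findings)


def write_tree(root: str, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> Tuple[List[str], List[str]]:
    """Returns (findings for a faithful install, findings after tampering)."""
    release = {                                       # constructed sample release
        "src/main.c": b"int main(void) { return 0; }\n",
        "obj/server": b"\x7fELF-constructed-object\n",
        "ddl/cust.ddl": b"RECORD cust. 02 id PIC 9(8). END\n",
    }
    attrs = {"obj/server": {"file_code": 100}, "src/main.c": {"file_code": 101}}
    with tempfile.TemporaryDirectory() as build, tempfile.TemporaryDirectory() as prod:
        write_tree(build, release)
        manifest = build_manifest(build, {"commit": "0123abcd", "builder": "jenkins-nsgit"}, attrs)
        packaged = json.loads(json.dumps(manifest, sort_keys=True))   # travels with the package

        write_tree(prod, release)                     # faithful install
        clean = verify_install(prod, packaged)

        write_tree(prod, {"src/main.c": b"int main(void) { return 1; }\n",   # edited in place
                          "obj/backdoor": b"not in the release\n"})          # dropped in by hand
        os.remove(os.path.join(prod, "ddl", "cust.ddl"))                     # removed
        tampered = verify_install(prod, packaged)
    return clean, tampered


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

The manifest is a plain JSON document, so it can be committed next to the release in git and signed like any other commit; the verification step is what turns "pull = installation" into an auditable event rather than a manual copy.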
Why Git for NonStop? (cont.)
> Key reasons why customers should choose Git:
> Code transport is the key:
> Packaging from vendors
> Receiving at customer sites
> Merging in customizations
> Pull changes into production = installation
> Push changes back to development for in situ bug-fixes
NSGit - Fundamental Technology Benefits
> Git, and all that it brings, including:
> Software transport
> Vendor desk to customer production audit and accountability
> Retrofit bug fixes as far back as needed
> GUARDIAN file system support
> Dual-mode for files and directories
> Reconstituting and diff of GUARDIAN attributes
> Release packaging of GUARDIAN files in Git
> Independent of Git versions
> Fully backed by Git repositories
> Git is the standard VCS skill for new hires
NSGit Architecture
[Architecture diagram. GUARDIAN side: a TACL session drives the nsgit object (with online help), which reaches the OSS side through osstty. OSS side: git, OpenSSH, libcurl and OpenSSL. The GUARDIAN subvolume you work in (e.g. $data01.repo.*) is paired with an OSS working index (e.g. /home/myuser/repo) plus NSGit metadata, kept in automatic sync; the Git repository (e.g. /home/randall/repo/.git) is reached over NonStop SSH, with http as a further transport.]
The project "voodoo" setup to be avoided

• If the project setup points below are ignored, a voodoo project setup is the most probable outcome
• As outlined before, this project needs a cooperative setup to succeed
• Git knowledge is a MUST (git has a large user community)
• DevOps experience is needed for a larger/more sophisticated setup (e.g. full automation via Jenkins)
• No holy "legacy" cows (e.g. MLF – Multi Level Fix), i.e. nothing that jeopardises the end-to-end approach needed for compliance reasons
• The comforte part can only cover approx. 10-30 % of the estimated project resources/tasks
NSGit advantages in a true DevOps environment (e.g. Jenkins, Nexus, etc.)
• These different roles and knowledge sets need to be understood to make NSGit in a DevOps environment successful:
• NSGit – GUARDIAN bridge for git
• git – the repository manager
• Enterprise Git Server – holds the main
repository
• Jenkins – runs jobs
• Jenkins Git Plugin – detects changes in git
• Jenkins NSGit Plugin – Runs NSGit activities
• NEXUS – the archive
• Ansible – the deployment manager
NonStop integration into enterprise MFA, IAM/PAM and break-glass processes

• Starting point from an enterprise compliance standpoint:
• MFA should be done in the base network
• IAM/PAM is mainly about locking "root" or "admin" credentials up in a central directory (sometimes additionally in a hardened vault such as Centrify, CyberArk, etc.) and tightly controlling access to them, so as to increase assurance
• A "break glass" scenario is needed for emergency access
• Implementation option from comforte:
• No NonStop-specific solution, development, risk, etc.: public-key cryptography plus a trusted third party interface, i.e. AD via Kerberos. (Kerberos itself, RFC 4120, is a symmetric-key protocol; the asymmetric part enters only where the Windows logon uses certificate or smart-card authentication, PKINIT, or where SSH public keys secure the hop to NonStop. The deck does not say which of the two is meant, so check this with the vendor before relying on it for a compliance argument.)

[Diagram: 1. Log on to Windows. 2. Log on to NonStop without being prompted for user name and password. Components: a Windows PC running MR-Win6530 or another compliant emulator; a Microsoft Active Directory server with policies (e.g. IIQ, Centrify, etc.); a NonStop system running HPE NonStop SSH.]
SecurDPS Enterprise Tokenization – WHY?

[Diagram: ring of conventional security domains: Endpoint & Mobile Protection, Network & Gateway Defense, Security Monitoring & Operations, Threat & Vulnerability Mgmt, Cloud Security, Application Security.]

These measures only protect you against known attack methods. So, even with all these defenses in place, it is not possible to prevent breaches.

THE ONLY SOLUTION IS TO PROTECT THE DATA ITSELF AND NOT JUST THE PERIMETER AROUND IT

[Diagram: the same ring of domains, now around DATA PROTECTION at the centre.]

"Data is a pervasive critical asset that crosses traditional silo boundaries on-premises and in the cloud. This requires a data-centric security strategy that prioritizes datasets and mitigates evolving business risks such as regulatory compliance and threats from hacking, fraud and ransomware."
Gartner, July 2017
SOLID ARCHITECTURE YOU CAN RELY ON – COMFORTE DATA PROTECTION CLUSTER

[Diagram: enterprise applications (EA) call into a cluster of protection nodes (PN); a management console (MC) and an audit console (AC) sit beside the cluster. Legend: PN = Protection Node, EA = Enterprise Application, AC = Audit Console, MC = Management Console.]

Management Console (MC) configures the SDF (configuration file) and generates the token tables. The MC can be stopped after cluster startup.
Audit Console (AC) creates a solid audit trail and allows real-time insights into key questions around enterprise data protection.
Cluster of Protection Nodes (PN): the PNs monitor/restart each other. Failure of a single Protection Node (PN) has no impact on the enterprise application (EA), as another PN automatically takes over.
SDF, token tables and endpoint authentication data are loaded into each PN.
In environments with HPE NonStop systems, a NonStop system can run as MC and/or PN.
SecurDPS Enterprise Tokenization REST API

• The SecurDPS Enterprise REST API provides the ability to consume the protection services of the SecurDPS Enterprise Protection Cluster via a standard REST interface.
• This is on top of our intercepting and API protocol suites (a customer use case will be presented at ETC next week)
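The cluster slides above describe the division of labour (MC generates token tables, PNs hold them plus endpoint authentication data, applications only ever see tokens) but not the construction. The following is an added example of stateless, table-driven tokenization that exhibits those properties; it is not comforte's algorithm, which this page does not describe, and a chained per-digit substitution is far weaker than a production construction. The seed, the registered endpoint ids and the PAN are constructed values; a real node would receive its tables and endpoint data from the MC.

```python
"""Stateless, table-driven tokenization of a card number.

Added illustration, not comforte's algorithm. Token tables are derived once
from a secret the protection node holds; the calling endpoint must be
registered; the token keeps the format (16 digits in, 16 out, first six and
last four in clear so routing and display keep working); the same PAN always
yields the same token, so databases keep joining on it without ever storing
the PAN. Seed, endpoint ids and PAN are constructed values.
"""
import hashlib
import hmac
from typing import List, Set, Tuple

DIGITS = "0123456789"


def derive_tables(seed: bytes, count: int = 10) -> Tuple[List[str], List[str]]:
    """count digit permutations (and their inverses) from seed: HMAC-SHA256
    output drives a Fisher-Yates shuffle. Deterministic, so two nodes loaded
    with the same seed produce identical tables (what lets a second PN take
    over transparently)."""
    tables, inverses = [], []
    for k in range(count):
        rnd = hmac.new(seed, f"token-table-{k}".encode(), hashlib.sha256).digest()
        digits = list(DIGITS)
        for i in range(9, 0, -1):          # bytes 1..9 of the HMAC pick the swap partner
            j = rnd[i] % (i + 1)
            digits[i], digits[j] = digits[j], digits[i]
        table = "".join(digits)
        inverse = [""] * 10
        for src, dst in enumerate(table):
            inverse[int(dst)] = DIGITS[src]
        tables.append(table)
        inverses.append("".join(inverse))
    return tables, inverses


class ProtectionNode:
    def __init__(self, seed: bytes, allowed_clients: Set[str], head: int = 6, tail: int = 4):
        self.tables, self.inverses = derive_tables(seed)
        self.allowed = set(allowed_clients)      # stands in for 'endpoint authentication data'
        self.head, self.tail = head, tail

    def _split(self, client_id: str, value: str) -> Tuple[str, str, str]:
        if client_id not in self.allowed:
            raise PermissionError(f"endpoint {client_id!r} is not registered with this node")
        if not value.isdigit() or len(value) <= self.head + self.tail:
            raise ValueError("expected an all-digit value longer than head+tail")
        return value[:self.head], value[self.head:len(value) - self.tail], value[-self.tail:]

    def protect(self, client_id: str, pan: str) -> str:
        """Each middle digit goes through the table selected by the previous
        *token* digit, so later token digits also depend on earlier clear digits."""
        head, mid, tail = self._split(client_id, pan)
        out, prev = [], 0
        for d in mid:
            t = self.tables[prev][int(d)]
            out.append(t)
            prev = int(t)
        return head + "".join(out) + tail

    def reveal(self, client_id: str, token: str) -> str:
        head, mid, tail = self._split(client_id, token)
        out, prev = [], 0
        for t in mid:
            out.append(self.inverses[prev][int(t)])
            prev = int(t)
        return head + "".join(out) + tail


SEED = bytes.fromhex("3f1c9a0e5b7d2c4e8a6f0b1d3e5c7a9b")   # constructed; a real node loads it from the MC
PAN = "4111111111111111"                                  # constructed test number


def endpoint_allowed(node: ProtectionNode, client_id: str) -> bool:
    """True if the node serves this endpoint; shows the authentication gate."""
    try:
        node.protect(client_id, PAN)
        return True
    except PermissionError:
        return False


def demo() -> Tuple[str, str]:
    node = ProtectionNode(SEED, {"pos-app"})
    token = node.protect("pos-app", PAN)
    return token, node.reveal("pos-app", token)


if __name__ == "__main__":
    token, recovered = demo()
    print(token, recovered, endpoint_allowed(ProtectionNode(SEED, {"pos-app"}), "rogue"))
```

Two design points carry over to any real deployment: the application gets a token back and never the table material, so the blast radius of a compromised application host is the tokens it can see, not the PANs; and because tokenization is deterministic and keyed only by node-side state, a second PN built from the same tables is a drop-in replacement, which is what the "another PN automatically takes over" slide relies on.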
For More Information
• Contact comforte sales
• Come see us at the booth

Thank You!

Helmut Bernhard
Sr. Solutions Architect
+49-171-6949285
h.bernhard@comforte.com
