The Evolution of ESP
If you have Extra-Sensory Perception, then you’ll know that the ESP I’m talking about here is Enhanced Security Profiles. More specifically, it’s Enhanced Security Profiles for OS 2200, a service introduced about eight years ago by the Unisys USA Client Support Center. ESP gives you the ability to enforce virtually any OS 2200 password rules you want for TIP Session Control, Demand, and Business Information Server (BIS) logons.
For example, ESP can enforce any of these requirements that might be part of your company’s password policy:
- Minimum and maximum password length (up to 32)
- Minimum number of
  - Alphabetic characters
  - Upper case characters
  - Lower case characters
  - Numeric characters
  - Special characters
  - Character groups
- Sequence controls on the use of
  - Repeated characters
  - Sequential characters (e.g., 34567, cdefg)
  - Keyboard sequences (e.g., qwerty, zxcv)
- Password reuse control
  - Number of previous passwords that cannot be reused
  - Password reuse expiration
- Variance controls – how different a new password must be from
  - The user-id
  - The current password
  - Personal information in the user-id security record
- String controls
  - Dictionary of words that may not be in the password (forward or reverse)
You can also display the password strength when a user enters a password and give the user the option to use that one or try again.
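The rule families above (length and character-class minimums, repeated, sequential and keyboard runs, reuse history, variance from the user-id and current password, personal information, and a forward-or-reverse dictionary) plus the strength display all reduce to string checks. The following is an added example, not Unisys code: ESP and CPP apply their rules inside the OS 2200 authentication module, which this page does not show, so this is a stand-alone Python checker that applies the same kinds of rules to constructed sample passwords. The thresholds, the QWERTY row table, the sample dictionary, the user-id `jdoe` and the entropy-based strength label are assumptions.

```python
# Added example, not Unisys code: ESP/CPP apply rules like these inside the OS 2200
# authentication module, which this page does not show. Thresholds, the QWERTY row
# table, the sample dictionary and the user-id below are assumptions.
import math
import string
from dataclasses import dataclass

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed US layout

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 32          # OS 2200 passwords are at most 32 characters
    min_alpha: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    min_char_groups: int = 3      # of upper / lower / numeric / special
    max_repeat_run: int = 2       # "aa" allowed, "aaa" rejected
    max_sequence_run: int = 3     # "abc" allowed, "abcd" / "4321" rejected
    max_keyboard_run: int = 3     # "qwe" allowed, "qwer" rejected
    history_depth: int = 5        # previous passwords that may not be reused
    min_distance: int = 4         # edit distance required from user-id / current password
    dictionary: frozenset = frozenset({"password", "welcome", "secret"})

def longest_run(pw: str, step: int) -> int:
    """Longest run whose adjacent code points differ by `step` (case-folded):
    0 finds repeats (aaa), +1 / -1 find ascending / descending sequences (34567, gfedc)."""
    low, best, run = pw.lower(), (1 if pw else 0), 1
    for prev, cur in zip(low, low[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best

def longest_keyboard_run(pw: str) -> int:
    """Longest substring that walks along one keyboard row in either direction (qwerty, vcxz)."""
    low, best = pw.lower(), (1 if pw else 0)
    for row in KEYBOARD_ROWS:
        for source in (row, row[::-1]):
            for length in range(best + 1, len(low) + 1):
                if not any(low[i:i + length] in source for i in range(len(low) - length + 1)):
                    break
                best = length
    return best

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for the variance rules."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strength_label(pw: str) -> tuple:
    """Rough entropy estimate (bits) and label to show before 'use this one or try again'."""
    groups = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
              (lambda c: c in string.punctuation, len(string.punctuation)))
    pool = sum(size for test, size in groups if any(test(c) for c in pw))
    bits = len(pw) * math.log2(pool) if pool else 0.0
    return round(bits, 1), "weak" if bits < 40 else "fair" if bits < 72 else "strong"

def validate(pw, user_id, current="", history=(), personal_info=(), policy=PasswordPolicy()):
    """Return the rule violations for a candidate password; an empty list means acceptable."""
    p, low, errors = policy, pw.lower(), []
    counts = {"alphabetic": sum(c.isalpha() for c in pw), "upper case": sum(c.isupper() for c in pw),
              "lower case": sum(c.islower() for c in pw), "numeric": sum(c.isdigit() for c in pw),
              "special": sum(c in string.punctuation for c in pw)}
    if not p.min_length <= len(pw) <= p.max_length:
        errors.append(f"length must be {p.min_length}-{p.max_length}")
    minimums = (p.min_alpha, p.min_upper, p.min_lower, p.min_digits, p.min_special)
    errors += [f"needs at least {need} {name} character(s)"
               for (name, n), need in zip(counts.items(), minimums) if n < need]
    if sum(n > 0 for name, n in counts.items() if name != "alphabetic") < p.min_char_groups:
        errors.append(f"needs characters from at least {p.min_char_groups} groups")
    runs = ((longest_run(pw, 0), p.max_repeat_run, "too many repeated characters"),
            (max(longest_run(pw, 1), longest_run(pw, -1)), p.max_sequence_run, "contains a sequential run"),
            (longest_keyboard_run(pw), p.max_keyboard_run, "contains a keyboard sequence"))
    errors += [msg for run, limit, msg in runs if run > limit]
    if low in {h.lower() for h in list(history)[-p.history_depth:]}:
        errors.append(f"reuses one of the last {p.history_depth} passwords")
    for label, value in (("user-id", user_id), ("current password", current)):
        if value and (value.lower() in low or levenshtein(low, value.lower()) < p.min_distance):
            errors.append(f"too similar to the {label}")
    if any(item and item.lower() in low for item in personal_info):
        errors.append("contains personal information from the security record")
    if hits := sorted(w for w in p.dictionary if w in low or w[::-1] in low):  # forward or reverse
        errors.append("contains dictionary word(s): " + ", ".join(hits))
    return errors

if __name__ == "__main__":
    for candidate in ("Password1!", "Qwerty12!x", "Tr1ck-Veg3tab1e"):  # constructed sample inputs
        print(f"{candidate:18} {strength_label(candidate)} {validate(candidate, 'jdoe') or 'OK'}")
```

Two points worth noticing when running it: the entropy estimate rates `Password1!` as "fair" on character classes alone, yet the dictionary rule rejects it, which is why a strength meter is only a hint and the policy rules still decide; and the reverse-dictionary and keyboard-row checks catch `drowssap` and `poiuy` just as they catch the forward forms.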
ESP enforces the password policy using a custom Authentication Module that plugs into the OS 2200 User Authentication product (called FLEX for short, based on its original name: Flexible User Authentication).
Several of the early adopters of ESP used it to make their OS 2200 password policy comply with requirements from the Payment Card Industry Data Security Standard – requirements that cannot be met with standard Exec password enforcement.
ESP evolved in response to the requirements of the clients who subscribed to the service, extending it beyond password syntax and reuse tracking to a choice of lifecycle policies and operational settings. Here are a few of the options:
- Inhibit individual users from logging on during certain times of day and days of the week.
- Solicit twice for a new password and make sure the two values match.
- Specify how long, in hours, a password set by an administrator remains valid. If the user does not sign on within that window, an administrator must reset the password again before the user can sign on.
- Allow users to reset their own passwords. ESP can let a user reset a forgotten password after correctly answering a configured number of personal questions whose answers the user entered earlier.
ClearPath OS 2200 Release 15 includes the next step in the evolution of ESP. In this release, the features of the ESP service have been incorporated into Configured Password Profiles (CPP). CPP is delivered as Authentication Module 19 (AM19) with FLEX, and its administrative interface is part of Apex, a new product introduced in Release 15.
From a business standpoint, the most significant difference between ESP and CPP is that CPP is now a standard product release, not a custom service. The ESP design and code became the starting point for CPP, with license management code removed; CPP support follows the same processes as the rest of Release 15. Furthermore, when your password policy changes, instead of contacting the Client Support Center to make changes to your ESP configuration, your own administrator makes changes to the CPP configuration using Apex. Current ESP users can use ESP and CPP concurrently as they make the transition to CPP.
By offering Configured Password Profiles as a standard product, we hope to increase awareness of this powerful feature set while boosting the security capabilities of the standard ClearPath OS 2200 release.
For more information about Configured Password Profiles, refer to the ClearPath OS 2200 User Authentication Administration Guide (7850 4586–008) and the ClearPath OS 2200 Apex Help (8207 4154).