Mainframe Security | Access Control


Mainframe access control is important; Top Secret, ACF2 or RACF security for z/OS is a great start, but more is needed. Learn why here and supplement your organization’s protection.


Controlling access to any system is extremely important, but mainframe access control is crucial. Without maintaining control over who accesses the system, there’s no point in attempting any other mainframe security efforts. The big three security servers, CA ACF2™, Top Secret® and RACF®, can keep a system fairly secure. However, there’s more work to be done beyond simply implementing a RACF security server for a mainframe. Focused on a variety of topics, these articles will help secure a system’s access in one way or another.

 

The Score on Defending Your Endpoints: The Latest Way Attackers Are Entering Your Network

This is a short and to-the-point article that provides some of the methods attackers are using to enter (or at least attempting to enter) your network. Finding and identifying any weak points is an extremely important part of any security plan. This should be revisited often; this piece may help you do just that.

The Score on Defending Your Endpoints: The Latest Way Attackers Are Entering Your Network by Jeff Multz

 

Protecting Data is Crucial as Your Business Connects to New Access Points

Data is as vulnerable as it’s ever been. One of the reasons is the focus of this article: more brand new access points within an organization. As technologies have evolved, so too have access points and connections within networks; in today’s organizations, more people have access to different components. Whenever there are more access points and more people accessing the network and data, there’s more potential for something to go wrong or for nefarious folks to gain access to critical data. Mainframes are vulnerable too; “over the last five years, the cost of data loss has increased by 68%.”

“With the growing number of access points, users and permissions, safety and security are critical. Most businesses have some means of being notified when sensitive information is breached, but being notified of an attack after it occurs can expose customer information and involve complex recovery measures—in addition to costly compliance regulatory penalty fines and loss of reputation. To stay truly protected, organizations must step away from the traditional approach of reactive governance and compliance and embrace a proactive stance of risk management.” This proactive approach must include monitoring software and other security solutions.

Protecting Data is Crucial as Your Business Connects to New Access Points by Glinda Cummings

 

Automating the Cleanup of Your Security Database

This article is focused on keeping a secure and clean security database to keep unwanted hackers and outdated users from accessing the database. Keeping access to the security databases limited to authorized users only is paramount for absolute mainframe security. Mr. Segreti says, “when we talk about security databases, we’re mostly referring to the databases used by security products that secure the IBM z/OS mainframe. The reasoning and techniques described here can be used by any security database that controls authentication and entitlements,” and as such, the information provided here has a wide reach within overall security and relevant security software solutions.

Automating the Cleanup of Your Security Database by Kevin Segreti

 

Mainframe Security: Security Over System Access Through Batch Jobs

Stu Henderson highlights the importance of knowing the potential limitations of your security software regarding batch jobs. Whichever major security software you’re using on your mainframe, be it ACF2, Top Secret or RACF, it’s important to make sure only users defined to the software are allowed to submit batch jobs. This will help protect your data and make sure only the users you want in your system are there. This article explains complications present in the three security software products and provides solutions accordingly.

Mainframe Security: Security Over System Access Through Batch Jobs by Stu Henderson

 

Mainframe Security: Securing UNIX®

This article discusses how to gain full security for UNIX on the mainframe. First, it describes the three possible configurations for running UNIX on the mainframe: “running Linux directly on a CPU or Logical Partition (LPAR),” “Linux guests under the VM operating system; each running in its own virtual machine,” and “UNIX System Services (USS) under z/OS with additional security provided by the security software.” It then briefly covers how to secure each of these three configurations.

Mainframe Security: Securing UNIX by Stu Henderson

 

Mainframe Security: How Well Do We Secure Access to the System?

The main question addressed here is “how well do we secure access to the system?” The article covers how users are identified and how they’re restricted from mainframe system access. Some specific cases are examined: your main security software (RACF, ACF2, Top Secret) and how it should control every access point into the system, the use of LANs and how they’re potentially vulnerable, how CICS® regions are set up and potential threats, and several security issues regarding TCP/IP.

Mainframe Security: How Well Do We Secure Access to the System? by Stu Henderson

 

DB2® 10 for z/OS: The Most Secure DB2 Yet

This article explores DB2 10 for z/OS, and one of its main focuses is why it’s a vital upgrade from DB2 9. The newest version of DB2 contains many worthwhile z/OS security improvements. “DB2 does an outstanding job at separating security, data access, and commonly performed administrative tasks; the EXPLAIN system privilege is just one example of this separation.”

DB2 10 for z/OS: The Most Secure DB2 Yet by Willie Favero

 

CICS and Identity Propagation: Solving the End-to-End Security Challenge

Managing end-to-end authentication and accountability in a distributed environment can be a daunting task. Workarounds can often make it easier to set up access but can incur a loss of accountability. Using identity propagation, which was introduced in z/OS 1.11, can remove some of the complexity while maintaining accountability.

CICS and Identity Propagation: Solving the End-to-End Security Challenge by Phil Wakelin, Nigel Williams & Martin Brown

 

Securable to Secure: Steps on the Journey to System z® Security

This comprehensive study on mainframe access control and security explores potential problems and why the mainframe may not be 100% safe from attacks, as many previously thought. The discussion then moves from “Securable to Secure” and how System z is without a doubt the most securable platform. Finally, an approach to attaining complete and mature System z security is given, broken down into five steps: secure, comply, automate, integrate, leverage.

Securable to Secure: Steps on the Journey to System z Security by Alan Harrison

 

Resource Access Control: z/OS Resource Control and the Three Security Servers

This article explores the need for identity and resource access management on the mainframe to alleviate misuse of applications and data. It does so by looking at how identity and resource access management on the mainframe is applied by RACF, Top Secret and ACF2. System z is inherently the most secure way to host sensitive data, “including electronic keys required to access encryption-protected data and to sign and authenticate sensitive data exchanges.” The article also contemplates how these three security servers are growing to manage these keys and what their role is in an enterprise PKI (Public Key Infrastructure).

Resource Access Control: z/OS Resource Control and the Three Security Servers by Joe Sturonas & Jeff Cherrington

 

Mainframe Security: Laying the Security Groundwork

This article lists many major security-related concerns in today’s data centers. Within these major concerns, there are many specific topics that Stu Henderson will be focusing on throughout his forthcoming column at z/Journal. The mainframe access and security issues are broken down into 6 categories: access to the system, access to data sets and resources, access to the network, operating system protection, organizational issues, and dealing with auditors.

Mainframe Security: Laying the Security Groundwork by Stu Henderson

 

Identity and Access Management on the Mainframe

Most enterprise-level companies now have multiple Identity Access Management (IAM) systems, unlike the old days when these systems were solely for the mainframe. The different platforms an organization uses, combined with the different devices users can access the system with, create the need for a broader IAM architecture. Managing how these systems work together and making sure access points are secure are some of the challenges discussed here.

Identity and Access Management on the Mainframe by Richard Adhikari

 

z/OS Passwords: All Grown Up

With the increased ability and speed of hardware to crack passwords, the traditional 8-character passwords used by RACF for security have become antiquated. IBM has been rolling out extensions since z/OS 1.7 that make passphrases for z/OS much more resilient to cracking. This short article explores the syntax rules for the new passphrases and offers some general help related to password phrases.

z/OS Passwords: All Grown Up by Eric Rosenfeld

 

Making the Mainframe Secure

This is a fun narrative history of RACF and ACF2 by one of the most important people involved in their development, Barry Schrager. There isn’t any directly applicable ACF2 or RACF security information here, but if you enjoy looking back at how these two extremely important pieces of security software came about, this quick read is for you.

Making the Mainframe Secure by Barry Schrager