Modern Security Solutions for the Mainframe

It has become common place to hear breaking news about the latest security breach affecting large organizations, smaller companies, government agencies, and consumers. In many cases, the headlines focus on nefarious external threats such as hackers, viruses, ransomware, and much more. In addition, it is rare to hear any stories about how these threats affect the mainframe. Instead the spotlight is placed on the mainstream topics of the day such as point of sale or cloud systems.

While these threats remain serious concerns and require tremendous effort to prevent future attacks, the threat from insiders is often overlooked yet is equally dangerous, especially when it comes to mainframe security.

Most large institutions across all industries continue to rely on the speed, efficiency, and the perceived inherent security of the z/OS mainframe to handle their core operations. This is understandable, especially when considering IBM’s Resource Access Control Facility (RACF) for z/OS has provided a reliable security framework upon which numerous organizations have counted on since 1976.

However, in many cases, these same organizations indicate they expect little growth in mainframe application usage. The common response is to tighten their mainframe operation budgets and conclude it is best to maintain the status quo.

Additionally, much of the mainframe workforce is approaching retirement age resulting in a significant skills gap, especially among RACF security teams. The resources backfilling these positions are often unfamiliar with the organization’s current RACF environment and prefer modern GUI interfaces over the traditional green screen aesthetic. As a result, the potential of realizing internal and external security threats becomes an unmitigated disaster in waiting.

After weighing these concerns against an organization’s long term interests, common questions arise around what steps institutions can take to mitigate these risks all while lowering mainframe operational costs.

• What about organizations that already have tools to support RACF administration, auditing, and security vulnerability detection?

• Is there something else they can do?

Myriads of institutions realize their z/OS access control measures were configured many years ago and recent audit results cause concerns about complying with industry regulations. Are they following the latest best practice security standards?

The answer to each of the above questions is a resounding yes, and it is imperative that organizations seeking comprehensive data security solutions do not neglect their mainframe data and resources protected by RACF.

Definition of STIG

The best place to start is to check for system security vulnerabilities by comparing current RACF environment settings to industry standards defined by Security Technical Implementation Guides (STIGs).

In the early 2000’s, the US National Institute of Standards and Technology (NIST) published industry recommended security configuration controls which continue to be updated on a yearly basis. The list of controls includes STIGs for z/OS and RACF which effectively became best practice standards for both public and private sector organizations who use RACF to protect enterprise system resources.

The key reason for measuring an environment’s current security settings against STIGs is to protect an organization from the very external and internal threats presented earlier by complying with industry guidelines.

It is important to note that STIGs are classified by “severity” levels of High, Medium, or Low. Each classification indicates the level of risk an organization is taking if the security vulnerability is not mitigated.

234 STIGs for RACF

There are a total of 234 STIGs for RACF, of which 225 have a severity classification of High or Medium. Even though these guidelines have been available for many years, institutions have neglected assessing whether or not their mainframe environment is adequately protected.

This problem is only exacerbated by:

• today’s high turnover rates in mainframe staff,

• tightening operation budgets,

• increase in regulatory audits, and

• positive assumptions about mainframe security.

Lacking time & experience

Though understanding what STIGs are and why they are important is a critical first step, many organizations may not have the time or experienced staff to review and implement over 200 individual security guidelines for their RACF environments.

If this is the case, what are their options?

Partnering with a company such as Beta Systems Software can help provide the tools and experience necessary to support the unique RACF security challenges organizations face today. When it comes to enterprise security, the central goal of an organization should be to implement solutions which allow the responsible resources to quickly identify, remediate, and report on security vulnerabilities in their RACF environment based on industry standard STIGs, ensuring sensitive mainframe data and assets remain fully protected.

At Beta Systems, our approach is to provide the clarity and simple solutions necessary for organizations to meet their security and compliance goals.

Our suite of tools include modern RACF administration and auditing solutions, security monitoring, and a comprehensive guide to understanding, implementing, and reporting on RACF STIGs.

At a glance, understanding STIGs and the underlying value they provide once implemented in an enterprise system can be a challenge for any organization. This is where Beta Systems excels by simplifying the complex.

Our solution starts by breaking down the full list of STIGs into meaningful groups while providing the ability to execute comprehensive reports based on each category.

Categories as assigned by Beta Systems

Each RACF STIG item can be assigned one of the following categories:

• System Configuration (SETROPTS)

• Access Limitation

• Access Control

• UNIX Protection

From here, Beta Systems’ suite of tools provide clear guidelines and reports that allow administrators, auditors, security personnel, and managers to stay updated on how secure their organization’s mainframe resources really are.

The below example illustrates how our solutions can make it easy to interpret the meaning of individual STIGs, describe how to implement best practice policies, and most importantly, how it benefits an organization’s bottom line.

• RACF STIG V-112 as defined by NIST: Write or greater access to SYS1.LPALIB must be limited to system programmers only.

• Purpose of STIG V-112 and Best Practice Recommendation from Beta Systems: At its core, this STIG is about properly protecting sensitive system resources and data. STIG V-112 is classified with a severity of “High” and falls into the “Access Limitation” category. In a typical z/OS mainframe environment, there are many resources and data sets that are critical in supporting the consistent and reliable operation of the platform, including SYS1.LPALIB. This means protecting these resources by allowing only a select few individuals (System Programmers) to access them is imperative to mitigating any risks of tampering, regardless of malicious or involuntarily intention. Implementation of STIG V-112 helps ensure that the mainframe resources in question can only be accessed by trusted, operational level users which drastically reduces the chance of insiders stealing sensitive data or harming key operational resources on the mainframe.

• Validation with Beta Systems RACF Tools: Beta Systems core RACF tool _beta access contains key features that enable administrators and auditors to quickly validate compliance with STIG V-112 through a quick search panel or in a report. Reviewing access authorization to critical system files is accomplished by using our primary interface, searching for the SYS1.LPALIB resource

  profile, and then drilling down using an “Analyze Permits” function that allows the Administrator to view a list of all RACF permits allowing users to access the resource, what level of access each user has, and how each user has been granted access (i.e. which RACF Group is responsible for providing a user access to a resource).

The above scenario covers just one example of Beta Systems’ solutions for STIG compliance and general RACF security. For more detailed examples of STIGs and “how to” screenshots, please reference our Technical White Paper on STIGs.

Following industry standards and best practice security recommendations can seem like an overwhelming task for any business, especially when the risks are high if not implemented appropriately. And with mature systems like the mainframe, most organizations assume they are

• adequately protected,

• do not want to increase costs, or

• already have tools in place and feel there is no need to make a change.

At Beta Systems, our solutions address each of these concerns. We have modern tools that make it easy for both veteran and new generation RACF administrators to ensure proper protection of mainframe resources and sensitive data through compliance with industry standard STIGs. As an added value, the same reports used for STIGs make it that much quicker to prepare for compliance or regulatory audits, providing significant overhead savings.

Additionally, for organizations who already have RACF tools for administration and reporting, our tools not only match very well against our competitors’ tools, we offer our solution package at a 50% discount to your current costs today, all while we continue research and development of best practice security solutions for RACF environments.

Beta Systems developed the _beta access software suite in response to the growing requirements that govern the management of access rights. It empowers even non-specialized staff to reliably manage the z/OS RACF Security Server and generate audit reports. This is achieved by providing an interface that is very easy to operate in comparison with other administration solutions.

Standard tasks such as resetting passwords can thus be delegated to the helpdesk, which greatly reduces the amount of routine work previously handled by the core IT team.

_beta access also acts as a monitoring tool, which means that is issues realtime alerts about RACF events. Triggers may include access to sensitive data or changes made to user attributes. These functions, together with options for versioning and backups, significantly bolster the security status of your IT landscape.

The Beta Systems modules of the z/OS Access Rights Management Suite for RACF, or _beta access in brief, address the different RACF administration areas. The modules can be used individually or combined with one another.