Resource Access Control Facility (RACF) is an IBM software security system that provides access control and auditing functions for the z/OS and z/VM operating systems. RACF fits into the mainframe security environment by providing:
- Authentication: Identification and verification of a user through user ID and password checks; identification, classification, and protection of system resources
- Authorization: Maintenance of access rights to protected resources; control of the means of access to protected resources
- Auditing: Logging of accesses to a protected system and protected resources
RACF was introduced in 1976, but it has continuously evolved to support modern security mechanisms like digital certificates/public key infrastructure services, LDAP interfaces, and case-sensitive IDs/passwords. Case sensitivity has enabled RACF to be more interoperable with systems such as UNIX® and Linux®. IBM zSeries hardware is designed to work closely with RACF. RACF's primary competitors have been ACF2 and TopSecret, both now produced by CA. (See Resources for more on RACF.)
“ RACF is a powerful authentication, authorization, and auditing tool for your security portfolio. zSecure suite makes using it easier by introducing a high level of automation.”
The IBM Security zSecure suite helps you manage RACF in a variety of ways. This article explains the IBM Security zSecure suite and highlights some of the exciting features of the newest release, version 2.1.
What is the zSecure suite?
IBM Security zSecure suite provides cost-effective security administration, improves service by automating routine tasks and threat detection, and reduces risk with automated audit and compliance reporting. Automation and built-in expertise are key features of zSecure. By automating tasks and employing best practices gleaned from millions of hours of expertise in security auditing, reporting, verifying, and managing, security administrators can gain back time previously stolen by these mundane tasks.
Components in the zSecure suite (also known as product editions) include:
- zSecure Admin: Adds a user-friendly layer over RACF to help ease and improve administration and reporting.
- zSecure Alert/for ACF2/for RACF: Monitors the mainframe for external and internal security threats. It can detect and prevent intrusions and identify misconfigurations through real-time mainframe (ACF2, RACF) threat monitoring. (ACF2 is Access Control Facility, a commercial, discretionary access-control software security system developed for the z/OS, z/VSE, and z/VM.)
- zSecure Audit/for ACF2/for RACF/for Top Secret: Enables you to detect and report security events and exposures on mainframes. It enables analysis and reporting on mainframe security events (ACF2, RACF, Top Secret); auditing detects exposures. It also formats and reports on more than 50 other z/OS System Management Facilty (SMF) records without any effort on your part. (Top Secret, or TSS, is the Computer Associates product for mainframe control and auditing functions.)
- zSecure CICS Toolkit: Helps free TSO resources from routine administrative tasks through a CICS interface.
- zSecure Command Verifier: Helps enforce mainframe compliance to installation-defined and standardized policies through granular controls for RACF commands.
- zSecure Manager for RACF z/VM: Provides combined audit and administration functions for the virtual machine environment.
- zSecure Visual: Enables cost savings by decentralizing RACF administration through a Microsoft® Windows®-based GUI.
See Resources for more on IBM Security zSecure suite 2.1.
New release, new features
The new zSecure suite release 2.1 delivers some especially interesting features (in my opinion):
- Additional IBM DB2 compliance analysis and reporting
- Digital certificate management enhancement
- Easier compliance reporting for multiple (and roll-your-own) standards
- Additional integration with QRadar SIEM
You can now order the zSecure suite 2.1, preceding the z/OS 2.1 release for the first time. I like this because it means you don't have to work with a previous version of zSecure while testing the new release of z/OS. You also won't have to install the new zSecure separately (like I did when it came out a few months after the new z/OS). Now you have one-stop shopping for z/OS and zSecure suite.
“One of most exciting "features" of zSecure 2.1 for a support technician is that it is coming out concurrently with z/OS 2.1. You can install the latest version of both at the same time.”
Let's look a bit deeper into the interesting new features and what they mean.
Additional IBM DB2 compliance analysis and reporting
The breadth of coverage for IBM DB2 compliance analysis and reporting has been increased. The zSecure environmental collection program (zSecure Collect) will collect much more information from DB2 systems, making it even easier to produce more granular reporting than before. This includes reporting from both the DB2 perspective and RACF (or comparable product) point of view. This added collection of data greatly simplifies the compliance reporting requirements that pop up almost daily.
Figure 1. Reporting details for DB2 tables
Digital certificate management enhancement
zSecure is aware of the complexities and demands of certificate requests. It automates renewing and rolling-over certifications and maintaining key rings and the related structures. zSecure 2.1 makes caring for and working with digital certificates within a RACF (or comparable product) so much easier.
With this new release, more data that is related, but may not be visible together, will be collected and reported, which greatly simplifies digital certificate processing and controls. When it's time to clean up the RACF digital cert repository and remove obsolete or unused certificates, the Access Monitor has been enhanced to provide assistance in identifying which digital certificates are effectively still in use, aiding administrators in removing obsolete profiles and unused IDs. It also reveals access to resources by watching your users and tracking the authorizations they make use of and those they do not.
Figure 2. zSecure is highly aware of the components of the certificate ecosystem
Easier compliance reporting for multiple and roll-your-own standards
Remember all that time you spent writing custom audit reports and checking to ensure they were properly testing for all the compliance requirements? Well, in zSecure 2.1, you get the ability to ease compliance reporting, including a user interface for the Defense Information Systems Agency (DISA), Security Technical Implementation Guide (STIG) (DISA-STIG), and RACF Standards. Now compliance reports can be standardized, stored in a library, and easily run by the auditors—not taking up your valuable time!
What's more, if you do need to write your own, there is a mechanism in place to standardize, store, and catalog them for later use. zSecure 2.1 comes with a library of compliance reports and lets you store the reports in a centralized repository. Now you can write the reports and allow the users to run them as needed, without your further involvement.
Figure 3. Sample output summary for compliance and auditing
Additional integration with QRadar SIEM
Keeping track of security events across multiple environments within z/OS is made easier by zSecure Audit; it provides this information to the IBM Security QRadar SIEM dashboard. This integration greatly eases the effort of reporting and following up on important events in the z/OS environment, including events occurring in RACF, ACF2, CICS, and DB2. You might even say "But QRadar SIEM functionality is a dense topic; zSecure and QRadar integration could be the subject of an entire series of articles." (For more on QRadar SIEM and how it interacts with zSecure, see Resources.)
Figure 4. Integration with QRadar SIEM brings security events from multiple systems to one console
Automation, best practices, saves time and effort
Your time, like mine, is too valuable to have to focus on producing audit reports, tracking security events, and worrying about digital certificate currency and obsolescence and how DB2 is being administered. I'm going to let zSecure 2.1 help me get back hours in my day; you can too.
- Explore the topics in this article:
- Explore the technologies in this article:
- Explore expert's knowledge on the the topics in this article:
- Start your journey to implement IT security through pragmatic, intelligent, and risk-based practices at Security on developerWorks.
- Follow developerWorks on Twitter.
- Watch developerWorks on-demand demos ranging from product installation and setup demos for beginners, to advanced functionality for experienced developers.
Get products and technologies
- Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, or use a product in a cloud environment.
- Get involved in the developerWorks Community. Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.