z/VM V6R4 was announced on October 25, 2016 with a planned availability date of November 11, 2016.
A summary of the toleration fixes that have been made available for zSecure can be found on the Service Management Connect - System z blog.
They apply to zSecure Manager for RACF z/VM 1.11.1 and 1.11.2, and to zSecure for z/OS 2.1.0, 2.1.1, and 2.2.0.
This SSE for zSecure 2.2 provides the following benefits:
- filter commands to quickly zoom in to records of interest
- fast navigation to jump to RACF user and group details
- quick admin capability for TSO and UNIX properties
- enhanced e-mail configuration
- ability to configure large buffers 'above the bar' (64-bit exploitation)
These changes apply to one or more of the following components: zSecure Admin, zSecure Audit, and zSecure Alert.
Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
On October 1, 2015 IBM issued a Statement of Direction about providing 64-bit addressing support in IBM Security zSecure. This support has now become available as a Service Stream Enhancement (SSE) to zSecure 2.2.0.
64-bit addressing allows the use of memory above the 2GB "bar" implied by addresses consisting of only 31 bits. Besides allowing the program to store and retrieve larger amounts of data, this also frees up memory "below the bar" that can be used by (other) 31-bit addressing programs.
Typical functions in zSecure that benefit from having a lot of memory available include
- processing very large numbers of events from the SMF event log, e.g. as sent on to IBM Security QRadar SIEM;
- analyzing data for many security databases and LPARs at the same time;
- rule-based compliance analysis based on many underlying technical reports;
- analyzing large intervals (possibly a year or more) of access use data, e.g. to identify obsolete permissions.
The SSE also includes enhancements to 31-bit addressing support. Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
The changes apply to all components of zSecure for z/OS except for zSecure CICS Toolkit and zSecure Command Verifier. For the full benefits a z196 or newer hardware is required.
On February 16, 2016 IBM announced authentication enhancements for z Systems, including a new product IBM Multi-Factor Authentication for z/OS (5655-162), with a planned availability date of March 25, 2016.
IBM z/OS Security Server Resource Access Control Facility (RACF) provided enabling infrastructure updates for z/OS V2R1 and V2R2.
IBM Security zSecure suite provided supporting updates for zSecure 2.1, 2.1.1, and 2.2.
Multi-Factor Authentication raises the level of assurance of mission-critical systems by requiring authentication with multiple factors during the logon process.
Each authentication factor must be from a separate category of credential types:
1) Something you know (e.g. a password or PIN code),
2) Something you have (e.g. an ID badge or a cryptographic key),
3) Something you are (e.g. a fingerprint or other biometric data).
More details can be located through this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
You might also be interested in the zSec
z/OS V2R2 was announced on July 28, 2015 with a planned availability date of September 30, 2015.
A summary of the toleration fixes that have been made available for zSecure 1.13.0, 1.13.1, 2.1.0, and 2.1.1 can be found on the Service Management Connect - System z blog.
You might also be interested in the following page that was recently added to the zSecure wiki: Samp
Release 1.11.2 of IBM
This release of zSecure for z/VM includes the zSecure Compliance Testing Framework that was first made available for z/OS in release 1.13.1. It also has many small applicable enhancements parallel to the 1.13.1, 2.1, and 2.1.1 releases. A summary is available on the Service Management Connect blog.
zSecure 2.1.1 has been announced with the following products...
... and the following solutions
Please refer to this blog entry on System z Management for details on the solutions.
All zSecure products support RACF. zSecure Audit and Adapters for QRadar SIEM support CA-ACF2 and CA-Top Secret. zSecure Alert supports CA-ACF2.
You might also be interested in this article on 50 years of mainframe security.
Edit: Updated zSecure for z/VM release from 1.11.1; 1.11.2 became available on March 13, 2015.
Edit: The latest zSecure for z/OS release is zSecure 2.3.0.
In one way, mainframe environments are just like server environments; they are increasingly exposed to the Internet. In a more important way, though, they are different -- they have more complex security requirements than many server systems. Security intelligence -- a single view of threats, automated assistance, deeper experiential insight, and real-time detection -- is the component that allows these two factors to meet and merge into a meaningful solution.
Here are two painlessly short articles that can jumpstart your journey into understanding and implementing an intelligent security policy and mechanism tailored to meet the complex requirements of the mainframe environment:
Understanding the shifting nature of malicious attacks on and vulnerabilities of your enterprise mainframe or hybrid system, especially as your organization implements new technologies -- cloud computing, response-based workload resource balancing, mobile access, big data handling, social collaboration -- is just the beginning of establishing a comprehensive security policy for your mainframe-oriented environment. In "Creating the ultimate security platform," IBM explains how System z can deliver proactive protection for data, web, cloud, mobile, and enterprise environments on mainframe systems.
This whitepaper starts by detailing how mainframe security requirements have changed in the Internet era. Originally, mainframes were isolated from outside influences, but now many are just as connected to the web as a typical smartphone; the difference is that it is relatively easy to secure the simple environment of a phone, but not so easy with the complex architecture of a mainframe.
The paper describes how security intelligence, consistent, normalized analysis of disparate data to recognize and block attacks, takes an "umbrella" approach to security (from network intrusion prevention all the way to endpoint management) in order to create a complete picture of the infrastructure and the attacks and vulnerabilities that threaten it. The security intelligence approach, optimized for the way a contemporary computer system is used, replaces the traditional "security only at the obvious vulnerable points" way of protecting your mainframe.