Implementing a zero trust strategy
Zero trust is a strategy rather than something that you implement with a single configuration option. It is essentially a growing series of best practices that you need to review, implement, and maintain as part of your IT strategy.
A number of these best practices are described in How it works: Zero trust in CICS. Implementing zero trust might seem a daunting task, and it is not something that can be implemented quickly or all at once. Therefore, it is essential to develop a plan that prioritizes this work, most likely in conjunction with your CISO, who is looking at zero trust across the enterprise.
You’re encouraged to adopt a zero trust strategy regardless of your current CICS® release. However, some functions such as security discovery and security definition capture (SDC) that are provided in more recent releases of CICS can ease this process.
Identifying the data that needs protection
Some data is more sensitive or valuable to the company than other data. You might already have reviewed your data for GDPR or similar regulation, or for PCI-DSS compliance by following best practices in How it works: Zero trust in CICS.
If you have separate sets of regions that access this data, it is recommended to concentrate on these regions first. If there are particular resource types that store this data, such as files, concentrate on these resources first.
Identifying who needs to access the data
As described in How it works: Zero trust in CICS, you need to ensure that access to applications and their data is associated with roles.
You might already have implemented transaction security so that users who need access to an application are authorized to run the transactions that the application uses. If this is done on an individual user ID basis, you need to migrate your security definitions to be role based.
To do that, you can use CICS security discovery to identify and refine the groups of user IDs (roles) that are associated with groups of transactions (applications).
6.2 and later: After identifying the roles and applications, you can further refine roles with usage data. The CICS security discovery data (SDD) helps you identify the resource groups that are accessed by each role.
Configuring controls to protect the data
CICS security discovery allows you to convert required resource security definitions back into RACF commands.
- 6.2 and later: As of CICS TS 6.2, all CICS transactions, excluding CJXA and CICSPlex® SM transactions (CO**), are defined with RESSEC(YES) and CMDSEC(YES) by default, which requires extra security configuration for some CICS transactions. See CICS transactions subject to security checking.
- Your own transactions that run in these CICS regions also need to be defined with RESSEC(YES) and CMDSEC(YES).
- When all of your transaction definitions implement RESSEC(YES) and CMDSEC(YES), you can set the SIT parameters CMDSEC=ALWAYS and RESSEC=ALWAYS to override the transaction settings, so that future transaction definitions cannot break your zero trust policy.
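The following job is an added example, not taken from this page or from IBM's documentation, that puts the role-based RACF definitions described above next to a transaction definition that enables resource and command security. The group, user, transaction, file, CSD group and program names (PAYROLE, PAYUSR1, PAY1, PAYFILE, PAYGRP, PAYPROG) and the data set names are assumptions chosen for the example.

```jcl
//ZTSEC    JOB (ACCT),'ZERO TRUST DEFS',CLASS=A,MSGCLASS=X
//*
//* Step 1: role-based RACF definitions (assumed names).
//* The role is a RACF group; users are connected to it, and the
//* transaction and file profiles grant access to the group, never
//* to individual user IDs.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP PAYROLE DATA('ROLE: PAYROLL APPLICATION USERS')
  CONNECT  PAYUSR1 GROUP(PAYROLE)
  RDEFINE  TCICSTRN PAY1 UACC(NONE)
  PERMIT   PAY1 CLASS(TCICSTRN) ID(PAYROLE) ACCESS(READ)
  RDEFINE  FCICSFCT PAYFILE UACC(NONE)
  PERMIT   PAYFILE CLASS(FCICSFCT) ID(PAYROLE) ACCESS(UPDATE)
  SETROPTS RACLIST(TCICSTRN FCICSFCT) REFRESH
/*
//*
//* Step 2: define the transaction with resource and command
//* security switched on, so that file accesses and SP commands
//* issued under PAY1 are checked against the profiles above.
//* Data set names are assumptions.
//*
//CSDUP    EXEC PGM=DFHCSDUP
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
 DEFINE TRANSACTION(PAY1) GROUP(PAYGRP) PROGRAM(PAYPROG)
        RESSEC(YES) CMDSEC(YES)
/*
//*
//* Step 3 (SIT overrides for the region, shown here as comments):
//* once every transaction carries RESSEC(YES) CMDSEC(YES), the
//* region-wide ALWAYS settings make the transaction attributes
//* irrelevant so a later definition cannot weaken the policy.
//*   SEC=YES
//*   XTRAN=YES
//*   XFCT=YES
//*   XCMD=YES
//*   RESSEC=ALWAYS
//*   CMDSEC=ALWAYS
```

Access attempts that fail these checks are recorded in the RACF SMF type 80 records mentioned under Monitoring who is accessing the data.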
Monitoring who is accessing the data
By implementing the previously mentioned command and resource security, you will be able to monitor key resources using the RACF SMF 80 records or by using zSecure Access Monitor.
Zero trust is about monitoring the end user’s access. Therefore, the user ID that is used for the authentication request must either be the end user’s user ID, or have the distributed identity associated with it if it is a functional user ID.
Auditing CICS to make sure best practices are used
SMF 1154-80 records include an audit of compliance with these best practices. See Compliance data collection.
Maintaining security when developing new applications or changing applications
After your production CICS regions are migrated to use resource and command security, you need to ensure that the security definitions of new or changed applications are identified and added whenever a new set of code is delivered to production.
6.2 and later: CICS security definition capture (SDC) provides a manual way of identifying the required security definitions for changed applications during development, before promoting the changes to production. You can also integrate it into a CI/CD pipeline by leveraging other automation solutions.