IBM Z Security and Compliance Center Everything you need to get started quickly. Get started
It's challenging for teams to demonstrate compliance against regulations ordinarily written for distributed systems. With prerequisites like a high level of domain knowledge, coordination of multiple experts across organizations, and the manual retrieval of compliance data, audits can be an arduous and lengthy process.

IBM Z Security and Compliance Center is a simple, flexible browser-based application that simplifies the overall compliance process for IBM Z teams. The application enables rapid analysis and reporting of an IBM Z system's compliance posture. Capability mapping, fact collection, and validation can all be conducted without a high level of expertise. Users can set a profile of security controls, and with a collector microservice connected to their on-premise environment, collect facts and compliance data to be validated against regulatory frameworks.

See what IBM Z Security and Compliance Center can do for your business.
Related solution zCX Foundation for Red Hat OpenShift

Deploy containerized Linux-on-Z applications in a Red Hat OpenShift cluster on z/OS with zCX.

Big picture 1. Build a profiles of controls set against a regulatory framework, or choose from a selection of predefined profiles. 2. Create a scope of resources from which you plan to collect information. 3. Schedule one-time or automatically repeated scans of system resources. 4. Collect facts about system configuration and resources and store them in a secured database. 5. Use a customizable interface to view and analyze results, and track compliance drift with visualizations displaying compliance scores. 6. Export a report of your compliance standing and share with stakeholders. How to get started
Hardware prerequisites

An IBM z16™ server is required for deployment of IBM Z Security and Compliance Center. Evidence data can be collected from systems running on an IBM z16™ or IBM z15™ server.

The necessary Linux partition will require the use of 8 IFLs, 6 of which will be used for Red Hat OpenShift Container Platform, and 2 of which will be used for IBM Z Security and Compliance Center. These IFLs may be shared with other workloads.

IBM Z Security and Compliance Center also requires 64 GB of memory per compute node, 1 TB of Filesystem type storage for ReadWriteOncePod use by containers for config data, and 3 TB of Filesystem type storage for ReadWriteOncePod use by DB container for database data.

Additionally, a Linux logical partition with a z/VM or KVM hypervisor is required, with Red Hat OpenShift Container Platform (OCP) requiring three control nodes (z/VM or KVM) and two compute nodes, and IBM Z Security and Compliance Center requiring at least one compute node.

Operating systems

IBM Z Security and Compliance Center requires the use of z/OS v. 2.4 or later with PTFs. Use the new fix category (FIXCAT) to get the latest PTFs. This is due to the use of a specific SMF Type 1154 record which is not available on back-level z/OS versions.

Note: At least one z/OS endpoint is required to initialize IBM Z Security and Compliance Center. Optionally, more can be added beyond the first.

Additionally, the following versions are supported for Linux on IBM Z compliance data providers:

Middleware components

If you are running middleware applications on top of z/OS, you will require the following versions or later:

  • IBM CICS: v. 6.1
  • IBM Db2: v. 13.0
  • IBM IMS: v. 15.0 with PTFs for APAR PH42600
  • IBM MQ: v. 9.2.0
Hosting

IBM Z Security and Compliance Center requires the use of Red Hat OpenShift Container Platform 4.10 or higher, with an unrestricted license.

Planning z/OS host customization

Prior to configuring IBM Z Security and Compliance Center, ensure that your z/OSMF table has all the names of the LPARs from which you plan to collect data.

Planning for multiple sysplexes

While only a single z/OS endpoint is required to initialize IBM Z Security and Compliance Center, you may plan to report data from multiple sysplexes. For each sysplex containing a system from which you plan to collect data, ensure that a z/OSMF server is active. Additionally, ensure that access is authorized for the user who will be assigned as administrator for IBM Z Security and Compliance Center.

Planning for Linux on IBM Z compliance data providers

In preparing to configure Linux on IBM Z for IBM Z Security and Compliance Center, plan to have the following information ready.

To collect compliance data from Red Hat Enterprise Linux (RHEL), SUSE Enterprise Linux, or Ubuntu, you require:

  • At least one username with sudo access, with passwordless sudo enabled for that user

To collect compliance data from Oracle or PostgreSQL, you require:

  • At least one database username and password
  • An authentication database to work with
Overview

The Compliance Center, which runs on a Linux on IBM Z partition, differs from the actual data providers which feed it information—for example, z/OS or Linux on IBM Z systems. This section refers to configuring IBM Z Security and Compliance Center, rather than the compliance data providers which will eventually be connected to it.

To complete the initialization process, first assign a user to act as administrator for IBM Z Security and Compliance Center.

In the interface, create a new user for the administrator with an email address, password, and assigned policies.

One-time initialization steps

Once you have assigned an administrator, they will need to complete the following initialization steps:

  1. Go to Access Management, which leads to the KeyCloak administration page. Add any necessary new users, as well as policies for those users.
  2. Go to Configure in the KeyCloak administration page. In the Email tab, add the SMTP host name, port number and sender email. This setting is required for resetting user passwords.
  3. Go to Settings, then go to IBM Z Settings to add z/OS-related connection information and/or Linux-related connection information.
  4. If you are planning on z/OS fact collection, go to Settings. Note the Logstash connection details and configure Common Data Provider (outside of IBM Z Security and Compliance Center) with the appropriate Logstash details.
  5. In Settings, click Credentials to add credentials for the IBM Z connections which were added in Step 3.
  6. In Settings, click Collector to create a new collector.
Collecting from your first z/OS sysplex

In order to begin collecting from your first z/OS sysplex, you need to enable z/OSMF to receive requests from IBM Z Security and Compliance Center.

Enable the collection of SMF Type 1154 records via SMFPRMxx parmlib. Once enabled, all components that are set as listeners will write to their subtypes. Optionally, you can turn off specific subtypes for any that you want to exclude.

Install and configure an IBM Common Data Provider component per z/OS LPAR from which you are collecting data. The log stash files need to be installed alongside IBM Z Security and Compliance Center, and the IBM Common Data Provider profile must be updated to establish a connection.

Collecting from Linux on IBM Z

If you plan to collect data from Linux on IBM Z, ensure you have met the necessary prerequisites for using a Linux-based compliance data provider. Refer to the 'Prerequisites' and 'Planning' sections for further information.

Overview

Once you have configured IBM Z Security and Compliance Center, and have installed and configured all essential IBM Common Data Provider components, there are a variety of tasks you may be looking to complete.

Define a scope: a subset of resources from which you will collect information

You can define a scope in the Scopes page. Defining a scope will allow you to collect information from only a subset of resources, defined at the system/LPAR level.

View and create profiles

IBM Z Security and Compliance Center comes with pre-defined profiles, or sets of IBM Z security controls, that were created for various regulations, such as PCI DSS and NIST SP800-53. In Profiles, you may view these profiles, as well as create new ones.

View compliance data to identify non-compliant system settings

IBM Z Security and Compliance Center provides a way for IBM Z teams to quickly view their system data and determine which aspects of their systems are out of compliance. Go to Scans to initiate a new scan. Scans can be configured to automatically repeat for any interval of time.

Communicate non-compliance to your security team

Given that non-compliance remediation is a task dispersed among many stakeholders, it's important that you are able to quickly communicate discrepancies to your security team.

In the Scan Results page, you can see a list of all of the controls that were validated in the scan. You can also see resources that have passed and failed.

Provide reports to the security auditor

When it comes to completing an audit of your IBM Z system, IBM Z Security and Compliance Center provides user friendly reporting to easily understand your organization's standing against compliance benchmarks. For automatically recurring scans, a Compliance Drift graph shows how compliance posture has changed over time. Detailed and delta reports can be generated and exported easily.

Learn more General questions

Yes, this solution requires the use of the IBM z16.

Yes, this solution requires the use of OpenShift Container Platform on Linux on IBM Z.

Yes. See this page for more detail about running Red Hat OpenShift Container Platform on zCX.

Yes, as long as you are running z/OS 2.4 or later.

IBM Z Security and Compliance Center simplifies the overall enterprise compliance process for organizations running workloads on IBM Z.

With a modern, easy-to-use interface, users can mitigate the risk of manual errors, save significant time spent in audit preparation, and augment the abilities of their teams to better manage the compliance process.

The application utilizes an intuitive dashboard and can produce reports to demonstrate the standing of an IBM Z system's capabilities against regulatory controls. At a glance, you can see the current compliance posture, summary of controls passed/failed, resources used, and drift on posture over time.

Users can run the application iteratively to improve their compliance posture over time, or correct drifts that occur when regulations are updated.

Additionally, IBM Z Security and Compliance Center comes with over 300 pre-built goal validations and allows for customizability, offering the flexibility needed to account for a range of regulatory frameworks.

The initially available version of IBM Z Security and Compliance Center will feature predefined 1-to-1 mappings of IBM Z controls to requirements specified in the following standards:

  • PCI DSS v3.2.1
  • NIST SP800-53
  • CIS Benchmarks
  • Further standards will be provided predefined mappings in the future based on significant user feedback across industries and geographies.

Yes, you can create your own profiles and groups of controls using a selection of hundreds of technical checks that IBM Z Security and Compliance Center can perform out of the box. You can also import an extensive set of predefined mappings as a basis for your security procedures.

Through this process, the application may be used to prepare your organization for regulatory frameworks not covered by initially available predefined mappings, as well as for internal requirements that are specific to your organization.

Yes. For z/OS systems, you can select which LPARs will be in the scope of your scan.

IBM Z Security and Compliance Center automates the collection of compliance relevant data on IBM Z and Linux on IBM Z.

The application contains predefined 1-to-1 mappings of security controls written for IBM Z components (such as RACF, Db2, IBM CICS, IBM IMS, and IBM MQ) to requirements from regulatory frameworks (such as PCI DSS). These mappings were defined by the IBM Z Security team, and have been validated with auditors.

Additionally, IBM Z Security and Compliance Center includes an interactive, customizable dashboard displaying the security controls validated for each requirement, as well as which resources passed and failed. The application also reports on compliance drift: how compliance posture has changed from one point in time to another.

Yes. You can view detailed scan results in IBM Z Security and Compliance Center dashboard or a report generated by the application.

For each technical check, you can view a list of all the IBM Z resources that have passed and failed across multiple sysplexes.

You may also view the logic of each scan performed by the application to see exactly what it checked.

IBM Z Security and Compliance Center is equipped with a microservice which sends an ENF signal to all compatible IBM Z components, triggering them to generate compliance data in an enhanced SMF record that has been custom built for this application.

For z/OS: RACF, CICS, Db2, Comm Server, IMS, MQ, SMS, USS, SSHD, INETD, Consoles, SMF, ICSF

For Linux on IBM Z: Oracle, PostgreSQL

IBM Z Security and Compliance Center also comes with CPACF usage tracking.

Documentation IBM Z Security and Compliance Center Documentation

Access technical documentation for the planning, installation, enablement, and use of the solution.

Read the documentation
Technical resources Deployment and Operator YAML Files

Download the YAML files used to install and deploy the microservices for IBM Z Security and Compliance Center.

New Access the files
Solution brief

Fight compliance drift and accelerate audit readiness on IBM Z

Read the brief
Related solutions zCX Foundation for Red Hat OpenShift

Deploy containerized Linux-on-Z applications in a Red Hat OpenShift cluster on z/OS with zCX.

Hyper Protect Data Controller

Protect your data as it moves throughout the enterprise and beyond.

Pervasive Encryption for IBM Z

Enable extensive encryption of data in-flight and at-rest.

What's new

The Documentation section was added, and technical resources have been updated to include a link to the Deployment and Operator YAML files for the solution.

Rate this content solution