In-Depth
CA Upgrades Security for z/OS
New versions more about people than features.
- By Chris DeVoney
- 10/23/2007
CA announced on Monday new versions of five security products for the IBM z Series and z/OS. Although the products incorporate a range of improvements for security analysis and compliance, some important improvements in these products, available now, were driven by their competition and changes in the IT work force.
Leading the way are revised versions of the access control management tools, specifically the z/OS external security managers ACF2 r12 and Top Secret r12. Among several improvements is Web-based administration for controlling user accounts, entitlements, and options. The tools have externalized security controls for CICS, UNIX System Services, and IMS, with optional centralized DB2 security. Both products take advantage of a variety of features new to z/OS 1.9.
A new Compliance Information Analysis feature enables complete analysis and reporting of user entitlements, groupings, and administrative privileges. The addition reflects the changing role of the security administrators in compliance efforts that ensure policies are pushed out and enforced.
The managers also offer command propagation, allowing one console connected to a mainframe to control many other mainframes, and both products can push data to and from any platform that understands LDAP directories.
CA Auditor r12 extends its maturity in automating in-depth IT auditing functions with the CA external security managers ACF2 or Top Secret, or IBM's RACF. The product runs under TSO, in batch, or as a started task. Using baseline and delta snapshots of the operating environment, CA Auditor r12 examines the system's integrity, looking for problems such as breaches in APF authorizations or undefined SVCs in libraries. The product further helps auditors determine compliance and risk by adding FIPS 200-compliant baseline analysis functions and analysis support for z/OS and UNIX/Linux system services running on the z Series.
CA Cleanup r12 provides automation that addresses outdated access rights, a common deficiency cited by auditors. The product scans resources for usage, finds accounts, resources, and profiles that have not been used within a specified time period, and reports on them and creates command scripts to delete the access rights. The new version of Cleanup also creates a contingency command set to reverse inadvertent access right deletions. New reporting features track specific compliance and security activities and enable the use of CA Cleanup data in support of entitlement re-certification, as recommended by ISO 27001:2005 A.11.2.4.
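The dormant-entitlement sweep with its contingency (reversal) command set, as an added Python example that is not CA Cleanup's own code: the entitlement record layout and the REVOKE/GRANT command vocabulary are hypothetical stand-ins, not ACF2 or Top Secret syntax, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Entitlement:  # hypothetical record layout, not an ESM database format
    account: str
    resource: str
    access: str
    last_used: Optional[date]  # None: never exercised since it was granted

SAMPLE = [  # constructed sample data, dated around the article (23 Oct 2007)
    Entitlement("USER01", "PAYROLL.MASTER", "READ", date(2007, 10, 1)),
    Entitlement("USER02", "PAYROLL.MASTER", "UPDATE", date(2007, 3, 14)),
    Entitlement("USER03", "HR.BENEFITS", "READ", None),
    Entitlement("USER04", "HR.BENEFITS", "READ", date(2007, 7, 25)),
]

def find_dormant(entitlements, as_of, max_idle_days):
    """Rights not exercised within max_idle_days of as_of; use on the cutoff day
    still counts as recent, and a never-used right is always dormant."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [e for e in entitlements if e.last_used is None or e.last_used < cutoff]

def build_command_sets(dormant):
    """Deletion script plus its contingency (reversal) script; the REVOKE/GRANT
    vocabulary is hypothetical, not ACF2 or Top Secret syntax."""
    revoke = [f"REVOKE {e.account} {e.resource} {e.access}" for e in dormant]
    restore = [f"GRANT {e.account} {e.resource} {e.access}" for e in dormant]
    return revoke, restore

def apply_commands(state, commands):
    """Simulate a script against a set of (account, resource, access) tuples."""
    state = set(state)
    for cmd in commands:
        verb, account, resource, access = cmd.split()
        if verb == "REVOKE":
            state.discard((account, resource, access))
        elif verb == "GRANT":
            state.add((account, resource, access))
        else:
            raise ValueError(f"unknown command: {cmd}")
    return state

def recertification_report(entitlements, as_of, max_idle_days):
    """Counts an auditor can use for entitlement re-certification, plus both scripts."""
    dormant = find_dormant(entitlements, as_of, max_idle_days)
    revoke, restore = build_command_sets(dormant)
    return {"reviewed": len(entitlements), "dormant": len(dormant),
            "never_used": sum(e.last_used is None for e in dormant),
            "revoke": revoke, "restore": restore}
```

Running the restore script over the post-deletion state should reproduce the original entitlement set exactly; that round-trip is the check to run before the deletion script is ever applied for real.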
Responding to the increased regulation demanding greater protection of data such as consumer financial or health information, CA Tape Encryption r12.5 simplifies and automates cryptography management of removable media. This version now supports tape selection based on external security manager criteria for enhanced control and flexibility. Given the large number of tapes used with mainframes, the increased use of outside services such as Iron Mountain for offsite archiving and storage, and the increased consequences of the loss of non-encrypted protected data, the product is virtually mandatory for the financial and health-care industries, among others.
Markets, Staffing Drive Improvements
Kirk Willis, senior vice president at CA, sees changes in the market providing some philosophical overview for the new products. He notes that companies are trying to keep FTE counts down on mainframe resources and more security people are doing a 50-50 (or higher) split between compliance activities and security (including security enforcement).
Richard Ptak, president of analyst firm Ptak Associates, sees many of the changes in the product as significant and worthwhile. However, he doesn’t think "any stores are going to stay open till midnight," referring to the enthusiasm of the iPhone or the Xbox’s Halo 3.
"The management tool market for the mainframe went through a period of quiescence. In the last couple of years, with the beginning of the z Series, the number of mainframes upticked due to a new interest by a new generation and new geographies in different companies and countries. Combined with a number of open-source providers who saw opportunities in the mainframe management tool area, the result is an upgrade in the capabilities and integration of the tools to manage the mainframe, and that is a good thing for users."
Ptak, along with much of the rest of the mainframe industry, also sees a problem in employee skill sets. The system engineers, administrators, programmers, and operators of mainframes are mainly baby-boomers who are rapidly graying and retiring, causing a shortage of skilled IT personnel. He notes that IBM, BMC, and CA are seeking and funding training efforts for the next generations, but notes humorously, "When you talk in three-letter acronyms, their eyes glaze over. Unlike the previous generation, they have no idea of what you are talking about."
He sees the improvements in the user interface and other efforts to expose program features and make operations more intuitive as very important to help those with less experience and training in mainframes be successful.
Overall, the new products are important acknowledgments of a changed mainframe marketplace that needs to do more with fewer experienced people, integrate more into heterogeneous operating environments, and handle the increased security and compliance needs of enterprises and institutions. Although no champagne corks pop with the announcements, corporations and institutions will see improved operations with the new versions.