Solving Mainframe Entitlement Problems

Strong, effective IT security can be compromised by orphaned accounts and entitlements. We offer strategies to manage these expired accounts and entitlements.

by Carla Flores

Strong and effective IT security controls are essential for today's information-active enterprise. Such controls are indispensable for protecting high-value corporate information assets. They are also a requirement for compliance.

Unfortunately, many companies don't have the controls in place that they need to keep their computing environment secure. In fact, the fifth annual Global State of Information Security Survey 2007 by CIO magazine, CSO magazine, and PricewaterhouseCoopers shows that although the overwhelming majority of companies have invested in security infrastructure, most don't adequately audit or monitor user compliance with security policies -- and fewer than half have measured and reviewed the effectiveness of security policies and procedures in the last year.

This is clearly a problem. It doesn't matter how big a lock one puts on one's front door if one leaves a key to that lock under the welcome mat. IT security is as much about ensuring that people comply with prescribed policies and procedures as it is about implementing the latest intrusion detection system.

To fulfill compliance requirements, companies must be able to ensure and attest that internal controls are effective enough to meet regulatory requirements. In other words, it's not enough to simply protect the network. You have to be able to prove to an auditor that what you're doing is sufficient to protect the network, too.

One set of controls that is especially important -- and required by almost all security-related regulations -- is the set associated with the administration of user accounts and access rights. In particular, companies need controls that ensure that users and privileges are deleted in a timely manner when they are no longer needed. Failure to do so creates "account clutter" that can expose a company to serious security vulnerabilities and amount to a material compliance failure for SOX and other regulations.

Orphaned Mainframe Accounts and Accumulated Security Entitlements

Employees are hired, fired, promoted, transferred, and resign. Companies re-organize, acquire, merge, and close down operations. As a result of this constant business change, mainframe security databases wind up with clutter over time. This clutter includes user entitlements that are no longer needed or appropriate, obsolete user IDs, and entitlements that no longer serve any business purpose.

The problem of clutter can grow if the process of deleting accounts (such as when a person leaves the company) is manual. Manual deletions may not be performed in a timely manner -- and may sometimes not get done at all. The result is a number of "orphaned" accounts that have no owner but retain all the access rights of an actual employee.

The existence of these orphaned accounts and/or excessive entitlements creates both a potential security vulnerability and a substantive violation of federal regulations. The fifth annual Global State of Information Security Survey 2007 notes that this year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. If enough clutter accumulates, it can also impede the performance of IT security functions by driving up the utilization of I/O, memory, and CPU resources. Companies must therefore be vigilant about removing any security entitlements, user IDs, access rights, and access groups that aren't needed.

Identifying Obsolete Entitlements and IDs

Security databases accumulate unused and obsolete user IDs and entitlements for three primary reasons:

1. Users retain access to resources after that access is no longer appropriate.

For example, when an employee is promoted or accepts a new job in a different department or division of the same company, that employee is usually given new entitlements. The old ones, however, are often not removed. This problem is exacerbated by a transition period during which the employee needs both the new and old sets of privileges -- making it unclear exactly when the old privileges can be safely deleted.

2. Changes to resources generate clutter in mainframe security files

  • Obsolete permissions remain in place for resources that have been retired or replaced
  • Complexities lead to non-legitimate permissions -- such as a user having access rights to a file that is used by an application that the user is not authorized to access
  • Redundant permissions are defined in multiple places

3. Accumulation of "special purpose" user IDs

  • Deletion of user IDs for departing employees may not catch every system and every secondary ID the user may have had
  • Clean-up is not done for IDs used for batch processing, system management tasks, CICS, and terminals; often these IDs are left in place because IT administrators are more worried about the potential catastrophe that could result if vital production IDs are accidentally deleted than they are about the consequences of not deleting an unnecessary ID
  • Companies forget to remove IDs and entitlements for consultants and contractors once their work is done

Clutter hampers both security systems and security administrators. When users have twice as many entitlements as they actually need -- or when an access group has twice as many entitlements as it needs -- the security system has to perform twice as much I/O to retrieve data, consume twice as much memory to store it, and use twice as much CPU time to search it. It has to repeatedly read, store, and step through data that will never be used. By eliminating this clutter, the performance of security systems can therefore be significantly improved.

Security administrators also benefit when they have to manage fewer users and entitlements -- and when they have a high degree of confidence that the entitlements currently in place are valid and actively used. The resulting time savings can be particularly compelling in IT organizations with limited staff and limited payroll budgets.

Strategies to Manage Orphaned Accounts and Entitlements

The first step in solving the clutter problem is to determine the extent of it. This can be done manually or automatically. If it is done manually, the IT organization needs to determine the number of IDs in its database. For a large corporation, that number may be in the millions. The IT organization also needs to look at the number of access permissions -- and it needs to have any incomplete or unclear data validated by individuals.

The staff time that ultimately will need to be invested in such a project therefore includes:

  • The time needed to develop a list of potential candidates for removal, based on available information
  • The time spent documenting what is being removed so a proper restore can be performed in case a privilege is mistakenly deleted
  • The time required to manually delete IDs and entitlements

The cost for performing these tasks is usually prohibitive and the time factor is often unreasonable. In fact, it may not even be possible to perform some tasks manually at all.

An automated process, on the other hand, can be practical and cost-effective. By implementing the appropriate technology, IT organizations can quickly pinpoint unused privileges and redundant security data. They can also automate the tracking of deletions, so that any errors can readily be restored and an audit trail of the deleted security definitions can be maintained.

Once such an effective automated process is in place, business rules can also be put in place to avoid the accumulation of inappropriate accounts and accesses. This is done through a centralized user provisioning system that automatically creates user accounts and assigns access rights when a new user is entered into the system. The same system can then de-provision these same accounts and access rights when a user's status changes. The result is a set of strong and effective IT security controls that address the issue of orphaned accounts and help ensure regulatory compliance.

An automated process can independently and passively monitor the security system for these problems. As each security check completes, the automated solution records the user ID, group, and permission the security system used, and so identifies which security definition was actually exercised. Although this information is always available, it is rarely seen unless a security trace is active or large volumes of audit data are scanned. The automated solution records it in its own tracking database, where entries can be viewed and reported on to identify and remove obsolete security definitions, without imposing additional requests or overhead on the security system.
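As an added illustration (not the author's or CA's code), the following Python sketches the tracking logic described above over constructed sample data: it keeps the last date each security definition satisfied a check, then classifies clutter into orphaned IDs (no active HR owner), special-purpose IDs held back for review rather than auto-deletion, entitlements not exercised within a 90-day window, and the same access defined in more than one place. The record layout, the 90-day window, and all user, group and resource names are assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the article): entitlement definitions from a
# security database, HR's active-staff list, known special-purpose IDs, and the
# (date, user, group, resource) tuples a passive monitor records as checks complete.
ENTITLEMENTS = [  # (user_id, via_group, resource, access)
    ("JSMITH", "PAYROLL", "PAY.MASTER", "READ"),
    ("JSMITH", "FINANCE", "PAY.MASTER", "READ"),  # same access defined in two places
    ("JSMITH", "FINANCE", "GL.LEDGER", "UPDATE"),
    ("RDOE", "HR", "HR.EMPLOYEE", "READ"),
    ("BATCH01", "BATCH", "PAY.MASTER", "UPDATE"),
    ("CONSULT7", "PROJX", "GL.LEDGER", "READ"),
]
ACTIVE_STAFF = {"JSMITH"}      # HR says RDOE and CONSULT7 have left
SPECIAL_PURPOSE = {"BATCH01"}  # batch/system IDs: flag for review, never auto-delete
EVENTS = [
    (date(2007, 9, 1), "JSMITH", "FINANCE", "GL.LEDGER"),
    (date(2007, 9, 3), "BATCH01", "BATCH", "PAY.MASTER"),
    (date(2007, 5, 2), "JSMITH", "PAYROLL", "PAY.MASTER"),  # outside the 90-day window
]
AS_OF = date(2007, 10, 1)  # assumed date on which the report is run

def last_used(events):
    """Most recent date on which each (user, group, resource) definition satisfied a check."""
    seen = {}
    for when, uid, grp, res in events:
        key = (uid, grp, res)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen

def cleanup_report(entitlements, events, active, special, as_of, window_days=90):
    """Classify clutter into orphaned IDs, IDs needing review, unused and redundant entitlements."""
    used = last_used(events)
    cutoff = as_of - timedelta(days=window_days)
    report = {"orphaned_ids": set(), "review_ids": set(), "unused": [], "redundant": []}
    granted_by = defaultdict(list)  # (user, resource, access) -> groups that grant it
    for uid, grp, res, acc in entitlements:
        granted_by[(uid, res, acc)].append(grp)
        if uid in special:
            report["review_ids"].add(uid)
        elif uid not in active:
            report["orphaned_ids"].add(uid)  # the whole ID is a removal candidate
        else:
            last = used.get((uid, grp, res))
            if last is None or last < cutoff:  # never exercised within the window
                report["unused"].append((uid, grp, res, acc))
    for (uid, res, acc), groups in granted_by.items():
        if len(groups) > 1:
            report["redundant"].append((uid, res, acc, sorted(groups)))
    return report
```

Each candidate in the report still needs its full definition written to an audit trail before removal, so that a mistaken deletion can be restored as the article recommends.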

By preventing the accumulation of obsolete and/or excessive access rights that can otherwise occur in a security file over time, the automation of mainframe security cleanup can help mitigate risk, optimize regulatory compliance reporting, and reduce system overhead. This automation is essential because of the scale of the problem and the fact that IT organizations cannot afford to allocate limited staff resources to these time-consuming administrative tasks. Every IT organization should evaluate available mainframe security "cleanup" solutions and implement the one most suitable for its particular needs.

- - -

Carla A. Flores is product manager for Mainframe Security at CA. She has more than 15 years of experience in mainframe security related to practices, policies, system analysis, user provisioning, and business process reengineering. You can reach the author at
