IBM Announces New z/OS Multilevel Security

Big Blue hopes to snare workloads from Unix, Windows as RACF morphs into z/OS Security Server

Last week, IBM Corp. announced an updated security feature for its zSeries mainframes. The company says customers will now be able to to tap Big Iron hardware to eliminate redundant servers, databases, and networks.

Jim Porell, IBM's chief strategist on the IBM zSeries, says the new security feature enables a single point of control for managing multilevel security environments—that is, across different government agencies, or among business units or divisions in a company. The idea, Porell says, is that customers can tap z/OS and Big Blue’s DB2 database to support a single repository of data that can be managed at the row level and accessed by individuals based on their need to know. One upshot of this, he notes, is that some workloads could move from Unix or Windows systems to Big Iron.

IBM is initially positioning the new offering for use primarily in government accounts, Porell says.

“What we’ve been asked to do on behalf of the government is come up with a multilevel security capability, because what they have is compartmentalized data across multiple agencies, and so this eliminates a lot of redundancy,” he comments. “In doing this, what we’ve deployed is a single security manager, basically the z/OS Security Server, what used to be called RACF.”

The difference, Porell explains, is that the multilevel security technology permits greater granularity than is possible with RACF. The new feature lets administrators give users access to information based on their need to know, or consistent with their security clearance level. Its extra granularity is said to prevent users from accessing unauthorized—or potentially classified—information if they do not have the appropriate level of clearance.

The new multilevel security technology can be hosted in a separate z/OS image or hosted on a dedicated machine. The new feature can be implemented without any changes to existing application code and can be configured to support any application or operating environment that also exploits DB2. “It is dependent on DB2, yes. It doesn’t work, or, rather, hasn’t been tested with, Oracle,” he confirms. “I don’t believe any code changes are necessary. It’s just a question of whoever hosts that application through the database administration and the security administration can provide the compartmentalization through our services.”

Although Big Blue initially is targeting government customers, Porell says that IBM will market the multilevel security technology to commercial customers as well. “The neat thing about this type of compartmentalization is that I don’t have to write application-specific security clauses in SQL [to take advantage of it], so really it’s appropriate for commercial customers, too,” he writes.

The new technology also has applications for hosted computing, Porell confirms. “So something like an SAP, a PeopleSoft, or a Siebel could actually provide a level of compartmentalization so that some kind of outsourcer—an IBM, an EDS, or whatever—could host a departmental-level application so that a mom and pop store, for example, could ask them to securely host their data with data from other customers on the same database.”

The new multilevel security technology for z/OS 1.5 will be available in March, according to Porell.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.