CA Updates Mainframe Security Tools
Changes target regulatory compliance, auditing, and access controls
How do you audit your mainframe to ensure its access controls are current and effective and demonstrate mainframe security complies with regulations?
CA recently released new versions of three products for z/OS that can help: CA-ACF2 Security r9, eTrust CA-Top Secret Security r9, and eTrust Cleanup 2.2. According to CA, ACF2 and Top Secret “protect mainframe data sets from unauthorized access,” while eTrust Cleanup “automatically identifies and removes obsolete, unused, and rogue user IDs and access rights.” The latest version of Cleanup now also works with RACF.
One user of all three products is Boston University, which employs the tools to “more easily ensure that only authorized users have access to critical data, and that unused user IDs and access rights are deleted from the system,” says Joanne Kelly, the university’s senior information security analyst. The university, no stranger to compliance requirements, also uses the tools “to demonstrate compliance with a wide range of federal regulations, including the Family Educational Rights and Privacy Act, the Privacy Act of 1974, Gramm-Leach-Bliley, and HIPAA.”
Making Mainframe Identity Play Nice
All three products integrate with CA’s other identity and access management (IAM) products, to give security managers a consolidated view of security events. “We’re the only vendor that can provide that IAM configuration, enterprise-wide,” says Reg Harbeck, CA’s global mainframe solution manager. That’s essential since mainframes aren’t just a black box; they tie into numerous other applications and databases. “The mainframes have the majority of the world’s production data, but they still have to play nice.”
The updated IAM functionality further reflects how mainframes aren’t immune from current business and regulatory requirements. “The mainframe continues to be the platform for many of our customers’ most mission-critical business information and resources,” notes Michelle Waugh, who directs CA’s identity and access management product marketing. As such, the mainframe is often the place where data covered by regulations lives.
The new ACF2 and Top Secret features are aimed at “proving that the mainframe really is up to the compliance requirements that are being imposed on it,” says Harbeck. For example, beyond having multilevel security (MLS) permissions, a feature previously available in the products, it can now be audited. “What we recognized was it wasn’t good enough to just have that classification security, where you can’t access something above your classification level. Now we can prove that.”
Other new features simply provide mainframe parity with security capabilities already common in the non-mainframe world. Most notably, the tools now support longer passwords—up to 128 characters—to make it easier for security managers to implement a single, enterprise-wide password policy.
Harbeck says the revised products are also more stable and have better debugging capabilities. “Our biggest clients for ACF2 and Top Secret have millions of IDs, and often they’re using it not just for employees but as part of key production applications. You need to ensure everything performs properly, even when major changes are made.”
Scrubbing Mainframe Identities
CA’s Cleanup product tackles a different issue: untangling the user identities in the mainframe security database. “The problem is the average mainframe security database often has 20 years of security entries in it,” notes Harbeck. “People love to get access and hate to give it back.” Many people, of course, will have departed the company, or no longer need the passwords. Furthermore under the latest security rules and regulations, they may not merit them.
Cleanup can help by watching mainframe access for some period of time to build a picture of who’s accessing what. The product then generates reports which, beyond summarizing such activities, can go a step further and execute a variety of database commands. For example, a security manager can order it to delete user IDs that haven’t been used for a specified period of time. The IDs, however, are simply moved from the security database to a backup database, so they can be restored if necessary.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.