White Paper. Regulatory Compliance and the IBM Mainframe: Key Requirements




Reg Harbeck, Global Mainframe Solution Manager
Sumner Blount, Director of Security Solutions
February 2007

Table of Contents

The Rise of Compliance as a Business Imperative
The Role of Frameworks in Mainframe Regulatory Compliance
Key Controls for Mainframe Compliance
    Controlling Access to Business Data and Functions
    Orphaned Accounts
    Excessive Entitlements
    Control over Superuser Privileges
    Separation/Segregation of Duties
    Security Event Auditing
    Proper Data Classification
    Software Configuration Detection and Correction
    Encryption of Offsite Information
Key Technologies for Mainframe Compliance
Conclusion
The CA Solution for Mainframe Compliance
Key Compliance Requirements and CA Solutions

The Rise of Compliance as a Business Imperative

Recent corporate financial scandals and increased concerns over the privacy of user information have led to a rise in governmental laws and industry regulations around financial reporting, security and data privacy. These factors create compliance pressures that place heavy burdens on internal IT groups. Failure to secure sensitive information can result in irreparable damage to the corporate reputation, and failure to achieve compliance has financial consequences as well.

While governmental regulations cover a wide range of target areas, regulations that impact IT generally fall into one of three major categories:

Governance. These regulations deal with issues related to the transparency and accuracy of financial records, the retention of records within the corporation, and requirements for disaster recovery and business continuity. Most notably with SOX, this type of regulation was heavily driven by corporate scandals and financial fraud cases.

Privacy. These regulations are often specific to a single vertical market, and dictate how a user's personal information must be handled by the corporation. There are regulations that specify what type of personal information may be kept, how that information may be handled (including who, if anyone, it may be given to), and what actions are required in the event of a breach of established privacy restrictions.

Security. These regulations are intended to protect a corporation's critical infrastructure, and specify how users will be identified, how their access to sensitive resources must be controlled, and how that access may be tracked and audited.

Figure 1 illustrates these three primary areas of compliance, and highlights some of the major regulations in each area. Note that some regulations fall into multiple categories.

While there are a large number and wide variety of regulations, each has unique requirements for compliance, many of which cannot be met merely through technology and/or procedural changes. However, one element common to all regulations is the need for strong and effective controls over various enterprise business processes. A control is a set of procedures or steps that can be used to ensure the successful operation of a business practice or transaction. These controls ensure, for example, that private customer data is not accessed by unauthorized people, that platforms and systems are protected from breach, and that all data and applications are protected from inappropriate access. Internal controls can be weak, strong, or anywhere in between. It is the job of compliance auditors to ensure and attest that these controls are effective enough to meet the requirements of the regulation.

Figure 1. Classification of Regulations.

The Role of Frameworks in Mainframe Regulatory Compliance

Generally, a governmental regulation does not specify what technology is required in order to meet its requirements. In fact, many regulations do not even specify any details of an effective internal control. Therefore, administrators and compliance officers are left to determine what methods they will use to meet the often vague requirements within each regulation.

In the area of overall corporate governance, the internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become widely adopted. Although COSO contains requirements for a range of areas of governance, there is little in the COSO framework regarding specific IT controls. Given this, management should either look to industry best practices, which are often subjective, or look to another controls-oriented framework from an authoritative source.

To solve this problem, many companies have begun to look to the Control Objectives for Information and related Technology (COBIT) framework published by the IT Governance Institute, which is affiliated with the Information Systems Audit and Control Association (ISACA). COBIT contains a broad set of IT control objectives that provide statements of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. Among these IT controls are many that are directly related to security management processes and systems. Other IT frameworks exist (for example, ITIL, SAS 70, ISO 17799, and others), and their use depends on whether they can help establish (to the auditors) a strong case for successful compliance.

Let's look at COBIT in more detail, since it has emerged as a widely adopted framework for IT controls. The COBIT control objectives are organized into four areas:

Planning and Organization
Acquisition and Implementation
Delivery and Support
Monitoring

One of the key activities within the Delivery and Support area of COBIT is an activity entitled Ensure Systems Security. The purpose of this activity is to provide controls that safeguard information against unauthorized use, disclosure or modification, damage or loss, through logical access controls that ensure access to systems, data and programs is restricted to authorized users. Within Ensure Systems Security there is a group of discrete control objectives that COBIT has identified, including:

Manage Security Measures
Identification, Authentication and Access
Security of Online Access to Data
User Account Management
Management Review of User Accounts
User Control of User Accounts
Security Surveillance
Data Classification
Central Identification and Access Rights Management
Violation and Security Activity Reports
Incident Handling
Re-accreditation
Counterpart Trust
Transaction Authorization
Non-repudiation
Trusted Path
Protection of Security Functions
Cryptographic Key Management
Malicious Software Protection, Detection and Correction
Firewall Architectures and Connections with Public Networks
Protection of Electronic Value

A detailed discussion of these controls is beyond the scope of this paper. The next section, however, discusses some of the key issues involved in implementing some of these controls on mainframe platforms.

Key Controls for Mainframe Compliance

By now, most organizations have recognized their responsibilities within regulations (such as Sarbanes-Oxley, HIPAA, and others) and have introduced some level of processes and procedures to comply with them. However, one area that often does not get adequate attention in many environments is the mainframe. Despite past predictions by some of the demise of the mainframe, it remains, and will continue to be, a critical computing platform for many enterprises. The mainframe is here to stay, and therefore it is a requirement to include mainframes when planning a broad IT compliance strategy.

The COBIT controls described earlier can be instrumental in supporting compliance with most of the major regulations that organizations are facing today, such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, among others. On the mainframe, there are some specific controls that are essential yet often overlooked. These controls are focused on the following mainframe security issues:

Controlling Access to Business Data and Functions
Orphaned Accounts
Excessive Entitlements
Control over Superuser Privileges
Separation/Segregation of Duties
Security Event Auditing
Proper Data Classification
Software Configuration Detection and Correction
Encryption of Offsite Information

Let's look at each of these areas in more depth.

Controlling Access to Business Data and Functions

Controlling access to critical IT resources (files, applications, databases, etc.) on the mainframe is an absolute requirement for regulatory compliance. Not only must unauthorized individuals be prevented completely from accessing these resources, but even authorized users must be able to perform only those operations and actions for which they have been explicitly approved. In many cases, these authorizations need to include external factors such as the day of the week, time of day, the user's organizational unit or role, and the like. Some accesses, for example, might be allowed during work hours but need to be prevented during off-hours.

In addition, a key element of regulatory compliance is policy-based controls. In other words, a security administrator should not have to understand the underlying technical details of a system in order to set up a permission that responds to a simple requirement in all cases. Therefore, it is essential to externalize security outside of applications, so that it can be enforced centrally based on a set of security policies defined for the complete IT environment. These security policies are generally based on a set of user roles defined for the entire user population.

It is also important for an organization to be able to determine, at any point in time, the existing user roles that it has defined, and the access rights assigned to each such role. Auditors will want those roles to be consistent, well-defined, and to have as little overlap as feasible. An organization with well-defined roles and access requirements will be much better aligned with regulatory requirements than one in which everyone has their own individual set of access rights, built up whenever they encounter a new need but rarely removed when the need no longer exists.

Orphaned Accounts

Mainframes have become a victim of their own reliability and security with regard to orphaned accounts. A mainframe running in a production environment may have been implemented thirty-plus years ago. During that time frame, thousands, sometimes even millions, of employees and customers have been provisioned to the mainframe. Often, those accounts are not removed, and orphaned accounts accumulate. Orphaned accounts also occur when a user simply stops using an account for any reason; the account remains valid even though it is not being actively accessed. Until regulatory controls were established focusing on the need to maintain these accounts, and to have controls in place to manage, report on, and enforce compliance for them, they often went almost unchecked by many organizations. Any unused account represents a security, and therefore compliance, risk.

Some organizations use manual processes for the provisioning and de-provisioning of mainframe accounts. This process is error-prone, and does not provide a well-documented method for ensuring proper entitlements. Others have developed applications internally to help manage these accounts. The underlying problem still exists, though to a lesser degree: these solutions typically don't or can't address the problem of ensuring that all existing accounts have proper owners. Figure 2 illustrates this important problem. The line represents entitlements granted to (and removed from) a typical user over their lifecycle. It illustrates that entitlements are often not removed until the user actually leaves the organization. And when this happens, some accounts are often missed and not removed appropriately. This creates the problem of orphaned accounts, represented by the bottom right corner of the graphic.

Figure 2. User Entitlement Compliance Issues.

Beyond user accounts, utility accounts (accounts used for testing or background tasks) often exist from previous projects. Default accounts, while less common on the mainframe than on other platforms, can also be overlooked and not deleted or disabled, opening up the opportunity for an unauthorized individual to access information inappropriately. The problem is compounded when applications attempt to enforce their own security policies, rather than externalizing security to a centralized service. This causes these types of accounts to increase in number, and the management of them becomes much more difficult. The security of these applications should be externalized, taking advantage of the security software package running on the mainframe. Examples of such accounts include:

UNIX (USS) and Linux native security accounts, defined to the OS and not to external security
DB2 accounts, if DB2 is not fully externally secured
Internal application controls not externalized

Excessive Entitlements

Figure 2 also illustrates another common problem that can impact your compliance efforts. Similar to the problem of obsolete accounts, people also tend to accrue access rights over the course of their identity lifecycle, but generally do not ask to have them removed when no longer needed. As a result, most users accumulate unneeded access rights, so that the line representing their access entitlements is monotonically increasing over time. This hampers compliance because critical IT resources can often be accessed by users who have no valid business need to do so. In fact, a common back door to many computer systems and applications is to go to a person who has retained old access but is in a new role that has no official need of that access. This violates the integrity of a system in a way that is almost certain to contradict corporate guidelines. It would also render a system out of compliance with respect to many regulatory mandates today.

Control over Superuser Privileges

One of the most exploited and costly vulnerabilities on many systems is the superuser account ("Root" in UNIX and Linux, including on the mainframe). Superusers can generally do whatever they want to, without restriction and often without adequate audit and tracking. Because of the unlimited power of this account, no file, device or command is off-limits. Even the auditing services on the system are not immune from this account, and the integrity of system audit logs is therefore vulnerable to inadvertent or malicious actions.

This issue is amplified when superuser access is not role-based, and a common password and user ID is shared among administrators and developers. This creates a serious accountability problem. This situation often makes it very difficult, if not impossible, to determine specifically which person performed a particular destructive act, since there is no authentication of superusers as individuals. Effective compliance requires that users, especially Root-level users, have only the level of privilege that they actually need. For this reason, more granular access and administrative rights are required than are generally offered by the native operating system. In addition, compliance requires that all users be individually identified, so that multiple users are not using the same account in such a way as to make them effectively anonymous in the audit log.

Separation/Segregation of Duties

A key principle inherent in a regulatory-compliant and audit-proof environment is separation of duties (aka segregation of duties). As a general principle, this means that the person who initiates a given transaction cannot also be the person who approves that transaction. For example, a situation in which someone could create a new vendor record as well as approve a payment to that vendor would constitute a segregation of duties violation. Another, possibly more common, example occurs when a single person can both install and maintain applications as well as administer their security.

Why is this an issue? There are two problems that these types of situations create. First, there is insufficient oversight and visibility for potentially fraudulent activities. In the example cited above, someone could create new vendor records and then approve payments to those vendors, possibly escaping detection for a long time. The second problem is that this situation makes security auditing much harder, because it is difficult if not impossible to identify who might have performed an improper or malicious operation on critical data.

Security Event Auditing

Regulatory compliance is effectively impossible without the ability to prove compliance. IT auditors want to be able to view proof that all your internal security controls are not only comprehensive and consistent, but are also functioning correctly and effectively. This requires the ability to uniquely identify the specific individual responsible for each security event or operation. Not only is this required for compliance, but it is also essential for immediately stopping any improper or suspicious activity that might have occurred.

One possible example of this would be the case where someone attempted successively to log in to different user accounts. In some environments, successive failed attempts to access a given account would result in the immediate suspension of that account. If these accounts are in different departments, it may never occur to anyone that they could be related and that a serious breach is being attempted. However, with strong auditing records (such as those generated by CA ACF2 and CA Top Secret) and a powerful correlation and reporting engine (such as provided by CA Security Command Center), it becomes possible to discover:

1. That there were a number of suspensions around the same time coming from the same location (because an automatic alarm was generated)
2. That it therefore seems likely that a single individual has been trying to access the system by guessing at passwords until the accounts were suspended
3. Whether any accounts have been successfully accessed yet, and which ones
4. Whether the behavior in question is still continuing, in which case the perpetrator may be easily located

Without this ability, it is possible that someone may gain illicit access to the system and abuse the authorities of the accounts they access, a clear violation of system integrity and related regulatory requirements. In short, in order to achieve compliance, you need to be able to be alerted when security is being challenged, identify sources of potential compromise, and demonstrate that your security controls are effective.

Proper Data Classification

A common criterion in data classification is need to know. When information is classified within an organization, determining appropriate levels of access can be a challenge. It is often true that access to business-critical data is granted as a result of a person's job responsibilities.
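The four discoveries listed under Security Event Auditing, worked through as an added example that is not part of the white paper: Python that parses a constructed audit trail, clusters account suspensions by source and time window, lists the accounts since accessed from that source, and reports whether the activity is still ongoing. The event names and key=value fields are assumptions for this example, not the CA ACF2, CA Top Secret or CA Security Command Center record formats.

```python
"""Correlating account suspensions across departments by source and time.

Added example, not from the white paper: a minimal version of the four-step
correlation described under Security Event Auditing. The audit trail below is
constructed; its event names and key=value fields are assumptions, not the
CA ACF2 / CA Top Secret or CA Security Command Center record formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: three accounts in three departments are suspended
# after repeated logon failures from one source, then another account logs on
# successfully from that source. A lone suspension elsewhere is not reported.
SAMPLE_LOG = """\
2007-02-12T08:01:05 LOGON_FAIL user=PAY001 dept=PAYROLL src=10.20.30.40
2007-02-12T08:01:09 LOGON_FAIL user=PAY001 dept=PAYROLL src=10.20.30.40
2007-02-12T08:01:14 SUSPEND user=PAY001 dept=PAYROLL src=10.20.30.40
2007-02-12T08:02:40 LOGON_FAIL user=HR0042 dept=HR src=10.20.30.40
2007-02-12T08:02:51 SUSPEND user=HR0042 dept=HR src=10.20.30.40
2007-02-12T08:03:30 LOGON_OK user=OPS017 dept=OPERATIONS src=10.9.8.7
2007-02-12T08:04:02 LOGON_FAIL user=FIN213 dept=FINANCE src=10.20.30.40
2007-02-12T08:04:07 SUSPEND user=FIN213 dept=FINANCE src=10.20.30.40
2007-02-12T08:06:55 LOGON_OK user=FIN202 dept=FINANCE src=10.20.30.40
2007-02-12T11:15:00 SUSPEND user=DEV009 dept=DEVELOPMENT src=10.1.1.1
"""

def parse_events(text):
    """Parse 'timestamp EVENT key=value ...' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, *fields = line.split()
        event = {"time": datetime.fromisoformat(stamp), "event": kind}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events

def suspension_clusters(events, window=timedelta(minutes=10), min_accounts=3):
    """Steps 1 and 2: per source, the largest set of distinct accounts suspended
    within `window`. Hitting `min_accounts` across departments is the signal
    that one party is guessing passwords against many accounts."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "SUSPEND":
            by_src[ev["src"]].append(ev)
    clusters = []
    for src, suspends in by_src.items():
        suspends.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(suspends)):
            # Advance the window start until the span fits inside `window`.
            while suspends[end]["time"] - suspends[start]["time"] > window:
                start += 1
            span = suspends[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_accounts and (
                best is None or len(users) > len(best["accounts"])
            ):
                best = {
                    "src": src,
                    "first": span[0]["time"],
                    "last": span[-1]["time"],
                    "accounts": sorted(users),
                    "departments": sorted({e["dept"] for e in span}),
                }
        if best is not None:
            clusters.append(best)
    return clusters

def successful_logons(events, cluster):
    """Step 3: accounts successfully accessed from the suspicious source since
    the first suspension, i.e. passwords the guesser may already have found."""
    return sorted({ev["user"] for ev in events
                   if ev["event"] == "LOGON_OK" and ev["src"] == cluster["src"]
                   and ev["time"] >= cluster["first"]})

def still_active(events, cluster, now, idle=timedelta(minutes=15)):
    """Step 4: has the source produced any event within `idle` of `now`?"""
    times = [ev["time"] for ev in events if ev["src"] == cluster["src"]]
    return bool(times) and now - max(times) <= idle

def report(text, now_iso):
    """Run all four steps over an audit trail as of `now_iso` (ISO timestamp);
    one finding per suspicious source."""
    events = parse_events(text)
    now = datetime.fromisoformat(now_iso)
    return [{**cluster,
             "accessed": successful_logons(events, cluster),
             "ongoing": still_active(events, cluster, now)}
            for cluster in suspension_clusters(events)]
```

With the sample trail, `report(SAMPLE_LOG, "2007-02-12T08:10:00")` returns a single finding for 10.20.30.40 covering PAYROLL, HR and FINANCE, with FIN202 listed as already accessed and the activity flagged as ongoing; the single suspension from 10.1.1.1 never reaches the threshold.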

For example, it may be very appropriate to grant update access for the payroll files to a payroll clerk role. However, it is not appropriate for that payroll clerk to be able to copy or write that data to another file, such as one that may begin with a common high-level qualifier that other employees have access to, thus allowing them access to the data beyond what their role and business responsibilities prescribe. This is known as a "write-down" and is a potential exposure of the business-critical data. Such an exposure would certainly be detected in a compliance audit. With MLS (Multi-Level Security), classification levels can be assigned to data such that an individual with a certain level can access data, while those without cannot. This would also prevent the copying or writing of data down to a lower classification level as described in the above example.

Software Configuration Detection and Correction

Mainframe operating systems are notoriously complex. These complexities have made auditing the actual operating system very time-consuming and difficult. Any operating system, even on a mainframe, can be subject to security exposures due to errors in the configuration, installation, or administration of all software components. Computer worms, Trojan horses, and trap doors of all kinds would threaten the security of the entire mainframe and all its applications. Malicious (or at least unintentionally destructive) procedures, configurations and programs can be introduced to the mainframe, either by authorized individuals' actions that are not in the organization's best interest, or by skilled intruders. Therefore, strong and effective security controls should include a complete review and audit not only of all datasets and applications, but also of the operating system that physically controls these resources. Traditionally, only experienced auditors or specialists with a systems programming background could perform such an extensive operating system review.
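The payroll write-down from the data classification section, as an added example that is not part of the white paper: a toy decision routine that combines a role-based (job responsibility) check with MLS classification levels, so that the same copy the role layer permits is refused as a write-down once the mandatory layer is applied. The level names, dataset names and role table are constructed for this illustration.

```python
"""Mandatory no-write-down check for the payroll clerk example.

Added example, not from the white paper: a two-layer access decision in which
a role-based (job responsibility) check is combined with MLS classification
levels. Level names, dataset names and the role table are constructed.
"""
from enum import IntEnum


class Level(IntEnum):
    """Constructed hierarchy: a higher value is a more sensitive classification."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed dataset labels: the payroll master is RESTRICTED, while the
# shared reporting high-level qualifier is readable by every employee.
DATASET_LABEL = {
    "PAYROLL.MASTER": Level.RESTRICTED,
    "SHARED.REPORTS.MONTHLY": Level.INTERNAL,
}

# Constructed role entitlements (the job-responsibility layer). The clerk
# legitimately holds UPDATE on both datasets, which is exactly what makes a
# copy from one to the other possible when no mandatory check is applied.
ROLE_PERMITS = {
    "PAYROLL_CLERK": {
        ("PAYROLL.MASTER", "READ"), ("PAYROLL.MASTER", "UPDATE"),
        ("SHARED.REPORTS.MONTHLY", "READ"), ("SHARED.REPORTS.MONTHLY", "UPDATE"),
    },
    "EMPLOYEE": {("SHARED.REPORTS.MONTHLY", "READ")},
}


def role_permits(role, dataset, mode):
    """Discretionary layer: does the role hold this access mode on the dataset?"""
    return (dataset, mode) in ROLE_PERMITS.get(role, set())


def mls_permits(session_level, dataset, mode):
    """Mandatory layer: read only data labelled at or below the session level
    (no read-up); write only to datasets labelled at or above it (no write-down)."""
    label = DATASET_LABEL[dataset]
    if mode == "READ":
        return session_level >= label
    if mode == "UPDATE":
        return label >= session_level
    raise ValueError(f"unknown access mode {mode!r}")


def access(role, session_level, dataset, mode, with_mls=True):
    """Both layers must allow the access. with_mls=False shows what the role
    layer alone would permit."""
    if not role_permits(role, dataset, mode):
        return "DENY: role"
    if with_mls and not mls_permits(session_level, dataset, mode):
        return "DENY: MLS write-down" if mode == "UPDATE" else "DENY: MLS read-up"
    return "ALLOW"


def copy_dataset(role, session_level, src, dst, with_mls=True):
    """A copy is a READ of src followed by an UPDATE of dst; report the first
    layer that refuses, or ALLOW."""
    for dataset, mode in ((src, "READ"), (dst, "UPDATE")):
        verdict = access(role, session_level, dataset, mode, with_mls)
        if verdict != "ALLOW":
            return verdict
    return "ALLOW"
```

A clerk working at the RESTRICTED level may update PAYROLL.MASTER, and the role layer alone would also let the clerk copy it into SHARED.REPORTS.MONTHLY; with the mandatory layer enabled the same copy is refused as a write-down.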
Much of the work was manual, and the low-level tools available were difficult to use and not comprehensive enough to truly audit the system. A z/OS review, for example, might take weeks or months to perform. However, higher-level software exists today to ease this burden and enable a more complete and simple approach to this important task.

Encryption of Offsite Information

An important element of several recent regulations is the requirement to inform an individual if their personal data has been exposed to unauthorized third parties. An example of this type of regulation that has achieved significant publicity recently is California bill SB 1386. This bill requires any organization doing business in California to notify any customers if there is a significant chance that their personal information has been disclosed inappropriately. A situation where this requirement would be applicable would be the loss of a backup tape containing this personal information, where the data was stored on the tapes in plaintext. Other regulations may not address the issue of public disclosure, but nonetheless require strict protection of confidential consumer information, with encryption being a common technique for doing this. Is the solution to avoid sending such personal customer data off-site? Hardly. Sending these tapes off-site is generally part of a healthy disaster recovery program and data archiving practice. It may also be a key part of certain established electronic commerce practices.

Key Technologies for Mainframe Compliance

The security issues described above require comprehensive mainframe solutions in order to achieve regulatory compliance. In attempting to address these issues, there are several critical technology areas that can assist you. More specifically, when planning compliance initiatives on your mainframe, the following approaches and technology solutions should be considered.

1. Centralized Access Control

On today's mainframe, no application should be running with internal security. Attempting to enforce security within each application greatly increases your security administration costs, complicates your application development and maintenance effort, and potentially reduces your overall security due to inconsistent policy enforcement across applications. Externalizing security enforcement in a central service eliminates these problems, as well as making it much easier to validate compliance to your IT auditors. The essential way to implement a mainframe control on user access is a software solution that can effectively provide access control for all mainframe data and applications. It should allow easy, policy-based controls to be created that will ensure that all access is controlled according to these policies. In addition, it should leverage and integrate with existing directory, auditing, and access management solutions on distributed platforms in order to make compliance activities more consistent across platforms.

External security solutions such as CA Top Secret and CA ACF2 allow for the complete externalizing of application and database security. This provides the ability to centrally control all access to critical mainframe resources and enforce security policies relating to these resources.

2. User Provisioning

Centralized user provisioning provides an automated way to create user accounts and assign access rights when a new user is entered into the system. It can also provide an automated technique for deprovisioning these same accounts and access rights when the user is removed from the system. Both capabilities are important for achieving strong and effective IT security controls. In particular, user provisioning can help avoid the creation of excessive entitlements, as well as orphaned accounts, since entitlements and accounts are immediately removed as a user's role changes or when that user departs the organization. This is done according to specific security policies defined by the IT administrators, and can be a completely automated process.

Provisioning solutions can also help answer one of the most important questions asked by your compliance auditors: who has access to what resources? Without the ability to easily answer that question, your compliance efforts will be greatly hindered. In addition, a comprehensive identity management and provisioning solution should be capable of providing information or reports about potentially problematic overlapping role or access right definitions. This information, along with clearly defined internal processes, can help highlight and correct existing or potential segregation of duties violations.

3. Host Access Management

Excessive entitlements for superusers, and the inability to uniquely identify each superuser, can be significant problems on UNIX and Linux systems. A Host Access Management external security solution (for mainframe Linux and USS, for example) can be used to provide fine-grained entitlements for superusers so that each such user has only the privileges they absolutely need. In addition, it can uniquely identify users so that audit logs can associate each administrative event with a specific person.

4. Automated Cleanup of Inactive Accounts

Inactive (orphan) accounts and unused entitlements are significant problems on mainframes and can reduce your compliance effectiveness. Tools such as CA Cleanup are available today to monitor and report on entitlements (and IDs) that are not used within the mainframe security database. The removal of such leftover accesses eliminates loose ends and the accompanying security and regulatory concerns, while aligning the security environment for consistent role-based provisioning and de-provisioning.

5. Automated Software Configuration Analysis

Effective regulatory compliance requires controls over the entire mainframe configuration, including both hardware and software components. These controls should start with an automated analysis of all relevant configuration information so that potential anomalies (such as unpatched system vulnerabilities) can be identified and quickly remediated. This analysis should provide information on the current status and settings for such key system elements as:

- Software and hardware configurations and versions
- Hardware errors
- Administrative consoles
- System Management Facility (SMF) information
- System customization variables for key system libraries, system catalogs, and parameter libraries
- System executables
- Critical programs
- JES environment
- File usage

Compliance requires that effective controls over all critical system components be in place and functioning effectively. Tools such as CA Auditor for z/OS and CA Security Command Center can greatly simplify and expedite these important tasks.

6. Centralized Auditing and Monitoring

A centralized auditing mechanism can aggregate, filter, and analyze all security events within the entire IT environment, highlighting those that need priority attention. Such a solution also has very significant cost savings and productivity benefits. Manually reading system log files to search for serious security events is not only time-consuming but very error-prone, and it is virtually impossible to manually correlate security events that might, when taken as a whole, constitute a potential security breach. A comprehensive auditing solution such as CA Security Command Center (CA SCC) can automate this process, not only saving large amounts of system administrator time but also reducing security risk, because critical events can be more reliably identified for further administrator analysis and remediation.

7. Information Encryption

Solutions such as CA's BrightStor Tape Encryption exist today to encrypt the data that is written to tapes. If this is done and a tape is later compromised, it will not be readable without the keys required to decrypt the data. This, of course, also requires appropriate key management functionality (such as that provided by the above product) to ensure that the keys neither fall into the wrong hands nor get lost, which would make critical data unavailable.

Conclusion

As the number and variety of regulations increases, today's organizations face daunting challenges in complying with all relevant mandates. These challenges include not only meeting the specific requirements of each regulation, but also doing so in a cost-effective and sustainable way. Unless an organization can achieve continuous compliance, its compliance costs and efforts will remain unacceptably high.

The mainframe is a critical element in any IT compliance initiative. It often houses some of the enterprise's most critical IT assets, both data and applications, and therefore must have strong and effective controls over the use of these assets. Without a consistent and auditable set of controls across all major system platforms, an organization will not be able to achieve regulatory compliance in a cost-effective manner. The final section of this paper highlights some CA solutions that can help you achieve sustainable and continuous compliance on your mainframe platforms.

The CA Solution for Mainframe Compliance

CA offers the broadest set of security solutions on the mainframe today that can greatly enable your compliance activities as part of an integrated, enterprise-wide approach. Specifically, the CA Mainframe Identity and Access Management suite is the most comprehensive and integrated platform on the market today. It enables enterprises to efficiently and securely manage the digital identities and access rights of users, devices and applications. This includes ensuring that only properly authorized identities can access your critical IT resources. It provides a complete and proven platform for protecting your IT assets across all platforms and environments within your enterprise, thereby helping you achieve continuous compliance across your mainframe and connected platforms.

The CA mainframe security and compliance solutions include:

CA ACF2 and CA Top Secret. Providing leading-edge security for the z/OS, z/VM and z/VSE business transaction environments, including z/OS UNIX, as well as authentication for Linux for zSeries (using the included PAM component). Built-in, comprehensive administrative and reporting tools, along with detailed event logging capabilities, simplify the management of users and their access rights. These solutions give you the tools to monitor the efficiency of your security policies and provide end-to-end security for the enterprise when deployed with other CA solutions.

CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF. Offers easily automated, continuous and unattended security file cleanup by monitoring security system activity to identify security definitions that are currently unused. Specifically, CA Cleanup solutions identify accounts and access unused beyond a specified threshold and generate commands to remove unused user IDs, entitlements, permissions, and profile and group connections that each user has but does not use. These solutions effectively resolve the accumulation of obsolete and excessive access rights that otherwise occurs within a security file over time, a key requirement for compliance with many regulations. CA Cleanup deploys easily and can enable you to:

- Identify and remove individual user entitlements and access groups that are no longer used.
- Identify entitlements (such as permissions and rules) actually used and create commands to remove those that are unused. This includes user-defined resources.
- Identify user IDs actually used and create delete commands for those unused. This is based on actual security usage, not reported last-use dates, which are often unreliable.
- Identify the IBM RACF groups and profiles that each ID actually uses and create the RACF commands to remove those that are unused.
- Produce reports detailing both used and unused entitlements.
- Generate commands to enact or restore security cleanup.
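The usage-based cleanup described in section 4 and in the CA Cleanup bullets above, as an added Python example that is not CA's code: it flags user IDs and entitlements with no observed access inside a threshold window, emits RACF-style remove and restore commands (the command syntax is an assumption of this example), and shows how a reported last-use date can disagree with observed usage. All entitlements, dates and events below are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample security-file contents (not real data). Each entitlement is
# (userid, resource class, resource, access level). REPORTED_LAST_USE is what the
# security file itself records, which the paper notes is often unreliable.
ENTITLEMENTS = [
    ("PAYUSR1", "DATASET", "PAY.MASTER", "READ"),
    ("PAYUSR1", "DATASET", "PAY.ARCHIVE", "UPDATE"),
    ("OLDCLERK", "DATASET", "PAY.MASTER", "READ"),
    ("BATCHOP", "FACILITY", "BPX.SUPERUSER", "READ"),
]
REPORTED_LAST_USE = {"PAYUSR1": date(2007, 6, 1), "OLDCLERK": date(2007, 6, 1),
                     "BATCHOP": date(2006, 1, 1)}
# Constructed access events gathered by monitoring: (userid, class, resource, date).
EVENTS = [
    ("PAYUSR1", "DATASET", "PAY.MASTER", date(2007, 5, 30)),
    ("BATCHOP", "FACILITY", "BPX.SUPERUSER", date(2007, 6, 2)),
]
AS_OF = date(2007, 7, 1)  # constructed "today" for the threshold calculation

def find_unused(entitlements, events, as_of, threshold_days):
    """IDs and entitlements with no observed use within the threshold window."""
    cutoff = as_of - timedelta(days=threshold_days)
    last_id, last_ent = {}, {}
    for uid, cls, res, when in events:  # latest observed use per ID and per entitlement
        last_id[uid] = max(last_id.get(uid, when), when)
        last_ent[(uid, cls, res)] = max(last_ent.get((uid, cls, res), when), when)
    active = lambda d: d is not None and d >= cutoff
    unused_ids = sorted({e[0] for e in entitlements if not active(last_id.get(e[0]))})
    # Entitlements of IDs that are being deleted are covered by the DELUSER itself.
    unused_ents = [e for e in entitlements
                   if e[0] not in unused_ids and not active(last_ent.get(e[:3]))]
    return unused_ids, unused_ents

def cleanup_commands(unused_ids, unused_ents):
    """RACF-style command text to enact the cleanup (illustrative syntax)."""
    cmds = [f"DELUSER {uid}" for uid in unused_ids]
    cmds += [f"PERMIT {res} CLASS({cls}) ID({uid}) DELETE"
             for uid, cls, res, _ in unused_ents]
    return cmds

def restore_commands(unused_ents):
    """Commands that put removed entitlements back if a cleanup must be rolled back."""
    return [f"PERMIT {res} CLASS({cls}) ID({uid}) ACCESS({acc})"
            for uid, cls, res, acc in unused_ents]

def stale_last_use(entitlements, events, reported):
    """IDs whose reported last-use date is not backed by any observed event."""
    seen = {e[0] for e in events}
    defined = {e[0] for e in entitlements}
    return sorted(uid for uid in reported if uid in defined and uid not in seen)
```

With a 90-day threshold, OLDCLERK is deleted and PAYUSR1's unused PAY.ARCHIVE access is removed, while OLDCLERK's recent reported last-use date is flagged as unsupported by observed activity.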

CA Auditor for z/OS. CA Auditor for z/OS (CA Auditor) is an industry leader in automated review and auditing for z/OS operating system integrity and verification. It provides important information about system security, integrity and control mechanisms that is extremely difficult to obtain from other sources. CA Auditor helps identify and control security exposures, trap doors, Trojan horses and logic bombs that can destroy production dependability and circumvent existing security mechanisms. All of these exposures can exist in the form of improper or misused operating system code, supervisor calls (SVCs), exits, libraries, functions and facilities. Through the use of proficient system techniques and an English-language interface, information that is otherwise difficult or time-consuming to obtain can be provided instantly. In addition, CA Auditor identifies potential problems, makes suggestions and, with the dialog feature, answers your questions.

CA Access Control (on mainframe Linux). CA Access Control delivers consistently strong access control across distributed platforms and mainframe operating systems. This solution provides policy-based control of who can access specific systems, applications and files; what they can do within them; and when they are allowed access. It also provides capabilities for management of root privileges across mixed platforms (Linux, UNIX, Windows) for greater administrative security and easier compliance. It also enhances compliance auditing, because all root users are uniquely identified so that every security action can be associated with its originator. CA Access Control also extends the security capability of the native operating system across heterogeneous platforms throughout the entire IT environment, so that security can be managed in a consistent way across all platforms. This includes the ability to propagate password changes and status (i.e. suspended/unsuspended) across the enterprise, including to the mainframe. This reduces administrative effort and cost, and provides easier compliance.

CA Identity Manager. CA Identity Manager provides a graphical, integrated identity management and user provisioning platform that automates the creation, modification and suspension of user identities and their access to resources enterprise-wide (including the mainframe), to increase security levels and compliance while reducing administration costs and enhancing the user experience. In addition, Identity Manager provides auditing services that can be used by both internal and external auditors to help determine whether the entitlement-granting practices of the organization are in control and effectively keeping private data private.

CA Security Command Center. CA Security Command Center (CA SCC) is essential to proactively managing the complexities of an organization's security environment. It helps you discover and prioritize relevant security data to effectively manage your security risks in real time. By correlating security risks to assets, you can take corrective action and investigate security incidents through a centralized command and control center. CA SCC can also process security events generated by mainframe access management products, so that events across the entire IT environment can be analyzed more effectively. CA SCC will not only enable easier compliance for your IT environment, it can also reduce your administrative costs and reduce the risk of undetected security issues.

Key Compliance Requirements and CA Solutions

The following table lists the key compliance solution areas discussed in this paper, along with the specific CA mainframe solutions that can provide you with these compliance capabilities. For more information on any of these solutions, visit ca.com or contact your local CA representative.

Compliance Capability | CA Mainframe-related Solution(s)
Centralized Access Control | CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux
User Provisioning | CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF; CA Identity Manager
Host Access Management | CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux
Automated cleanup of inactive accounts | CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF
Automated Software Configuration Analysis | CA Auditor for z/OS
Separation/segregation of duties | CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux
Centralized Auditing and Monitoring | CA ACF2 and CA Top Secret, plus their DB2 Options; CA Auditor for z/OS; CA Security Command Center
Information Encryption | BrightStor Tape Encryption

About the Authors

Reginald (Reg) Harbeck is CA's Global Mainframe Solution Manager. In the two decades since he received his Bachelor's Degree in Computer Science he has worked with operating systems, networks, security and applications on mainframes, UNIX, Linux, Windows and other platforms. Reg has been with CA for nine years, during which time he has met with and presented to IT management and technical audiences in Europe, the Middle East and many locations across North America, including at Gartner, IBM zSeries, CMG, SHARE and CA World user conferences. Reg is the published author of several white papers and articles which are also available online.

Sumner Blount is the CA Director of Security Solutions. He has worked in a variety of Product Management and Engineering roles, including managing the development of all large operating systems at Digital Equipment and Prime Computer, and managing engineering and product management groups at other companies. He is also the author of a number of industry articles, and has spoken at many industry conferences in the past.

Copyright 2007 CA. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document AS IS without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP310670207