Security

Turning from user identification to access control, we see similar difficulties in cross-platform security.
  
Access control is complicated by the fact that the names of files and resources requiring protection also follow different standards for length, content, and organization. File names on z/OS are all uppercase and are subdivided into pieces called qualifiers, with a period as the separator character. The qualifiers are used to group files together (e.g., all data sets whose high-level [left-most] qualifier is SYS1…). UNIX and Windows filenames are separated by slashes, are often lower- or mixed-case, and are organized into directories and sub-directories.
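The naming differences above matter the moment an access-control rule has to be matched against a resource name: a z/OS rule written for the high-level qualifier SYS1 must ignore case, while a UNIX directory rule must not. The following Python is an added example, not code from the article: it canonicalises a resource name per platform and decides whether a rule's scope covers it. The ResourceName type, the parse_* and is_under names, and the refusal to compare names across platforms are this example's own choices; the 8-character qualifier and 44-character total limits are standard z/OS data set name rules, which the text does not state.

```python
"""Canonicalise resource names from z/OS, UNIX and Windows before matching
them against an access-control scope (added example, not the article's code)."""
import re
from dataclasses import dataclass

# Standard z/OS rule (not stated in the text): a qualifier is 1-8 characters,
# starts with a letter or national character (@ # $), and the whole name is <= 44.
_QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")


@dataclass(frozen=True)
class ResourceName:
    platform: str        # "zos", "unix" or "windows" (this example's labels)
    parts: tuple         # qualifiers on z/OS, path components elsewhere
    case_sensitive: bool

    @property
    def high_level(self) -> str:
        """Left-most qualifier on z/OS, top-level component elsewhere."""
        return self.parts[0]


def parse_zos_dataset(name: str) -> ResourceName:
    """z/OS data set names are uppercase and period-separated; fold case first."""
    name = name.strip().upper()
    qualifiers = tuple(name.split("."))
    if len(name) > 44 or any(not _QUALIFIER.match(q) for q in qualifiers):
        raise ValueError(f"not a valid z/OS data set name: {name!r}")
    return ResourceName("zos", qualifiers, case_sensitive=False)


def parse_unix_path(path: str) -> ResourceName:
    """UNIX names are slash-separated and case-sensitive; only absolute,
    normalised paths are accepted so '..' cannot escape a scope."""
    if not path.startswith("/"):
        raise ValueError("UNIX resource names must be absolute")
    parts = tuple(p for p in path.split("/") if p)
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative components are not allowed in a protected name")
    return ResourceName("unix", parts, case_sensitive=True)


def parse_windows_path(path: str) -> ResourceName:
    """Windows accepts either separator and ignores case; require a drive letter."""
    parts = tuple(p for p in re.split(r"[\\/]", path) if p)
    if not parts or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        raise ValueError("expected a drive-letter path such as C:\\dir\\file")
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative components are not allowed in a protected name")
    return ResourceName("windows", tuple(p.upper() for p in parts), case_sensitive=False)


def is_under(resource: ResourceName, scope: ResourceName) -> bool:
    """True if `scope` names `resource` itself or one of its ancestors.

    Cross-platform comparisons are always False: each platform protects its
    own resources, so a rule written for one platform never covers another's.
    """
    if resource.platform != scope.platform:
        return False
    if len(scope.parts) > len(resource.parts):
        return False
    fold = (lambda s: s) if resource.case_sensitive else str.upper
    return all(fold(a) == fold(b) for a, b in zip(resource.parts, scope.parts))


if __name__ == "__main__":
    sys1 = parse_zos_dataset("SYS1")                      # "every data set under SYS1"
    print(is_under(parse_zos_dataset("sys1.parmlib"), sys1))            # True
    print(is_under(parse_unix_path("/Etc/passwd"), parse_unix_path("/etc")))  # False
    print(is_under(parse_unix_path("/etc/passwd"), parse_windows_path("C:\\etc")))  # False
```

The parsers reject anything they cannot canonicalise rather than guessing, because a scope check that silently accepts a malformed or relative name is exactly where a rule ends up covering more (or less) than the administrator intended.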

There can be types of resources on one platform that don’t exist on others (e.g., UNIX pipes or mainframe JESSPOOL and TSOPROC).

A final problem results from the different software approaches to user identification and access control. With z/OS, these are provided by one of three security software packages—IBM’s RACF, CA-ACF2, or CA-Top Secret—each with its own logic and architecture. On Windows computers, these functions are built into the operating system using a different architecture. These functions are also built into the UNIX and iSeries operating systems but with yet different architectures.

Each security package has its own set of privileges, and these seldom map neatly onto another package's privileges.

As we examine some of the possible solutions, here are some basic, simplifying principles to keep in mind:

• Assume each platform is responsible for protecting the files and resources that live on that platform. Any other approach is impractical.
• A user’s identity can only be validated by the platform where the user is defined.
• Platforms will need a means of trusting each other.
• The only widely used communication protocol all platforms support is TCP/IP. This set of rules and formats to let different types of computers communicate with each other started out in UNIX and spread to the Internet. Microsoft adopted it for Windows when its proprietary protocols were found incapable of effective security. IBM adopted TCP/IP and supports it fully on mainframes, iSeries, and AIX. Any cross-platform security solution will likely rely on TCP/IP.

The several different cross-platform solutions developed typically use one or more of the following approaches:

• Userid coordination, maintaining a list on each platform of its userids and their corresponding userids on other platforms
• Agent software on each platform that handles userid administration and communicates with the agent software on other platforms and also with the security software on its own platform
• Role-Based Access Control (RBAC) using groups of users, each of which represents a role such as all the users who need to be Accounts Receivable clerks
• Upside-down trees, of which you already know examples: the directory tree on your hard drive and the organization chart for your company
• Cross-platform security standards supported on all platforms

Each of these approaches has pros and cons. The first two involve adding hardware resource usage, administrative overhead, and control information. The last three involve using tools already on your computers.

Userid coordination can add significantly to hardware and network resource usage, encryption requirements, and the administrative effort needed. An example of this approach is the RACF mainframe security software feature called RACF Remote Sharing Feature (RRSF).
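Part of the administrative effort in userid coordination is keeping the per-platform lists consistent with each other, since a stale or ambiguous entry decides which account a remote request runs under. The following Python is an added example, not the article's or any vendor's code: it checks a coordination table for entries that are syntactically invalid for their platform, for two local userids mapped onto the same remote userid (so actions on the remote platform can no longer be attributed to one person), and for one-way mappings with no matching reverse entry. The table layout, the check_mapping and valid_userid names, and every sample row are constructed for this example; the 1-to-8-character uppercase rule applied to z/OS userids is the standard RACF convention, which the text does not state.

```python
"""Consistency checks for a cross-platform userid-coordination table
(added example with constructed data, not the article's code)."""
import re
from collections import defaultdict

# Standard RACF userid syntax (not stated in the text): 1-8 characters,
# uppercase letters, digits or national characters, not starting with a digit.
ZOS_USERID = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")

# Constructed sample table: (local platform, local userid, remote platform, remote userid).
# Each platform would hold only its own rows; they are merged here for checking.
SAMPLE_TABLE = [
    ("zos",     "JSMITH",       "unix",    "jsmith"),
    ("zos",     "JSMITH",       "windows", "CORP\\jsmith"),
    ("zos",     "ADMIN01",      "unix",    "root"),      # a person mapped to a shared account
    ("zos",     "ADMIN02",      "unix",    "root"),      # a second person onto the same account
    ("unix",    "jsmith",       "zos",     "JSMITH"),
    ("unix",    "root",         "zos",     "ADMIN01"),   # reverse entry agrees with only one of them
    ("windows", "CORP\\jsmith", "zos",     "jsmith"),    # lowercase: not a valid z/OS userid
]


def valid_userid(platform: str, userid: str) -> bool:
    """Platform-specific syntax check; only z/OS is strict in this example."""
    if platform == "zos":
        return bool(ZOS_USERID.match(userid))
    return bool(userid) and not userid.isspace()


def check_mapping(table):
    """Return sorted, de-duplicated findings for a coordination table."""
    findings = []
    targets = defaultdict(set)   # (local platform, remote platform, remote id) -> local ids
    entries = set()
    for local_plat, local_id, remote_plat, remote_id in table:
        for plat, uid in ((local_plat, local_id), (remote_plat, remote_id)):
            if not valid_userid(plat, uid):
                findings.append(f"INVALID: {uid!r} is not a valid {plat} userid")
        targets[(local_plat, remote_plat, remote_id)].add(local_id)
        entries.add((local_plat, local_id, remote_plat, remote_id))

    # Many-to-one: the remote platform cannot tell which person is acting.
    for (local_plat, remote_plat, remote_id), local_ids in targets.items():
        if len(local_ids) > 1:
            findings.append(
                f"AMBIGUOUS: {remote_plat} userid {remote_id!r} is the target of "
                f"{sorted(local_ids)} on {local_plat}; actions cannot be attributed")

    # One-way: the other platform's list does not agree with this mapping.
    for local_plat, local_id, remote_plat, remote_id in entries:
        if (remote_plat, remote_id, local_plat, local_id) not in entries:
            findings.append(
                f"ONE-WAY: {local_plat}:{local_id} -> {remote_plat}:{remote_id} "
                f"has no matching reverse entry")
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in check_mapping(SAMPLE_TABLE):
        print(finding)
```

Run against the sample rows, the check reports the lowercase z/OS userid, the two administrators sharing the UNIX root mapping, and the three entries whose reverse mapping is missing or disagrees; a clean table returns an empty list. The reverse-entry check is the one that catches drift between platforms' lists, which is where the administrative overhead of this approach tends to show up.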
