For most data centers, disk data sets have been nice and secure for years. Today, most data centers have enabled some form of “protect all” level of security for disk data sets, so no data set can be created without a rule in place to protect it. However, just because disk data is protected doesn’t mean tape data is equally secure. Here are the four most basic aspects of security protection of a tape library:
1. Standard security checks during OPEN processing for tape data sets
2. Control over who can bypass the tape management system with EXPDT=98000
3. Control over who can update the tape management system’s database, and control over the tape library staff’s ability to change the data set name field
4. Control over who can shut down the tape management system, and how that’s controlled
Standard Security Checks
The first aspect of security protection is the simple data set level access check during OPEN processing. There are three different ways basic security checks can be activated for tape data sets:
1. There are options in external security products such as CA ACF2, CA Top Secret, and IBM’s RACF.
2. Starting with z/OS 1.8, options in the DEVSUPxx member of SYS1.PARMLIB allow security to be activated.
3. Some tape management systems also have an option to perform basic security checks during OPEN processing.
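As an added example (not from the original article), the following Python sketch audits the text of a DEVSUPxx member for the second method above. It assumes the TAPEAUTHDSN, TAPEAUTHF1, TAPEAUTHRC4 and TAPEAUTHRC8 keywords and defaults as IBM documents them for DEVSUPxx; the two sample members are constructed for illustration.

```python
import re

# Assumption: keyword names and defaults follow IBM's DEVSUPxx documentation,
# not this article, which only says the options live in DEVSUPxx.
DEFAULTS = {"TAPEAUTHDSN": "NO", "TAPEAUTHF1": "NO",
            "TAPEAUTHRC4": "FAIL", "TAPEAUTHRC8": "FAIL"}

def parse_devsup(text):
    """Return the effective TAPEAUTH* settings from DEVSUPxx member text."""
    text = re.sub(r"/\*.*?\*/", " ", text.upper(), flags=re.S)  # drop comments
    settings = dict(DEFAULTS)
    for key, value in re.findall(r"\b([A-Z0-9]+)\s*=\s*([A-Z0-9]+)", text):
        if key in settings:
            settings[key] = value
    return settings

def audit(text):
    """List settings that weaken OPEN-time checks for tape data sets."""
    s = parse_devsup(text)
    findings = []
    if s["TAPEAUTHDSN"] != "YES":
        findings.append("TAPEAUTHDSN is not YES: DEVSUPxx requests no data set "
                        "name check at OPEN; confirm the security product or "
                        "tape management system performs it instead")
    if s["TAPEAUTHRC4"] == "ALLOW":
        findings.append("TAPEAUTHRC4=ALLOW: tape data sets with no covering "
                        "profile are accessible (no 'protect all' for tape)")
    if s["TAPEAUTHRC8"] == "WARN":
        findings.append("TAPEAUTHRC8=WARN: failed access checks only produce "
                        "a warning; access is still granted")
    return findings

# Constructed sample members (not taken from any real system).
WEAK = """/* constructed: migration-style settings left in place */
COMPACT=YES,
TAPEAUTHDSN=YES,
TAPEAUTHRC4=ALLOW,
TAPEAUTHRC8=WARN
"""
HARDENED = """COMPACT=YES,
TAPEAUTHDSN=YES,
TAPEAUTHRC4=FAIL,
TAPEAUTHRC8=FAIL
"""

if __name__ == "__main__":
    for name, member in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(member) or "no findings")
```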