Operating Systems

Mainframe Security: Back to the Future?


In the early ’70s, mainframe access control became a frequent topic of discussion. The SHARE Security Project was formed in 1972, and its membership, interestingly enough, consisted mainly of universities, service bureaus, and Department of Defense installations. Big business and financial institutions were noticeably absent.

But this group of installations had a pressing problem: to segregate data between persons or groups and to control how that data was disclosed or updated. Up until then, there really was no usable method for achieving this—dataset passwords were the only control and they were difficult to administer and enter for access permission.

So the SHARE Security Project met over a period of a year and came to the conclusion that to provide true data security, the operating system (at that time it was OS/MVT) must provide an assurance of system integrity; this was defined as the inability of a user to bypass the formal interfaces of the operating system to obtain access to data, alter the operation of the computer system, etc.

In late 1973, IBM announced OS/VS2, which included an operating system integrity statement that let the project concentrate on data access control issues and develop requirements for IBM such as:

  • A centralized, installation-replaceable security system that all system and application delivery systems such as CICS could call with authorization requests (implemented by IBM as its external security manager)
  • Dataset protection by default (first introduced by ACF2 in 1978)
  • Algorithmic grouping of users and resources (implemented by ACF2 pattern masking and RACF generic profiles)
  • Protection of logical resources (CICS transactions, etc.)
  • Designated interface programs (RACF PADS [Program Access to Data Sets], ACF2 Program Pathing)
  • Secure journaling facility (SMF)
  • Support for additional identification processes (OIDCARD, secure ID cards, etc.).

When RACF was introduced in 1976, many of these requirements were lacking. ACF2 was developed and introduced in 1978 in order to provide for these features, and eventually, RACF also incorporated this functionality. Top Secret was introduced in 1981. Currently, both ACF2 and Top Secret are owned by CA and are named CA-ACF2 and CA-Top Secret.

These security systems provide a centralized service that all system and application services can invoke for authorization and authentication requests. With all invokers using this centralized service instead of providing their own security mechanisms, there is only one security image that has to be administered and controlled for the entire z/OS system.

These systems established the precedent for today’s data security standards and set extremely high standards as to what level of security could be achieved.

Unfortunately, IT has changed over the last 25 to 30 years. Back then, these systems had hundreds of users, thousands of datasets, and hundreds of megabytes of data storage. Mainframes were the data processing vehicle for companies. Now, many systems have more than 100,000 users, millions of datasets, and terabytes of data storage. In many companies, there are thousands of Linux, Unix, and Windows servers both processing information and passing requests through to the mainframe processors.

Not too long ago, some believed the mainframe was quietly going away. Obviously, that isn’t the case. Mission-critical applications still run on the mainframe and are servicing e-commerce. In fact, according to recent IBM financials, mainframes are experiencing greater than a 15 percent growth in installed capacity. However, as we detail in the following paragraphs, there are many issues facing today’s security officer:

No one remembers why a security officer or administrator did something 20 years ago: There’s no built-in documentation or incident support in existing security systems, and these people have retired or moved on to other jobs in other companies. Nothing can be done about the past, but mainframes aren’t going away. What assurance is there that this problem won’t persist?
