Mar 4 ’10

Identity and Access Management on the Mainframe

by Richard Adhikari 

No longer solely the province of the mainframe, with its centralized repository and management, Identity and Access Management (IAM) has extended itself to distributed platforms such as UNIX, Linux, and Microsoft. As a result, enterprises are using multiple IAM systems on multiple platforms to manage identity and access. IT has to ensure it knows how to bring together all the IAM components running on desktops, LANs, the mainframe, and other platforms.

The increased emphasis on compliance, especially in the wake of the Wall Street meltdown and the almost-daily reports of massive data breaches, further complicates the IAM process.

IAM Market Share

IDC’s figures show that IAM revenues worldwide totaled just over $3.38 billion in 2008, and IDC predicts these figures will increase at a compound annual growth rate of 7.2 percent to $4.8 billion by 2013. Figure 1 shows a breakdown of IAM revenues by platform for 2008 and IDC’s projections through 2013.

Market share alone doesn’t constitute the whole picture. The percentage of strategic information a platform supports shows how vital it is to an enterprise. Mainframes hold roughly 80 percent of machine-readable data worldwide. According to CA, in 2008, the total installed mainframe capacity worldwide was about 14 million MIPS, and mainframes hosted more than $1 trillion of critical application investments. That means the mainframe is a trusted platform, so it can be leveraged to perform more functions, including IAM.


IAM and the Mainframe

The point of having IAM solutions is to ensure your business is in compliance with various regulations. IAM is a key factor in achieving compliance, according to IDC analyst Sally Hudson. She recommends that companies implement an IAM architecture to cope with the growing worldwide demand for regulatory compliance with standards such as the:

“Enterprises will require a flowing automated system that allows for a strong security framework, including auditing, archiving, and storage for compliance purposes,” Hudson says. “Data must be easy to locate and produce for audit. A proactive automated system that doesn’t permit an out-of-compliance action to occur is the goal.”

The mainframe will continue to play a vital role as companies look for ways to leverage their existing systems to keep costs down.

“Current mainframe customers are discovering that it’s more cost-effective to extend and reuse existing applications with Web services and/or appropriate middleware,” Hudson says. This is occurring primarily in the banking, financial, and insurance industries.

“While historically, mainframe IAM has been confined to products such as RACF, ACF2 and Top Secret, we see the area expanding as leading vendors in this space expand their product capabilities to include IAM software products for provisioning (which includes roles and entitlements) and Web access management interfaces and tools for mainframe environments,” Hudson says.

RACF is now a component of IBM’s Security Server offering, which controls access to all protected z/OS resources. The IBM Security Server components also include Lightweight Directory Access Protocol (LDAP), firewall technologies, Enterprise Identity Mapping (EIM), Public Key Infrastructure (PKI) services, and network authentication service for the z/OS environment. An IBM source told Hudson there are now more than 5,000 unique applications for the System z platform, almost half of which are Linux-based.

CA offers ACF2 and CA Top Secret for z/OS, z/VM and z/VSE, and includes z/OS UNIX and Linux for System z, according to Hudson. It also offers the CA Web Administrator for ACF2 and Top Secret. This is a browser-based Graphical User Interface (GUI) option for customers on CA ACF2 and CA Top Secret r12 for z/OS, which enables centralized management of remote or delegated administration, and can reduce the learning curve for new systems administrators. Hudson points out that CA’s recent acquisition of Eurekify lets it provide “strong roles management” on the mainframe.

Several other vendors offer IAM products that work on other platforms. Some vendors, such as Centrify, offer products that work on multiple platforms. The Centrify Suite offers a centralized IAM solution that leverages Microsoft Directory. Centrify also supports Red Hat Linux running on IBM System z.

Oracle Identity and Access Management 10g runs on Red Hat Enterprise Linux A Release 4, Update 5. Sun also offers IAM products for the mainframe, but, with its purchase by Oracle, it’s not yet clear whether these will be rolled into Oracle’s product line.

Novell is among the vendors offering IAM solutions that run on multiple platforms. Its Privileged User Manager works across UNIX and Linux. FoxT’s Enterprise Access Controls integrate IAM infrastructure over UNIX, Linux, IBM System z, and Windows-based servers. Quest Software offers its Vintela single sign-on solutions for the UNIX, Linux, Mac, and Java platforms.

IAM solutions running on non-mainframe platforms tend to tie back into the mainframe, or should, for an enterprise-wide view. That’s one reason IDC’s Hudson contends a comprehensive IAM architecture is necessary. Another reason is the growing mobility of the workforce.

“The IAM architecture must extend [out] to incorporate remote users accessing corporate data via laptops, cell phones, PDAs and so on,” Hudson says. “Identity assurance must be end-to-end—and the ends keep changing so the architecture must be both flexible and secure.”

Extending IAM to Other Platforms

The mainframe’s high costs mean it isn’t always the most cost-effective choice for running IAM applications, such as user provisioning, access management, and administrative functions, according to Gartner vice president Earl Perkins. However, running IAM applications on the mainframe’s specialty processors won’t affect the Million Service Units (MSUs) for the general processor. For instance, Tivoli Identity Manager (TIM), Tivoli Access Manager (TAM), and Federated Identity Manager (FIM) can run on the Integrated Facility for Linux (IFL), while TIM and FIM can run on the System z Application Assist Processor (zAAP).

“Consider identity management as having two layers,” Perkins says. “The bottom layer is access—all the things an identity management application must do to enforce access to an application or service and manage access to them. The top layer is administration. Administration involves all the things required to perform such tasks as create an identity, get approval for that identity, and do analysis for that identity. To create, maintain, get rid of, or report on identity is the top layer’s responsibility. The mainframe has predominantly been focused on the access layer as the gatekeeper, making sure the right people get access to its resources.

“Mainframes would be especially appropriate for IAM in special circumstances such as in cloud computing,” Perkins adds.

“When you have a use case or a situation such as having large volumes of people or having to be available 24x7, that makes running IAM on the mainframe a good idea,” he says.

However, there’s no one-size-fits-all solution, and running IAM on the mainframe can be effective when specialty processors are leveraged.


Multiple IAM Systems in the Enterprise

All those extensions of IAM systems to other platforms point to one thing—that enterprises have several IAM systems in their computing environment.

“You rarely run into companies having only a single identity management solution; they usually have several that have to be managed to work together,” Burton Group senior analyst Kevin Kampman says. “It’s very challenging and expensive.”

Often, users have several identities on different platforms, and roles are defined differently on different platforms or wherever there is more than one system. Especially in merger or acquisition situations, IT must conduct asset search and discovery as part of an effort to rationalize the enterprise’s IAM systems and eliminate overlap.

“It’s not the technology leading the conversation, it’s the business process,” says Ian Glazer, senior analyst, IdPS, at Burton Group.

Still, few enterprises will get by with only one IAM system if only because of the existence of several different computing platforms. So, IT must understand how to reconcile them all beneath a common perspective.

“You have to understand how IAM is initiated in different technologies, but you need to have a common view of entitlements and identities to accommodate all that,” Kampman says.

This isn’t easy because several ways of viewing entitlements and identities must be reconciled. First, IT must reconstitute the entitlements of compliance applications, which often have been on the corporate mainframes for years. That’s no small task.

“Organizations I’ve talked to say cleaning up mainframe entitlements and getting out some of the dead wood added a year to their access certification process,” Glazer says.

To succeed, IT must tap the business side.

“The enterprise must involve business principals, usually managers or line of business operatives who are familiar with those applications or resources,” Kampman says. “The problem belongs primarily to the business side, and isn’t unilaterally owned by IT; it’s part of role management.”

Consolidating the various IAM applications in the enterprise so they work together is challenging, but necessary. “Getting different systems vendors’ products to work together is a big issue, although progress is being made,” says Kirk Willis, vice president of CA’s Mainframe Business Unit.

“Standards such as LDAP and SOAP help. The major vendors offering provisioning, role management, as well as identity and access governance all work well with the mainframe,” Glazer says. “Support for RACF and ACF2 is the minimum requirement; now you have a burgeoning LDAP presence in the mainframe environment, so you have a fairly accessible environment for identity management technology,” he says.

“It’s important these standards evolve, because that will lessen the burden of management and regulatory compliance,” Willis says.

But that’s not all; beyond implementing the standards, IT will still have to provide for consistent and uniform risk definitions. “If you don’t have consistent risk definitions, you don’t have consistent risk enforcement,” Willis explains.

Unfortunately, it just isn’t feasible to come up with one set of definitions.

“Depending on who the constituents are, you’ll have different solutions,” Burton Group’s Kampman says. “You’ll have multiple processes coming together … and you have to aggregate them by community—internal users, external users, contractors, and so on.”

Virtualization poses another challenge. “When you’re collapsing the virtual environment to the mainframe environment, you have to manage the virtualized environments as well as the mainframe,” Burton Group’s Glazer says.

New Initiatives

A solution to the problem of users having multiple identities to access different applications is at hand, through OpenID and the Kantara Initiative, two new identity initiatives now being worked on. Membership in the communities for both standards often overlaps, with many enterprises and bodies being represented in both. OpenID is an open, decentralized standard for user authentication and access control that lets users employ one digital identity to log onto many Web services. Log in once, access many services. An OpenID is a unique URL authenticated by the user’s OpenID provider—the entity hosting the URL. Authentication can be made through various technologies, including smart cards, biometrics, or passwords. OpenID providers include AOL, IBM, the BBC, Google, Microsoft, MySpace, PayPal, VeriSign, Yandex, Ustream, Yahoo, and Orange (a European wireless carrier). The OpenID Foundation was established in June 2007 to manage intellectual property and brand marks, as well as foster the growth of OpenID. Board members include representatives from JanRain, Six Apart, Plaxo, Yahoo, Facebook, Google, IBM, Microsoft, PayPal, and VeriSign.

One of the first enterprises to leverage the single sign-on capabilities provided by OpenID is Sears, which is leveraging OpenID as a marketing tool. In July, the retail giant launched the OpenID platform for Sears Communities. Using a single sign-on, this will connect the more than one million visitors hitting Sears’ Websites each month to major social media through MySears and MyKmart sites. Consumers will be able to share information on products, services, and solutions. In the future, consumers will be able to share their posts and product reviews with their Facebook friends.

The Kantara Initiative, meanwhile, is a global organization formed in June after about a year of planning. It aims to bridge enterprise, Web 2.0, and Web-based identity initiatives. Funding comes from the Concordia Project, the Data Portability Project, the Information Card Foundation, the Internet Society, the Liberty Alliance, and

All output from the Initiative will be based on open standards. Solutions built under the Initiative could be based on one or a combination of several standards. The Kantara Initiative is governed by a board of trustees that includes representatives from Oracle, the Internet Society, AOL, British Telecom, CA, Intel, Fidelity Investments, Novell, NRI, NTT, PayPal, and the New Zealand government.

Where OpenID and Kantara Fit Into IAM and the Mainframe

Because the mainframe focuses on the access, or bottom layer of the identity management cake, its role when OpenID or the Kantara Initiative are brought into the enterprise is to receive the OpenID or Kantara identity, give it the access it needs to work, and then, when the task is over, get rid of that identity.

OpenID and the Kantara Initiative both create a dynamic, standard environment to deal with authentication, Perkins says. “If I wanted to provide identity management to many companies working together, how would I set up a system to work when they don’t have the same hardware, don’t abide by the same policies?” he asks. “You could define everybody in the world by one company’s mainframe or you could set up a system to dynamically create and trust an identity, allow it to be used and then, when it’s no longer required, it goes away.”

With orphan user accounts being a huge security problem, can IT be sure OpenID or Kantara Initiative technologies will ensure identities are erased when no longer needed? “They’re working on it,” Perkins says.
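As an added illustration (not code from the article or from any product it names), the access-layer lifecycle Perkins describes, modelled in Python: a federated identity is admitted with a bounded lifetime, used, and removed when the task is over, and a sweep then finds the orphan accounts that were never removed. Class names, entitlements and the two example identities are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EphemeralIdentity:
    claimed_id: str      # the federated identifier, e.g. an OpenID URL
    granted: frozenset   # entitlements granted for this task only
    expires: datetime    # hard expiry, so a missed deprovision cannot last forever


class AccessLayer:
    """Toy 'bottom layer': admits a federated identity, enforces access, removes it."""

    def __init__(self, max_ttl=timedelta(hours=8)):
        self.max_ttl = max_ttl
        self.accounts = {}

    def provision(self, claimed_id, entitlements, now, ttl):
        # The access layer, not the caller, caps the lifetime; this bounds the
        # exposure if the "task over" deprovision never arrives.
        ident = EphemeralIdentity(claimed_id, frozenset(entitlements), now + min(ttl, self.max_ttl))
        self.accounts[claimed_id] = ident
        return ident

    def authorize(self, claimed_id, entitlement, now):
        ident = self.accounts.get(claimed_id)
        return bool(ident and now < ident.expires and entitlement in ident.granted)

    def deprovision(self, claimed_id):
        return self.accounts.pop(claimed_id, None) is not None

    def orphans(self, now):
        # Identities past expiry that were never removed: the orphan accounts the
        # article warns about. Run a sweep like this as part of access certification.
        return sorted(cid for cid, i in self.accounts.items() if now >= i.expires)


def demo():
    """Constructed scenario: two federated users, one cleanly deprovisioned, one forgotten."""
    t0 = datetime(2010, 3, 4, 9, 0)
    layer = AccessLayer()
    layer.provision("https://alice.example.com/", {"READ:PAYROLL"}, t0, timedelta(hours=1))
    layer.provision("https://bob.example.com/", {"READ:LEDGER"}, t0, timedelta(days=30))  # capped to 8h
    t1 = t0 + timedelta(minutes=30)
    allowed = layer.authorize("https://alice.example.com/", "READ:PAYROLL", t1)
    denied = layer.authorize("https://alice.example.com/", "WRITE:PAYROLL", t1)
    layer.deprovision("https://alice.example.com/")  # task over: the identity goes away
    return allowed, denied, layer.orphans(t0 + timedelta(hours=9))
```

`demo()` returns `(True, False, ["https://bob.example.com/"])`: Alice's access worked within her grant and was cleanly removed, while Bob's identity outlived its capped lifetime and shows up as an orphan.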

“OpenID, Kantara, and other identity initiatives want to set up standard rules for enforcement, commissioning and deprovisioning identities,” he says. “They do the basic job of handling deprovisioning, but providing more detailed and granular levels of access in the form of authorization hasn’t yet been perfected.”

So far, there are no standards for establishing or enforcing granular levels of access, but OpenID and the Kantara Initiative are working on this, according to Perkins. The issue may be moot anyway.

“When you want granular access, you wouldn’t go to OpenID or Kantara, you would go to the company you’re working with and they’ll give you a proprietary manual form of access,” Perkins explains.