Security

Mainframe Security: Back to the Future?

In the early ’70s, mainframe access control became a frequent topic of discussion. The SHARE Security Project was formed in 1972, and its membership was, interestingly enough, comprised of mainly universities, service bureaus, and Department of Defense installations. Big business and financial institutions were noticeably absent…

Read Full Article →

The encryption of mainframe tape data is a top priority today for more than 1,500 major U.S. enterprises that rely on mainframe systems for fault-tolerant, mission-critical, transaction- intensive data processing. Most of these organizations are in the financial, healthcare, and government sectors—the same industries coping with privacy and identity theft regulations that mandate encryption of sensitive client, patient, and employee information…

Read Full Article →

Enterprise environments are composed of thousands of distributed IT systems that include various operating systems, business applications, and hardware devices. While the systems themselves are connected through the network and generally work as one, the security remains separate and unique. From the security perspective, each IT system remains an independent security domain that requires individual administration, reporting, management, and maintenance—with all the associated cost this requires. This approach creates security risks and exposures because it requires replication of control information on multiple disparate systems that must be synchronized. With so many different technologies, it becomes extremely difficult, if not impossible, to be compliant…

Read Full Article →

When Rodney King pleaded, “Can we all just get along?” following the Los Angeles area riots in the spring of 1992, he had no idea the impact his words would have. Replayed countless times again on TV and reprinted in newspaper articles, these words became an iconic call for harmony— harmony in the face of the tension that can grow when groups with diverse backgrounds, challenges, and goals must learn to communicate, collaborate, and live together…

Read Full Article →

Most large organizations continue to rely on the z/OS mainframe platform for support of their mission-critical core businesses and internal administration. So the security of the mainframe remains vital. Many z/OS installations rely on IBM’s RACF to protect their systems. RACF is a feature-rich product that can fully protect mainframe resources if implemented properly…

Read Full Article →

Privileged Users and the Mainframe

There’s always been debate in the security community about whether the largest threat is internal or external. It appears auditors and regulators have cast their vote: The insider threat has become the hot topic of audits. The threat that’s most concerning is that of the privileged user, and their (usually) unintentional but harmful mistakes. When you consider this threat and the auditors’ focus in the context of a mainframe-specific challenge, you’ll realize why you’ve been so busy lately. With great power comes great responsibility. Do you know who’s being responsible on your mainframe? Can you not afford to find out? You must. Here’s how.

Read Full Article →

Web-Exposed Databases

Increasing scrutiny of database activity, fueled by regulatory requirements, is exposing a rarely discussed hole in database activity auditing: invisible users. This blind spot is especially troublesome for organizations that must comply with regulations that mandate database access auditing, including section 404 of the Sarbanes-Oxley Legislation, section 10 of the PCI (Payment Card Industry) standard, and Title II, Security Rule, and Administrative Safeguards of HIPAA. Native DB2 for z/OS audit logs have no awareness of specific user identities  accessing sensitive database information via Web applications. This includes Web-enabled commercial packages such as SAP, Oracle EBusiness Suite, PeopleSoft, etc. Therefore, when audit logs reveal fraudulent database transactions, there’s no link to the responsible user. The problem isn’t unique to DB2; the issue applies to all database platforms. That’s because the problem isn’t with the database technology itself, but with the design of most Web applications.

Read Full Article →