You are previewing Security on the IBM Mainframe: Volume 1 A Holistic Approach to Reduce Risk and Improve Security.
O'Reilly logo
Security on the IBM Mainframe: Volume 1 A Holistic Approach to Reduce Risk and Improve Security

Book Description

This IBM® Redbooks® publication documents the strength and value of the IBM security strategy with IBM System z® hardware and software. In an age of increasing security consciousness, IBM System z provides the capabilities to address the needs of today's business security challenges. This publication explores how System z hardware is designed to provide integrity, process isolation, and cryptographic capability to help address security requirements. This book highlights the features of IBM z/OS® and other operating systems, which offer various customizable security elements under the Security Server and Communication Server components. This book describes z/OS and other operating systems and additional software that leverage the building blocks of System z hardware to provide solutions to business security needs.

This publication's intended audience is technical architects, planners, and managers who are interested in exploring how the security design and features of System z, the z/OS operating system, and associated software address current issues, such as data encryption, authentication, authorization, network security, auditing, ease of security administration, and monitoring.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. IBM Redbooks promotions
  4. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  5. Part 1 Direction and architecture
  6. Chapter 1. Introduction: Why these books are being written
    1. 1.1 Scope of these books
      1. 1.1.1 In scope
      2. 1.1.2 Out of scope
    2. 1.2 Enterprise security
    3. 1.3 IBM Security Framework and IBM Security Blueprint
    4. 1.4 Horizontal functions
    5. 1.5 Structure of preferred practices
    6. 1.6 Risk-based approach
    7. 1.7 Structure of this IBM Redbooks series
    8. 1.8 Conclusion
  7. Chapter 2. Foundation of a holistic security architecture
    1. 2.1 IBM Security Framework
      1. 2.1.1 Advanced Security and Threat Research
      2. 2.1.2 People
      3. 2.1.3 Data
      4. 2.1.4 Applications
      5. 2.1.5 Infrastructure
      6. 2.1.6 Security Intelligence and Analytics
      7. 2.1.7 Security Maturity Model
    2. 2.2 IBM Security Blueprint
      1. 2.2.1 Foundational Security Management
      2. 2.2.2 Security Services and Infrastructure
      3. 2.2.3 Architectural principles
    3. 2.3 Conclusion
  8. Chapter 3. Mainframe security architecture in the enterprise
    1. 3.1 History of the mainframe
      1. 3.1.1 Late 1960s
      2. 3.1.2 Early 1970s
      3. 3.1.3 Late 1970s
      4. 3.1.4 Early 1980s
      5. 3.1.5 Late 1980s
      6. 3.1.6 Early 1990s
      7. 3.1.7 Late 1990s
      8. 3.1.8 Early 2000s
      9. 3.1.9 Late 2000s
      10. 3.1.10 The mainframe today: 2010 onwards
      11. 3.1.11 Strengths of the mainframe
    2. 3.2 Workloads on the mainframe
      1. 3.2.1 Batch processing
      2. 3.2.2 Online transaction processing
      3. 3.2.3 Modern day classification
    3. 3.3 Virtualization
      1. 3.3.1 Virtualization on System z
      2. 3.3.2 Goals and benefits of virtualization
    4. 3.4 Overview of mainframe security architecture
      1. 3.4.1 Hardware and microcode design
      2. 3.4.2 Software design
    5. 3.5 Role of the mainframe within an enterprise security architecture
      1. 3.5.1 Risk and Compliance Assessment
      2. 3.5.2 Command and Control Management
      3. 3.5.3 Security Policy Management
      4. 3.5.4 Identity, Access, and Entitlement Management
      5. 3.5.5 Data and Information Protection Management
      6. 3.5.6 Software, System, and Service Assurance
      7. 3.5.7 Threat and Vulnerability Management
    6. 3.6 Statement of Integrity and certification levels
      1. 3.6.1 Evaluation Assurance Levels
      2. 3.6.2 Certification levels for the mainframe
      3. 3.6.3 Statement of integrity
    7. 3.7 Conclusion
  9. Chapter 4. Hardware components
    1. 4.1 System components
      1. 4.1.1 The complete picture
      2. 4.1.2 Microcode
      3. 4.1.3 Processor
      4. 4.1.4 Storage
      5. 4.1.5 Coupling Facility
    2. 4.2 Devices
      1. 4.2.1 Channel connectivity
      2. 4.2.2 Adapters
      3. 4.2.3 Controllers
      4. 4.2.4 External storage
      5. 4.2.5 Terminals
      6. 4.2.6 Printers
    3. 4.3 Conclusion
  10. Chapter 5. Software components
    1. 5.1 Operating systems
      1. 5.1.1 z/OS
      2. 5.1.2 z/VM
      3. 5.1.3 Linux on z
      4. 5.1.4 z/VSE
      5. 5.1.5 z/TPF
    2. 5.2 z/OS functions
      1. 5.2.1 Initial program load
      2. 5.2.2 Master scheduler
      3. 5.2.3 The link pack area
      4. 5.2.4 System parameters
      5. 5.2.5 Linklist
      6. 5.2.6 Job entry subsystem
      7. 5.2.7 Job Control Language
      8. 5.2.8 Procedures and tasks
      9. 5.2.9 Time Sharing Option
      10. 5.2.10 ISPF
      11. 5.2.11 Data sets
      12. 5.2.12 Catalog
      13. 5.2.13 Input/output processing
      14. 5.2.14 Storage management
      15. 5.2.15 SDSF
      16. 5.2.16 System Management Facility
      17. 5.2.17 Resource Measurement Facility
      18. 5.2.18 System logger
      19. 5.2.19 UNIX System Services
      20. 5.2.20 Software delivery
      21. 5.2.21 SMP/E
      22. 5.2.22 Cross-system coupling facility
      23. 5.2.23 z/OS Security Server
      24. 5.2.24 Language Environment
    3. 5.3 Network functions
    4. 5.4 Application software
    5. 5.5 ISV/OEM software
    6. 5.6 Conclusion
  11. Chapter 6. Security solutions for IBM System z
    1. 6.1 IBM InfoSphere Guardium for z/OS
    2. 6.2 IBM Security zSecure Suite
      1. 6.2.1 Administration management with Security zSecure Suite
      2. 6.2.2 Security audit and compliance with Security zSecure
    3. 6.3 IBM Security QRadar
      1. 6.3.1 IBM Security QRadar Log Manager
      2. 6.3.2 IBM Security QRadar SIEM
      3. 6.3.3 IBM Security QRadar Risk Manager
      4. 6.3.4 IBM Security QRadar QFlow for network and application activity monitoring
      5. 6.3.5 IBM Security QRadar VFlow for virtual activity monitoring
      6. 6.3.6 IBM Security QRadar Vulnerability Manager
      7. 6.3.7 IBM Security QRadar Network Anomaly Detection
      8. 6.3.8 Integration of QRadar SIEM with z/OS
    4. 6.4 IBM Security Key Lifecycle Manager
      1. 6.4.1 Security Key Lifecycle Manager components and resources
      2. 6.4.2 Encryption-enabled 3592 and LTO tape drives
      3. 6.4.3 Enterprise storage: IBM System Storage DS8000 (2107, 242x)
      4. 6.4.4 Managing encryption
    5. 6.5 IBM Enterprise Key Management Foundation
      1. 6.5.1 The solution architecture
      2. 6.5.2 Centralized key management using the IBM Enterprise Key Management Foundation
      3. 6.5.3 Certificate management
    6. 6.6 Encryption Facility for z/OS
      1. 6.6.1 Encryption Services Feature
      2. 6.6.2 IBM Encryption Facility for z/OS Client
      3. 6.6.3 DFSMSdss Encryption
      4. 6.6.4 Encryption Services batch programs CSDFILEN and CSDFILDE
      5. 6.6.5 Encryption Facility for OpenPGP
    7. 6.7 IBM Security AppScan
      1. 6.7.1 Main editions of IBM Security AppScan
    8. 6.8 IBM Security Access Manager
      1. 6.8.1 Security Access Manager architecture
      2. 6.8.2 IBM Security Access Manager for Enterprise Single Sign-On
    9. 6.9 IBM Security Identity Manager
      1. 6.9.1 IBM Security Identity Manager entities
      2. 6.9.2 Security Identity Manager key functions and logical architecture
      3. 6.9.3 The Security Identity Manager logical architecture
      4. 6.9.4 The Security Identity Manager RACF adapter
    10. 6.10 Federated Identity Management
    11. 6.11 Conclusion
  12. Part 2 Guiding principles for IBM System z security
  13. Chapter 7. Organizing for security
    1. 7.1 The mainframe infrastructure does not exist alone
      1. 7.1.1 Defense in depth: The castle approach
      2. 7.1.2 The analogy
    2. 7.2 Security policy definition and implementation
    3. 7.3 Security design
      1. 7.3.1 Threats change over time
    4. 7.4 Continuous improvement
    5. 7.5 System z audits
    6. 7.6 Monitoring, alerting, and forensics
    7. 7.7 Access creep
    8. 7.8 The purpose of security
      1. 7.8.1 Maintaining the integrity of the operating system
      2. 7.8.2 Maintaining the security of application data
      3. 7.8.3 Maintaining the separation of applications, virtual machines, and networks
    9. 7.9 Types of security controls
      1. 7.9.1 Preventive controls
      2. 7.9.2 Monitoring controls
      3. 7.9.3 Detective controls
      4. 7.9.4 Forensic controls
      5. 7.9.5 All controls
    10. 7.10 Standards-based approach
      1. 7.10.1 Need for a standards-based approach
      2. 7.10.2 Challenges with a standards-based approach
      3. 7.10.3 “Standards-plus” approach
    11. 7.11 Security engineering
      1. 7.11.1 Business and application development
      2. 7.11.2 Audit and external compliance
      3. 7.11.3 Security management and operations
      4. 7.11.4 Technology and infrastructure capabilities
      5. 7.11.5 Other responsibilities
      6. 7.11.6 Security engineering and data ownership
    12. 7.12 Conflicts of interest
      1. 7.12.1 Conflict of availability versus security
      2. 7.12.2 Conflict of cost versus security
    13. 7.13 Proving that security controls work
      1. 7.13.1 Testing individual controls
      2. 7.13.2 Regular security control scans
      3. 7.13.3 Penetration testing
    14. 7.14 IBM services to help you
      1. 7.14.1 Preventive maintenance
      2. 7.14.2 The IBM System z Security Portal
      3. 7.14.3 IBM Emergency Response Services
    15. 7.15 Decision time
    16. 7.16 Conclusion
  14. Chapter 8. IBM System z hardware
    1. 8.1 Physical access controls
    2. 8.2 Hardware Management Console and Support Element
      1. 8.2.1 Considerations for multiple Hardware Management Consoles
      2. 8.2.2 HMC guiding principles
    3. 8.3 Input and output configuration
    4. 8.4 Terminals and printers
    5. 8.5 Storage devices
    6. 8.6 Tape libraries and removable media
    7. 8.7 Network adapters
    8. 8.8 Other peripheral devices
    9. 8.9 Logging and auditing for hardware
    10. 8.10 Conclusion
  15. Chapter 9. IBM z/OS security
    1. 9.1 Introduction
      1. 9.1.1 Finding security gaps
      2. 9.1.2 The magic ingredient
      3. 9.1.3 Third-party software
    2. 9.2 z/OS settings
      1. 9.2.1 Consoles
      2. 9.2.2 System Management Facility
      3. 9.2.3 MVS commands
      4. 9.2.4 Program Properties Table
      5. 9.2.5 Subsystem definitions
      6. 9.2.6 PROG00
    3. 9.3 z/OS system routines
      1. 9.3.1 Supervisor calls
      2. 9.3.2 Program Call routines
      3. 9.3.3 System exits
      4. 9.3.4 I/O appendages
    4. 9.4 z/OS component protection
      1. 9.4.1 UACC
      2. 9.4.2 RACF database
      3. 9.4.3 Master catalog
      4. 9.4.4 SYS1.PARMLIB
      5. 9.4.5 System data sets
      6. 9.4.6 System page data sets
      7. 9.4.7 System dump data sets
      8. 9.4.8 SYS1.STGINDEX
      9. 9.4.9 SYS1.LOGREC
      10. 9.4.10 SMF data sets
      11. 9.4.11 System linklist
      12. 9.4.12 System LPALIST
      13. 9.4.13 APF-authorized libraries
      14. 9.4.14 System log
    5. 9.5 The IBM Health Checker for z/OS
      1. 9.5.1 Managing your health checks
    6. 9.6 RACF settings
      1. 9.6.1 INITSTATS
      2. 9.6.2 SAUDIT
      3. 9.6.3 CMDVIOL
      4. 9.6.4 OPERAUDIT
      5. 9.6.5 AUDIT classes
      6. 9.6.6 GLOBAL classes
      7. 9.6.7 Enhanced Generic Naming
      8. 9.6.8 BATCHALLRACF
      9. 9.6.9 PROTECTALL
      10. 9.6.10 Tape data set protection
      11. 9.6.11 Erase on scratch
      12. 9.6.12 Inactive user ID revocation
      13. 9.6.13 Password management
      14. 9.6.14 GENERICOWNER
      15. 9.6.15 Multi-level security options
    7. 9.7 JCL procedures
    8. 9.8 UNIX System Services
      1. 9.8.1 z/OS UNIX security
      2. 9.8.2 UID 0
      3. 9.8.3 BPX profiles
      4. 9.8.4 Sharing IDs
      5. 9.8.5 UNIX file system security
      6. 9.8.6 Access control lists
      7. 9.8.7 APF and other privileged bits in the FSP
      8. 9.8.8 Sanction lists
    9. 9.9 DFSMS
      1. 9.9.1 Placing data sets
      2. 9.9.2 Naming standards for data sets
      3. 9.9.3 Managing storage volumes
      4. 9.9.4 Backup and recovery processes for data sets
      5. 9.9.5 Removing unwanted data sets
      6. 9.9.6 Migrating data sets on a use frequency basis
      7. 9.9.7 Installing storage devices and migrating data sets to those devices
      8. 9.9.8 Disposing old storage devices
    10. 9.10 JES and SDSF
      1. 9.10.1 JES command security
      2. 9.10.2 NODES profiles
      3. 9.10.3 JESINPUT profiles
      4. 9.10.4 JESJOBS profiles
      5. 9.10.5 SURROGAT profiles
      6. 9.10.6 WRITER profiles
      7. 9.10.7 SDSF protection
    11. 9.11 TSO/E
      1. 9.11.1 Regulating access to the system
      2. 9.11.2 Limiting the use of TSO/E commands
      3. 9.11.3 Limiting access to data sets
      4. 9.11.4 Summary of TSO/E resources that are protected by using RACF
      5. 9.11.5 IKJTSO00
    12. 9.12 Integrated Cryptographic Service Facility
      1. 9.12.1 Protecting ICSF keys and APIs
      2. 9.12.2 Protecting key data sets
      3. 9.12.3 Keystore Policy
      4. 9.12.4 Trusted Key Entry Workstation
      5. 9.12.5 Access Control Points
      6. 9.12.6 Disabling SAF checks for improved performance
      7. 9.12.7 Special Secure Mode
    13. 9.13 Started procedures
      1. 9.13.1 Assigning RACF user IDs to started procedures
      2. 9.13.2 Authorizing access to resources
      3. 9.13.3 Setting up the STARTED class
      4. 9.13.4 Using the started procedures table (ICHRIN03)
      5. 9.13.5 Started procedure considerations
    14. 9.14 Special procedures for privileged users
    15. 9.15 Multiple LPARs and shared DASD
    16. 9.16 Conclusion
  16. Chapter 10. IBM z/VM security
    1. 10.1 Overview of z/VM security
      1. 10.1.1 The principles of guest isolation
      2. 10.1.2 The principles of hypervisor security
    2. 10.2 Securing the virtual machine
      1. 10.2.1 Privilege classes
      2. 10.2.2 Assigning a new privilege class to a VM
      3. 10.2.3 LOGONBY
      4. 10.2.4 The COMMAND directory statement
    3. 10.3 Hypervisor security
      1. 10.3.1 Default settings
      2. 10.3.2 Command restructuring
      3. 10.3.3 Observers and secondary users
      4. 10.3.4 Virtualized hardware cryptographic features
    4. 10.4 Secure connectivity
      1. 10.4.1 TCP/IP
      2. 10.4.2 Guest LANs and Virtual Switches
      3. 10.4.3 HiperSockets
    5. 10.5 External Security Managers
      1. 10.5.1 Reasons to use an ESM for z/VM
      2. 10.5.2 Control of privileged VM commands
      3. 10.5.3 Auditing of security operations
      4. 10.5.4 Security zones and multi-tenancy
    6. 10.6 Features and extensions to z/VM
      1. 10.6.1 DirMaint
      2. 10.6.2 Single System Image clustering
      3. 10.6.3 Systems Management APIs
    7. 10.7 Preferred practices in z/VM security
      1. 10.7.1 Defining and deploying a security policy
      2. 10.7.2 Examining audit trails periodically
      3. 10.7.3 Applying recommended services
      4. 10.7.4 Data integrity
      5. 10.7.5 Installing and deploying an ESM
    8. 10.8 Conclusion
  17. Chapter 11. Linux on System z security
    1. 11.1 Security checklist
    2. 11.2 Securing the logical access to z/VM
      1. 11.2.1 z/VM user passwords
      2. 11.2.2 Choosing the z/VM privilege class
      3. 11.2.3 z/VM network connection
    3. 11.3 Securing the data
      1. 11.3.1 Securing your minidisks
      2. 11.3.2 Reducing the intrusion points with shared disks
      3. 11.3.3 Protecting the data with encrypted file systems
    4. 11.4 Securing the network
    5. 11.5 Access control
    6. 11.6 Authentication
      1. 11.6.1 Improving security for SSH key pair
    7. 11.7 User management
      1. 11.7.1 Centralized user repository
      2. 11.7.2 Securing connections to the user information repository
    8. 11.8 Audit
    9. 11.9 Separation of duties
    10. 11.10 Conclusion
  18. Related publications
    1. IBM Redbooks publications
    2. Other publications
    3. How to get Redbooks publications
    4. Help from IBM
  19. Back cover
  20. IBM System x Reference Architecture for Hadoop: IBM InfoSphere BigInsights Reference Architecture
    1. Introduction
    2. Business problem and business value
    3. Reference architecture use
    4. Requirements
    5. InfoSphere BigInsights predefined configuration
    6. InfoSphere BigInsights HBase predefined configuration
    7. Deployment considerations
    8. Customizing the predefined configurations
    9. Predefined configuration bill of materials
    10. References
    11. The team who wrote this paper
    12. Now you can become a published author, too!
    13. Stay connected to IBM Redbooks
  21. Notices
    1. Trademarks