This article was inspired by the following question on a Mainframe Security Gurus online forum: "MAINFRAMERS! What is your primary mainframe security package?"
PRIMARY mainframe security is, most importantly, well-designed corporate security policies with strong management support. That includes making cooperation with those policies part of individual job performance reviews. Careless or gullible end users are the greatest security holes. Enough said.
In the following, I can only speak from prior experience, as I've been a full-time, independent consultant since 1984, working at many companies, and I've been "on the beach" for a while (no contracts, that I know of, are currently available in Northern California for mainframe security experts). I'm actively looking for a new contract in information security or z/OS systems programming (any help out there?).
My first true work with mainframe security was in 1977 as Product Manager for a security product developed by Tesseract and later sold to Boole & Babbage (who marketed it as "Secure"). In 1981, when I was the newly-hired, Lead IBM Systems Programmer in a large corporation which had outgrown Burroughs' biggest mainframes and was converting to an IBM mainframe, I had the unique opportunity to select all of their system software, including security.
Almost immediately, I eliminated any security software that didn't directly interact with IBM's MVS security interface, as that interface/API would obviously be a huge part of future MVS software. RACF* was only a few years old, and most data centers had no mainframe security at all. ACF2* was actually a better security system at that time, and Top Secret* was only at Release 1.1. Neither ACF2 nor TSS** had yet been acquired by Computer Associates. RACF was the most expensive product then and for many years.
IBM had, of course, included RACF in their proposed system configuration, but my initial review determined that ACF2 (one of the products I already had some experience with) would be as secure as RACF and then, as now, require less security administration time than RACF. Before I made a final decision, CGA Software, the developer of Top Secret, sent their #2 TSS techie to visit me and make a presentation. After seeing how TSS worked and how its architecture was oriented toward business structures, better than RACF's implementation and unlike ACF2, whose architecture is resource-centric, I was convinced TSS's implementation and administration would be much easier than either alternative. Eventual results proved Top Secret Security to be an excellent, easy-to-administer, security system.
Since that time (1981), I've worked with MVS's old Password Security, CICS security, RACF, CA-ACF2 and CA-Top Secret Security in several different shops. The latter three all can do the job of data security well if properly implemented, but I've come to prefer CA-TSS for several reasons.
CA-TSS is somewhat like RACF in its end-user orientation, but requires fewer and less complex commands to accomplish the same things for IT security. Compare, for instance, what needs to be done in security admin for SDSF under both packages.
Although excellent if implemented correctly, ACF2 is VERY difficult to implement properly without extensive up-front research and careful planning in designing the order of elements in the security string, many of which depend on the enterprise's specific business security needs -- there are a huge number of design tradeoffs that can't be corrected easily once implemented. Often, ACF2 implementation flaws which hamper proper security administration of IT resources won't be apparent until weeks or, sometimes, months or years after implementation.
IMHO, RACF has always had a huge learning curve, as IBM's documentation of it outside of a few IBM Red Books, has always been insufficient and unclear in many areas (as a "techie" and ex-IBMer, I was always disappointed by that). Resource names are long and confusing to many, and the documentation often assumes reader knowledge of IBM's usage of certain terms while providing no useful definitions of those terms.
Sometimes I felt like the authors wanted to display their erudition instead of just explaining things. Often, I had to learn by experimentation, simply because the manuals were unclear (and I usually enjoy reading technical manuals).Proper RACF security implementation and administration require a much deeper understanding of the operating system than does either CA-ACF2 or CA-TSS. It's hard to train a non-techie to be a good RACF security administrator, and admin requires a bit more time than for CA-ACF2 and much more time than for CA-TSS.
Top-notch security administrators need to straddle that difficult line between IT and standard business management, two worlds which seldom understand each other. Thus, a business case should be made here.
I assume that I've probably stirred up a hornet's nest, since I know RACF is the most popular product (partially because of good IBM marketing, but mainly because IBM bundled RACF into OS/390 packaging several years ago). I should reiterate that I'm an ex-IBMer and long-time, independent consultant who is both a fan and a critic of both IBM and CA for different reasons at different times. I'm no shill for CA — my experience just tells me that CA-TSS is the best security product for IBM mainframes. I hope that I have made a good case for my conclusions. Constructive criticism is nevertheless welcome.
President & Chief Technologist
* RACF is a registered trademark of IBM Corp. CA-ACF2, CA-TSS and Top Secret Security are registered trademarks of Computer Associates.
** CA-TSS was originally named simply Top Secret, but the U.S. Government refused to consider using it anywhere until CGA Software renamed it Top Secret Security and abbreviated it as TSS in its code comments and printed documentation (to prevent unnecessary false alarms from auditing programs regarding classified documents).
Last update: 3/4/09 09:37 PST
|Content Copyright ©2009
All Rights Reserved.
|COST-EFFECTIVE SOLUTIONS Inc.
"Solving business problems with technology"