Comparing the Three Major IBM Mainframe Security Products

This article was inspired by the following question on a Mainframe Security Gurus online forum: "MAINFRAMERS! What is your primary mainframe security package?"

PRIMARY mainframe security is, most importantly, well-designed corporate security policies with strong management support.  That includes making cooperation with those policies part of individual job performance reviews.  Careless or gullible end users are the greatest security holes.  Enough said.

In the following, I can only speak from prior experience, as I've been a full-time, independent consultant since 1984, working at many companies, and I've been "on the beach" for a while (no contracts, that I know of, are currently available in Northern California for mainframe security experts).  I'm actively looking for a new contract in information security or z/OS systems programming (any help out there?).

Personal Experience in IT Security (1977-present)

My first true work with mainframe security was in 1977 as Product Manager for a security product developed by Tesseract and later sold to Boole & Babbage (who marketed it as "Secure").  In 1981, when I was the newly-hired, Lead IBM Systems Programmer in a large corporation which had outgrown Burroughs' biggest mainframes and was converting to an IBM mainframe, I had the unique opportunity to select all of their system software, including security.

Almost immediately, I eliminated any security software that didn't directly interact with IBM's MVS security interface, as that interface/API would obviously be a huge part of future MVS software.  RACF* was only a few years old, and most data centers had no mainframe security at all.  ACF2* was actually a better security system at that time, and Top Secret* was only at Release 1.1.  Neither ACF2 nor TSS** had yet been acquired by Computer Associates.  RACF was the most expensive product then and for many years.

IBM had, of course, included RACF in their proposed system configuration, but my initial review determined that ACF2 (one of the products I already had some experience with) would be as secure as RACF and then, as now, require less security administration time than RACF.  Before I made a final decision, CGA Software, the developer of Top Secret, sent their #2 TSS techie to visit me and make a presentation.  After seeing how TSS worked and how its architecture was oriented toward business structures, better than RACF's implementation and unlike ACF2, whose architecture is resource-centric, I was convinced TSS's implementation and administration would be much easier than either alternative.  Eventual results proved Top Secret Security to be an excellent, easy-to-administer, security system.

Since that time (1981), I've worked with MVS's old Password Security, CICS security, RACF, CA-ACF2 and CA-Top Secret Security in several different shops.  The latter three all can do the job of data security well if properly implemented, but I've come to prefer CA-TSS for several reasons.

Security Administration Comparisons

CA-TSS is somewhat like RACF in its end-user orientation, but requires fewer and less complex commands to accomplish the same things for IT security.  Compare, for instance, what needs to be done in security admin for SDSF under both packages.

Although excellent if implemented correctly, ACF2 is VERY difficult to implement properly without extensive up-front research and careful planning in designing the order of elements in the security string, many of which depend on the enterprise's specific business security needs -- there are a huge number of design tradeoffs that can't be corrected easily once implemented.  Often, ACF2 implementation flaws which hamper proper security administration of IT resources won't be apparent until weeks or, sometimes, months or years after implementation.

IMHO, RACF has always had a huge learning curve, as IBM's documentation of it outside of a few IBM Red Books, has always been insufficient and unclear in many areas (as a "techie" and ex-IBMer, I was always disappointed by that).  Resource names are long and confusing to many, and the documentation often assumes reader knowledge of IBM's usage of certain terms while providing no useful definitions of those terms.

Sometimes I felt like the authors wanted to display their erudition instead of just explaining things.  Often, I had to learn by experimentation, simply because the manuals were unclear (and I usually enjoy reading technical manuals).

ROI (Return On Investment)

Top-notch security administrators need to straddle that difficult line between IT and standard business management, two worlds which seldom understand each other.  Thus, a business case should be made here.

• All three products use the same IBM operating system interfaces, making them equally secure with proper implementation and administration, so none has any true advantage in that arena.  The two real issues, which translate eventually to dollars, are: (1) ease/difficulty of implementation and (2) ongoing security administration time.
• My experience has been that, of the three, CA-ACF2 requires the most up-front time to properly implement, but is somewhat simpler than RACF to administer, long-term.  It does, however, have some major traps for security administrators who don't first study it thoroughly.  Resources can unintentionally be unprotected in efforts to allow an end user the correct access level to those resources which he/she needs in his/her job.  Additionally, CA-ACF2's resource-centric architecture requires a security administrator to mentally approach security in a way that is counter to what is the best approach under RACF or CA-TSS and also counter to what almost anyone but a knowledgeable CA-ACF2 security administrator would understand.  This can sometimes lead to conflicts or, at the least, long conversations with systems programmers and department managers.
• Since CA-TSS has the most user-friendly, easily understood, security architecture, oriented towards both company structure and individual job definitions (divisions, departments, job profiles, etc.), its proper implementation results in a shorter learning curve for security administrators than the other two products.  Parallels to actual enterprise organization simplify auditing and make it easier to get accurate security requirements from end user business entities.  Also, the time to add, delete or modify user privileges or resource protections, on a daily basis, tends to almost always be shorter.  For a large enterprise, this means that, under CA-TSS, fewer security administrators are needed for the same level of protection, and they are productive sooner.  It even means that CA-TSS is cheaper than the "free" RACF on a long-term basis.

Summary

I assume that I've probably stirred up a hornet's nest, since I know RACF is the most popular product (partially because of good IBM marketing, but mainly because IBM bundled RACF into OS/390 packaging several years ago).  I should reiterate that I'm an ex-IBMer and long-time, independent consultant who is both a fan and a critic of both IBM and CA for different reasons at different times.  I'm no shill for CA — my experience just tells me that CA-TSS is the best security product for IBM mainframes.  I hope that I have made a good case for my conclusions.  Constructive criticism is nevertheless welcome.

* RACF is a registered trademark of IBM Corp. CA-ACF2, CA-TSS and Top Secret Security are registered trademarks of Computer Associates.

** CA-TSS was originally named simply Top Secret, but the U.S. Government refused to consider using it anywhere until CGA Software renamed it Top Secret Security and abbreviated it as TSS in its code comments and printed documentation (to prevent unnecessary false alarms from auditing programs regarding classified documents).

Last update: 3/4/09 09:37 PST

Content Copyright ©2009 Cost-Effective Solutions. All Rights Reserved.

COST-EFFECTIVE SOLUTIONS Inc. "Solving business problems with technology"