Comparing the Three Major IBM Mainframe Security Products

by Bruce Grant, Chief Technologist
COST-EFFECTIVE SOLUTIONS InfoTech, Belmont,CA 94002, 650-595-5961


  Personal Experience in IT Security  
Security Administration Comparisons
ROI (Return On Investment)
About the Author

This article was inspired by the following question on a Mainframe Security Gurus online forum: "MAINFRAMERS! What is your primary mainframe security package?"


PRIMARY mainframe security is, most importantly, well-designed corporate security policies with strong management support.  That includes making cooperation with those policies part of individual job performance reviews.  Careless and/or gullible end users unwilling to follow reasonable security practices are the greatest security holes.  That is not, however, the focus of this article.  Enough said.

Personal Experience in IT Security (1977-present)

My first true work with mainframe security was in 1977 as Product Manager for a security product developed by Tesseract and later sold to Boole & Babbage (1966-1999, acquired by BMC Software in 1999), who marketed it as "Secure".  At the time, its only competition was IBM's MVS Password Protect, a very much limited and basic product included in the MVS Operating System.

In 1981, when I was the newly-hired, Lead IBM Systems Programmer in a large corporation which had outgrown Burroughs' biggest mainframes and was converting to an IBM mainframe, I had the unique opportunity to select all of their system software, including information security.

Almost immediately, I eliminated any security software that didn't directly interact with IBM's by-then, well-developed, MVS Security Interface, as that interface/API would obviously be a huge part of future MVS software.  RACF®* was only a few years old, and most data centers had no mainframe security at all.  ACF2®* was actually a better security system at that time, and Top Secret™* was only at Release 1.1.  Neither ACF2 nor the soon-to-be-renamed Top Secret Security®* had yet been acquired by Computer Associates.  RACF was the most expensive product then and for many years.

IBM had, of course, included RACF in their proposed system configuration, but my initial review determined that ACF2 (one of the products I already had some experience with) would be less expensive, as secure as RACF and then, as now, require less security administration time than RACF.  Before I made a final decision, CGA Software, the developer of Top Secret, sent their #2 TSS®* techie to visit me and make a presentation.  After seeing how TSS worked and how its architecture was oriented toward business structures, better than RACF's implementation and unlike ACF2, whose architecture is resource-centric, I was convinced that TSS's implementation and administration would be much easier than either alternative.  Eventual results proved Top Secret Security to be an excellent, easy-to-administer, security system.

Since that time (1981), I've worked with CICS security, RACF, CA-ACF2 and CA-Top Secret Security®* in several different shops.  The latter three all can do the job of data security well if properly implemented, but I've come to prefer CA-TSS for several reasons.

Security Administration Comparisons

CA-TSS is somewhat like RACF in its end-user orientation, but requires fewer and less complex commands to accomplish the same things for IT security.  Compare, for instance, what needs to be done in security admin for SDSF under both packages.

Although excellent if implemented correctly, ACF2 is VERY difficult to implement properly without extensive up-front research and careful planning in designing the order of elements in the security string, many of which depend on the enterprise's specific business security needs -- there are a huge number of design tradeoffs that can't be corrected easily once implemented.  Often, ACF2 implementation flaws which hamper proper security administration of IT resources won't be apparent until weeks or, sometimes, months or years after implementation.

IMHO, RACF has always had a huge learning curve, as IBM's documentation of it outside of a few IBM Red Books, has always been insufficient and unclear in many areas (as a "techie" and ex-IBMer, I was always disappointed by that).  Resource names are long and confusing to many, and the documentation often assumes reader knowledge of IBM's usage of certain terms while providing no useful definitions of those terms.

Sometimes I felt like the authors wanted to display their erudition instead of just explaining things.  Often, I had to learn by experimentation, simply because the manuals were unclear (and I usually enjoy reading technical manuals).
Proper RACF security implementation and administration require a much deeper understanding of the operating system than does either CA-ACF2 or CA-TSS.  It's hard to train a non-techie to be a good RACF security administrator, and admin requires a bit more time than for CA-ACF2 and much more time than for CA-TSS.

ROI (Return On Investment)

Top-notch security administrators need to straddle that difficult line between IT and end-user business management, two worlds which seldom understand each other.  Thus, a business case should be made here.


I assume that I've probably stirred up a hornet's nest, since I know RACF is the most popular product (partially because of good IBM marketing, but mainly because IBM bundled RACF into OS/390 packaging several years ago).  I should reiterate that I'm an ex-IBMer and long-time, independent consultant who is both a fan and a critic of both IBM and CA for different reasons at different times.  I'm no shill for CA – my experience just tells me that CA-TSS is the best security product for IBM mainframes.  I hope that I have made a good case for my conclusions.  Constructive criticism is welcome.

  Bruce Grant
  President & Chief Technologist

About the Author

In the above, I can only speak from prior experience, as I've been a full-time, independent, IT consultant since 1984, consulting at many companies.  My Information Technology career began in 1969, when I.T. was still called Data Processing, and I worked for IBM Field Engineering in San Francisco, primarily at client sites fixing bugs in Operating System/360 (MVT, MFT, PCP) and occasionally assisting in IBM hardware installations.

In 1972, I left IBM for a Senior Systems Programmer position at Wells Fargo.  In the ensuing years, my career advanced as I was recruited for more advanced positions at other companies.  In 1982, a corporate re-organization at Raychem Corp. led to my department being moved to another division, and my excellent boss resigning.  After 18 months in a very depressing environment, I left there to start COST-EFFECTIVE SOLUTIONS INFOTECH.

* RACF is a registered trademark of IBM Corp.
  CA-ACF2, CA-TSS, CA-Top Secret Security, TSS, and Top Secret Security are registered trademarks of Computer Associates.
  ASA/TSS is a trademark of Cost-Effective Solutions.

** CA-Top Secret Security was originally named, simply, Top Secret, but the U.S. Government refused to consider using it anywhere until CGA Software renamed it Top Secret Security and abbreviated it as TSS in its code comments and printed documentation (to prevent unnecessary false alarms from auditing programs regarding Classified documents).

original: 3/4/09 09:37 PST   last update: 9/28/13 17:55 PDT

Content Copyright ©2009-13
Cost-Effective Solutions.
All Rights Reserved.***
"Solving business problems with technology"

*** Please contact us for free permission to re-publish this article elsewhere with reasonable attribution.