Comparing the Three Major IBM Mainframe Security Products

by Bruce Grant, Chief Technologist
COST-EFFECTIVE SOLUTIONS InfoTech, Belmont,CA 94002, 650-595-5961
www.cesols.com

This article was inspired by the following question on a Mainframe Security Gurus online forum: "MAINFRAMERS! What is your primary mainframe security package?"

Introduction

PRIMARY mainframe security is, most importantly, well-designed corporate security policies with strong management support.  That includes making cooperation with those policies part of individual job performance reviews.  Careless and/or gullible end users unwilling to follow reasonable security practices are the greatest security holes.  That is not, however, the focus of this article.  Enough said.

Personal Experience in IT Security (1977-present)

My first true work with mainframe security was in 1977 as Product Manager for a security product developed by Tesseract and later sold to Boole & Babbage (1966-1999, acquired by BMC Software in 1999), who marketed it as "Secure".  At the time, its only competition was IBM's MVS Password Protect, a very much limited and basic product included in the MVS Operating System.

In 1981, when I was the newly-hired, Lead IBM Systems Programmer in a large corporation which had outgrown Burroughs' biggest mainframes and was converting to an IBM mainframe, I had the unique opportunity to select all of their system software, including information security.

Almost immediately, I eliminated any security software that didn't directly interact with IBM's by-then, well-developed, MVS Security Interface, as that interface/API would obviously be a huge part of future MVS software.  RACF®* was only a few years old, and most data centers had no mainframe security at all.  ACF2®* was actually a better security system at that time, and Top Secret™* was only at Release 1.1.  Neither ACF2 nor the soon-to-be-renamed Top Secret Security®* had yet been acquired by Computer Associates.  RACF was the most expensive product then and for many years.

IBM had, of course, included RACF in their proposed system configuration, but my initial review determined that ACF2 (one of the products I already had some experience with) would be less expensive, as secure as RACF and then, as now, require less security administration time than RACF.  Before I made a final decision, CGA Software, the developer of Top Secret, sent their #2 TSS®* techie to visit me and make a presentation.  After seeing how TSS worked and how its architecture was oriented toward business structures, better than RACF's implementation and unlike ACF2, whose architecture is resource-centric, I was convinced that TSS's implementation and administration would be much easier than either alternative.  Eventual results proved Top Secret Security to be an excellent, easy-to-administer, security system.

Since that time (1981), I've worked with CICS security, RACF, CA-ACF2 and CA-Top Secret Security®* in several different shops.  The latter three all can do the job of data security well if properly implemented, but I've come to prefer CA-TSS for several reasons.

Security Administration Comparisons

CA-TSS is somewhat like RACF in its end-user orientation, but requires fewer and less complex commands to accomplish the same things for IT security.  Compare, for instance, what needs to be done in security admin for SDSF under both packages.

Although excellent if implemented correctly, ACF2 is VERY difficult to implement properly without extensive up-front research and careful planning in designing the order of elements in the security string, many of which depend on the enterprise's specific business security needs -- there are a huge number of design tradeoffs that can't be corrected easily once implemented.  Often, ACF2 implementation flaws which hamper proper security administration of IT resources won't be apparent until weeks or, sometimes, months or years after implementation.

IMHO, RACF has always had a huge learning curve, as IBM's documentation of it outside of a few IBM Red Books, has always been insufficient and unclear in many areas (as a "techie" and ex-IBMer, I was always disappointed by that).  Resource names are long and confusing to many, and the documentation often assumes reader knowledge of IBM's usage of certain terms while providing no useful definitions of those terms.

Sometimes I felt like the authors wanted to display their erudition instead of just explaining things.  Often, I had to learn by experimentation, simply because the manuals were unclear (and I usually enjoy reading technical manuals).

ROI (Return On Investment)

Top-notch security administrators need to straddle that difficult line between IT and end-user business management, two worlds which seldom understand each other.  Thus, a business case should be made here.

• All three products use the same IBM operating system interfaces, making them equally secure with proper implementation and administration, so none has any true advantage in that arena.  The two real issues, which translate eventually to dollars, are: (1) ease/difficulty of implementation and (2) ongoing security administration time.
• My experience has been that, of the three, CA-ACF2 requires the most up-front time to properly implement, but is somewhat simpler than RACF to administer, long-term.  It does, however, have some major traps for security administrators who don't first study it thoroughly.  Resources can unintentionally be unprotected in efforts to allow an end user the correct access level to those resources which he/she needs in his/her job.  Additionally, CA-ACF2's resource-centric architecture requires a security administrator to mentally approach security in a way that is counter to what is the best approach under RACF or CA-TSS and also counter to what almost anyone but a knowledgeable CA-ACF2 security administrator would understand.  This can sometimes lead to conflicts or, at the least, long conversations with systems programmers, applications programmers, and department managers.
• Since CA-TSS has the most user-friendly, easily understood, security architecture, oriented towards both company structure and individual job definitions (divisions, departments, job profiles, etc.), its proper implementation results in a shorter learning curve for Security Administrators than the other two products.  Parallels to actual enterprise organization simplify auditing and make it easier to get accurate security requirements from end user business entities.  Also, the time to add, delete, or modify user privileges or resource protections, on a daily basis, tends to almost always be shorter.  Moving end users from one department or division to another is straightforward, as is moving departments between divisions to correspond with corporate re-organizations (we've all suffered through those).  For a large enterprise, this means that, under CA-TSS, fewer Security Administrators are needed for the same level of protection, and they are productive sooner.  It also means that CA-TSS is cheaper than the "free" RACF on a long-term basis.

Summary

I assume that I've probably stirred up a hornet's nest, since I know RACF is the most popular product (partially because of good IBM marketing, but mainly because IBM bundled RACF into OS/390 packaging several years ago).  I should reiterate that I'm an ex-IBMer and long-time, independent consultant who is both a fan and a critic of both IBM and CA for different reasons at different times.  I'm no shill for CA – my experience just tells me that CA-TSS is the best security product for IBM mainframes.  I hope that I have made a good case for my conclusions.  Constructive criticism is welcome.

About the Author

In the above, I can only speak from prior experience, as I've been a full-time, independent, IT consultant since 1984, consulting at many companies.  My Information Technology career began in 1969, when I.T. was still called Data Processing, and I worked for IBM Field Engineering in San Francisco, primarily at client sites fixing bugs in Operating System/360 (MVT, MFT, PCP) and occasionally assisting in IBM hardware installations.

In 1972, I left IBM for a Senior Systems Programmer position at Wells Fargo.  In the ensuing years, my career advanced as I was recruited for more advanced positions at other companies.  In 1982, a corporate re-organization at Raychem Corp. led to my department being moved to another division, and my excellent boss resigning.  After 18 months in a very depressing environment, I left there to start COST-EFFECTIVE SOLUTIONS INFOTECH.

* RACF is a registered trademark of IBM Corp.
  CA-ACF2, CA-TSS, CA-Top Secret Security, TSS, and Top Secret Security are registered trademarks of Computer Associates.
  ASA/TSS is a trademark of Cost-Effective Solutions.

** CA-Top Secret Security was originally named, simply, Top Secret, but the U.S. Government refused to consider using it anywhere until CGA Software renamed it Top Secret Security and abbreviated it as TSS in its code comments and printed documentation (to prevent unnecessary false alarms from auditing programs regarding Classified documents).

original: 3/4/09 09:37 PST   last update: 9/28/13 17:55 PDT

Content Copyright ©2009-13 Cost-Effective Solutions. All Rights Reserved.***

COST-EFFECTIVE SOLUTIONS InfoTech "Solving business problems with technology"

*** Please contact us for free permission to re-publish this article elsewhere with reasonable attribution.