Trends > What's New

IBM Consul Acquisition Boosts Mainframe Security

Building a secure information system starts with a secure and correctly configured operating system. Arguably, z/OS offers a starting point to construct a secure system from the ground up. However, users of z/OS systems can’t afford to start from scratch, so they look for ways to improve security in their current systems. Having the right tools is half the work, so over the years z/OS users have turned to Consul for z/OS-specific security management and compliance solutions. IBM recently acquired Consul risk management to strengthen IBM’s Service Management offerings, providing z/OS users the benefits of improved data governance and compliance monitoring capabilities. Consul’s products will be added to the Tivoli brand as part of IBM’s Service Management solutions.

This article focuses on the six products (shown in Figure 1) that form the basis of the Consul zSecure Suite and how they help customers manage RACF security and administration.

Getting Rid of the Debris

RACF is a powerful “External Security Monitor” (i.e., a database with definitions of users, resources and authorities). However, due to its command language interface, managing RACF definitions can be difficult. Unless an installation uses rigid standards or has only implemented RACF recently, chances are the RACF database is rife with obsolete definitions, such as userids for people who left the company, permissions fitting previous job-roles and profiles protecting data that no longer exist. In some installations, the number of obsolete definitions exceeds the number of active profiles.

A cleanup of the RACF database clears up a lot of confusion. Consul’s RACF administration tool, zAdmin, may be used to remove obsolete and redundant definitions quickly and efficiently. zAdmin presents RACF definitions in a friendly manner, making RACF administration easier, more efficient and less prone to mistakes. It allows a company to delegate parts of the security administration to non-technical staff, resulting in separation of duties and technicians no longer being involved in day-to-day security administration, which is one of the goals of many compliance projects.

Last but not least, zAdmin supports a “model” based means of RACF administration, where new profiles are created as copies of existing (or model) profiles. This speeds up security administration and creates predictable, standardized definitions for user, group and resource profiles.

Delegating Security Administration

zAdmin, zVisual and zToolkit offer options to delegate, or decentralize, part of the security administration to non-technical staff. There are cost savings and improved separation of duties when business units are allowed to perform their own (limited) security administration. The three products offer a friendly RACF administration and reporting interface for users of TSO/ISPF, Windows and CICS.

Next page: >>