Enterprise Security

System z® is the most inherently secure platform, with great levels of control, isolation and protection built into all layers: the hardware, operating systems, middleware, management, LPAR and virtual machine workloads, and internet-attached Web Services. The platform's security capabilities were further advanced to satisfy compliance with new business policies and external regulations and to enforce security governance.

System z's advanced, mature and tested enterprise-grade capabilities allow you to attain superior security, regulatory compliance and governance without constraining your business performance. The breadth of z security and the granularity of its controls could sway you to reevaluate how, what and where you deploy your enterprise's security.

Leveraging the IBM security products and solutions portfolio, we work with you to provide services, software and hardware solutions that support your efforts to address and deploy enterprise security capabilities for your business. We assist you in developing a roadmap that helps you design and deploy security solutions in your own organization.

 

The Big Picture of Security Requirements & Initiatives

First you need to capture the big picture of your enterprise security requirements, and then you must address them in sync with your operational business requirements. You must both meet the needed levels of service and provide sufficient security, and do both well. Your challenge is to serve applications and data well while safeguarding them, your users, and your infrastructure.

The four pillars of enterprise security are risk assessment, access control, monitoring, and defense. These four areas must be effectively addressed without constraining the business.

Risk Assessment:

Risk assessment should be robust and broad enough to be certain that the entire scope of enterprise security concerns is covered and addressed with consistent policies. You must determine where security is required and develop a roadmap to help you design and deploy integrated security solutions across your organization. A working security strategy for a large, expanding enterprise can be achieved by protecting everything under one common but wide-ranging set of security policies and by applying a high level of security to all components. The degree of protection and some constraints can then be reduced for particular applications, processes, users, and resources where business requirements justify such exceptions and certain authorizations need to be granted.

A business-driven, holistic approach that weighs business goals and performance together with the technical requirements and constraints of security enforcement is required to assess and manage business risks.

Access Control:

Access control is crucial for securing the enterprise because unauthorized access is a doorway to the greatest risks. Identity authentication and access management must be enforced across the entire enterprise and coordinated among its separate divisions and parts.

Monitoring:

Even with well-enforced access controls and robust risk assessment, a monitoring capability is required because security breaches can happen with authorized users and new security threats will appear suddenly as business processes expand and leap ahead. The enterprise should have broad intelligence about, and a feel for, what is happening within the borders of its IT environment, through auditing and through capabilities for collecting widely useful, actionable security information and identifying what is unusual. Monitoring, audit and alert capabilities can enforce limits on what IT administrators and systems programmers can do, can observe processes as they leap across the business, and can alert on security violations and business policy exceptions.

Defense:

Safeguards and layers of defense such as encryption, intrusion prevention services and web application vulnerability scanning should be added to defend against and mitigate the many risks that cannot be avoided. Such safeguards are crucial for ensuring that all internet-based business processes are reliably secure and efficient.