Cronos Consulting

Systems Security Review

MVS Security Reviews - Background

For historical and legal reasons the MVS operating system itself does not include Access Control functionality.
The MVS system is responsible for protecting the operational environment from technical compromise, but does not concern itself with user authentication or control over which resources a given user may access. A separate Access Control product is installed and maintained to take care of these ‘minor details’.

During the 1980s most IBM mainframe installations implemented an access control product (RACF®, CA ACF2® or CA TopSecret®) to provide the required system and resource access control. Each of these products can provide a high level of systems security when appropriately used and effectively administered.

Maintaining the level of protection afforded to a large environment is not simple. In addition to the complex choice of security options within the product itself, over time a variety of special privileges become assigned to users and systems tasks; special access is given for some special project and more third party software products are installed. Few sites have the manpower to effectively track all of these changes to the environment and ensure that in all cases temporary accesses are removed and the installation of new software has not left a ‘gap’ somewhere.

Cronos Consulting has carried out over 50 reviews of the security on mainframe systems, mostly in Europe but also as far away as Malaysia and Brazil.

 == Results ==

  • In only two installations was the security found to be without any significant exposures.
  • In one case the company involved could have saved considerable operating and staff costs by removing the security product which was achieving nothing of value!
  • At two sites the corrective work carried out by the client following the report recommendations exposed ongoing long-term frauds which might have continued indefinitely otherwise.

There are two separate components to a review of a mainframe installation's overall security - the base system and the Access Control Software. These can be reviewed as a combined environment, or each can be reviewed separately. In general a combined review is recommended, but individual circumstances may dictate otherwise. For example, in an F.M. or out-sourced environment the system integrity becomes primarily the responsibility of the vendor organisation, and the client may have no right under their contract to review this critical component.

Further details of each type of review:

Prior to contracting to have such reviews carried out it is suggested that the client be sure of the reasons for doing so. Often a review is intended to produce a ‘warm and comfortable’ feeling for some level of management rather than to determine if exposures exist. For the ‘warm and comfortable’ feeling it is recommended to use the services of your current ‘Big 4’ external audit company. A review by the consulting division of the security vendor (I.B.M. or C.A.) is perhaps more likely to discover potential exposures, but there exists a conflict of interest in that they just might prefer not to report any that are thought to be due to software limitations or to interaction with third party products. If the intention is truly to identify as many as practical of the existing problems then consider using the services of a completely independent organisation. There are several of these around, operating in different countries, mostly in the USA. Obviously we at Cronos Consulting believe we are the best for this, but that is only one opinion and we will not be the ‘right’ solution for everyone.


DB2 Security Review for RACF sites.

IBM’s DB2 database system is used by almost all MVS installations for storing and processing business related data. DB2 has its own internal security system based on SQL type ‘GRANT’ statements giving access to the DB2 resources such as databases and their tables etc. This security environment is completely independent of the external Access Control Software. It is usual to GRANT access to RACF/ACF2 users or to so called ‘Secondary Authorisation IDs’. In RACF the secondary authorisation ID may be any RACF defined GROUP. In ACF2 (without the DB2 component) a separate ‘cross reference group’ (XREF record) is used to define the users related to each such ID.

The security environment is set up and maintained by the DB2 ‘DBA’, generally the same technician as is responsible for maintaining DB2 itself. Security maintenance by technicians has been known to be a poor way to manage security since the early 1980s, but IBM have provided no alternative for DB2.

    In the mid 1980s SKK (the original authors of ACF2) released an ACF2/DB2 component which allowed a site with ACF2 to move the DB2 security out from the technicians to the security administrators. A similar facility was eventually introduced by IBM for RACF installations some 20 years later.

As the RACF DB2 option is very recent few installations have yet migrated to it, relying instead on the very difficult to manage, and almost impossible to audit, internal DB2 security. Over a period of many years the definitions held in DB2 tend to become out of date and most often contain definitions which, by accident, allow access to critical business data which is much wider than best practice would suggest and most Security Policies allow.

As a result of requests from RACF clients Cronos Consulting has developed and can now offer an analysis of the internal DB2 security definitions mapped to the RACF user and group structure. This review will highlight a number of suspect situations in the DB2 definitions for further manual review and follow-up by the client. In particular:

  • GRANTs to ‘PUBLIC’ (i.e. anybody)
  • GRANTs to RACF users or GROUPs which do not exist in RACF
  • GRANTs to REVOKED RACF users
  • GRANTs to users or groups which appear to be inappropriate
  • Inappropriate access to Database datasets outside of DB2 control
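
The first three checks in the list above are mechanical cross-references between the DB2 grant definitions and the RACF user and group structure. The sketch below is an added example, not Cronos Consulting's tool; the grant rows, RACF users and groups are constructed sample data, and every name in it (`Grant`, `review_grants`, `summarise`) is hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantee: str    # authorisation ID the privilege was granted to
    obj: str        # DB2 object the privilege applies to
    privilege: str  # e.g. SELECT, UPDATE, DELETE


# Constructed sample: grant definitions as extracted from DB2.
GRANTS = [
    Grant("PUBLIC", "PAYROLL.SALARY", "SELECT"),
    Grant("JSMITH", "PAYROLL.SALARY", "UPDATE"),
    Grant("OLDPROJ", "FINANCE.LEDGER", "SELECT"),
    Grant("FINGRP", "FINANCE.LEDGER", "SELECT"),
    Grant("KBROWN", "FINANCE.LEDGER", "DELETE"),
]

# Constructed sample: RACF users (True means REVOKED) and RACF groups.
RACF_USERS = {"JSMITH": False, "KBROWN": True}
RACF_GROUPS = {"FINGRP", "PAYGRP"}


def review_grants(grants, users, groups):
    """Return (grant, reason) pairs that need manual follow-up."""
    findings = []
    for g in grants:
        gid = g.grantee.strip().upper()
        if gid == "PUBLIC":
            findings.append((g, "granted to PUBLIC"))
        elif gid in users:
            if users[gid]:
                findings.append((g, "grantee is a REVOKED RACF user"))
        elif gid not in groups:
            # Neither a RACF user nor a RACF group (secondary auth ID).
            findings.append((g, "grantee not defined in RACF"))
    return findings


def summarise(findings):
    """Group the flagged grants by reason for the report."""
    report = {}
    for g, reason in findings:
        line = f"{g.privilege} on {g.obj} to {g.grantee}"
        report.setdefault(reason, []).append(line)
    return report


if __name__ == "__main__":
    for reason, lines in summarise(
            review_grants(GRANTS, RACF_USERS, RACF_GROUPS)).items():
        print(reason)
        for line in lines:
            print("   ", line)
```

The remaining two checks (inappropriate grantees and dataset access outside DB2 control) depend on site policy and are left to manual review, as the list describes.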

A more detailed description of the DB2 Security Review

Due to lack of demand no equivalent review process has yet been developed for ACF2 sites not using the ACF2/DB2 component.
