ebook img

z/OS Basic Skills Information Center. Security on z/OS PDF

26 Pages·2010·0.096 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview z/OS Basic Skills Information Center. Security on z/OS

(cid:1)(cid:2)(cid:3) z/OS Basic Skills Information Center Security on z/OS (cid:1)(cid:2)(cid:3) z/OS Basic Skills Information Center Security on z/OS Note Beforeusingthisinformationandtheproductitsupports,readtheinformationin“Notices”onpage13. Thiseditionappliestoz/OS(productnumber5694-A01). Weappreciateyourcommentsaboutthispublication.Pleasecommentonspecificerrorsoromissions,accuracy, organization,subjectmatter,orcompletenessofthisbook.Thecommentsyousendshouldpertaintoonlythe informationinthismanualorproductandthewayinwhichtheinformationispresented. Fortechnicalquestionsandinformationaboutproductsandprices,pleasecontactyourIBMbranchoffice,yourIBM businesspartner,oryourauthorizedremarketer. WhenyousendcommentstoIBM,yougrantIBManonexclusiverighttouseordistributeyourcommentsinany wayitbelievesappropriatewithoutincurringanyobligationtoyou.IBMoranyotherorganizationswillonlyuse thepersonalinformationthatyousupplytocontactyouabouttheissuesthatyoustateonthisform. SendyourcommentsthroughthisWebsite:http://publib.boulder.ibm.com/infocenter/zoslnctr/v1r7/ index.jsp?topic=/com.ibm.zcontact.doc/webqs.html. ©CopyrightIBMCorporation2006,2010. USGovernmentUsersRestrictedRights–Use,duplicationordisclosurerestrictedbyGSAADPScheduleContract withIBMCorp. Contents Overview of security on z/OS . . . . . v Chapter 3. z/OS and system integrity . . 7 Whatistheauthorizedprogramfacility? . . . . . 8 Chapter 1. Roles in z/OS security. . . . 1 Whatisstorageprotection? . . . . . . . . . 9 Whoisthesecurityadministrator? . . . . . . . 1 Controllingcross-memorycommunication . . . . 9 Whoisthesecurityauditor? . . . . . . . . . 2 Whoisthesystemoperator? . . . . . . . . . 2 Chapter 4. Security for z/OS UNIX . . . 11 Chapter 2. Security facilities of z/OS . . 3 Notices . . . . . . . . . . . . . . 13 WhatisSAF? . . . . . . . . . . . . . . 3 Programminginterfaceinformation . . . . . . 14 WhatisIBMSecurityServer?. . . . . . . . . 4 Trademarks . . . . . . . . . . . . . . 14 WhatisRACF? . . . . . . . . . . . . . 5 ©CopyrightIBMCorp.2006,2010 iii iv z/OSBasicSkillsInformationCenter: Securityonz/OS Overview of security on z/OS An installation's data and application programs must be protected from unauthorized access — both internally (employees) and externally (customers, business partners, or hackers). In working with z/OS®, you need to understand the importance of security and the z/OS facilities used to implement it. Over time, it has become easier to create and access computerized information. No longer is system access limited to a handful of highly skilled programmers. Information can now be created and accessed by almost anyone who takes a little time to become familiar with the newer, easier-to-use, high-level inquiry languages. More and more people are becoming increasingly dependent on computer systems and the information they store in these systems.As general computer literacy and the number of people using computers has increased, the need for data security has taken on a new measure of importance. No longer can the installation depend on keeping data secure simply because no one knows how to access the data. Making data secure encompasses more than just making confidential information inaccessible to those who should not see it. It also includes preventing the inadvertent destruction of files by people who may not even know that they are improperly manipulating data. Good data security practices reduces the likelihood of unauthorized persons accessing, modifying, or destroying data, either inadvertently or deliberately. Access, in a computer-based environment, means the ability to do something with a computer resource (for example, use, change, or view something).Access control is the method by which this ability is explicitly enabled or restricted. Computer-based access controls are called logical access controls. These are protection mechanisms that limit users' access to information to only what is appropriate for them. Logical access controls are often built into the operating system, or may be part of the logic of application programs or major utilities, such as database management systems. They may also be implemented in add-on security packages that are installed into an operating system; such packages are available for a variety of systems, including PCs and mainframes.Additionally, logical access controls may be present in specialized components that regulate communications between computers and networks. ©CopyrightIBMCorp.2006,2010 v vi z/OSBasicSkillsInformationCenter: Securityonz/OS Chapter 1. Roles in z/OS security Mainframe environments tend to be well-structured, with formal roles, such as systems programmer, security administrator, and auditor, that are assigned to separate individuals. This separation of duties is a cornerstone of security and mainframe management. In essence,Ability should not exceedAuthority. Asignificant difference to note, when deploying a mainframe as opposed to a distributed server environment, is the way in which job definitions and roles are defined and how the IT staff is assigned duties, as explained here: v In a distributed environment, people often handle multiple duties in the interest of efficiency. For example, an operator who has the authority to shut down the system might also have the ability to delete user IDs. However, giving staff the authorization for many tasks, while in one sense efficient, opens the door for abusing this power. For example, a database administrator who sold a corporation's information to its competition might have the ability to hide these actions from auditors. v In a mainframe environment, by contrast, skills are generally more focused on a specific responsibility. That is, there tends to be more separation of duties. Each mainframe support person is a specialist, yet mainframes usually operate with fewer support personnel relative to the size of the user community because of the centralized nature of mainframe management tools. The efficiency derives from the platform architecture, not from people sharing duties. In the past, it was the mainframe system programmer who, working with management, decided the overall security policy and procedures. Today companies are seeking higher levels of security, so they often appoint a separate security manager. The system programmer might not have direct responsibility for security, other than advising the security manager about new products. Separation of duties is necessary to prevent any one individual from having uncontrolled access to the system. Who is the security administrator? The security administrator is the focal point for planning security in the installation. RACF® gives the security administrator (that is, the user defined with the SPECIALattribute) many responsibilities both at the system level and at the group level. The security administrator is responsible for: v Determining which RACF functions to use v Identifying the level of RACF protection v Identifying which data RACF is to protect v Defining administrative structures and users. Asystem administrator assigns user IDs and initial passwords and ensures that the passwords are non-trivial, random, and frequently changed. Because the user IDs and passwords are so critically important, special care must be taken to protect the files that contain them. ©CopyrightIBMCorp.2006,2010 1 In z/OS, the security administrator can use RACF Remote Sharing Facility (RRSF) to administer and maintain RACF databases distributed throughout the enterprise. This facility: v Provides improvements in system performance, system management, system availability, and usability v Helps to ensure that data integrity is retained across system or network failures and delays v Informs you when key events have occurred and returns output to view at your convenience. Who is the security auditor? Security audits are a way of examining a system, policy or process for violations and exposures. Auditing is the process of ensuring that the information processing system (hardware, software, liveware, middleware, policies, and procedures) complies with the installation security policy.Auditing may be: v Aone-time project such as a snap inspection, or v An ongoing process pursuant to policies. Security audits are a catch-all that have been used for actions ranging from checks on physical security to implementation of the information security plan. The two types of information security audits can be termed preemptive and reactive.As their names indicate, preemptive audits test security controls. Reactive audits respond to potential security breach events. Who is the system operator? Console security means controlling which commands operators can enter on their consoles to monitor and control z/OS. How you define command authorities for your consoles, or control logon for operators, enables you to plan the operations security of your z/OS system or sysplex. In a sysplex, because an operator on one system can enter commands that affect the processing on another system, your security measures become more complicated and you need to plan accordingly. When implementing console security, the installation can control which commands operators can enter on their consoles to monitor and control z/OS. To do so, the installation uses RACF and the CONSOLxx member in PARMLIB. For multiple console support (MCS) consoles, you can use the following to control whether operators can enter commands from a console: v TheAUTH keyword on the CONSOLE statement of CONSOLxx v The LOGON keyword of the DEFAULT statement and RACF commands and profiles. For extended MCS consoles, you can control what an authorized SDSF or TSO/E user can do during a console session. Because an extended MCS console can be associated with a TSO/E user ID and not a physical console, you might want to use RACF to limit not only the z/OS commands a user can enter, but from which TSO/E terminals the user can enter the commands. 2 z/OSBasicSkillsInformationCenter: Securityonz/OS

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.