
The mainframe provides a secure system for processing a large number of heterogeneous applications that access critical data.
Security built into the entire software stack means that mainframe z/OS, because of its architectural design and its use of registers, does not suffer from the virus-related buffer overflow problems that are characteristic of many distributed environments.
Security-enabled hardware offers unmatched protection for workload isolation, storage protection, and secure communications. Security built into the entire operating system, network infrastructure, middleware, application, and database architectures delivers secure infrastructures and secure business processing, which promotes compliance. Mainframes perform encryption at multiple layers of the infrastructure, which ensures data protection throughout its life cycle.
IBM System z joins earlier IBM mainframes as the only servers in the world with the highest level of hardware security certification, namely Common Criteria Evaluation Assurance Level 5 (EAL5). The EAL5 rating gives companies confidence that they can run multiple applications on different operating systems, such as z/OS, z/VM, z/VSE, z/TPF and Linux-based systems. Applications containing confidential data, such as payroll, human resources, e-commerce systems, ERP and CRM, run on a System z divided into partitions that keep each application's data secure and separate from the others.

Security on z/OS

Objective: In working with z/OS, you need to understand the importance of
security and the facilities used by z/OS to implement it. An installation's data
and application programs are among its most valuable resources. They must
be protected from unauthorized access both internally (employees) and
externally (customers, business partners, and hackers).
After completing this chapter, you will be able to:
_ Explain security and integrity concepts.
_ Explain RACF and its interface with the operating system.
_ Authorize a program.
_ Discuss integrity concepts.
_ Explain the importance of change control.
_ Explain the concept of risk assessment.

Security facilities of z/OS

In the following sections, we cover the facilities of z/OS that provide its high level
of security and integrity.
Data about customers is a valuable resource that could be sold to competitors.
So the aim of any security policy is to provide users with only their required level
of access and to deny non-authorized users access. This is one reason why
auditors prefer that users or groups are granted specific access, rather than
using universal access facilities. The traditional focus of mainframe security was
on stopping unauthorized people from logging on to the system, and then
ensuring that users were allowed access to data only on a need-to-know basis.
Chapter 18. Security on z/OS 597
As mainframes have become Internet servers, however, additional security has
been required. There are outside threats such as hackers, viruses, and Trojan
horses; the Security Server includes tools to deal with these threats.
However, the main threat to company data has always been from within the
company itself. An employee within a company has a much better chance of
obtaining data than someone outside. A well-thought-out security policy is
always the first line of defense.
Furthermore, z/OS provides a number of integrity features to minimize intentional
or accidental damage from other programs. Many installations run several copies
of z/OS and often do not permit general TSO/ISPF users to access the
production systems. z/OS security controls can protect the production
environment if they are properly configured and prevent a TSO/ISPF user (either
maliciously or accidentally) from impacting important production work.

The IBM Security Server


Many installations use a package called the IBM Security Server, which is
commonly referred to by the name of its most well-known component, Resource
Access Control Facility (RACF).

z/OS security provisions include:
_ Controlling the access of users (user ID and password) to the system
_ Restricting the functions that an authorized user can perform on the system's
data files and programs
For students who would like to learn more about the tools available to a z/OS
security administrator, here is a list of the security components of z/OS that are
collectively known as the Security Server:
_ DCE Security Server
This server provides a fully functional OSF DCE 1.1 level security server that
runs on z/OS.
_ Lightweight Directory Access Protocol (LDAP) Server
This server is based on a client/server model that provides client access to an
LDAP server. An LDAP directory provides an easy way to maintain directory
information in a central location for storage, update, retrieval, and exchange.
_ z/OS Firewall Technologies
This program is an IPv4 network security firewall program for z/OS. In
essence, the z/OS firewall consists of traditional firewall functions and support
for virtual private networks.
The inclusion of a firewall means that the mainframe can be connected
directly to the Internet if required without any intervening hardware and can
provide the required levels of security to protect vital company data. With the
VPN technology, securely encrypted tunnels can be established through the
Internet from a client to the mainframe.
_ Network Authentication Service for z/OS
This service provides Kerberos security services without requiring that you
purchase or use a middleware product such as Distributed Computing
Environment (DCE).
_ Enterprise Identity Mapping (EIM)
This program offers a new approach to enabling inexpensive solutions that
allow you to easily manage multiple user registries and user identities in an
enterprise.
_ PKI Services
This program allows you to establish a public key infrastructure and serve as
a certificate authority for your internal and external users, issuing and
administering digital certificates in accordance with your own organization's
policies.
_ Resource Access Control Facility (RACF)
This is the primary component of the z/OS Security Server; it works closely
with z/OS to protect vital resources.
The topic of security can be a whole course by itself. In this book, we introduce
you to the RACF component and show how its features are used to implement
z/OS security.

Security administration
Data security is the protection of data from accidental or deliberate unauthorized
disclosure, modification, or destruction. Based on this definition, it is apparent
that all data-processing installations have at least potential security or control
problems. Users have found, from past experience, that data security measures
can have a significant impact on operations in terms of both administrative tasks
and demands made on the user.
RACF gives the user defined with the SPECIAL attribute (the security
administrator) many responsibilities both at the system level and at the group
level. The security administrator is the focal point for planning security in the
installation and needs to:
_ Determine which RACF functions to use.
_ Identify the level of RACF protection.
_ Identify which data RACF is to protect.
_ Identify administrative structures and users.
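As an added example, not taken from the book, the RACF commands a security administrator would issue to implement the need-to-know model described above: create a group, define and connect users to it, delegate group-level administration, protect a family of data sets with a generic profile whose universal access is NONE, and grant the group read access explicitly. It is written as a TSO CLIST so that the /* */ comments are valid; the group, user, data set and password names are constructed placeholders.

```clist
/* Activate generic profile checking for the DATASET class. This is a    */
/* system-wide option and normally only needs to be set once.            */
SETROPTS GENERIC(DATASET)

/* Create an administrative group for payroll under the SYS1 group tree. */
ADDGROUP PAYADM SUPGROUP(SYS1) OWNER(SYS1)

/* Define a new user whose default group is PAYADM. The password is     */
/* temporary (placeholder value) and must be changed at first logon.     */
ADDUSER PAY01 NAME('J. DOE') OWNER(PAYADM) DFLTGRP(PAYADM) +
        PASSWORD(TMPPW1)

/* Connect an existing user to the group as its group administrator:     */
/* SPECIAL here is group-SPECIAL, scoped to PAYADM, not system-SPECIAL.  */
CONNECT PAY02 GROUP(PAYADM) AUTHORITY(USE) SPECIAL

/* Protect every data set whose name begins with PAYROLL. with a generic */
/* profile. UACC(NONE) denies everyone not on the access list; failed    */
/* READ attempts are logged to SMF so auditors can review them.          */
ADDSD 'PAYROLL.**' UACC(NONE) OWNER(PAYADM) AUDIT(FAILURES(READ))

/* Grant READ to the group rather than to individual users, so access    */
/* is managed through group membership and can be revoked in one place. */
PERMIT 'PAYROLL.**' CLASS(DATASET) ID(PAYADM) ACCESS(READ)

/* Refresh the in-storage generic profiles so the change takes effect.   */
SETROPTS GENERIC(DATASET) REFRESH

/* Verify the profile and its access list; users outside PAYADM should   */
/* not appear, and UACC should show NONE.                                */
LISTDSD DATASET('PAYROLL.**') AUTHUSER
```

The same commands can be run in batch through IKJEFT01 by placing them in SYSTSIN without the comments.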

z/OS firewall technologies


The traditional firewall functions act as a blockade between your intranet (a
secure, internal private network) and another (non-secure) network or the
Internet. The purpose of a firewall is to prevent unwanted or unauthorized
communication into or out of the secure network. The firewall has two jobs:
_ It lets users in your own network use authorized resources from the outside
network without compromising your network's data and other resources.
_ It keeps users who are outside your network from coming in to compromise or
attack your network.
606 Introduction to the New Mainframe: z/OS Basics
There are several ways a firewall can protect your network. A firewall can provide
screening services that deny or grant access based on such things as user
name, host name, and TCP/IP protocol. A firewall can also provide a variety of
services that let authorized users through while keeping unauthorized users out,
and at the same time ensure that all communications between your network and
the Internet appear to end at the firewall, preventing the outside world from
seeing the structure of your network.
