In previous columns, I described a structured approach to evaluating your mainframe security, starting with controls over access to the system. I also described how your security software (RACF, ACF2, or Top Secret) can control system access for each of several paths, including TSO, started tasks, and batch jobs.
Here we continue our discussion of security over each path into the system and consider started tasks and consoles. When an operator at a console in the computer room types the command “START MARY” and hits ENTER, the system finds the Job Control Language (JCL) named MARY and executes it. The JCL for MARY, with an EXEC statement specifying what program to execute and DD statements defining what data sets to make available to that program, looks similar to a batch job. However, it’s a started task, representing yet another path into the system.
Here we continue our discussion of security over each path into the system, considering more complications over system access through batch jobs. With z/OS, the security comes from SAF; that is, the security software—RACF, ACF2, or Top Secret. We will examine some less well-known ways a user can submit a batch job that runs with some other userid, including through CICS submissions, Network Job Entry (NJE), and IBM’s Sterling Connect:Direct.
I was a kid in the ’60s, a decade of war, protests, and constant challenges to authority and propriety. Some activities—such as the civil rights movement and women’s rights—were deadly serious. But some were downright fun, such as the censorship-testing TV show “Laugh-In.”
Do you remember the first time you saw somebody famous? I do. I was five, and my little sister was four, and we were going to visit Mr. Green Jeans from the children's TV show “Captain Kangaroo.” What a thrill! Now imagine my shock and surprise when I realized I was mistaken. We were visiting Aunt Liz and Uncle Eugene. Oh, I will never forget that disappointment. But what followed was equally memorable. Dear Uncle Eugene, who thought the situation was hysterical, decided we should put on our very own kids show on their front porch. He assembled all the adults and they watched my sister and me sing “The Alphabet Song.” When we were done, they clapped like it was the most brilliant thing they’d ever heard.
Mitigating security issues in a mainframe environment remains a hot topic. Mainframe security isn’t new or unique; we’ve all benefited greatly from the relative safety and security inherent in the mainframe architecture. Once it’s set up, we can almost stop worrying altogether, but where does a new installation start? How can they lock down the mainframe and protect the corporate jewels? Detailed answers to those questions could fill volumes, but the path to security nirvana can be easier to follow if you adopt the four “baby steps” to compliance outlined here.
Continuing our discussion of paths into the system, here we consider security over system access through batch jobs. You want to ensure that only users defined to the security software (RACF, ACF2, or Top Secret) can submit batch jobs, both to prevent unauthorized use of your system and to protect sensitive data.
Here we consider TCP/IP under z/OS, a path into the system we need to control for effective security. Using tools provided with z/OS, this can be the most secure TCP/IP you’ll find anywhere. We’ll summarize how TCP/IP works under z/OS, discuss its security risks, and examine how you can manage those risks. References to security software here mean RACF, ACF2, or Top Secret.
Corporate IT organizations and mainframe security professionals face the challenges of minimizing costs, maintaining compliance with industry and government regulations, addressing increased workloads, and adapting to decreasing mainframe skillsets as “baby boomers” start to retire in significant numbers. Fortunately, technology is being developed to make products easier to learn and use; it’s also facilitating knowledge transfer from first-generation users to next-generation users. This technology needs to address daily tasks, but the job isn’t just about routine, daily duties such as assimilating new employees. The solution must cover the entire role.
Your mainframe may be the most secure computing platform in your organization, but did you know it’s also at high risk for security breaches and regulatory non-compliance?