Cleaning House for the Next Generation: Security Minus Obscurity
by Reginald (Reg) Harbeck
April 1, 2006
So, what do organizations expect of their mainframe systems? The same thing they expected when they were first made available: consistency, integrity, and privacy of their data and processing. And when their expectations were explicitly spelled out, mainframe security software was created to meet those requirements.
But the “way we’ve always done it” approach is no longer acceptable (and really never should have been). Business needs and regulations change. What was sufficiently secure when a system was written years ago may no longer meet today’s requirements. It’s akin to having so many passwords that you keep them on a sticky note under the keyboard: the control has become so burdensome that people build a workaround that defeats its purpose.
If current business needs are forcing people to work around the system rather than following it, it’s not appropriately configured. It’s time to re-examine your needs, identify the exposures that auditors and organizational executives would be concerned about, and ensure they’re explicitly dealt with.
Consolidate diverse application internal security into the external security system: When properly done, external security (i.e., having a dedicated security product make access decisions on behalf of the application, rather than the application consulting its own permission tables) is a very effective approach for enabling a single set of administrators to administer all security accesses through a single interface. External security provides consistency across all applications. It also provides separation of duties, as the people in charge of applications, databases, or other systems aren’t the same ones in charge of securing them.
Separation of duties is important. It keeps people honest. For example, separation prevents those in charge of applications, databases and systems from making self-interested changes to data. It also protects people who are doing the right thing. Without this separation, your best technologists will be under a cloud of suspicion when problems arise.
And yet, it’s surprising how many applications and databases are still secured using internal tables instead of deferring to external security.
Take a look at your own organization. Are there any applications or databases that don’t have all their security handled exclusively by your external security product on your mainframe? If so, it’s time to convert those applications to use the Application Programming Interfaces (APIs) in your external security instead of their internal tables.
Otherwise, that’s a loose end that auditors are likely to be concerned about.
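The conversion the preceding paragraphs describe, as an added example that is not code from the original article: an application that keeps its own permission table (the “before”), and the same application deferring every access decision to an external security manager (ESM) through one call (the “after”). The ESM shown is a deliberately simplified model of how a RACF-style manager resolves a resource name against generic profiles and an access list; the class, profile, user and group names are constructed for illustration, and the profile-matching and “most specific profile wins” rules are simplifications of the real ones.

```python
"""
Added example, not code from the original article: replacing an application's
internal permission table with a single call to an external security manager.
The ESM is a simplified model of a RACF-style manager; all names are constructed.
"""
from dataclasses import dataclass, field

# Access levels in ascending order of privilege, as RACF-style managers rank them.
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _rank(level: str) -> int:
    return ACCESS_LEVELS.index(level.upper())


@dataclass
class Profile:
    """One resource profile: class, name pattern, universal access, access list."""
    cls: str                                  # e.g. "DATASET"
    name: str                                 # e.g. "PAYROLL.MASTER.*"
    uacc: str = "NONE"                        # access when no ACL entry applies
    acl: dict = field(default_factory=dict)   # userid or group -> access level


def profile_matches(pattern: str, resource: str) -> bool:
    """Simplified generic matching over dot-separated qualifiers:
    '*' matches exactly one qualifier, '**' matches zero or more."""
    pq, rq = pattern.split("."), resource.split(".")

    def match(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":
            return any(match(i + 1, k) for k in range(j, len(rq) + 1))
        return j < len(rq) and pq[i] in ("*", rq[j]) and match(i + 1, j + 1)

    return match(0, 0)


class ExternalSecurityManager:
    """Owns the policy and the audit trail; the application only sees check_access()."""

    def __init__(self, profiles, group_members):
        self._profiles = list(profiles)
        self._groups = group_members          # group -> set of userids
        self.audit_log = []                   # (userid, cls, resource, requested, allowed)

    def _best_profile(self, cls, resource):
        # Most specific matching profile wins: most literal qualifiers, then
        # fewest wildcard characters (a simplification of RACF's rule).
        cands = [p for p in self._profiles
                 if p.cls == cls and profile_matches(p.name, resource)]
        if not cands:
            return None
        return max(cands, key=lambda p: (
            sum(q not in ("*", "**") for q in p.name.split(".")), -p.name.count("*")))

    def _granted(self, profile, userid):
        # A user's own ACL entry beats group entries; among groups the highest wins.
        if userid in profile.acl:
            return profile.acl[userid]
        via_groups = [lvl for grp, lvl in profile.acl.items()
                      if userid in self._groups.get(grp, ())]
        return max(via_groups, key=_rank) if via_groups else profile.uacc

    def check_access(self, userid, cls, resource, requested) -> bool:
        profile = self._best_profile(cls, resource)
        # No profile covers the resource: fail closed, the way SETROPTS PROTECTALL does.
        allowed = profile is not None and _rank(self._granted(profile, userid)) >= _rank(requested)
        self.audit_log.append((userid, cls, resource, requested.upper(), allowed))
        return allowed


# BEFORE: an application-private table that application staff can edit directly,
# outside the security administrators' view.
INTERNAL_TABLE = {"JSMITH": {"PAYROLL.MASTER.2006": "UPDATE"}}


def can_update_internal(userid: str, dataset: str) -> bool:
    return INTERNAL_TABLE.get(userid, {}).get(dataset) in ("UPDATE", "ALTER")


# AFTER: the application holds no policy at all; it asks the ESM and honours the answer.
def can_update_external(esm: ExternalSecurityManager, userid: str, dataset: str) -> bool:
    return esm.check_access(userid, "DATASET", dataset, "UPDATE")


def build_demo_esm() -> ExternalSecurityManager:
    """Constructed policy: payroll admins update working files but only read the
    master file; auditors read the master; public rate tables are readable by all."""
    profiles = [
        Profile("DATASET", "PAYROLL.**", acl={"PAYADM": "UPDATE"}),
        Profile("DATASET", "PAYROLL.MASTER.*", acl={"PAYADM": "READ", "AUDITOR": "READ"}),
        Profile("DATASET", "PAYROLL.PUBLIC.*", uacc="READ"),
    ]
    groups = {"PAYADM": {"JSMITH"}, "AUDITOR": {"AJONES"}}
    return ExternalSecurityManager(profiles, groups)


if __name__ == "__main__":
    esm = build_demo_esm()
    print(can_update_internal("JSMITH", "PAYROLL.MASTER.2006"))       # table says yes
    print(can_update_external(esm, "JSMITH", "PAYROLL.MASTER.2006"))  # ESM says no
    print(can_update_external(esm, "JSMITH", "PAYROLL.INPUT.2006"))   # ESM says yes
    for entry in esm.audit_log:
        print(entry)
```

Two things worth noticing when you run it. The internal table says JSMITH may update the payroll master, but the ESM says no, because the more specific PAYROLL.MASTER.* profile caps payroll administrators at READ; that is the kind of inconsistency a single policy store removes. And every decision, allowed or denied, lands in the ESM's audit log rather than in code the application team controls, which is what gives auditors the separation of duties the article asks for.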
Clean out obsolete user IDs and access—and keep them clean: When employees have been with one organization for several years, they often learn there are two ways to get things done— the official way and the way that works. Often, this back-door “way that works” involves the employee collecting access to numerous computer systems and resource permissions and not giving it back when his/her role changes.
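A stale-ID review of the kind this paragraph calls for, as an added example that is not code from the original article. The input is a constructed, simplified per-user extract (the sort of thing you would assemble from LISTUSER output or a RACF database unload); its column layout, user IDs, dates and HR roster are invented for illustration and are not a real RACF record format. The 90-day revoke and 365-day delete thresholds, and the century window used for two-digit years, are assumed local policy.

```python
"""
Added example, not code from the original article: flag user IDs that are off
the HR roster, never used, or idle too long, and propose REVOKE/DELUSER actions.
Input layout, IDs, dates and thresholds are constructed/assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed extract, one user per line: USERID LAST-ACCESS CREATED REVOKED
# Dates are RACF-style yy.ddd (two-digit year, day of year); UNKNOWN = never logged on.
SAMPLE_EXTRACT = """\
JSMITH   06.085  03.045  N
AJONES   05.320  04.100  N
TEMP01   UNKNOWN 05.200  N
OLDAPP   04.010  01.002  N
BBROWN   06.088  02.150  N
CCHEN    05.300  05.290  Y
"""

# Constructed HR roster of people still entitled to an ID.
HR_ACTIVE = {"JSMITH", "AJONES", "BBROWN"}

REVOKE_AFTER_DAYS = 90     # assumed policy: revoke IDs unused this long
DELETE_AFTER_DAYS = 365    # assumed policy: propose deletion after this long


def parse_racf_date(text: str):
    """yy.ddd -> date, or None for UNKNOWN. Two-digit years need a century
    window; yy < 70 is taken as 20yy, which is a local assumption."""
    if text == "UNKNOWN":
        return None
    yy, ddd = (int(part) for part in text.split("."))
    year = 2000 + yy if yy < 70 else 1900 + yy
    return date(year, 1, 1) + timedelta(days=ddd - 1)


@dataclass
class Finding:
    userid: str
    idle_days: int
    reasons: list = field(default_factory=list)
    command: str = ""          # proposed RACF command, empty if nothing to issue


def review_users(extract: str, today: date, hr_active: set) -> list:
    """One Finding per ID that needs attention; unflagged IDs are not returned."""
    findings = []
    for line in extract.splitlines():
        if not line.strip():
            continue
        userid, last, created, revoked = line.split()
        last_d, created_d = parse_racf_date(last), parse_racf_date(created)
        # Idle time counts from the last logon, or from creation if never used.
        idle = (today - (last_d or created_d)).days
        reasons = []
        if userid not in hr_active:
            reasons.append("not on HR active roster")
        if last_d is None and idle > REVOKE_AFTER_DAYS:
            reasons.append(f"never used in {idle} days since creation")
        elif idle > REVOKE_AFTER_DAYS:
            reasons.append(f"idle {idle} days")
        if not reasons:
            continue
        if idle > DELETE_AFTER_DAYS:
            # DELUSER is proposed, not issued: the ID may still own data sets or
            # profiles, and that ownership has to be transferred first.
            command = f"DELUSER {userid}"
        elif revoked == "N":
            command = f"ALTUSER {userid} REVOKE"
        else:
            command = ""       # already revoked; leave it until the deletion threshold
        findings.append(Finding(userid, idle, reasons, command))
    return findings


def proposed_commands(findings: list) -> list:
    """The command list to hand to change control, not to an unattended batch job."""
    return [f.command for f in findings if f.command]


def demo_findings() -> list:
    """Run the review against the constructed extract as of the article's date."""
    return review_users(SAMPLE_EXTRACT, date(2006, 4, 1), HR_ACTIVE)


if __name__ == "__main__":
    for f in demo_findings():
        print(f.userid, f.idle_days, "; ".join(f.reasons), f.command or "(already revoked)")
    print(proposed_commands(demo_findings()))
```

On the sample data this proposes revoking AJONES (on the roster but idle 136 days) and TEMP01 (a never-used ID belonging to nobody on the roster), proposes deleting OLDAPP (off the roster and idle more than two years), and leaves CCHEN alone because that ID is already revoked and not yet past the deletion threshold. The “keep them clean” half of the advice is the schedule: run the review every month, and treat the proposed commands as input to change control, since an ID that looks idle may be a batch or started-task identity that never logs on interactively.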