Privileged Users and the Mainframe



by Rob van Hoboken
January 1, 2007

As ISO17799 points out, “Inappropriate use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) can be a major contributory factor to the failures or breaches of systems.”

Auditors and regulators are concerned, too. In one Sarbanes-Oxley (SOX) audit after another, the message is clear: Get control over your privileged users.

The Mainframe Challenge

The old, reliable mainframe (a.k.a. Enterprise Server) is alive and kicking, but the mainframe provides a unique privileged user challenge. One of the cost-saving aspects of z/OS systems, the high “users to technicians ratio”, opens up new challenges for data center managers. Additional efficiency improvements in security management have allowed data center management to reduce the size of security management teams down to the level where conventional separation of duties is no longer feasible. Today, each staff member wears multiple hats, even if that violates good change management and audit policy. Smaller shops may run with one security administrator and use the systems programmer as backup and technical consultant. Even in large mainframe installations, there’s typically only one security administrator who really understands z/OS, the legacy applications, and how these are defined to the security product.

In such installations, the lead security administrator may have tasks ranging from:

  • Defining the security structure for new applications
  • Granting authority
  • Cleaning up obsolete structures
  • Keeping house when the help desk can’t shoulder the load
  • Identifying data exposures
  • Fixing misconfigured parameters
  • Investigating and escalating incidents.

Since the lead security administrator is the only person who understands the ins and outs, he becomes an untraceable, self-supervising agent. In a typical environment, he would have the ability to change any security rule or parameter, and simultaneously bypass those rules. In a RACF system, he might have system special and operations and might even require the auditor attribute to run some standard reports. In CA-ACF2, he might have the security attribute and bypass rule validation. In Unix, he might need UID(0) to create new home directories. When all these authorities accrue to the same person, you have a Super User.
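As an added illustration that is not part of the article, the following Python check reads LISTUSER-style output and flags user IDs that hold the combinations just described: SPECIAL together with OPERATIONS, SPECIAL together with AUDITOR, and SPECIAL together with an OMVS UID of 0. The sample listing is constructed and only loosely modelled on RACF's LISTUSER format, and the conflict names are assumptions made for this example.

```python
"""Flag RACF user IDs whose accumulated authorities make them a "Super User":
the ability to change security rules (SPECIAL) combined with the ability to
bypass them (OPERATIONS), audit them (AUDITOR) or act as Unix root (UID 0)."""
import re

# Constructed sample, loosely modelled on LISTUSER output; not from a real system.
SAMPLE_LISTUSER = """\
USER=SECADM1  NAME=LEAD SEC ADMIN     OWNER=SYS1    CREATED=05.012
 ATTRIBUTES=SPECIAL OPERATIONS AUDITOR
 OMVS INFORMATION
 ----------------
 UID= 0000000000
 HOME= /u/secadm1
USER=SYSPROG1 NAME=SYSTEMS PROGRAMMER OWNER=SYS1    CREATED=04.200
 ATTRIBUTES=OPERATIONS
 OMVS INFORMATION
 ----------------
 UID= 0000000000
USER=AUDITOR1 NAME=INTERNAL AUDIT     OWNER=SYS1    CREATED=06.100
 ATTRIBUTES=AUDITOR
USER=APPDEV1  NAME=APPLICATION DEV    OWNER=DEVGRP  CREATED=06.300
 ATTRIBUTES=NONE
 OMVS INFORMATION
 ----------------
 UID= 0000001234
"""

def parse_listuser(text):
    """Return {userid: {"attrs": set_of_attributes, "uid": int_or_None}}."""
    users, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"USER=(\S+)", line):          # start of a new user block
            current = users.setdefault(m.group(1), {"attrs": set(), "uid": None})
            continue
        if current is None:
            continue
        if m := re.match(r"\s*ATTRIBUTES=(.*)", line):   # NONE means no attributes
            current["attrs"] = {a for a in m.group(1).split() if a != "NONE"}
        elif m := re.match(r"\s*UID=\s*(\d+)", line):    # OMVS segment, if present
            current["uid"] = int(m.group(1))
    return users

# Separation-of-duties conflicts (names are assumptions for this example).
CONFLICTS = {
    "SPECIAL+OPERATIONS": lambda u: {"SPECIAL", "OPERATIONS"} <= u["attrs"],
    "SPECIAL+AUDITOR":    lambda u: {"SPECIAL", "AUDITOR"} <= u["attrs"],
    "SPECIAL+UID0":       lambda u: "SPECIAL" in u["attrs"] and u["uid"] == 0,
}

def find_super_users(users):
    """Map each conflicting userid to the sorted list of conflict names it triggers."""
    flagged = {}
    for userid, u in users.items():
        hits = sorted(name for name, rule in CONFLICTS.items() if rule(u))
        if hits:
            flagged[userid] = hits
    return flagged
```

Run the same check against a real LISTUSER export and review every flagged ID against an approved exception list; a lone security administrator will usually appear, which is exactly the condition the article warns about.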

Just as in the “X-Men” movie, the all-powerful person may become dangerous when motivated by the wrong priorities. When your security administrator decides the situation merits drastic actions, you may find yourself in the scene where Magneto moves the Golden Gate Bridge to get to Alcatraz. But unlike the visual effects we see in the movie, your security administrator may be completely invisible to others because he’s the only person who looks at the logs.