Mission-critical applications and data for most large organizations still reside on IBM mainframes. Yet, cybersecurity of the mainframe has largely been ignored in recent years because of a common misperception that the mainframe environment is stable and static. In reality, many organizations never fully completed their cybersecurity implementations while others have not properly maintained or updated controls to take advantage of recent enhancements. RSH Consulting's professional services can be invaluable in addressing these vital concerns.

 

SPECIAL NOTICE: IBM has just announced September 30, 2024 is the End of Service (EOS) date for z/OS 2.4. The race is now on to get SDSF under RACF control beforehand because SDSF's internal ISFPARMS security features are no longer supported in later releases of z/OS. Contact RSH today if you need help with this task as it can be quite complex and prolonged, especially if you are not already protecting operator commands and JES spool resources.

 

 

 

We excel in implementing and enhancing RACF. This has always been our core service and is the area of greatest strength and depth in the background and experience of our consulting staff. Follow the links below to learn more about how RSH can help you:

 

Security Reviews & Audits

Beat the auditors and regulators to the punch -- find and fix the problem before they show up!

Mentor & Advisor

Unsure where to begin or how to tackle certain tasks -- let us guide you.

Policies & Management

Give RACF a solid foundation and framework -- we can help you develop the necessary policies, standards, and naming conventions.

Architecture & Automation

Is your RACF cumbersome to administer -- let us help you streamline your architecture and automate administrative chores.

Synchronize & Merge

Trying to consolidate and harmonize RACF databases -- we have the tools and talent to help you get the job done.

Post-Conversion Assistance

New to RACF and finding it daunting -- we can help with the transition.

Enhancement & Assistance

Don't have the time or expertise -- we can provide both.


 

Security Reviews & Audits

An essential starting point in any effort to enhance RACF is a thorough examination of your current implementation. Our reviews encompass every aspect of RACF controls -- user identification and authentication, dataset protection, monitoring, general resource protection, and security administration.

 

Evaluating RACF options and profiles is only a part of what RSH delivers. We look beyond RACF to examine security policies, administrative practices and procedures, and the security-related interfaces and configuration parameters in other system software because they substantially influence the effectiveness of RACF and your overall mainframe security. We are often able to identify and help resolve organizational and procedural roadblocks to the implementation of sound controls.

 

For organizations subject to the provisions of the Sarbanes-Oxley Act, we focus on controls specific to your financial application along with the overall RACF controls. Of particular interest to us are the protections afforded databases, transactions, and resources related to these systems.

 

Our review efforts are aided by an extensive set of in-house developed software tools. However, we firmly believe software alone cannot substitute for thoughtful analysis. A hallmark of our reviews is the intense effort we devote to thoroughly understanding the unique nature and complexities of each client's system environment and implementation of RACF. This enables us to uncover subtle vulnerabilities that have left them unknowingly exposed.

 

Our reports are unmatched for their breadth and depth of information. We use them as a tool for knowledge transfer. Every report offers both practical recommendations and implementation advice. We also make it a point to praise good control practices as well as identify concerns.



 

Mentor & Advisor

Are you faced with the task of trying to:

  • Lock down Started Tasks

  • Implement PROTECTALL

  • Curtail OPERATIONS authority

  • Merge RACF databases

  • Protect z/OS Unix (a.k.a. Unix System Services)

  • Guard CICS commands

  • Improve RACF performance

  • Refine storage administration authorities

  • Develop RACF exits

  • Control JES and SDSF

  • Activate the latest RACF features

  • Meet the requirements of HIPAA, SOX, and PCI

  • ... etc.

We can provide just the right amount of timely, helpful advice, suggestions, and guidance needed to kick-start your efforts, maintain your momentum, and keep you on track. A few minutes with our knowledgeable staff can save you hours of research and frustration. Plus, we can alert you to potential problems and any pitfalls to avoid before you stumble on them.



 

Policies & Management

Ensuring everyone understands the ground rules can make a huge difference in whether RACF is properly implemented and maintained. It is not uncommon for us to trace the source of technical control problems back to policy deficiencies. We will work with your security, technical support, and audit staffs to craft policies and standards that will encompass your entire mainframe software environment and address everyone's needs and views. Our extensive document templates and prior experience can make short work of this effort.

 

We can also help you establish or improve your overall security management program. Our services include developing general security policies, establishing data ownership, designing naming conventions, and helping to justify additional security staff and resources.



 

Architecture & Automation

Ill-conceived or haphazardly maintained group architectures and naming conventions can be a nightmare to administer. We can unscramble the current structure and devise a new one that eases your burden. We are especially adept at redesigning and refining large-scale implementations of RACF using role-based access control concepts.

 

This effort ordinarily involves determining resource ownership, defining a group hierarchy compatible with your organizational structure, establishing or revising profile naming conventions, migrating existing users into the new architecture, and adjusting group administrator authority.

 

To support new or existing architectures, we can create automated tools to assist you with RACF administration and help to maintain quality assurance. This often includes building software interfaces with your Human Resources system to automatically manage user creation, termination, transfer, and authority. This service is particularly valuable if you are planning to implement user provisioning software as it prepares your RACF for an easier installation.

 

We can also develop RACF reports unique to your organization to assist with common administrative tasks and control monitoring. Our favorite software tool is REXX, which facilitates rapid development and is simple to maintain.



 

Synchronize & Merge

Regardless of whether you are planning to consolidate RACF databases or implement RACF Remote Sharing Facility (RRSF), the effort to synchronize and harmonize independent RACF databases and implementations can be a complex process. It requires identifying and resolving differences and mismatches in RACF tables, SETROPTS options, group structures, profiles, segments, and permissions. It may necessitate changes to such items as Started Task USERID assignments, Unix System Services permissions, and configuration parameters within JES and other system software.

 

RSH has both the experience and software to help you complete this effort successfully and with a minimum of difficulties. We can assist you every step of the way -- from initial planning and analysis to implementation of changes and final activation. We have software tools designed to pinpoint critical profile differences, and we can offer you effective recommendations for addressing them. The experience we have gained in past projects allows us to recognize potential roadblocks in advance and determine which situations may turn out to be more complex than anticipated. This enables us to help you set realistic milestones and to reach those milestones on time and within budget.



 

Post-Conversion Assistance

If you are about to convert to RACF from another security product, you will soon be entering a period of frustration as you struggle to meet normal work demands while trying to learn and adjust to RACF. Rather than spending hours and hours researching and troubleshooting issues, let us help you. With just a quick phone call or email, our RACF experts can give you an instant answer to a question, time-saving advice, and one-on-one training on anything from command syntax to safely making major changes that could impact system operations. It usually only requires a few hours a week, and many issues can be resolved in minutes. We will help you make the best use of your time while you get up to speed on RACF.

Once you are past the initial adjustment period, you are likely to notice your new implementation of RACF is far from ideal. The typical conversion builds a RACF that simply mimics the behavior of the prior product and rarely takes full advantage of RACF's security capabilities and performance enhancing features. Let RSH assist you with refining your new implementation to bring it into proper alignment with RACF best practices. We can even expand the implementation to cover resources that may not have been fully protected under your prior product.



 

Enhancement & Assistance

We can help you with almost any RACF implementation task imaginable, and our role and services can be very flexible to meet your specific needs. Moving beyond mentoring and advising, our staff can assume responsibility for specific projects to implement new controls or refine existing ones. We can perform the work entirely on our own or as members of a team combined with individuals from your staff. Whatever the role, one of our primary objectives is knowledge transfer. We want you to have a clear understanding of what we did and why so that you can maintain the controls thereafter.

 

Protecting z/OS Unix involves a complex blend of FACILITY BPX-prefixed profiles, UNIXPRIV profiles, PROGRAM profiles, SURROGAT profiles, OMVS UIDs and GIDs, SETROPTS logging options, PARMLIB BPXPRMnn parameters, and /etc configuration file parameters, as well as permission bits, extended Access Control Lists (ACLs), and audit bits for Unix files and directories. Few organizations fully comprehend how these controls function or how best to implement them. As the leading specialists in protecting z/OS Unix, we can help you properly configure Unix and RACF to provide the level of protection your organization requires.


 

© 2024, RSH Consulting, Inc. All Rights Reserved.

For additional information, contact: RSH_Information or 617-969-9050.