LongEx Mainframe Quarterly - November 2009
These auditors see two options: get someone else to audit the z/OS systems, or don't audit them at all. With constricting budgets and increasing compliance workloads on other systems, it's easy to choose the second option. After all, z/OS is the most secure operating system on the planet.
But the reality is that because of their importance, z/OS systems need to be audited at least as often as other systems, if not more. With far more users, administrators, applications and databases, the risk of an internal security incident is higher. Companies that have outsourced some or all of their mainframe operations and support are even more at risk, having surrendered control to a third party.
But why is z/OS such a brute to audit? And more importantly, how can it be done without blowing the budget?
Why is z/OS So Difficult to Audit?
Like an old house that has undergone countless renovations and modifications, z/OS is a complex mixture of what was needed before, what is needed now, and what is needed to get the two to work together. Original features that were essential 40 years ago are still supported today, and have been added to with functionality like UNIX Systems Services (a POSIX shell for z/OS), cryptographic features, TCPIP, and new languages such as Java, C, PHP and Perl. Other software written for z/OS has undergone similar changes. Software like RACF, IMS and CICS are very different to what they were twenty years ago to make them relevant to the needs of today.
To make things more difficult, most organisations with a mainframe have been running the same applications for decades: applications that have had to undergo similar transformations to the systems software under which they run. Business units have been reformed again and again, constantly changing security access requirements, and how they are administered and monitored.
z/OS provides remarkable recording features requiring minimal processor overhead, based on the System Management Facility (SMF). SMF can record every logon, file and application access, rule change, and security failure. Such recording provides an enormous number of records that needs software (such as CA-MICS, Tivoli Decision Support or SAS/MXG), and technical knowledge of this software to process.
All of this adds up to an incredibly complex mixture of features, functionality and administrative tools that is difficult for a subject matter expert to keep track of, far less someone new to the z/OS world.
How Can You Audit z/OS?The easiest way to audit z/OS is to get an external company to do it. However this isn't the only answer - or the cheapest. Although a security audit of z/OS is a large project, it is not impossible to do it in-house, even for an auditor new to the platform. However two things are essential:
1. A technical expert
No auditor will have the z/OS technical expertise to perform a comprehensive audit of z/OS. An expert with current, in-depth knowledge of z/OS and other systems software is essential: a systems programmer. This systems programmer will:
Companies that have not outsourced their mainframe operations will have in-house systems programmers available. However auditors will prefer an external consulting systems programmer that is independent from the groups being audited. An in-house audit with such a consultant will cost far less than hiring an external company to do the whole project. Additional advantages include keeping control, and retaining mainframe-related skills gained during the project.
2. A CAAT
As z/OS is so complex, the number of parameters, rules and records to analyse in an audit can quickly get out of control. Anything more than the most minimal audit will need the use of commercial software for most of the 'leg work' - Computer Aided Audit Tools (CAATs).
These tools run on z/OS, and typically analyse the
From this, the software can identify potential security exposures, and even recommend how to eliminate them. A big advantage of CAATs is that they can ease the pain of creating a work program.
Some popular CAATs for z/OS include (in no particular order):
These CAATs are invaluable when performing a detailed audit, however they can't check everything. For example, they won't check the security of ISV products that provide powerful system utilities and features like operator commands.
Nor are CAATs a replacement for technical expertise. A z/OS expert is still needed to setup this software, identify what reports are needed, analyse those reports, and look for reasons behind the report findings. Resist any urge to rely blindly on the reports generated from this software.
Some Hints When Auditing
Set a Reasonable Scope
Few audits will attempt to audit the entire z/OS system in one hit. Most will break the problem up into easier pieces: audit the base z/OS systems one year, DB2 databases the next. Its important not to underestimate the work involved in a z/OS audit, and bite off more than you can chew.
Of course this scope may be set for you by compliance requirements such as Sarbanes-Oxley, CLERP 9 and ISO/IEC 27001/27002. Some of the resources mentioned below can help determine your audit scope.
Setup Ongoing Procedures
Most z/OS audits are one-off projects, however it's no surprise to any auditor that ongoing, regular checks are far more effective. The fact is that most of the work required to produce regular audit reports will be done during any one-off audit. A systems programmer can quickly prepare regular, automatically submitted batch jobs to prepare audit reports for review by auditors and security administrators.
There's no reason to be afraid of z/OS. Although an audit is a large project, it's not impossible to perform, and will become easier the more often it is done. Hiring an external company to perform the entire audit is a valid option, however auditors on a tight budget will want to consider performing the audit in-house using an external z/OS technical expert and audit software.
Auditors new to z/OS will need to find their feet fast:
IBM also provides copies of its technical manuals free online. Unfortunately these manuals are not an easy read, especially for beginners.
Three invaluable resources are::
Other z/OS security related resources include:
This article was updated in Dec-2011 to update the available CAAT software