Tip

Mainframe security changes as Web services arrive

One key reason to convert mainframe applications to Web services is to make them available more broadly -- often including end users outside of the organization and the consumer market. In many cases, these users expect access in which there is a single sign-on,

    Requires Free Membership to View

with some privacy as to the identity or characteristics of the user. Because of the features of Web services, it may be that this new classes of end users will attempt to access the mainframe application frequently, requiring flexible adjustment by mainframe security software.

Web services on non-mainframe platforms that link to the mainframe may be more vulnerable, so that a PC application that has been be a trusted internal consumer of mainframe services becomes a new pathway by which a hacker can attack key corporate data on the mainframe.

At the same time, the Web service allows users to define corporate-standard security that is automatically applied in each access to the Web service. This, in turn, means that by creating an SOA (service-oriented architecture), organizations can enforce mainframe-level security across the entire organization. And this standardization also makes it easier to mesh the RACF (Resource Access Control Facility) and encryption facilities of the mainframe with the Kerberos and firewall capabilities of other platforms.

The key to success in adapting mainframe security to Web services is to take advantage of the opportunities and thereby solve the problems. In other words, by defining the right corporate standard for security, based on mainframe security, and implementing it in an SOA, the user will actually reduce security risks as it moves to adopt Web services.

For an introduction to SOA, read this tutorial on Web service technologies.

Web services and security

Web Services impact an environment in which the main focus of security has been prevention of access to key proprietary information by unauthorized users. Enterprises may have accomplished prevention by disguising data (encryption), by erasing data as soon as possible, by removing data as soon as possible to a secure facility (archiving), or by controlling access to the data (access control, firewalls, and so on). In other words, security has emphasized keeping people outside a carefully chosen circle away from information; an SOA (along with other new technologies such as business compliance) emphasizes giving new people outside that circle (and outside the enterprise) access to information.

Table 1 below shows the potential evolution of security due to Web services in each of these areas of security.

Table 1: Impact on security of web services

Security typeNew Web service requirementResulting Change in Security
Disguising dataProvide differentiated access to undisguised data to some new classes of users (e.g., customers to products, regulators for business compliance), ensure data's safety from malicious attackAllow encryption on data sent across organizational boundaries, improve encrypt/decrypt speed
Erasing dataSave data of all types (structured accounting data, semi-structured email, unstructured media files) for many years, both because historical data is valuable to new classes of users (turn old products into collectibles) and because it is needed for business compliance, provide rapid access to the dataInstead of erasing data, archive in a secure but comprehensive, robust, and rapidly accessible manner such as an SOA
Placing (older) data in secure facilityEnsure and demonstrate data's safety from disaster and malicious attack, provide rapid access to all types of older dataCombine archiving with disaster recovery, add reporting and Web security (firewall, encryption) mechanisms, preferably as part of a disaster-recovery-site SOA
Controlling data accessEnsure and demonstrate data's safety from malicious attack, extend right to access to new online customers, investors, the press, regulatory and legal authoritiesIntegrate access-control and data-access (reporting, querying) mechanisms as part of a corporate-standard SOA security mechanism, make data stored on secure media available outside the enterprise

Note that the result of these changes is actually to make security better than before -- with less performance overhead, more comprehensive and integrated across all enterprise information, more applicable to inter-organization communication, better integrated with risk management and disaster recovery. Thus, as Web services arrive, security is harder to do; but, once done effectively, delivers more benefits.

IBM's response

IBM's approach to mainframe security stresses MultiLevel Security (MLS) for z/OS, a multiple-layer approach in which perimeter defense (e.g., firewalls, anti-virus, intrusion detection, cryptography via eServer Cryptographic Coprocessor) operates as a first "access checkpoint" for broad threats from outside. A control layer (e.g., RACF, Tivoli Access Manager, Tivoli Identity Manager) applies more fine-grained criteria to determine whether a particular user can carry out a particular function on the mainframe. An an assurance layer carries out "service level fulfillment" tasks related to business compliance, auditing, risk management, and security-event response.

IBM System z security offerings also include PKI (Public Key Infrastructure) support to manage digital certificates, Crypto Express2 to allow easier migration to higher levels of mainframe cryptographic security such as anti-fraud security, z/OS Intrusion Detection Services, and SSL (Secure Sockets Layer) with improved performance.

Table 2, below, shows the ways in which Infostructure Associates believes that the IBM System z has built on past strengths to address the needed changes in security.

Table 2: IBM's response

Security typeNew web service requirementResulting change in securityIBM offering
Disguising dataProvide differentiated access to undisguised data to some new classes of users (e.g., customers to products, regulators for business compliance), ensure data's safety from malicious attack Allow encryption on data shared with partners, authorities, improve encrypt/decrypt speedEncryption Facility for z/OS 1.1, allows storing data on secure tape/disk for sharing with partners, extends data encryption, allows compression for faster data access; Crypto Express 2
Erasing dataSave data of all types (structured accounting data, semi-structured Save data of all types (structured accounting data, semi-structured email, unstructured media files) for many years, both because historical data is valuable to new classes of users (turn old products into collectibles) and because it is needed for business compliance, provide rapid access to the data Instead of erasing data, archive in a secure but comprehensive, robust, and rapidly accessible manner such as an SOA Instead of erasing data, archive in a secure but comprehensive, robust, and rapidly accessible manner such as an SOA IBM business compliance solution combines IBM reporting, information integration, security and archiving software and hardware (e.g., information lifecycle management), and provides Web service interfaces.IBM business compliance solution combines IBM reporting, information integration, security and archiving software and hardware (e.g., information lifecycle management), and provides Web service interfaces.
Placing (older) data in secure facilityDemonstrate data's safety from disaster, provide rapid access to all types of older dataCombine archiving with disaster recovery, add reporting and Web security (firewall, encryption) mechanisms, preferably as part of a disaster-recovery-site SOAIBM solution combines IBM reporting, business compliance, disaster recovery, information integration, security and archiving software and hardware, plus extensive Web service conversion and creation tools and platforms.
Controlling data accessEnsure and demonstrate data's safety from malicious attack, extend right to access to new online customers, investors, the press, regulatory and legal authorities Integrate access-control and data-access (reporting, querying) mechanisms as part of a corporate-standard SOA security mechanism, make data stored on secure media available outside the enterprise Extension of Crypto Express2 features to ATMs/POS devices and to support PKI (public-key) data protection plus better DES (Data Encryption Standard) to non-IBM key exchange, allowing wider availability of secure zSeries media; RACF; IBM Information Integrator; Tivoli Access Manager; Tivoli Identity Manager.

In other words, IBM is extending System z security to Web services primarily by:

  • Integrating security with expanded business compliance and disaster recovery solutions that can support Web services and outside users;
  • Expanding security offerings to improve performance and widen the scope of users employing System z security (e.g., to more users outside the enterprise); and
  • Offering extensive Web service conversion and creation tools and platforms that allow extension of mainframe security to an organization-wide SOA.

    This allows IBM to differentiate its System z security solutions especially well in two ways. Experience -- no one else has IBM mainframes' track record in security, based on technologies like RACF. Comprehensiveness -- no one else offers an information integration product that allows users to apply the same data-access security scheme across all of an enterprise's data stores, no matter what type.

    IBM's approach also allows users to incorporate extensive, standard, and robust security products not only into mainframe Web-service applications but also across a cross-platform SOA.

    The advent of Web services means not merely another architecture expanding the organization's security risks by allowing new points of attack, but also a rare opportunity to improve both security and the benefits derived from it, by extending mainframe security to an organization-wide SOA.

    About the author:Kernochan is president of Infostructure Associates.

    This was first published in July 2006

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.