• Provide full-time consultants to support the client's CA-Top Secret environment
• Convert IBM-RACF subsystems to CA-Top Secret
• Modify the security environment to meet Sarbanes-Oxley requirements
• Using CA Cleanup, review security file data, report security that is not required, and subsequently remove the unneeded security
• Implementation of Role Based Access Control (RBAC)
• Review the existing security implementation and analyze entitlement usage data
• Based on that analysis, create new security roles to replace the existing security
• Review the effectiveness of the new roles and phase out the older security rules
• Provide an in-depth analysis of the mainframe security environment
• Conduct interviews with stakeholders and generate report data for analysis
• Analyze the findings and create a comprehensive findings report
• Formally present the findings to the client
• Developed "easy to read" management security access reports
• Allows the client to request access-authority reports for ACF2-secured datasets, cross-referenced to client-specific application data
• Provides only the data that the client requires
• Developed all programs, JCL and processes required
Mainframe Systems Support
• Provide as-needed CA-Top Secret and mainframe networking support
• Perform security and network support and administration services
• Client has deferred hiring of additional staff
Mainframe Security File Cleanup
• Implemented and utilized CA Cleanup for Top Secret, CA Cleanup for ACF2 and CA Cleanup for RACF
• Reduced obsolete, excessive and redundant security by 50% to 90%
• Implemented CA Cleanup on anywhere from one (1) to eighty-eight (88) LPARs to track and monitor security usage
• Assisted the client in identifying and removing unneeded security
IBM-RACF to CA-Top Secret Conversion
• Using the proprietary "Conversion Factory" process, converted the client's RACF to a functionally equivalent CA-Top Secret security database
• Provided a full-time, high-level CA-Top Secret consultant to assist the client in re-architecting application security to meet Sarbanes-Oxley requirements
• Provided high-level expertise in CA-Top Secret interfaces and operation with application software
• Crafted and executed CA-Top Secret commands to address security deficiencies and implement the new application security architecture
Mainframe CA-Top Secret/VSE Implementation
• Provided expert assistance to the client for installing and implementing CA-Top Secret for VSE
• CA-Top Secret for VSE was successfully installed on two (2) VSE images, two (2) CICS regions and one (1) z/VM image
• Converted 12 TSO user attribute data sets (UADS), defining 55,236 users, to central mainframe security
• Cleanup and removal: users reduced by 65%, from 55,236 to 18,971; logon procedures reduced by 47%, from 900 to 474
• Allowed management of TSO user information via the site's new user provisioning software
• End-user transparent; identical access and enforcement maintained throughout; no outage or production impact
• Converted two systems and merged them into an existing, larger security database supporting 11 businesses
• Converted 8,677 user IDs, 24,277 file access rights and 12,383 resource access rights
• End-user transparent, with identical user IDs, passwords, access rights and enforcement
• TSS search algorithm "override" cases analyzed and conflicts resolved
• Cleanup removed 54% of users, 37% of groupings and 30% of access rights
• Converted only active users and access: only a 10% subset of the prior security database
• DB2 security conversion from internal, native DB2 security to external SAF-based security
• Converted 22 DB2 environments comprising 42 DB2 subsystems
• 2,313,112 DB2 authorizations program-analyzed, masked, grouped and reduced to fewer than 50,000 permissions
• End-user transparent; identical access and enforcement maintained throughout; no outage or production impact
• Conversion of two systems sharing one security database
• 59,612 user IDs, 82,902 file access rights and 85,214 resource access rights
• End-user transparent, with identical user IDs, passwords, access rights and enforcement
• Extensive JES and S/390 security USERMODs and interfaces (APIs)
• Security cleanup of over 50%; TSO PROCs reduced from 500 to 20
• Converted three S/390 systems sharing 91,145 security entries, including user IDs, access rights and access groups
• Transparent to end users, whose user IDs, passwords and access rights remained identical
• Security enforcement maintained (FAIL mode) throughout
• No unscheduled outage or production impact
• Result: a single, unified S/390 security product environment
  - Elimination of dual-product training for security and systems staff
  - Elimination of dual security product installation and maintenance by systems staff
  - Improved security responsiveness and problem resolution, given a consistent security system
  - Improved single-point security and auditing control
• Converted the security of three systems and merged it into an existing, larger security database
• Result: a single, unified security product and one centrally shared security database
• Zero fall-out, no cross-contamination, FAIL enforcement throughout
• End-user transparent, with identical user IDs, passwords and access rights
• Initially 55,000 security entries; cleanup (no conversion) done for entries found obsolete:
  - 30% of user IDs
  - 80% of access groups
  - 60% of file rights
  - 30% of resource rights
• Converted a single security product and database
• End-user transparent, with identical user IDs, passwords and access rights
• 2,501 of 7,901 user IDs found obsolete and not converted
• 506 of 2,700 access groups found obsolete and not converted
• 1,632 of 3,918 secured high-level qualifiers found obsolete and not converted
• 112,974 of 451,888 access rights (permissions) found obsolete and not converted
• Conversion: 12 weeks
• Converted five systems using three security databases
• 10,702 user IDs, 11,216 file rights and 48,350 resource rights
• Offsite conversion over eight weeks, followed by onsite cutover over two weeks