Isolated technical measures alone, even when operating in real-time, are not enough. Commercially offered systems for recording SMF records in real-time, such as RACF SMF records, are a good example. You have a good objective, but this is simply not enough, since the whole system must be comprehensively and systematically protected against manipulation. A simple scenario supports this argument. If a professional attacker manipulates his or her authorization and breaks the audit trail, he can easily disable any SMF records. This is a mere “bit” of effort. The old law of physics also applies here: “Nothing comes from nothing” – no cause, no effect. Missing SMF records will not bring up detection and notification even in a real-time live-evaluation and cannot be used for an automatic reaction.
In this context, some hard questions regarding “malicious code” arise:
• What exactly are all the APF-authorized modules, which come from so many different software vendors, doing?
• To what extent can these programs be misused for other purposes? Can they be misused for such actions as suppressing and deactivating SMF protocolling by dynamic (memory) manipulation?
• Which undocumented, security-critical functions can specialists uncover in the program code of modules when using corresponding analysis tools?
• To what extent can the development departments create and use authorized modules?
The questions are endless. Nevertheless, one thing is certain: no one z/OS user can clearly answer them, even when the software is installed properly with SMP/E. Conclusion: All processes running in the system must be monitored in real-time for “improper behavior”.
Another important legal aspect concerns the requirements and conditions for proper operations, transparency and completeness, especially in the areas of bookkeeping and financial data processing. In short, you require an invulnerable audit trail for the purpose of audit data completeness and authenticity. This is your primary concern. In addition, new concerns involving risk precautions and prevention require that this complete and correct audit data is not merely archived, but analysed immediately and properly as well.
What solution do we suggest?
As developers of SF-Sherlock, whose comprehensive z/OS real-time monitoring technology is unique to the market, we can gladly propose the successful way of implementing z/OS security and quality automation. The SF-Sherlock solution not only entirely complies with basic legal requirements and recommendations, but also accomplishes much more to keep your company on the right track. Apart from security concerns, SF-Sherlock also supports the goal of constant availability, for example, with its IPL simulation, parmlib syntax and semantic checking and many more quality checks. We supply connection kits that further enable SF-Sherlock’s integration into comprehensive cross-platform solutions, such as those of Symantec, Tivoli, CA, etc.
By using SF-Sherlock, you can eliminate the technical risks as well as successfully achieve the required automatic control and monitoring required by legislation. Both improve your rating significantly and thus lower costs. In this way, SF-Sherlock gives an increased added value to your company.
The concepts of automatic and complete monitoring, as well as the plug&play implementation, let you reach this goal with minimal time and cost. Our effective installation and implementation concept will convince you.
Leading banks, insurance companies, industrial companies and IT service providers have been successfully securing their mainframe platform for years with SF-Sherlock. Our company, our technology, our services, and our “value added”-based pricing have the references to prove that improving security and reducing costs are no longer contradictory.