Securing FTP with z/OS Security Profiles

Maintaining control over who accesses the data on mainframe systems is crucial. IBM’s RACF and CA’s ACF2 and Top Secret can keep a system fairly secure. But by themselves they are not adequate to protect against dangerous FTP functions. As mainframe handles critical business data and applications, it is very important to have security measures and controls in place. Especially, with z/OS FTP, there are high probabilities of data snooping, which can be avoided using a suitable security software.

FTP with traditional RACF dataset protection
Traditional RACF rules regarding dataset security may restrict users to read-only access. But with FTP, if users can read a file, they can offload that file for their personal use. They can copy your data to a flash drive, or email it anywhere in the world. Thus, restrictions on dataset access fall short of what is needed when standard FTP is available on the mainframe.

Snooping issue with FTP session
Traditionally, mainframe users are a small number of trusted people whose activities are limited by the applications they use. But with standard FTP, almost anyone with a user ID can get on the mainframe and snoop around. Any hacker who manages to get a user ID can use a ‘/u’ command, for example, to list the contents of that user’s workspaces, and maybe retrieve files.

The SITE command and the issues
z/OS FTP SITE commands are not standardized; they vary from server to server. They are useful for handling things like file permissions and group memberships. However, they can also allow dangerous operations over the network. For example, with the FILETYPE=JES command, an FTP client can submit jobs to, and pull reports from, the JES queue. SITE can also be used to change permission bits for a file, or to list detailed information about the storage devices on the network.

Treating FTP functions as protectable resources
Thus, basic protection mechanisms are not enough to secure z/OS FTP and make it a true enterprise-class protocol. You can solve that problem, however, by implementing software that wraps around FTP resources and protects them with RACF security profiles. It will create a link between z/OS FTP servers and z/OS security that will restrict the usage of unwanted FTP commands.

By using security software for z/OS FTP, the mainframe administrator can selectively restrict access to FTP functions and commands. He can allow FTP users to transfer the files they need, while preventing them from using FTP to snoop around. Thus you can make RACF into a complete security solution for protecting your mainframe system from malicious behavior through FTP.