Mainframes are generally used by big organizations that have abundant data – confidential information, business logic, etc. It is very essential for an organization to secure such data and z/OS fulfills this need. It provides security at various levels like at data sets, programs, operator commands and programs that are ready to execute.
z/OS secures data sets
“Data set” is a group of logically related records or data. Each data set has a name. Along with the name, data sets also have profile of the owner of that data set, list of users who can access the data and how much data can be exposed and accessed by each user.There are external security managers (ESMs) in z/OS operating system that perform checks whenever any user tries to access the data. First, it checks whether the user is authentic or not by verifying login details (username and password). Second, it checks list of users who can access the data. If the user is there in the list of accessible users, it then checks how much data can be exposed to him and accessed by him. In this way, z/OS by default is very secured operating system.
It not only protects data from unauthorized users or applications, but also protects data from unintentional destruction of data sets by verifying with various users at different stages whether data can be deleted or not.
z/OS secures programs
Securing programs or applications of your organization is as important as securing the data of your organization because programs are nothing but a part of your business operation. Programs are better protected by z/OS operating system as it manages program libraries (location where all programs that are ready to execute are loaded).
There is a special feature in z/OS called “Authorized Program Facility” or APF. APF identifies and distinguishes system programs (programs that are predefined to z/OS) from user programs on the system. It does not allow user programs to access system’s sensitive information or functions. This is one of the major security features that no other operating system has.
z/OS secures ready to execute tasks/started programs
z/OS operating system provides security to the programs that are developed and ready to execute on the mainframe system. Such programs are called “started tasks”.
Whenever a task or a program ready to be executed is submitted to the mainframe system, it asks for the user ID. Using the user ID, it verifies whether user has all the privileges and rights on the program. If the user ID does not match, then programs are not executed – all programs need not necessarily be good to your organization. Some programs may be sent by attackers and execution of such programs may affect your organization badly.
Users can assign user ID to z/OS in two ways. One is by using procedure table that provides RACF identities to execute your program, and other is by using STARTED class of z/OS operating system.
z/OS secures operator commands
It is not only the data sets and the programs that z/OS protects, it also secures organizations from commands that may modify or destroy existing information and resources of your organization.
z/OS controls unauthorized users from entering and processing commands. z/OS restricts the users from entering the console and processing commands. External security managers (ESMs) available in mainframe system such as RACF, etc. prevent unauthorized users from processing commands to mainframe system and ESMs always alert administrators by telling them who entered the system and what commands they are issuing.
z/OS operating system is different and secured compared to other operating systems. It can provide strong security to data, programs, commands and resources of your organization.