Continuous Security Hardening and Monitoring for IBM® z/OS® Mainframes and Databases Using Qualys Policy Compliance

Anu Kapil

Mainframes are a key infrastructure component for many enterprises worldwide. Arguably the most secure, reliable, and efficient computing platform, mainframes hold some 70% of the world’s business-critical data. Even though they are highly secure and resilient, it’s a common misconception that mainframes are not exposed to security risks. In fact, however, they are susceptible to many of today’s most sophisticated threats.

With the rise in modern cyberthreats and ransomware attacks, as well as increasing regulatory mandates, organizations need to implement robust security measures to protect the critical resources that reside on mainframes and ensure regulatory compliance. To do so requires overcoming mainframe security challenges, which is the subject of this post.

Mainframe Security Challenges

  • Manual audit methods are not scalable — Many organizations are not assessing their IBM z/OS architecture mainframes and Db2 databases for configuration compliance, or if they are, they are doing so manually. Manual audit methods are not scalable and are very time consuming.
  • Customized script updating — Using internally developed scripts may work at first. However, as an organization’s needs change, it may lack the resources required to update the scripts in a timely manner in order to meet its configuration check requirements.
  • Using point solutions that don’t do what needs to be done — If an organization’s legacy solutions don’t provide a consolidated view of its data resources and its constantly changing IT environment, the organization is unlikely to meet its regulatory requirements.

Qualys z/OS Mainframe Security Solutions

Organizations are looking for a trusted and reliable solution that enables them to assess configuration compliance in their environment and review the results, all from a single platform. Qualys is now meeting the challenge, providing a new and improved, innovative solution. Qualys Policy Compliance (PC) has expanded its agentless scanning capabilities by adding coverage for the z/OS 2.3 and 2.4 systems with RACF (Resource Access Control Facility) and Db2 11 and 12 instances running on z/OS. Adding this capability to the PC module enables organizations to scan configuration settings, proactively assess for configuration weaknesses, and prioritize remediation activities to better align with their organization’s configuration standards — all in one place.

Further, with Qualys Policy Compliance (PC), internally developed scripts can be replaced by an agentless scanner combined with Qualys library policies and controls. The agentless scanner can be configured to authenticate and retrieve control settings on any scheduled or ad-hoc basis. This ensures that recommended hardening guidelines are configured, logged, and tracked, providing consistent and continual security across all digital assets.

Assess with Out-of-Band Configuration Assessment (OCA)

If it isn’t feasible to perform authenticated scans on any z/OS servers because of the criticality of the data that they process, Qualys lets you assess z/OS configuration compliance using the Qualys OCA sensor. Qualys OCA allows you to export the z/OS configuration manually, upload the configuration to Qualys, and assess configuration compliance using Policy Compliance. OCA effectively evaluates a mainframe’s compliance in a step-by-step manner, presenting a clear picture of the assessment status with the help of widgets on your Qualys dashboard.

Mainframe Compliance Assessment with Qualys Policy Compliance

Identify z/OS Assets Comprehensively

Qualys CSAM (CyberSecurity Asset Management) provides a comprehensive view of your Inventory and makes it easier to identify all IBM z/OS assets. Once the assets are identified, they can easily be grouped together with a dynamic tag (e.g., IBM z/OS). Tagging makes the grouped assets available for managing, querying, and reporting throughout the Qualys Cloud Platform, as shown below.

Content-Rich Library for z/OS and Db2 Policies

Qualys PC’s content-rich library provides ready-to-use security policies that are highly scalable and easy to deploy. Qualys’ controls and compliance checks are capable of pointing to vulnerabilities as well as potential weaknesses in microservices with absolute precision. By simply importing policies for IBM z/OS Security Server or z/OS Db2 databases, you can assign dynamic tags and continue your assessments.

Authenticated Scanning

Qualys leverages SSH to connect to z/OS and uses the OS shell to perform authenticated compliance scans for z/OS target systems. A new PC target option called IBM z/OS Security Server RACF has been added to Unix Authentication Record. By selecting this target type option while creating a Unix Authentication Record, you can perform a compliance assessment on z/OS by launching a PC scan.

Qualys performs Db2 scanning by connecting to the remote port that the database server is listening on. The z/OS target needs to have an external IP and have the Db2 database port bound to that IP. Qualys has provided a set of scripts to help you set up an account and the privileges that need to be established prior to running scans. These scripts require an administrative account. Online Help provides scripts, tips, and best practices for setting up IBM Db2 for z/OS authentication for compliance scans.

Insights into the Current Posture of Assets and Controls

The compliance posture of Controls and Assets with z/OS and databases running on z/OS can be viewed under the Posture tab as shown below. The posture tab enables you to track compliance posture based on assets, criticality, technologies, and other factors in order to prioritize and remediate high-risk assets.

With unified, customizable dashboards, you can quickly analyze compliance and risk posture across the entire organization and all of its business units. Customizable widgets make it easy to drill down into the posture of assets, identify compliance drift from best practices, and prioritize remediation action to fix misconfigurations based on criticality and other factors.

Monitoring and Reporting Against Compliance Mandates

It’s imperative to collect and analyze data for compliance and configuration management activities. Qualys PC’s comprehensive reports provide all the details you need to make informed compliance and risk decisions, so you can withstand security audits and reduce risk. Qualys PC provides in-solution reporting with suggested remediation steps as well as a robust API to import the information into external systems. You can customize and schedule reports weekly or monthly per business needs.

Mandate-based reporting simplifies the process of reporting on the compliance posture of assets to help comply with external regulations and multiple security mandates. With mandate-based reporting you can choose a mandate that you want to comply with and get your organization’s compliance score in terms of several selected mandates, including PCI DSS, STIG, GDPR, and many more.

Enhanced Security and Assessment

To reduce the attack surface, strengthen your organization’s security posture, and ensure compliance, all mainframe systems and running applications must be continuously assessed for misconfigurations and vulnerabilities. Qualys provides a single pane of glass to monitor configuration compliance for multiple technologies. The depth and breadth of Qualys PC helps organizations gain deep visibility through compliance assessments.

Start your Qualys Policy Compliance trial today to assess and secure assets in your environment.

Dig deeper: Assessing Mainframe Compliance While Minimizing Operational Impact
