Enterprise Knights of IBM Z Community Blog

IBM Z and LinuxONE Community - All Blog Entries

UNIX Superusers

The UNIX superuser Introduction Attackers prefer to target highly privileged users. On a UNIX operating system, the preferred target is a superuser, often referred to as the ‘root user’. By definition, a superuser is one with a UID value of 0. On z/OS UNIX, that definition is extended to include started tasks with the TRUSTED or PRIVILEGED attribute. The design of RACF supports separation of duties. For example, a user with the OPERATIONS attribute is allowed to access data, but not manage that access. A user with the SPECIAL attribute is allowed to manage security, including access to resources, but is not (directly) allowed ...

UNIX Users and Groups

z/OS UNIX System Services Users and Groups Introduction In my previous articles, I discussed file and file system security. We saw the concept of a user owner and a group owner for files and directories. In this article, I discuss what those owners are, how they are represented in UNIX, and how they are defined to RACF. I then cover some hints and tips on managing the assignment and the de-provisioning of these IDs. My next article, “UNIX Superusers”, will cover the extremely important topic of the highly privileged UNIX superuser. UNIX users Say you have a RACF user ID named SNEHA with a default group of EKNIGHTS. How ...

UNIX File Security

z/OS UNIX System Services File Security Introduction In my previous article “UNIX File System Security”, I discussed file system security, concentrating on security controls available at the file system aggregate level. In this article, I discuss file security. That is, security controls around individual file and directory access and logging. Because it gets tedious to constantly type (and to read) “file and directory” security, I will shorten this to “file” security throughout this article, unless I need to specifically discuss directories (and I will). If it makes you feel better, however, a directory is just a special type of ...

UNIX File System Security

z/OS UNIX System Services File System Security Introduction We in z/OS development often get questions like: “How do I secure UNIX System Services?” It’s a difficult question to answer since z/OS UNIX is an entire operating system within an operating system. It’s akin to asking: “How do I secure z/OS?” You won’t get a quick and easy answer. But we must start somewhere. In the past, I’ve written presentations that try to separate UNIX security into managing identities and managing the file system. For this article, I’ll focus on the file system. But even that is a very broad topic. So, I’ll start at the top and limit myself ...
At the beginning of this year we held our 2nd free and virtual Enterprise Knights Days conference where we had many wonderful presentations given by our renowned SMEs on a variety of cybersecurity and resiliency topics. We've since published their Knights Insights PDFs and videos in this user group within the library section and in a collection of blog posts respectively. I'm happy to announce we now have a course and badge where you can prove your understanding of the risk-mitigating solutions you can learn about in these Knights Insights presentations! This course is for students, clients, IBMers, and anyone interested in learning about recent cybersecurity ...
Hello and happy Friday! I'd like to introduce our collaborative event taking place next week: IBM Z Xplore's Cybersecurity Takeover Week! In this coming week, IBM Z Xplore will be releasing self paced educational content on their platform ( https://ibmzxplore.influitive.com ) which includes learning from 5 Enterprise Knights Insights videos each day and demonstrating understanding of the material by earning an 80% or higher on each of the related quizzes. Additionally, there will be a fun online Cyber Security MUSE card game leaderboard contest that will be announced next week, and an event on Thursday, October 13th, from 12:30 - 1:30pm EST featuring a live ...
Below we have some great content from our recent, free, virtual Enterprise Knights Days conference. If you weren't able to attend, or wanted to review the technical information you learned about, you're in luck! Here are 4 of the Knights Insights presentations we had on day 4 of our conference, specific to the topic of "Encryption and Data Privacy". "Why Is There Trusted Key Entry?" by Garry Sullivan (PDF) "Data Set Encryption & the Ecosystem" by Ceci Carranza Lewis (PDF) "EKMF Web: Keys for the Hybrid Cloud" by Max Weiss (PDF) "Enforcing Network Encryption Strength" by Chris Meyer (PDF)
Below we have some great content from our recent, free, virtual Enterprise Knights Days conference. If you weren't able to attend, or wanted to review the technical information you learned about, you're in luck! Here are the 5 Knights Insights presentations we had on day 3 of our conference, specific to the topic of "Resiliency". "Parallel Sysplex Foundations" by Dave Surman (PDF) "Availability and Resiliency with GDPS on IBM Z" by Dave Clitherow (PDF) "System Recovery Boosted!" by Jake Snyder (PDF) Check out our detailed FAQ to learn all you need to know about System Recovery Boost: https://www.ibm.com/downloads/cas/1NWEJKOX ...
Below we have some great content from our recent, free, virtual Enterprise Knights Days conference. If you weren't able to attend, or wanted to review the technical information you learned about, you're in luck! Here are the 5 Knights Insights presentations we had on day 2 of our conference, specific to the topic of "Authentication and System Integrity". "MFA on Linux on Z!" by David Rossi (PDF) "Digital Certificate Diagnostics in Communications" by Matt Talbot (PDF) "Kerberos, the 3-Headed Watchdog" by Sudha Dhanwada (PDF) "Software Update for Recommended PTFs, including SECINT!" by Marna Walle (PDF) "Vulnerability ...
A big thank you to everyone who participated in our Enterprise Knights Days virtual conference! If you weren't able to attend, or wanted to review the technical information you learned about, you're in luck! Here are the 5 Knights Insights presentations we had on day 1 of our conference, specific to the topic of "Managing access and logging". "IBM Z & Zero Trust" by Mike Jordan (PDF) "Zero Trust in RACF: Moving Toward Least Access Privilege" by Mark Nelson (PDF) "For the Shell Seekers: Securing z/OS UNIX" by Ross Cooper (PDF) "Crypto Usage Tracking" by Eysha Shirrine Powers (PDF) "Securing Configuration for Compliance" ...

Thwarted by IBM Z! - Episode 10

Good Networking - six z/OS network security technologies you should know about I've had multiple conversations with z/OS administrators and system programmers who figured that, between using TLS on z/OS and their company's firewalls, their z/OS systems had plenty of protection from a network security perspective. Each time, I've explained that while firewalls and TLS are extremely important, they alone do not constitute iron-clad network security for z/OS. So what other measures can be taken? Glad you asked! Here are six z/OS TCP/IP network security technologies that you should know about and explore. And make sure to check out the link at the bottom ...

Thwarted by IBM Z! - Episode 9

The Key Web UI What is the life of a cryptography key? Is it 1 day, 1 month, 1 year, 5 years? To truly answer this question, you must step back and ask a better question… What is the life of the data protected by the key? A single financial transaction may take less than a second. An insurance document may exist for decades. The life of a cryptographic key must match the life of the data that it protects. What are operational and application keys? Operational keys, such as z/OS data set encryption keys, can be differentiated from wrapping keys (including master keys). Operational keys are utilized for various cryptographic operations ...
With the introduction of pervasive encryption in 2017, many clients have embarked on their journey to protect their enterprise data with z/OS data set encryption in an attempt to help satisfy regulatory compliance and to help mitigate the risk of a data breach. I have disk hardware level encryption. Isn’t that sufficient? There are different layers of encryption for data at rest: full disk and tape encryption; file or data set encryption; database encryption; and application encryption. Hardware level encryption is still recommended for all storage devices where supported. Full disk and tape encryption provides 100% coverage for data at rest at the ...

Thwarted by IBM Z! - Episode 7

As the security landscape and compliance requirements continue to evolve, it is imperative that your ICSF environment is configured correctly. Below are some potential ICSF misconfigurations, the risks involved, and recommendations to remediate them. Not SAF protecting the ICSF Key Data Sets The ICSF Key Data Sets (KDS) contain the CCA keys or PKCS #11 objects used to perform cryptographic operations within ICSF services. While usage of the keys can be restricted using either the CSFKEYS class for CCA keys or the CRYPTOZ class for PKCS #11 objects, access to the Key Data Sets themselves should also be protected using the DATASET class. Risk While ...

Thwarted by IBM Z! - Episode 6

What is the IBM z/OS Authorized Code Scanner (zACS)? The IBM z/OS Authorized Code Scanner is an optional priced feature designed to help users protect the integrity of their z/OS system. The scanner targets program call and supervisor call routines which may be run by unauthorized callers, and alerts users to potential integrity vulnerabilities within these routines. Here is a quick rundown of the importance of zACS and how you can get started using it today. What is System Integrity? System integrity is the inability of any program not authorized by a mechanism under the installation’s control to circumvent or disable store or fetch protections, access ...

Thwarted by IBM Z! - Episode 5

Introduction How do I secure thee, let me count the ways? Well, one critical step is making sure you have a solid enterprise patch management strategy that includes your IBM Z. IBM Z includes not only your operating systems, such as z/OS, z/VM, Linux on IBM Z, etc., but also the middleware and application deployment environments, such as CICS, DB2, and Java. And let us not forget that IBM Z hardware and firmware need to be monitored for possible security patches or mitigations as well. This means you need a plan to ensure all the latest service is applied to your system, which includes security and integrity service, in addition to HIPERs and regular maintenance. ...

Thwarted by IBM Z! - Episode 4

IBM Z solutions can process billions of high-value transactions per day. The platform is built to be reliable, scalable, and securable for the enterprise’s most critical data. “Securable” includes choices: business decisions related to mitigating risk - and if you’re authenticating users with passwords alone, it may be time to go multi-factor. What Is Multi-Factor Authentication? Multi-Factor Authentication (MFA) is a technology that provides more than the secret knowledge of a password or passphrase to complete a user’s authentication to the system. How does it do this? MFA inspects multiple identifying factors associated with a specific user ...

Thwarted by IBM Z! - Episode 3

Authentication is one of the pillars of cybersecurity. It’s crucial that installations have a high level of confidence that users ‘are who they say they are’ before they gain access to a system and to the critical data and processes it manages. There are many considerations and configuration options regarding authentication on z/OS that can have a real impact on an installation’s security posture. z/OS authentication features have been advancing and evolving for decades. Today’s systems can authenticate users with traditional passwords and password phrases and more advanced mechanisms like Multi-Factor Authentication (MFA), PassTickets, JSON Web Tokens (JWT), ...

Thwarted by IBM Z! - Episode 2

It's no secret that protecting your security database is one of the most important foundational security actions that you can take. It’s essential that only a very small number of users and jobs have access to your security database, most likely for backup and recovery purposes. Do you have the same level of control on all of the copies of your security database, including those which you use to audit and monitor your security controls? It's not unusual to find installations which have less restrictive controls on these copies and in some cases, these security databases have been offloaded to other systems and other platforms for "ease of access and analysis". ...

Thwarted by IBM Z! - Episode 1

This blog series will be covering a variety of topics around security and IBM Z. But before we go too far, let’s take a step back and review the foundation of architectural authorization for z/OS. What does it mean for a program to be authorized, how does it become authorized, and how do you mitigate risk from these authorized programs? Authorized programs Let’s start with three types of authorization. APF-authorization The Authorized Program Facility (APF) is used to identify programs that are allowed to run authorized. Authorized libraries are defined in an APF list or in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA). ...
Hello! This is Chris DeRobertis, known to most as Dero. I’m the Chief Product Owner of IBM z/OS Security and Secure Engineering. I’m also a threat modeling subject matter expert, an IBM Master Inventor, and a relentless advocate of “good” security hygiene. In my experience, “good” security hygiene is the foundation of an enterprise’s security ecosystem and can be understood in terms of three dimensions. 1 – WHAT is security hygiene? In a nutshell, it’s the basic, fundamental, and baseline security policies, practices, and procedures that help protect data, information technology assets, and personnel from common types of threats and attacks. In addition ...

Thwarted by IBM Z! - Trailer

Welcome one and all to the Enterprise Knights of IBM Z User Group! My name is Sneha Kanaujia and I'm the new Associate Product Manager for z/OS Security at IBM. I joined IBM last summer, in the midst of the global pandemic, after completing two summer internships with the RACF team. In my new role, I quickly found that there is a lot to learn when it comes to security on the z/OS platform. Since joining, I've been making the journey to develop my skills and knowledge with a goal of paving better avenues for others to learn as well. In the spirit of sharing knowledge, at the beginning of 2021, we kicked off our very first Enterprise Knights Days virtual conference, ...

Knight-Errant Knowledge Badge

Our original set of Enterprise Knights videos, launched back in 2017, has been relocated to the IBM Media Center, with a fully automated quiz now available at IBM Training to qualify for the Knight-Errant Knowledge badge. Enjoy this collection of system integrity topics, security component overviews, and encryption concepts covered in this introductory series. IBM Z Security Portal Common Vulnerability Scoring System Three Properties of Authorization ETDEF Untrusted Registers of PC and SVC Target Routines Untrusted Indirect Parameters Authorized QNames Control Block Masquerade Buffer Overflow ...

Trusted Key Entry (TKE) Wizards

Have you ever wondered what the Trusted Key Entry (TKE) product is or what the fastest way is to learn about it? If so, read on. But before you can talk about Trusted Key Entry, you have to understand the basics of Hardware Security Modules (HSMs) on IBM Z and LinuxONE servers. IBM sells FIPS-evaluated Hardware Security Modules, or HSMs. You may know them as the Crypto Express cards or modules. They are installed in IBM Z and LinuxONE servers. Each HSM has up to 85 domains. Each domain has a set of master keys and settings that control what services or capabilities may be used by applications. HSMs are mission critical when running applications or various offerings ...

M.U.S.E. CUES

M.U.S.E. CUES is an online card game designed to advocate a stronger cyber security and resiliency posture on IBM Z through informed risk mitigation decision making. The goal of the game is to mitigate risks and maximize your score in a set number of turns. Play the game now: www.ibm.biz/musecues See our in depth overview and instructions on the game here: M.U.S.E. CUES Instructions Comment below your thoughts on the game or your highest score yet!

Enterprise Knights Days

Thank you very much to everyone who participated in our first ever Enterprise Knights Days conference, hosted in two different time zones this quarter! During this conference we started each day off with a challenge or two of the Secure Z Escape Room. We covered a variety of topics relating to the “M.U.S.E.” categories: (M)anaging Access and Logging, (U)ser Authentication and Analytics, (S)ystem Integrity and Availability, and (E)ncryption and Data Privacy. We had SME Lightning Talks, Security Guru Game Shows, and Ask-Me-Anything sessions with these SMEs. And along the way, we shared collectible customized cards from our new cyber security & resiliency ...