IBM Security Z Security

 View Only

IBM Security zSecure Enhancements for Data Encryption and SIEM Feeds

By Jeroen Tiggelman posted Thu May 17, 2018 12:00 AM

On May 16, 2018 a new service stream enhancement (SSE) to zSecure 2.3.0 has become generally available, providing enhancements for data encryption, data classification, and Security Information and Event Management (SIEM) feeds.



Mainframes continue to be the home for mission critical information and essential  business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. The IBM z14 enables the ultimate data protection of pervasive encryption – while being open and connected in the cloud to speed innovation at lower cost. z/OS V2R3 is designed to provide new policy-based encryption options that take full advantage of the improvements in the z14 platform and can help clients protect their critical business data. The new encryption capabilities and policies apply both to data at rest and to data in flight.

Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and Resource Access Control Facility to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. IBM Security zSecure Audit and IBM Security zSecure Alert also support the security package CA-ACF2. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, and MQ.

IBM QRadar SIEM consolidates log source event data from thousands of devices endpoints and applications distributed throughout a network. IBM Security zSecure allows sending z/OS, RACF, ACF2, Top Secret, Db2, and CICS events from the System Management Facilities (SMF) log to QRadar SIEM enriched with information from the security database and system snapshot (CKFREEZE) information.

zSecure has a very long track record of integrating with Security Information and Event Management (SIEM) solutions, starting with Consul/Enterprise Audit 2.1 in 1999 (a predecessor of Tivoli Security Information and Event Manager). In 2012 a similar integration was established between zSecure Audit and IBM QRadar SIEM. This integration was enhanced to allow real-time operation in zSecure 2.2.1 (2016). A complementary real-time integration between zSecure Alert and IBM QRadar SIEM had already been available since 2012 as well.

The General Data Protection Regulation (GDPR; will be effective as of May 25, 2018) was adopted by the European Union to put in place general privacy protection for its citizens.



Notable benefits include:

  • Support for new function recently shipped in the service stream by DFHSM for key labels for data set encryption (APAR OA52810);
  • Additional data set encryption information from SMF record type 42 subtype 6;
  • The capability to provide a near real-time feed for Security Information and Event Management (SIEM) solutions without the need for SMF log streams.
  • The capability to use mask specifications on the RESOURCE keyword of SIMULATE CLASS=DATASET statements to identify groups of sensitive data sets;
  • A new sensitivity type for GDPR data;
  • Ability to audit Coupling Facility structures;
  • Additional support for Integrated Cryptographic Services Facility (ICSF); in particular, SMF record type 82 subtypes 40-47 key lifecycle and usage records;
  • Currency with ICSF level HCR77C1;
  • Additional reporting on z Encryption Readiness Technology (zERT) information status and configuration (SMF record type 119 subtypes 11 and 32-43);
  • User interface support for searching application data in RACF profiles;
  • A new parameter for the DEBUG command of zSecure Alert to provide details on what SMF record types have been buffered.


Furthermore, this update includes fixes for the following APARs:

  • OA55449 - Support for multiple data set sensitivities for TYPE=SMF;
  • OA54528 - zSecure Alert must retain triggers for simulated sensitivities after an environment refresh.


This update primarily applies to zSecure Audit and zSecure Adapters for SIEM. zSecure Admin, zSecure Alert, and zSecure Command Verifier are also affected.

Documentation updates have been provided in a Technote.


To fully benefit from these enhancements the following is required:


This service stream enhancement enables a new menu option (RE.K.C for Coupling Facility structures), and therefore has a different National Language Support table level. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.


Further reading

If you have any questions, please ask them here or on the zSecure support forum. YThe current zSecure for z/VM release is 1.11.2. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.