Z Security

IBM Security zSecure 2.3.1

By Jeroen Tiggelman posted Mon September 17, 2018 02:14 PM

IBM Security zSecure Suite 2.3.1 was announced on July 17, 2018 with a planned availability date of September 14, 2018. You can read the US announcement letter here. This release provides extended coverage for z/OS pervasive encryption, DISA-STIG, and GDPR, extends integration with IBM QRadar SIEM and Micro Focus ArcSight, and provides currency with DISA-STIG 6.36 and ICSF HCR77C1.


Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. The IBM z14 enables the ultimate data protection of pervasive encryption – while being open and connected in the cloud to speed innovation at lower cost. z/OS V2R3 is designed to provide new policy-based encryption options that take full advantage of the improvements in the z14 platform and can help clients protect their critical business data. The new encryption capabilities and policies apply both to data at rest and to data in flight.

Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. When an access check occurs in a resource manager (i.e., a program that must make an access decision about the use of certain resources) the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF, then SAF will forward the question to that External Security Manager (ESM) and return the answer (allowed/protection undefined/denied).

IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, and MQ.

IBM QRadar SIEM consolidates log source event data from thousands of devices, endpoints, and applications distributed throughout a network. IBM Security zSecure allows sending z/OS, RACF, ACF2, Top Secret, Db2, and CICS events from the System Management Facilities (SMF) log to QRadar SIEM enriched with information from the security database and system snapshot (CKFREEZE) information.
Micro Focus ArcSight Enterprise Security Manager is a Security Information and Event Management (SIEM) solution from Micro Focus.
zSecure's track record for integrating with SIEM solutions goes back to 1999. In 2012 integration into QRadar SIEM was made available both for events and for alerts. Integration of alerts into ArcSight was made available in zSecure 2.3.0 (2017). Near real-time capabilities were provided in zSecure 2.2.1 (2016) and enhanced in May 2018.

The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and GSD331/ISeC (a global services document with information security controls documentation from IBM).
The General Data Protection Regulation (GDPR; effective since May 25, 2018) was adopted by the European Union to put general privacy protection in place for its citizens.


IBM Security zSecure 2.3.1 provides
* support for Integrated Cryptographic Service Facility (ICSF) SMF record type 82 subtypes 40-47 (key lifecycle, key usage, etc.);
* support for z Enterprise Readiness Technology (zERT) SMF record type 119 subtype 12 (zERT summary);
* support for auditing Coupling Facility encryption policies;
* additional pervasive encryption support as described for the May 2018 service stream enhancement (SSE);
* support for near real-time SIEM without the need to implement SMF log streams, as described in the same article;
* support for sending enriched SMF events to ArcSight;
* a new sensitivity type for GDPR data;
* comprehensive STIG compliance controls for RACF (and enhanced coverage for ACF2 and Top Secret);
* a redesigned AU.R (rule-based compliance) user interface menu for easier control configuration options;
* capability to O(verride) the automatically determined compliance status;
* capability to A(ssert) compliance status on the test or domain levels;
* a "zSecure Extra" standard (formerly "STIG plus") that includes compliance auditing for the Coupling Facility;
* a new report for identifying weak passwords that are encrypted with KDFAES (in AU.S RACF user);
* a new menu option RE.T(rusted) for ACF2 and many other ACF2 enhancements as described for the December 2017 SSE;
* a new report type DB2_ACCESS as also described for that SSE.
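
The SMF record types listed above are what any z/OS-to-SIEM feed of the kind described in this post has to recognise before it can enrich or forward them. As an added illustration (this is not zSecure code), the following Python decodes the standard z/OS SMF record header, including the subtype extension, and flags the ICSF type 82 subtypes 40-47 and zERT type 119 subtype 12 records that 2.3.1 adds; the header offsets follow the documented SMF header layout, text fields are EBCDIC (cp037), and the three sample records are constructed rather than captured.

```python
import struct
from datetime import date, timedelta

# Standard z/OS SMF record header. Records that use subtypes (types 82 and
# 119 do) carry a 6-byte extension; bit 1 of the flag byte says so.
#   0 SMFxLEN 2  record length   |  6 SMFxTME 4  hundredths of sec since midnight
#   2 SMFxSEG 2  segment desc.   | 10 SMFxDTE 4  packed 0cyydddF (c=1 -> 20yy)
#   4 SMFxFLG 1  0x40 = subtypes | 14 SMFxSID 4  system ID (EBCDIC)
#   5 SMFxRTY 1  record type     | 18 SMFxSSI 4 + 22 SMFxSTY 2 (extension)
BASE = struct.Struct(">HHBBI4s4s")   # 18 bytes
EXT = struct.Struct(">4sH")          # 6 bytes, present only if SUBTYPES_USED
SUBTYPES_USED = 0x40

# Type/subtype coverage the post lists as new in zSecure 2.3.1.
NEW_IN_231 = {82: (range(40, 48), "ICSF key lifecycle/usage"),
              119: (range(12, 13), "zERT summary")}

def packed_date(raw):
    d = raw.hex()  # "0118260f" -> century 1, year 18, day-of-year 260
    year = 1900 + 100 * int(d[1]) + int(d[2:4])
    return date(year, 1, 1) + timedelta(days=int(d[4:7]) - 1)

def parse_header(rec):
    """Decode the header; subtype/subsys are None for records without them."""
    length, _seg, flg, rty, tme, dte, sid = BASE.unpack_from(rec, 0)
    if length > len(rec):
        raise ValueError("truncated record: header says %d, got %d" % (length, len(rec)))
    hdr = {"type": rty, "subtype": None, "subsys": None, "secs": tme / 100.0,
           "date": packed_date(dte), "system": sid.decode("cp037").rstrip()}
    if flg & SUBTYPES_USED:
        ssi, sty = EXT.unpack_from(rec, BASE.size)
        hdr["subsys"], hdr["subtype"] = ssi.decode("cp037").rstrip(), sty
    return hdr

def classify(hdr):
    # Returns the 2.3.1 coverage label the record falls under, else None.
    entry = NEW_IN_231.get(hdr["type"])
    return entry[1] if entry and hdr["subtype"] in entry[0] else None

# Constructed sample headers (not captured from a real system), all stamped
# 2018-09-17 13:05:30 on system SYS1. Text fields are EBCDIC (cp037).
STAMP = (4713000, bytes.fromhex("0118260f"), "SYS1".encode("cp037"))
ICSF_KEY_EVENT = struct.pack(">HHBBI4s4s4sH", 24, 0, 0x5E, 82, *STAMP, "ICSF".encode("cp037"), 44)
ZERT_SUMMARY = struct.pack(">HHBBI4s4s4sH", 24, 0, 0x5E, 119, *STAMP, "TCP ".encode("cp037"), 12)
RACF_EVENT = struct.pack(">HHBBI4s4s", 18, 0, 0x1E, 80, *STAMP)  # type 80 has no subtype

if __name__ == "__main__":
    for rec in (ICSF_KEY_EVENT, ZERT_SUMMARY, RACF_EVENT):
        h = parse_header(rec)
        print(h["type"], h["subtype"], h["date"], classify(h))
```

A real record carries its type-specific section after the header; the length check is what keeps a short read from being misparsed as a record with a subtype.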

The STIG standard version level has been upgraded to 6.36.

zSecure 2.3.1 no longer ships the System Data Engine (SDE) component of the IBM Common Data Provider for z Systems (CDP) and no longer supports the CDP keyword on the ALLOCATE statement. If you use CDP for your near real-time integration with QRadar, you must adapt it to use either the z/OS SMF in-memory (INMEM) feature directly or the CKQEXSMF method first made available in the May 2018 SSE to zSecure 2.3.0 (which does not require SMF log streams) before you switch to this release.
zSecure 2.3.1 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.
Run the CKAZCUST job to add new compliance framework configuration members to your CKACUST data set. A few members have been renamed; these are copied automatically. The zSecure Collect component now automatically collects the FTPconfig resources; cleaning up the SIMULATE statements in the existing FTPCNFG member is recommended.
A number of compliance controls have also been renamed. Moreover, the GSD and PCI-DSS standards have been renamed. If you have SUPPRESS STANDARD= directives for these, you must adjust them. See the Release notes for details.

Further reading
What's new for zSecure 2.3.1

If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community. The current zSecure for z/VM release is 1.11.2. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.