Mainframe Cybersecurity & Compliance

 View Only

  • 1.  ACF2/TSS User Group

    Posted May 14, 2025 12:00 PM

    Hello everyone, here are the notes from our last meeting. Our next meeting is scheduled for 18 June at 1000 hrs EDST. 

    Target end of June for next user group meeting

    Attendees:

    • Tom Breuer - Govt of Canada
    • Rose Alvarado - Former SW Area User group chair (TX, NM, AK)
    • Bob Dahlberg - Tech Director for advanced computing in State of VA - Virginia Beach
      • ACF2 Dev Manager
      • Worked for Fed Reserve where he implemented ACF2/TSS
      • Interested in using ZOWE
      • Interested in the Broadcom Vitality Program
    • Joe Denison
      • Access Solutions providing productivity tools via TSSAdmin Express for admin users
    • Bary Schrager
      • Started data security and original author of ACF2
      • CPT Global and Bank of New York Contractor
    • Brian Lesher
      • Broadcom tech expertise with ACF2
      • Worked with Credit Suisse
    • Colleen Springborn - St of MN

    General naming convention

    • Implementing a naming standard
      • Tom reviewed (high level) his Naming Standard for profiles and ACIDs
        • Goals were to make access management easier to understand (future VCAs) and review (for management)
        • For example, for their SCM tool (software code management), he broke up profiles so that they are aligned to proper business organization details so that new admins have an idea of how things are done and validated
        • There is a challenge on cleanning up things
      • Rose - Army Air force started with Y on ACID
        • Mohawk industries and she inherited a 27 page all record, and implemented standards and needed to cleanup
      • Bob - first letter of user id was district and then other naming convention within ACF2 is important for how company defines access
      • They have best practice library and do training as a way to educate
        • Hardest part is to keep the naming convention up to date - some of these things are in LDAP
          • system id, kiosk id, firecall id, application id
          • policy for login id does not work across the board and different naming convention
        • "how to guide" for administrators that was a "little bible" with naming standards
          • utilized pre-fixes for batch processing and starter tasks and tie that back to pre-fix for the shop
          • Need a directory to demystify and tribal knowledge
        • Auditors can also take advantage of the naming convention and document that gets defined
      • CONCLUSION: All agreed that having a naming standard was a best practice.

    Round table ideas for future topics:

    • Provide an education process and getting folks to the user group
    • Education: Someone from ProTech that offers training and they had them involved
    • Any demonstration that can be done with implementing security that is broad strokes and can apply across the board
    • General topics on z/OS security in general like SAF
    • Focused topics can be discussed using breakout groups across ACF2 and Top Secret
    • Bob implementing hybrid cloud using a variety of hardware and software including:
      • RACF
      • z16
      • Power10
      • Intel and NVIDA chips
      • Finding that RACF, Top Secret, and ACF2 are top security tools/systems in the world
      • Verify Access and Verify Privileged on Intel box to do security
        • SAF calls
          • Recommendation: make special rule that allow access to different environments
          • ACEE control block to connect to RADIUS
        • RADIUS calls to do login calls and checks
        • ZOWE is an opportunity to do that
      • Working with EMA and OpenMainframe project
        • "hate to lose the security system"
        • Top Secret and ACF2
          • ACF2 → looks at it from resource
            • "Data is a corporate asset…"
          • Top Secret → looks at it from the user

    #TopSecret