What is most valuable?
Authentication and authorization. It is a security manager, so it has to validate all accounts that use the mainframe. In terms of authorization, it controls what access those accounts have with the two resources on the mainframe. That's the primary function of the product.
How has it helped my organization?
By securing the mainframe platform and the data that's on it.
What needs improvement?
I've got about 20 or 30 items. I would like to see the ability to create a CFILE backup from a backup. A CFILE is a sequential version of what you've got on your database. If you do it against your live database, you impair performance. I want to be able to create that from a backup of the database. That's one of our primary items that we need. Another item that we need is more capabilities around two-factor authentication (2FA). They are working on two-factor authentication and have been making good progress. It's not quite where it needs to be for us yet.
What do I think about the stability of the solution?
We push it harder than any other organization in the world. We're a very large organization and we run it harder than anybody should. We tend to find its limits. I would say that we're at the forefront of finding issues of scalability. To that extent, we often break it.
What do I think about the scalability of the solution?
There are scalability issues for extreme size. We are extreme. I think last month in terms of security calls, what they call "rock route calls", we executed 165 billion of them.
How is customer service and technical support?
We have an ongoing relationship with technical support. They are excellent.
How was the initial setup?
I've been involved in the setup of multiple CA security systems. Getting it going is very straightforward. To configure it to do what you want, you have to have an extreme knowledge of the z/OS operating system. I wouldn't say the software is hard to setup, but to configure it properly takes much more knowledge than just knowing the software. I've been doing this for 30-some-odd years now.
What other advice do I have?
When selecting a vendor, make sure they can keep up with you. The ongoing development, security, is an ever-changing item and they need to have sufficient development staff and capabilities to keep up with the industry. That is an area where I have a concern, because I don't see them keeping pace with what we're doing. Admittedly, we're at the forefront of a lot of stuff. It's all about the configuration. It's how you use it.
There are only three players in mainframe security. There is RACF from IBM, there's ACF2 and Top Secret from CA. Each has its strengths and weaknesses. RACF is very robust at this point in time, but it takes third-party tools or an extreme knowledge of the z/OS operating system to use it properly.
Top Secret is probably one of the easiest to use, but it's not quite as easy to customize. ACF2 is very, very easy to customize, it takes less technical knowledge than RACF but more than Top Secret. It's really a matter of finding a product that is suited to the way your organization does business. If it's a small organization with little in-depth security expertise, I would recommend Top Secret. If it's a very, very large organization, I would recommend something like RACF or ACF2.