What is most valuable?
Ease of use and robust automated security administration and reporting are features any mainframe shop needs and should have. The cost of investing in such products will usually offset the expense associated with the DB2 environment and the efforts to protect those data resources associated with it.
How has it helped my organization?
When new DB2 resources are introduced into the environment, the Vanguard Administrator product allows us to quickly build the required RACF security rules and access lists. There are features in the Administrator product that automate the tedious security administration efforts. The Vanguard Advisor product provides a mechanism for monitoring the RACF/DB2 environment, identifying and reviewing security violations that occur, etc. As stated earlier, we also use Vanguard Integrity Professional’s “Security Center” product for RACF DB2 administration. The Security Center has a direct GUI interface to RACF. As such, it does not require the RACF administrator to use TSO to define or change RACF security profiles associated with DB2.
What needs improvement?
It is worth noting that the RACF security product is used to safeguard the DB2 environment on the mainframe. This allows us to maintain all security rules for resources on the mainframe using the RACF security product. Some shops I have worked in do not use external security managers like RACF, Top Secret or ACF2 to protect the DB2 environment. I have seen instances where installations with DB2 use native internal security.
If an installation does not use an external security manager product like RACF, Top Secret or ACF2, then native internal DB2 security would have to be used to safeguard DB2 resources. This results in the DBAs being responsible for security profiles that protect DB2 resources. It's better to let the DBAs do the job they do best; that is, define the resources and then let the security team protect them accordingly, with their input of course.
For how long have I used the solution?
We have used this solution for approximately 10 years.
What do I think about the stability of the solution?
There were no stability issues.
What do I think about the scalability of the solution?
There were no real scalability issues. Features in the Vanguard RACF security products allow the installation to determine security policy for DB2 resources and build the security rules as needed.
How are customer service and technical support?
I think the Support Team at Vanguard Integrity Professionals is great. I have never had a problem with Support getting back to me in a timely manner with the information I need to resolve issues.
Which solution did I use previously and why did I switch?
We have not used any external security managers other than RACF to safeguard the mainframe DB2 environment. At one point I was involved in looking at IBM’s zSecure product as an alternative RACF security and audit tool.
How was the initial setup?
The initial setup of the automated security products like Administrator and/or Advisor is straightforward. I highly recommend a Systems Programmer install the products to maximize the software investment a company makes.
What's my experience with pricing, setup cost, and licensing?
I am not directly involved with pricing and licensing, but I know that despite the associated cost of the software, prudent and practical use of these products will be cost-effective. Mainframe software, after all, is expensive, and strategically planning a security implementation up front will be beneficial in getting the desired audit and security results.
What other advice do I have?
If your computing budget allows you to get automated security and audit products for your mainframe environment and the applications that run on it, you are fortunate. It is then your responsibility to maximize the software investment to ensure all resources on the mainframe platform are adequately protected.
Truth be told, companies using mainframes spend a lot of money on not just hardware, but the software (DB2/RACF/etc.) that runs on it. It goes without saying that any mainframe installation with DB2 and RACF needs reliable security products to administer the environment, provide security and audit reporting, and streamline efforts to safeguard the environment.
From personal experience, I submit that software that enhances and automates security administration efforts for the mainframe isn’t cheap either. It’s important for a mainframe organization to maximize the financial investment in such tools.
In addition, an installation running DB2 and RACF needs to make an important decision. That is, who will be responsible for securing the environment. If RACF or another external security manager is not used, then internal DB2 security will need to be employed for safeguarding resources. It’s important to have a security process in place to:
- Determine what DB2 resources need protection and identify who the users or groups are that need access, and the type of access (inquiry, update, etc.).
- Audit settings: What type of violations are being monitored and what is the process for reporting them.
- Security reporting: Periodic re-certification of security rules and access lists, etc. Things (access requirements) change over time.
- Change control: Security updates which need to be applied in the event of employee hiring, transfers and terminations. Managing a mainframe environment is difficult enough without having to also worry about security clutter.
Incidentally, this is only a partial list of things to consider when securing a DB2 environment. For example, this write-up doesn’t even address backup, recovery, and/or restoration issues (process/procedures).
In the many years I have been administering RACF and other security, I have come to conclude that perfect security does not exist for any application or specific resource. A practitioner I once observed at a security conference summed it up by saying, "Computer security is a journey that never ends..." Ever-changing new technological developments and access requirements mean you have to adapt accordingly from a security perspective.