Securing z/OS FTP with RACF

The Problem

z/OS FTP provides access to all files, datasets and batch output resident on a z/OS system. However, it runs with a very simplistic security model that is not adequate for protecting remote access to critical corporate data. Access to datasets, files and batch output via z/OS FTP is controlled by the access authority of the TSO ID used to log onto FTP. This security model is a holdover from the days when mainframe access was primarily through TSO, using connections secured on the corporate network. FTP connections can come from anywhere, though (mobile devices, laptops, etc.). Any file or batch output that the TSO ID has read access to can be downloaded to the FTP client, regardless of where the client is located (behind or outside the firewall). This exposes sensitive company data to the risk of a breach.

What does FTP/Guardian do?

FTP/Guardian enables a company to control exactly who can access z/OS FTP, from where, and what they are authorized to do with it, by writing SAF security rules (RACF, Top Secret or ACF2). FTP/Guardian sits in the middle of every request made from an FTP client to z/OS FTP (connect, change directory, upload, download, delete, rename, etc.). FTP/Guardian checks with SAF to see whether the FTP client is authorized to issue the request, taking into account the type of request and where the FTP client is running (IP address). SAF security rules can be written to allow some activity and block other activity.
  • Access to sensitive data can be allowed to FTP clients running behind the company firewall and blocked to FTP clients running outside the firewall.
  • Downloads of sensitive data can be blocked for some TSO IDs and allowed for others, even though they all have read-access authority for the datasets/files.
  • Downloads of job output (which can contain sensitive data) can be enabled for some users and disabled for others.
  • Access to zFS folders can be controlled on a case-by-case basis and can take into account where the FTP client is running.
FTP/Guardian enables implementation of a much more granular security model for access to corporate data via FTP clients.

Enhanced FTP, FTPS and SFTP Security

FTP/Guardian works with IBM z/OS FTP, which supports FTP and FTPS connections. It also supports the SFTP server Co:Z SFTP from Dovetailed Technologies. Co:Z SFTP is free, runs on z/OS and provides a full-featured SFTP implementation. The same security rules that you write for controlling access to and usage of z/OS FTP will work with Co:Z SFTP without any modifications.
