Secure Operations with the LzLabs Software Defined Mainframe

Ensuring data integrity and protection is undoubtedly a top priority for every organisation. In this technology blog, we will dive into the realm of security operations within the Software Defined Mainframe® (SDM). We will explore how the SDM enables secure administrative tasks, user access and permissions management, and seamless integration with legacy environments. 

Why is this relevant to the CIO? 

The SDM enables secure administration of legacy applications using standard Linux tooling, requiring less specialised skills, and enabling a higher degree of automation and integration into modern solutions. Using standard dashboard solutions provides improved visibility and deeper insight into your legacy applications, all in a more cost-effective way. 

Benefits of SDM Compatibility 

One of the standout features of the SDM is its compatibility with standard Linux environments. This compatibility allows you to harness the power of Linux within your SDM operations. Here are some key benefits: 

  • Linux integration: From your Linux shell scripts, you can seamlessly interact with the SDM’s legacy application environment. For instance, you can submit and monitor jobs, query for job results, extract data sets, and transfer data between Linux and legacy environments. 
  • Legacy integration: The SDM also supports the integration of Linux into the legacy environment, enabling legacy applications to trigger Linux processes. You can extend JCL (Job Control Language) jobs with LZXSHELL steps to run POSIX shell scripts triggered by legacy applications. This integration streamlines your workflows and facilitates dynamic interactions between environments. 
  • Single sign-on: The concept of “authenticate only once” simplifies the user experience and enhances security. If you are already authenticated as an SDM user in the Linux environment, you will not need to re-authenticate when interacting with the SDM or legacy environment. 
  • Granular permissions: The SDM offers mechanisms like “surrogate” on the legacy side and “sudo” on the Linux side for temporary identity context switches when using multiple accounts per user, or service accounts. This minimises the need for repeated password entry while maintaining security. 

Building Blocks of the SDM’s Security 

Application Environment 

Understanding the application environment within the SDM is crucial. Here, you have much more fine-grained control over permissions and authorisation compared to typical Linux applications. Legacy applications often require complex authorisation checks, which LzVault efficiently handles. 

LzVault: Real-Time Database 

LzVault uses an in-memory, real-time database residing in shared memory on Linux. It optimises authorisation checks, ensuring rapid response times and optimal performance for legacy applications. By minimising LDAP queries, it streamlines authorisation processes. It is kept up to date by the SDM’s LDAP service. 

LzVault OTC: One-Time Credential Service 

For secure access to REST APIs within the SDM, the SDM provides LzVault OTC (One-Time Credential Service). This service generates time-limited, one-time-use credentials for authorised users. It eliminates the need to store passwords in scripts, enhancing security and automation. 

SMF Records: Auditing and Monitoring 

System Management Facility (SMF) records play a vital role in auditing and monitoring on the mainframe. The SDM supports SMF records for auditing purposes, allowing legacy applications to access and process them. These records provide valuable insights into user activities and system events and enable the detection of unfolding security incidents. 

SDM security tracks three primary event categories in SMF: 

  • Authentication Requests: Records login and logout events, enabling you to monitor user access to the SDM. 
  • Authorisation Events: Captures authorisation-related actions, such as queries and access requests within the legacy environment. 
  • Administration Events: Monitors changes to the security database, including user additions, modifications, and deletions. 

Administrative Tasks in the SDM 

To kick things off, let us delve into the core administrative capabilities within the SDM. Administrative tasks in the SDM involve logging in as an administrator via SSH or other methods, which lands you on the Linux command line of the SDM’s host. 

This Linux environment acts as your gateway to a wide range of possibilities. Here is where you can: 

  • Run automation scripts: The SDM provides full compatibility with standard Linux environments. This means you can execute automation scripts, including those written in popular modern languages like POSIX shell, Python, Perl, Lua, Ruby, and more. 
  • Inspect SDM: You have the power to investigate the SDM environment, understand its configurations, and monitor its activities. 
  • Perform maintenance activities: Carry out tasks such as backing up and restoring your legacy application data, applying hotfixes or updates to Linux, the SDM or the legacy applications, and cleaning up stale data caches and temporary files.
  • Monitor Linux and legacy application activities: Stay on top of everything in your Linux environment, from system processes to user interactions. 

Operational Tasks in SDM Security 

In your day-to-day SDM operations, you will primarily focus on identity and authorisation management: 

  • Identity Management: Handle new user onboarding, temporary account disablements (e.g., leaves), and account terminations. Consider integrating the SDM with an Identity and Access Management (IAM) solution for streamlined processes. 
  • Authorisation Management: Define or modify profiles, access levels, and permissions. Utilise groups for efficient permission management, especially for role-based access control.
  • Interactive exploration and rapid changes: The SDM user interface (UI) is valuable for interactive exploration and rapid one-off changes. It allows administrators to navigate user, group, and class configurations visually and troubleshoot security settings efficiently. 

Conclusion 

Security operations within the Software Defined Mainframe (SDM) are integral to maintaining a robust and secure data management system. The SDM’s compatibility with standard Linux environments, granular permissions control, and the integration capability with legacy environments empower administrators to manage identity and authorisation effectively. 

By understanding the intricacies of SDM security, you can navigate its complexities and ensure the integrity of your data while optimising operational tasks. Whether you are working within the Linux shell, interacting with REST APIs, or monitoring legacy applications, the SDM provides a secure and efficient environment for modernised legacy operations. 

 
