The Problem
z/OS FTP provides access to all files, datasets and batch output resident on a z/OS system. However, it runs with a very simplistic security model that is not adequate for protecting remote access to critical corporate data. Access to datasets, files and batch output via the z/OS FTP is controlled by the access authority of the TSO ID used to log onto FTP. This security model is a holdover from the days when mainframe access was primarily through TSO, using connections secured on the corporate network. FTP connections can come from anywhere though (mobile devices, laptops, etc.). Any file or batch output that the TSO ID has read-access to can be downloaded to the FTP client, regardless of where it might be located (behind or outside the firewall). This creates an exposure to breach of sensitive company data.
What does Sentry Guardian™ do?
Sentry Guardian™ enables a company to control exactly who can access z/OS FTP, from where and what they are authorized to do with it, by writing SAF security rules (RACF, Top Secret or ACF2). Sentry Guardian™ is in the middle of every request made from an FTP client to z/OS FTP (connect, change directory, upload, download, delete, rename, etc.). Sentry Guardian™ checks with SAF to see whether the FTP client is authorized to issue the request, taking into account the type of request and where the FTP client is running (IP address).
SAF security rules can be written to allow some activity and block other activity:
- Access to sensitive data can be allowed to FTP clients running behind the company firewall and blocked to FTP clients running outside the firewall.
- Downloads of sensitive data can be blocked for some TSO IDs and allowed for others, even though they all have read-access authority for the datasets/files.
- Downloads of job output (which can contain sensitive data) can be enabled for some users and disabled for others.
- Access to zFS folders can be controlled on a case-by-case basis and can take into account where the FTP client is running.
FTP Guardian enables implementation of a much more granular security model for access to corporate data via FTP clients.
Enhanced FTP, FTPS and SFTP Security
FTP Guardian works with IBM z/OS FTP, which supports FTP and FTPS connections. It also supports the SFTP server Co:Z SFTP from Dovetailed Technologies. Co:Z SFTP is free, runs on z/OS and provides a full-featured SFTP implementation. The same security rules that you write for controlling access to and usage of z/OS FTP will work with Co:Z SFTP without any modifications.