Securing z/OS FTP with RACF
The Problem
z/OS FTP provides access to all files, datasets and batch output resident on a z/OS system. However, it runs with a very simplistic security model that is not adequate for protecting remote access to critical corporate data. Access to datasets, files and batch output via the z/OS FTP is controlled by the access authority of the TSO ID used to log onto FTP. This security model is a holdover from the days when mainframe access was primarily through TSO, using connections secured on the corporate network. FTP connections can come from anywhere though (mobile devices, laptops, etc.). Any file or batch output that the TSO ID has read-access to can be downloaded to the FTP client, regardless of where it might be located (behind or outside the firewall). This creates an exposure to breach of sensitive company data.
What does Sentry Guardian™ do?
Sentry Guardian™ enables a company to control exactly who can access z/OS FTP, from where and what they are authorized do with it, by writing SAF security rules (RACF, Top Secret or ACF2). Sentry Guardian™ is in the middle of every request made from an FTP client to z/OS FTP (connect, change directory, upload, download, delete, rename, etc.). Sentry Guardian™ checks with SAF to see whether the FTP client is authorized to issue the request, taking into account the type of request and where the FTP client is running (IP address). SAF security rules can be written to allow some activity and block other.- Access to sensitive data can be allowed to FTP clients running behind the company firewall and blocked to FTP clients running outside the firewall.
- Downloads of sensitive data can be blocked for some TSO IDs and allowed for others, even though they all have read-access authority for the datasets/files.
- Downloads of job output (which can contain sensitive data) can be enabled from some users and disabled for others.
- Access to zFS folders can be controlled on a case-by-case basis and can take in account where the FTP client is running.
