Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

IBM System z Mainframe and Audit Logging

Posted by Patrick Townsend on Mar 1, 2016 9:11:00 AM

Because Townsend Security provides encryption for IBM System z Mainframes we often get asked about system logging for that platform. Our Alliance LogAgent solution provides system log collection for the IBM i (AS/400, iSeries) platform, so this is a natural question from Mainframe customers.

IBM z/os MainframeWe don’t have a solution for IBM Mainframe customers, but I am happy to report that our partner CorreLog does! IBM System z Mainframe users can deploy the CorreLog solution and get the same types of security event collection and SIEM integration that we provide in Alliance LogAgent. The two products are not exactly the same in terms of features, but CorreLog will give you the security event collection and SIEM integration that you need.

Like the IBM i platform the IBM Mainframe contains a lot of sources for security event information and the data must be transformed into a usable format and transmitted to a SIEM. This is a daunting task for even an experienced Mainframe developer, so this is a perfect area for a third party product. CorreLog has just the right solution to make this happen.

IBM has been enhancing the System z Mainframe to bring it into the modern Internet-connected world. This means you have more security attack points on this venerable platform, and need to deploy modern security tools to protect it. Active monitoring of security audit logs by a SIEM solution is a must-have for Mainframe shops and CorreLog has a great solution.

Infosef Myths DebunkedCorreLog provides their own SIEM solution, but they also integrate with a wide variety of other SIEM vendor solution. You can deploy CorreLog to send security events to IBM Security QRadar, LogRhythm, HP ArcSight, Dell SecureWorks, RSA Envision, and many other SIEM solutions! This also means that you are not locked into any one SIEM vendor and can easily migrate to a new solution if or when you want to.

Another big bonus of the CorreLog solutions is support for File Integrity Monitoring, or FIM. FIM is an integral part of many compliance regulations such as PCI Data Security Solutions, and with CorreLog you can address that need along with the rest of you security monitoring needs. Many IBM Mainframe applications use DB2 files to store configuration information, so the FIM module really helps meet the compliance requirements.

You can get more information about CorreLog here.


Topics: IBM z, Mainframe, logging

Mainframe Myth-Busting: File Integrity Monitoring is Only for Windows/UNIX Security Systems

Posted by Paul Taylor on Feb 16, 2016 8:41:00 AM

"This article was originally posted on CorreLog's blog. CorreLog is a high performance correlation, search and log management company and Townsend Security partner."

That’s the thing about myths: they’re only partly true.

IBM z/os MainframeYes, File Integrity Monitoring (FIM) has been part of the distributed computing landscape for a few years now. And yes, real-time enterprise security monitoring is harder to accomplish in a mainframe environment. But as attacks become more sophisticated, FIM needs to be a key component of the entire network, including your mainframe.

There’s a well-known software vendor that has an antivirus “sandbox” that is used to explode viruses in much like a police bomb squad would do with a suspicious package at a crime scene. After said software suspicious package is exploded, the software vendor adds the footprint to its database and the next time that package comes through the network, if it was clean the first time, it gets let through; if not, it’s blocked.

The tricky part of this story is that hackers are now smart enough to detect when they are about to be put into one of these sandboxes. When the A/V program starts to sandbox, the suspected virus, the virus goes into a cloaking mode to evade the sandbox. The A/V tool gives the executable a passing grade and there you have it; virus enters network.

Infosef Myths Debunked

Chances are you won’t have to worry about mainframe viruses anytime soon (though anything is possible these days). The point of the story here is the sophistication at which hackers are attempting to compromise corporate and government IP. For it is a much faster path to market to steal technology than it is to develop it. The same could be said for nation-state attackers who lack the subject matter expertise to develop their own IP, be it leading-edge technologies or schematics for nuclear reactors.

Having a Security Information & Even Management (SIEM) system with Data Loss Prevention (DLP), supported with antivirus detection and Identity/Access Management Systems (IAMS), gives you a fighting chance. Having a means for File Integrity Monitoring, especially on z/OS where the most strategic global banking and government data resides, further fortifies your security strategy and arms your information security team with another data point to determine the level of risk to your data.

FIM protocols are well established on the distributed side, but if you were to ask a mainframe sysprog (system programmer) if they have some type of FIM protocol in place for z/OS, they would look at you like you were speaking a foreign language. FIM on mainframe, or MFIM, must be addressed, at a minimum, to facilitate the Payment Card Industry Data Security Standard (PCI DSS) requirements 10.5.5; 10.6.1; 11.5; and 12.10.5. The standard and corresponding requirements can be found here, and we should note that this blog is not a review of the requirements. The takeaway in today’s blog is to understand that FIM is important to the Payment Card Industry Security Standards Council (and HIPAA, and FISMA, and IRS Pub. 1075, and others). PCI DSS lists FIM in four different requirements and it does not say “do this just on your Windows and UNIX systems.” The requirement says do this for all systems in your datacenter.

The key to MFIM is to look at the mainframe counterparts to the Microsoft Windows install folder. One of these, SYS1.PARMLIB, or the PARMLIB concatenation, is the most important set of datasets on z/OS, listing system parameter values used by nearly every component of z/OS. You can’t just take a checksum "snapshot" of these files, as a SIEM would do with distributed systems, because they’re simply too big for that to be a practical approach.

The details of tracking mainframe event messages are far too many to get into here. Essentially, you need a way of connecting the mainframe and your distributed SIEM system for notifications in real time, and you need a software tool that will convert mainframe events to a distributed event log format — RFC 3264 syslog protocol — so your SIEM system can interpret the data as actionable information.

You can learn more about MFIM and its relevance to PCI DSS from CorreLog’s complementary whitepaper titled “InfoSec Myths Debunked: FIM is only for Windows/UNIX.”

Topics: IBM z, File Integrity Monitoring (FIM), Mainframe

PGP on IBM System z Mainframes

Posted by Patrick Townsend on Feb 10, 2015 7:38:00 AM

With the new z13 model, IBM announced another round of enhancements and improvements to the venerable IBM System z Mainframe. Focusing on mobile and social media integration, IBM is yet again modernizing and extending this high-end enterprise server.

PGP Encryption Trial IBM iWhile the IBM System z Mainframe has a well-earned reputation for security, how do Mainframe customers protect their data as they move towards more open, internet-based mobile and social media integration?

Pretty Good Privacy (PGP) is one path to provable and defensible security, and PGP Command Line is the de facto standard for enterprise customers.

PGP is one of the most commonly accepted and widely deployed whole file encryption technologies that has stood the test of time. It works on all of the major operating system platforms and makes it easy to deploy strong encryption to protect data assets. And it runs on the IBM System z Mainframe!

For about a decade we at Townsend Security have been bringing PGP encryption to Mainframe customers to help them solve some of the most difficult problems with encryption. As partners with Symantec we provide IBM enterprise customers running IBM System z and IBM i (AS/400, iSeries) with the same strong encryption solution that runs on Windows, Linux, Mac, Unix, and other platforms.

Incorporating the OpenPGP standard, PGP Command Line from Townsend Security and backed by Symantec, is compatible with a variety of open source PGP encryption solutions, while adding features to warm the heart of the IBM Mainframe customers. And this is the same PGP whose underlying PGP SDK has been through multiple FIPS 140-2 validations and which is FIPS 140-2 compliant today.

While retaining the core functions of PGP and the standards-based approach to encryption, we’ve been busy extending PGP specifically for the IBM Mainframe customer. Here are just a few of the things we’ve done with PGP to embrace the IBM Mainframe architecture:

  • Native z/OS Batch operation
  • Support for USS operation
  • Text mode enhancements for z/OS datasets
  • Integrated EBCDIC to ASCII conversion using built-in IBM facilities
  • Simplified IBM System z machine and partition licensing
  • Support for self-decrypting archives targeting Windows, Mac, and Linux!
  • A rich set of working JCL samples
  • Free evaluation on your own IBM Mainframe

IBM Mainframe customers never have to transfer data to a Windows or Linux server to perform encryption, and in the process exposing data to loss on those platforms. With full cross-platform support you can encrypt and decrypt data on the IBM Mainframe regardless of its origination or destination.

PGP Command Line is the gold standard for whole file encryption, and you don’t have to settle for less.


PGP Encryption for IBM

Topics: IBM z, Mainframe, PGP

SHARE Mainframe Conference 2011 and PGP Encryption

Posted by Patrick Townsend on Mar 9, 2011 7:53:00 AM
SHARE ConferenceIt was a great time of year to be in Anaheim, California last week for the IBM System z Mainframe SHARE user conference. The rains had just passed through and the weather was balmy. The Anaheim convention center is right next door to Disneyland, a place that was paradise to me growing up in Southern California.  The juxtaposition was not lost on anyone – Mainframes being the really serious computing platform, and Disneyland being the silliest and most fun place on planet Earth. But there was fun at the SHARE conference, too.

The death of the Mainframe has been predicted for years, but it keeps chugging along as one of the workhorses of large organizations. IBM has invested a lot in the hardware technology to keep it up to date, and you get a lot of bang for the buck with one of these systems. You can now even run Linux under z/VM and there are some really big installations of Linux on this platform.  All in all, it’s an impressive system.

I was at SHARE to support our partner, Software Diversified Services as they are now our distributor for PGP on the Mainframe z/OS platform. They are doing a great job of bringing this important encryption technology to IBM’s largest server system. People are often amazed at what you can do with PGP on the Mainframe. Create an Apple Mac self-decrypting archive on z/OS??? You have to be kidding, right? Nope, the PGP solution on the Mainframe creates self-decrypting archives for Windows, Mac, Linux, and flavors of UNIX. Also, it integrates with PGP Universal key server for key management. Another feature is that it compresses data up to 98 percent for encrypted data files. Additionally, it supports Mainframe file systems like PDS, Sequential, and VSAM. So PGP is an impressive offering for Mainframe customers who need to encrypt data for compliance. It was great to talk to the Mainframe customers who were approaching PGP with some trepidation. They were a lot more comfortable knowing that they could run PGP using normal JCL scripts.

With the customer base holding steady at between 6,000 and 7,000 customers worldwide, and with IBM continuing to improve the platform and make it more affordable, I believe it will be an important computing platform for years to come.  We’ll be seeing a lot more of Mainframes and Mickey Mouse for years to come.

Click here for a free evaluation version of PGP for the Mainframe.


Topics: SHARE, Mainframe, PGP

The Definitive Guide to AWS Encryption Key Management
Definitive Guide to VMware Encryption & Key Management


Recent Posts

Posts by Topic

see all