SENTRY GUARDIAN ™
The problem
z/OS FTP provides access to all files, datasets and batch output resident on a z/OS system. However, it runs with a very simplistic security model that is not adequate for protecting remote access to critical corporate data.
Access to datasets, files and batch output via z/OS FTP is controlled by the access authority of the TSO ID used to log onto FTP.
This security model is a holdover from the days when mainframe access was primarily through TSO, using connections secured on the corporate network. FTP connections, though, can come from anywhere (mobile devices, laptops, etc.). Any file or batch output that the TSO ID has read access to can be downloaded to the FTP client, regardless of where that client might be located (behind or outside the firewall). This creates an exposure to breach of sensitive company data.
What does FTP/Guardian do?
FTP/Guardian enables a company to control exactly who can access z/OS FTP, from where, and what they are authorized to do with it, by writing SAF security rules (RACF, Top Secret or ACF2).
FTP/Guardian is in the middle of every request made from an FTP client to z/OS FTP (connect, change directory, upload, download, delete, rename, etc.).
FTP/Guardian checks with SAF to see whether the FTP client is authorized to issue the request, taking into account the type of request and where the FTP client is running (IP address).
SAF security rules can be written to allow some activities and block others.
- Access to sensitive data can be allowed to FTP clients running behind the company firewall and blocked to FTP clients running outside the firewall.
- Downloads of sensitive data can be blocked for some TSO IDs and allowed for others, even though they all have read access authority for the datasets/files.
- Downloads of job output (which can contain sensitive data) can be enabled for some users and disabled for others.
- Access to zFS folders can be controlled on a case-by-case basis and can take into account where the FTP client is running.
FTP Guardian enables implementation of a much more granular security model for access to corporate data via FTP clients.
Enhanced FTP, FTPS and SFTP Security
FTP Guardian works with IBM z/OS FTP, which supports FTP and FTPS connections.
It also supports the SFTP server Co:Z SFTP from Dovetailed Technologies. Co:Z SFTP is free, runs on z/OS and provides a full-featured SFTP implementation.
The same security rules that you write for controlling access to and usage of z/OS FTP will work with Co:Z SFTP without any modifications.
Interested in this product?
Would you like to know more about Sentry System ™? Don't hesitate to contact us.