Chapter 28 Key Takeaways: Mainframe Security for COBOL Developers
Threshold Concept
Security is an architecture decision, not a bolt-on. Security permeates every layer — network, system, dataset, DB2, CICS, MQ, and application code. Designing it in from day one is architecture. Adding it later is rework.
The Seven-Gate Security Model
Network → System → Dataset → DB2 → CICS → MQ → Application

- Network: AT-TLS, IP filter
- System: RACF auth, MFA
- Dataset: RACF profiles, encryption
- DB2: DSNR + GRANT/REVOKE
- CICS: TCICSTRN, resource security
- MQ: MQQUEUE, MQPROC, RESLEVEL
- Application: code-level checks, masking, audit log
Key insight: Each gate is independently configured, independently audited, and independently logged. An attacker must defeat every gate. Configure every gate — not just the outer ones.
RACF Essentials
| Principle | Implementation |
|---|---|
| Default deny | UACC(NONE) on all profiles; SETROPTS PROTECTALL(FAILURES) |
| Least privilege | Explicit PERMIT for each userid/group to each resource |
| Separation of duties | Separate userids for batch, CICS, DB2, MQ started tasks |
| Performance | SETROPTS RACLIST(classname) for all active resource classes |
| Auditing | AUDIT(ALL(READ)) for sensitive resources; AUDIT(FAILURES(READ)) for everything else |
Critical resource classes for COBOL architects:
| Class | Protects | Must RACLIST? |
|---|---|---|
| DATASET | Datasets | N/A (always active) |
| TCICSTRN | CICS transactions | Yes |
| FCICSFCT | CICS files | Yes |
| DSNR | DB2 connections | Yes |
| MQQUEUE | MQ queues | Yes |
| CSFKEYS | Encryption keys | Yes |
| FACILITY | System facilities | Yes |
| SERVAUTH | TCP/IP stack access | Yes |
Encryption Architecture
| Layer | Technology | CPU Cost | Application Change? |
|---|---|---|---|
| Data at rest (datasets) | z/OS dataset encryption + CPACF | Zero (hardware) | None |
| Data at rest (DB2 columns) | DB2 ENCRYPT_AES/DECRYPT_AES + ICSF | Zero (hardware) | Yes (SQL changes) |
| Data in transit (network) | AT-TLS (TLS 1.3) + CPACF | Zero (hardware) | None |
| Data in transit (MQ) | MQ channel SSL/TLS | Zero (hardware) | None |
Key insight: Encryption on z/OS is free in CPU cost. CPACF runs on dedicated hardware coprocessors not measured for software licensing. The "encryption is too expensive" argument does not apply to z/OS.
Key management rules:
- Master keys: dual control, annual rotation
- Data encryption keys: ICSF CKDS, quarterly rotation, RACF CSFKEYS protection
- TLS certificates: RACF keyrings, annual renewal
- Never embed keys in COBOL source or copybooks
Secure COBOL Coding Rules
SQL Injection Prevention
| Pattern | Secure? | Rule |
|---|---|---|
| Static SQL with host variables | Yes | Always preferred |
| Dynamic SQL with parameter markers (?) | Yes | Use for variable WHERE clauses |
| Dynamic SQL with STRING concatenation | NO | Never concatenate user input into SQL |
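The two safe patterns from the table, side by side in one COBOL program. This is an added example, not code from the chapter; the table CUSTOMER, its columns CUST_ID and CUST_NAME, and the field sizes are assumptions. The input value O'BRIEN is a legitimate name whose apostrophe would break a concatenated statement, but is bound as plain data by both safe forms.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SQLSAFE.
      * Added example (not from the chapter): static SQL with host
      * variables and dynamic SQL with a parameter marker. Table
      * CUSTOMER and columns CUST_ID / CUST_NAME are assumptions.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
       01  WS-CUST-ID          PIC X(10).
       01  WS-CUST-NAME        PIC X(40).
      * The statement text is a fixed literal; the "?" is the only
      * point at which a caller-supplied value enters the statement.
       01  WS-DYN-STMT.
           49 WS-DYN-LEN       PIC S9(4) COMP VALUE 48.
           49 WS-DYN-TEXT      PIC X(48) VALUE
              'SELECT CUST_ID FROM CUSTOMER WHERE CUST_NAME = ?'.
           EXEC SQL DECLARE CSR1 CURSOR FOR STMT1 END-EXEC.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Constructed input containing an apostrophe.
           MOVE 'O''BRIEN' TO WS-CUST-NAME
           PERFORM STATIC-LOOKUP
           PERFORM DYNAMIC-LOOKUP
           GOBACK.

      * Preferred: static SQL. DB2 receives the value through the
      * host variable, so it is never parsed as SQL text.
       STATIC-LOOKUP.
           EXEC SQL
               SELECT CUST_ID INTO :WS-CUST-ID
                 FROM CUSTOMER
                WHERE CUST_NAME = :WS-CUST-NAME
           END-EXEC
           IF SQLCODE NOT = 0 AND SQLCODE NOT = +100
               PERFORM SQL-ERROR
           END-IF.

      * Acceptable: dynamic SQL with a parameter marker. The text is
      * prepared once; the value is supplied at OPEN time.
       DYNAMIC-LOOKUP.
           EXEC SQL PREPARE STMT1 FROM :WS-DYN-STMT END-EXEC
           IF SQLCODE NOT = 0
               PERFORM SQL-ERROR
           ELSE
               EXEC SQL OPEN CSR1 USING :WS-CUST-NAME END-EXEC
               EXEC SQL FETCH CSR1 INTO :WS-CUST-ID END-EXEC
               IF SQLCODE NOT = 0 AND SQLCODE NOT = +100
                   PERFORM SQL-ERROR
               END-IF
               EXEC SQL CLOSE CSR1 END-EXEC
           END-IF.

      * Never do this. With WS-CUST-NAME = O'BRIEN the apostrophe
      * terminates the literal early; other input can change the
      * meaning of the statement entirely.
      *    STRING 'SELECT CUST_ID FROM CUSTOMER WHERE CUST_NAME = '''
      *           WS-CUST-NAME '''' DELIMITED BY SIZE
      *           INTO WS-SQL-TEXT
      *    END-STRING

       SQL-ERROR.
           DISPLAY 'SQLSAFE: SQL error, SQLCODE=' SQLCODE
           EXEC SQL ROLLBACK END-EXEC
           MOVE 16 TO RETURN-CODE
           GOBACK.
```

The dynamic form still needs a cursor because a SELECT cannot be run with EXECUTE; the WHERE value goes in through OPEN ... USING, which keeps the statement text constant across calls and lets DB2 reuse the prepared statement.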
Buffer Overflow Prevention
- Always validate reference modification offsets and lengths before use
- Use OVERFLOW clause on UNSTRING to detect unexpected delimiters
- Use COUNT IN to verify data lengths after UNSTRING
- Validate container data length before EXEC CICS GET CONTAINER
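The four rules above applied in one CICS program: the container length is queried with NODATA before anything is copied, reference modification bounds are checked against the received length, and UNSTRING uses COUNT IN and ON OVERFLOW to reject oversized or extra fields. Added example, not the chapter's own code; the container name INPUTREC, the "account,amount" record layout and the field sizes are assumptions.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. BOUNDCHK.
      * Added example (not from the chapter): length checks before
      * GET CONTAINER, before reference modification and around
      * UNSTRING. Container INPUTREC and the layout are assumptions.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-INPUT-REC        PIC X(80).
       01  WS-INPUT-LEN        PIC S9(8) COMP.
       01  WS-CONT-LEN         PIC S9(8) COMP.
       01  WS-RESP             PIC S9(8) COMP.
       01  WS-OFFSET           PIC S9(4) COMP.
       01  WS-LENGTH           PIC S9(4) COMP.
       01  WS-FIELD            PIC X(20).
       01  WS-ACCT             PIC X(12).
       01  WS-AMOUNT           PIC X(10).
       01  WS-ACCT-CNT         PIC S9(4) COMP.
       01  WS-AMOUNT-CNT       PIC S9(4) COMP.
       01  WS-STATUS           PIC 9 VALUE 0.
           88 INPUT-OK         VALUE 0.
           88 INPUT-REJECTED   VALUE 1.
           88 BAD-BOUNDS       VALUE 2.
           88 BAD-FORMAT       VALUE 3.
       PROCEDURE DIVISION.
       MAIN-PARA.
           PERFORM GET-INPUT
           IF INPUT-OK
               MOVE 1  TO WS-OFFSET
               MOVE 12 TO WS-LENGTH
               PERFORM SAFE-SUBSTRING
           END-IF
           IF INPUT-OK
               PERFORM SPLIT-FIELDS
           END-IF
           EXEC CICS RETURN END-EXEC.

      * Ask for the container length first (NODATA) and copy only
      * when it fits, so an oversized message cannot overwrite the
      * storage that follows WS-INPUT-REC.
       GET-INPUT.
           MOVE SPACES TO WS-INPUT-REC
           EXEC CICS GET CONTAINER('INPUTREC') NODATA
                FLENGTH(WS-CONT-LEN) RESP(WS-RESP)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
              OR WS-CONT-LEN < 1
              OR WS-CONT-LEN > LENGTH OF WS-INPUT-REC
               SET INPUT-REJECTED TO TRUE
           ELSE
               MOVE WS-CONT-LEN TO WS-INPUT-LEN
               EXEC CICS GET CONTAINER('INPUTREC')
                    INTO(WS-INPUT-REC) FLENGTH(WS-INPUT-LEN)
                    RESP(WS-RESP)
               END-EXEC
           END-IF.

      * Reject an offset/length pair that reaches outside the data
      * actually received or exceeds the receiver; without this,
      * and with SSRANGE off, the MOVE reads adjacent storage.
       SAFE-SUBSTRING.
           IF WS-OFFSET < 1
              OR WS-LENGTH < 1
              OR WS-LENGTH > LENGTH OF WS-FIELD
              OR WS-OFFSET + WS-LENGTH - 1 > WS-INPUT-LEN
               SET BAD-BOUNDS TO TRUE
           ELSE
               MOVE WS-INPUT-REC(WS-OFFSET:WS-LENGTH) TO WS-FIELD
           END-IF.

      * COUNT IN holds the full length of each delimited piece, so a
      * piece longer than its receiver (silently truncated by the
      * MOVE) is detectable; ON OVERFLOW fires when data remains
      * after the last receiver, i.e. an extra delimiter or field.
      * ALL SPACE swallows trailing blanks so padding is not "extra".
       SPLIT-FIELDS.
           UNSTRING WS-INPUT-REC DELIMITED BY ',' OR ALL SPACE
               INTO WS-ACCT   COUNT IN WS-ACCT-CNT
                    WS-AMOUNT COUNT IN WS-AMOUNT-CNT
               ON OVERFLOW
                   SET BAD-FORMAT TO TRUE
           END-UNSTRING
           IF WS-ACCT-CNT = 0
              OR WS-ACCT-CNT > LENGTH OF WS-ACCT
              OR WS-AMOUNT-CNT > LENGTH OF WS-AMOUNT
               SET BAD-FORMAT TO TRUE
           END-IF.
```

Compiling with SSRANGE would also catch the out-of-range reference modification at run time, but the explicit check costs less and returns a controlled status instead of an abend.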
Audit Logging
- Write audit record before the business action (update result after)
- Capture: who (userid), what (action, data), when (timestamp), where (terminal/IP), outcome (success/failure)
- Write to RACF-protected transient data queue or dataset
- Log both successful and failed operations
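The audit pattern described in the list above as a CICS program: one record is written before the business action with outcome PENDING, and a second with the final outcome, both carrying who, what, when and where. Added example, not the chapter's own code; the queue name AUDQ (which would be protected in the DCICSDCT class), the record layout and the placeholder business action are assumptions.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. AUDITWR.
      * Added example (not from the chapter): audit record before
      * the business action, outcome record after it, both written
      * to a transient data queue. AUDQ and the layout are assumed.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-AUDIT-REC.
           05 AUD-DATE         PIC X(8).
           05 AUD-TIME         PIC X(6).
           05 AUD-USERID       PIC X(8).
           05 AUD-TERMINAL     PIC X(4).
           05 AUD-NETNAME      PIC X(8).
           05 AUD-TRANID       PIC X(4).
           05 AUD-ACTION       PIC X(8).
           05 AUD-KEY          PIC X(16).
           05 AUD-OUTCOME      PIC X(8).
       01  WS-AUDIT-LEN        PIC S9(4) COMP VALUE 70.
       01  WS-ABSTIME          PIC S9(15) COMP-3.
       01  WS-RESP             PIC S9(8) COMP.
       01  WS-ACTION-RC        PIC S9(8) COMP.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Constructed sample action and key.
           MOVE 'UPDATE'         TO AUD-ACTION
           MOVE 'ACCT-000123456' TO AUD-KEY
           PERFORM AUDIT-BEFORE
           PERFORM BUSINESS-ACTION
           PERFORM AUDIT-AFTER
           EXEC CICS RETURN END-EXEC.

      * "Who" and "where" come from CICS and RACF, never from the
      * input message, so the caller cannot forge them.
       AUDIT-BEFORE.
           EXEC CICS ASSIGN USERID(AUD-USERID)
                            NETNAME(AUD-NETNAME)
           END-EXEC
           MOVE EIBTRMID TO AUD-TERMINAL
           MOVE EIBTRNID TO AUD-TRANID
           EXEC CICS ASKTIME ABSTIME(WS-ABSTIME) END-EXEC
           EXEC CICS FORMATTIME ABSTIME(WS-ABSTIME)
                     YYYYMMDD(AUD-DATE) TIME(AUD-TIME)
           END-EXEC
           MOVE 'PENDING' TO AUD-OUTCOME
           PERFORM WRITE-AUDIT.

      * Stand-in for the real update; it only sets the return code.
       BUSINESS-ACTION.
           MOVE 0 TO WS-ACTION-RC.

       AUDIT-AFTER.
           IF WS-ACTION-RC = 0
               MOVE 'SUCCESS' TO AUD-OUTCOME
           ELSE
               MOVE 'FAILED'  TO AUD-OUTCOME
           END-IF
           PERFORM WRITE-AUDIT.

      * A failed audit write is itself a security event: abend the
      * task so the business update is backed out rather than left
      * unlogged.
       WRITE-AUDIT.
           EXEC CICS WRITEQ TD QUEUE('AUDQ')
                FROM(WS-AUDIT-REC) LENGTH(WS-AUDIT-LEN)
                RESP(WS-RESP)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
               EXEC CICS ABEND ABCODE('AUDF') END-EXEC
           END-IF.
```

Writing the PENDING record first means that a task which abends mid-update still leaves a trace of who started it; the two records are correlated by userid, key and timestamp. Defining AUDQ as a recoverable intrapartition queue keeps the audit write in the same unit of work as the update.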
Data Masking
- Externalize masking decisions to RACF (FACILITY class check)
- Never hard-code user lists for masking decisions
- PAN: show last 4 only (`****-****-****-1234`)
- SSN: show last 4 only (`***-**-6789`)
- Mask at the earliest point where you know the consumer's authorization level
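The masking rules above as a CICS program: the decision to show a full PAN or SSN is a RACF FACILITY check made through EXEC CICS QUERY SECURITY, and the masked forms match the chapter's examples. Added example, not the chapter's own code; the FACILITY profile name PAYMENT.PAN.FULLVIEW and the sample PAN and SSN values are constructed assumptions.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. MASKPAN.
      * Added example (not from the chapter): masking driven by a
      * RACF FACILITY profile instead of a hard-coded user list.
      * Profile PAYMENT.PAN.FULLVIEW is an assumption.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-PAN-IN           PIC X(16).
       01  WS-PAN-OUT          PIC X(19).
       01  WS-SSN-IN           PIC X(9).
       01  WS-SSN-OUT          PIC X(11).
       01  WS-RESNAME          PIC X(246)
                               VALUE 'PAYMENT.PAN.FULLVIEW'.
       01  WS-RESLEN           PIC S9(8) COMP VALUE 20.
       01  WS-READ-ACC         PIC S9(8) COMP.
       01  WS-RESP             PIC S9(8) COMP.
       01  WS-VIEW-FLAG        PIC X VALUE 'N'.
           88 FULL-VIEW-OK     VALUE 'Y'.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Constructed sample values.
           MOVE '4111111111111234' TO WS-PAN-IN
           MOVE '123456789'        TO WS-SSN-IN
           PERFORM CHECK-AUTHORITY
           PERFORM FORMAT-PAN
           PERFORM FORMAT-SSN
           EXEC CICS RETURN END-EXEC.

      * Ask RACF whether the current user has READ on the FACILITY
      * profile. Anything other than a clean READABLE answer means
      * mask: an error in the check must fail closed.
       CHECK-AUTHORITY.
           MOVE 'N' TO WS-VIEW-FLAG
           EXEC CICS QUERY SECURITY RESCLASS('FACILITY')
                RESID(WS-RESNAME) RESIDLENGTH(WS-RESLEN)
                READ(WS-READ-ACC) RESP(WS-RESP)
           END-EXEC
           IF WS-RESP = DFHRESP(NORMAL)
              AND WS-READ-ACC = DFHVALUE(READABLE)
               SET FULL-VIEW-OK TO TRUE
           END-IF.

      * 16-digit PAN: full view is groups of four; masked view keeps
      * only the last four, as in ****-****-****-1234.
       FORMAT-PAN.
           IF FULL-VIEW-OK
               STRING WS-PAN-IN(1:4)  '-' WS-PAN-IN(5:4)  '-'
                      WS-PAN-IN(9:4)  '-' WS-PAN-IN(13:4)
                      DELIMITED BY SIZE INTO WS-PAN-OUT
               END-STRING
           ELSE
               STRING '****-****-****-' WS-PAN-IN(13:4)
                      DELIMITED BY SIZE INTO WS-PAN-OUT
               END-STRING
           END-IF.

      * 9-digit SSN: masked view is ***-**-6789.
       FORMAT-SSN.
           IF FULL-VIEW-OK
               STRING WS-SSN-IN(1:3) '-' WS-SSN-IN(4:2) '-'
                      WS-SSN-IN(6:4)
                      DELIMITED BY SIZE INTO WS-SSN-OUT
               END-STRING
           ELSE
               STRING '***-**-' WS-SSN-IN(6:4)
                      DELIMITED BY SIZE INTO WS-SSN-OUT
               END-STRING
           END-IF.
```

Because the decision is a RACF PERMIT on the profile rather than a list in the program, granting or revoking full view is an administrative change that is logged by RACF and needs no recompile; the QUERY SECURITY call is made once, before any output is built, which is the earliest point at which the consumer's authorization is known.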
PCI-DSS Compliance Map (Summary)
| Requirement | Primary z/OS Control |
|---|---|
| 1. Network security | z/OS IP filtering, AT-TLS, VLAN segmentation |
| 2. Secure configurations | PARMLIB hardening, Health Check utility |
| 3. Protect stored data | Dataset encryption, DB2 column encryption |
| 4. Encrypt transmissions | AT-TLS (TLS 1.3), MQ channel SSL |
| 5. Anti-malware | z/Architecture (inherent resistance), APF, PROGRAM class |
| 6. Secure development | Secure coding standards, automated code scans |
| 7. Access control | RACF profiles, DB2 GRANT/REVOKE, CICS transaction security |
| 8. Authentication | RACF passwords/passphrases, MFA, PassTickets, certificates |
| 9. Physical security | Data center controls, tape encryption |
| 10. Logging and monitoring | SMF types 80/102/110, application audit logs, SIEM |
| 11. Security testing | Health Check, IRRDBU00 analysis, penetration testing |
| 12. Security policies | Documented policies, incident response plan, training |
HIPAA Compliance Essentials
| Safeguard | z/OS Control |
|---|---|
| Access control | RACF + DB2 column-level GRANT + CICS transaction security |
| Audit controls | SMF (all access to ePHI, not just failures) + application audit trail |
| Integrity controls | RACF write protection + DB2 constraints |
| Transmission security | AT-TLS + MQ SSL |
| Person/entity authentication | RACF authentication + MFA for privileged access |
HIPAA Safe Harbor: If ePHI is encrypted (AES per NIST standards) and the key is not compromised, a security incident is NOT a breach — no 60-day notification obligation.
Security Monitoring Tiers
| Tier | Response Time | Events/Day | Examples |
|---|---|---|---|
| 1 — Immediate | Minutes | 3-5 | SPECIAL attribute added, mass failed logins, RACF DB access |
| 2 — Same Day | Hours | 50-100 | New PERMITs, NOTAUTH on sensitive transactions, unknown MQ connections |
| 3 — Weekly/Monthly | Days | 10,000+ | Normal access patterns, routine operations |
Incident Response Framework
Detection (0-15 min) → Containment (15-60 min) → Investigation (1-24 hr)
→ Eradication (1-48 hr) → Recovery (1-72 hr) → Lessons Learned (2 wk)
Severity 1 rule: Contain first, investigate second. ALTUSER userid REVOKE before forensics.
Rules of Thumb
- UACC(NONE) on everything. If you can't justify UACC(READ), you don't need it.
- SETROPTS PROTECTALL(FAILURES). An unprotected dataset is an uncontrolled dataset.
- RACLIST every active resource class. The 1,000x performance difference is not optional.
- Never STRING user input into dynamic SQL. Host variables or parameter markers. Always.
- Validate all reference modification bounds. Every. Time.
- Audit successful access to sensitive data, not just failures. Compliance requires it.
- Encrypt all ePHI/cardholder data at rest and in transit. CPU cost is zero on z/OS.
- Separate batch userids by function. Shared userids are shared risk.
- Rotate encryption keys quarterly. Document the rotation.
- Test the incident response plan quarterly. An untested plan is not a plan.
- Security debt compounds. Fix it when you find it, not when the auditor finds it.