
Data Location Awareness

Technical Details

  • DataLenz runs on IBM Z mainframes with supported releases of z/OS.

  • Installation of the DataLenz z/OS agent is simple and straightforward, and requires only limited network configuration.

  • DataLenz supports all z/OS data types.

  • Data access start and end events are recorded for specified datasets, and kept in mainframe-based logs, accessible for reporting and real-time monitoring and alerting through the graphical interface.

  • The administrative and reporting interface runs as a workstation client, with secure access to your IBM Z mainframes running the DataLenz agent.

The patent-pending DataLenz technology tracks the location of your employees, partners, contractors, and rogue actors, using the actual IP address of the device they are using, even when they are going through a VPN or behind NAT.

Remote access to IBM Z mainframe applications & data: in-depth security

Now that the coaxial access cord has been cut and mobile devices and laptops can enter your internal network with dynamic, virtual connections, security in-depth must expand its reach. Here are the layers you likely already have in your environment:

  • Mainframe authentication: with at least a userid and password, but preferably with two or more factors, such as one-time passcode generators or fingerprint or retina scanners – i.e. Multifactor Authentication (“MFA”). Digital certificates may also be used in place of, or in parallel with, MFA. This is normally the last point of sign-on when accessing the mainframe, though some applications and systems may impose additional authentication requirements of their own.

    There may also be applications that are accessed from client or server software which performs a “bind” to a mainframe system, either on behalf of, or in place of, mobile or workstation users, saving a sign-on step when accessing mainframe functionality and data.

  • Mainframe access control to applications and resources: any of the three ESMs (External Security Managers – IBM’s RACF® and Broadcom’s CA ACF2™ and CA Top Secret®) provide the ability to specify which resources (such as datasets – mainframe files) and applications may be accessed by a given authenticated user.

  • Mainframe network access control: both the ESM and the TCP/IP stack can be configured to limit which ports and IP addresses have access to which applications and facilities via TCP/IP – i.e. intranet and/or internet access.

  • Intranet Security: subnetting, routers, network address translation, and even internal firewalls are all part of securing a corporate intranet to ensure that only legitimate devices have access to servers such as IBM Z mainframes. This may also include authentication to ensure the user of a device is legitimately allowed access, and that authentication may be synchronized with the mainframe authentication using mechanisms such as LDAP. It is also likely to employ MFA.

  • Virtual Private Network (VPN) access: in order to give access to users and their devices that are not directly connected to your corporate network, special encrypted “tunnels” are often used to send data privately between user devices and computers outside the corporate network and the applications and servers inside the intranet. Digital certificates, or at least public/private asymmetric key pairs, are generally used to establish these encrypted tunnels which operate using more efficient symmetric encryption.

  • Firewalls: at the edges of your intranet, controlling the traffic between the internet and your intranet, are your firewalls. They may include mechanisms for authenticating users to the corporate network, either by invoking the intranet security or in addition to it, and they work with other network security mechanisms to monitor for and block intrusions from untrusted rogue actors.

    The firewall is generally also where network address translation (NAT) takes place, changing the apparent IP address of a device, as seen by servers, from an external one to a trusted internal one, and translating it back as data are conveyed back out through the firewalls. This is a security feature, because only legitimately acquired internal IP addresses are generally allowed to move around the intranet. It is also practical, as there are insufficient IPv4 addresses for every device on Earth to have one, and IPv6 is still in the early stages of adoption – with no predictable completion date.

  • Mobile device and workstation access: laptops, mobile phones, and other external devices may require userid, PIN-based, biometric, or MFA authentication, possibly including proximity indicators such as the presence of an RFID access card. It is common for such devices to lock automatically when inactive or when the user is absent, and unlocking them generally requires the user to reauthenticate.

  • Anti-virus and other local security controls: mobile devices and workstations often have additional security controls installed to prevent such malware as viruses and trojan horses, as well as fraudulent intrusions.

  • App access from mobile locations: as any user of a banking app knows, individual apps on a remote device often include additional authentication such as userid or account number, pin or password, and/or biometrics. The client portion of the app on the remote device will also be written to provide secure access to the data and functionality on the server of record such as IBM Z mainframes containing customer banking information.

However, none of the above layers of security is guaranteed to prevent someone using trusted equipment, apps, and IDs from accessing corporate data from an untrusted geography.
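As an added illustration of that gap (this is not DataLenz code and does not use the product's actual event format), the following Python sketch evaluates constructed data-access start events against a per-dataset allowed-region policy, and treats an event that only carries an internal NAT address as a case where geography cannot be established at all:

```python
import ipaddress
from dataclasses import dataclass

# Constructed IP-range-to-region map (hypothetical; a real deployment
# would use a maintained geolocation feed, not a hard-coded table).
REGION_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "XX",  # region no policy allows
}
# RFC 1918 ranges: if this is all an event carries, NAT hid the real source.
PRIVATE_NAT_RANGES = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed per-dataset policy: regions allowed to open each dataset.
ALLOWED_REGIONS = {"PAYROLL.MASTER": {"US"}, "HR.EMPLOYEE": {"US", "DE"}}

@dataclass
class AccessEvent:
    user: str
    dataset: str
    event: str       # "START" or "END"
    device_ip: str   # address of the accessing device as recorded

def region_for(ip_text):
    """Map an address to a region; None means 'NAT-only, geography unknown'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in PRIVATE_NAT_RANGES):
        return None
    for net, region in REGION_BY_NETWORK.items():
        if ip in net:
            return region
    return "UNKNOWN"

def evaluate(events):
    """Return (user, dataset, reason) alerts for START events that violate policy."""
    alerts = []
    for ev in events:
        if ev.event != "START":
            continue  # END events close an access but carry no new decision
        region = region_for(ev.device_ip)
        allowed = ALLOWED_REGIONS.get(ev.dataset, set())
        if region is None:
            alerts.append((ev.user, ev.dataset, "NAT-only address, geography unknown"))
        elif region not in allowed:
            alerts.append((ev.user, ev.dataset, f"access from {region}, allowed {sorted(allowed)}"))
    return alerts

# Constructed sample events: valid users on trusted devices, two from bad locations.
SAMPLE_EVENTS = [
    AccessEvent("ALICE", "PAYROLL.MASTER", "START", "203.0.113.7"),
    AccessEvent("ALICE", "PAYROLL.MASTER", "END", "203.0.113.7"),
    AccessEvent("BOB", "HR.EMPLOYEE", "START", "198.51.100.20"),
    AccessEvent("CAROL", "PAYROLL.MASTER", "START", "192.0.2.44"),
    AccessEvent("DAVE", "HR.EMPLOYEE", "START", "10.20.30.40"),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags CAROL (allowed credentials, disallowed region) and DAVE (only a NAT address survived, so no region can be determined), while ALICE and BOB pass.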

Would you like to know more about DataLenz? Send us a message.