z/OS FTP provides access to all files, datasets and batch output resident on a z/OS system. However, it runs with a very simplistic security model that is not adequate for protecting remote access to critical corporate data. Access to datasets, files and batch output via the z/OS FTP is controlled by the access authority of the TSO ID used to log onto FTP. This security model is a holdover from the days when mainframe access was primarily through TSO, using connections secured on the corporate network. FTP connections can come from anywhere though (mobile devices, laptops, etc.). Any file or batch output that the TSO ID has read-access to can be downloaded to the FTP client, regardless of where it might be located (behind or outside the firewall). This creates an exposure to breach of sensitive company data.
What does Sentry Guardian™ do?
Sentry Guardian™ enables a company to control exactly who can access z/OS FTP
, from where and what they are authorized do with it, by writing SAF
security rules (RACF
, Top Secret or ACF2
). Sentry Guardian™ is in the middle of every request made from an FTP
client to z/OS FTP
(connect, change directory, upload, download, delete, rename, etc.). Sentry Guardian™ checks with SAF
to see whether the FTP
client is authorized to issue the request, taking into account the type of request and where the FTP
client is running (IP
security rules can be written to allow some activity and block other.
- Access to sensitive data can be allowed to FTP clients running behind the company firewall and blocked to FTP clients running outside the firewall.
- Downloads of sensitive data can be blocked for some TSO IDs and allowed for others, even though they all have read-access authority for the datasets/files.
- Downloads of job output (which can contain sensitive data) can be enabled from some users and disabled for others.
- Access to zFS folders can be controlled on a case-by-case basis and can take in account where the FTP client is running.
Guardian enables implementation of a much more granular security model for access to corporate data via FTP
Enhanced FTP, FTPS and SFTP SecurityFTP
Guardian works with IBM
which supports FTP
connections. It also supports the SFTP
server Co:Z SFTP
from Dovetailed Technologies
. Co:Z SFTP
is free, runs on z/OS and provides a full-featured SFTP
implementation. The same security rules that you write for controlling access to and usage of z/OS FTP
will work with Co:Z SFTP
without any modifications.