Excessive Access on the Mainframe

Excessive access opens organizations up to all kinds of risks, from increased attack vectors to compliance issues. Organizations need to take steps to mitigate this risk, incorporating validation into regular security processes. Checking for excessive access issues is an essential component of a modern mainframe security strategy.

Key Resources provides compliance assessment software and services to organizations that need to address excessive access issues. z/Assure® Compliance Assessment Manager™ (CAM), using our proprietary algorithms, determines excessive access based on an organization’s electronic security policy or the DISA STIGs, enabling organizations to verify compliance and stay on the right track with ongoing assessments.


The work-from-home effect

The increasing number of work-from-home employees has led to broad adoption of collaboration and real-time networking tools, such as Microsoft Teams, Zoom, and LinkedIn. This has created a massive attack surface with huge risks for enterprises, which only compounds the threat of excessive access.

These communication channels are rapidly outpacing the use of email, but unfortunately, they are also much more exposed to attacks than email. While there has always been a lack of understanding of the threats posed by these channels, remote users on home networks accessing their enterprise IT networks create a massive security liability. Cybercriminals and nation-state actors are very aware of these weaknesses and are using spear-phishing, ransomware, and other forms of cyberattack to gain access to enterprise mainframe data.

It’s all the more reason why organizations need to be vigilant about threats like excessive access and ensure that IT users stay compliant with security best practices.

What is excessive access on the mainframe?

Excessive access means that there are user accounts that have unnecessary access to information on the mainframe. In other words, those accounts have privileges that extend far above and beyond the level of access that is appropriate and essential for their role.

Where do excessive access issues come from?

Excessive access usually crops up inadvertently and can be both internal and external. For example, internal developers who needed access to sensitive data to build an app might maintain access even after that work is complete, or external contractors may still have access to data. This unnecessary inroad into an organization creates avoidable exposure for that data.

Why do we need privileged access management?

By providing users access to only the data they need, organizations can reduce their attack vectors. As excessive access increases, so do the risks to the organization, because it means there are highly privileged accounts that could be exploited if they were to fall into the wrong hands. Access to sensitive data must be periodically reviewed and defined by the organization’s security policy.

How do you manage privileged accounts and check for excessive access issues?

Start with an evaluation to determine the extent of excessive access issues. Then, set up a process to check for issues on a regular basis. Along with excessive access checking, organizations need to accurately inventory, classify, and define data ownership in order to develop the right policies and security controls.

How does excessive access checking help organizations maintain compliance?

Checking for excessive access isn’t just a security issue – it’s also required by compliance regulations like DISA STIGs and GDPR. By establishing a process to check for issues on an ongoing basis, organizations can minimize potential compliance issues.

How can automation help resolve excessive access?

Excessive access checking can uncover hundreds of thousands of findings, which the organization then must address. Resolving these issues can be time-consuming when done manually. Automation speeds up the process and enables organizations to drill down to the user level to get a detailed report of who has access to what.

Learn more about how excessive access checking fits into a modern mainframe security strategy.


z/Assure® Vulnerability Analysis Program (VAP)

z/Assure VAP is the only software that automatically scans for and identifies vulnerabilities in OS code, providing the information needed to protect systems.


z/Assure® Compliance Assessment Manager™

z/Assure CAM, our automated compliance assessment solution, helps protect sensitive data by enabling organizations to enforce security policy across critical mainframe and ESM systems.


Integrity Assessment Services

Without operating system integrity, there can be no system security. An integrity assessment from Key Resources focuses on the health and security of the mainframe operating system.


External Security Manager (ESM) Conversion Services

Key Resources offers expert ESM conversion services, relying on proprietary tools – z/Assure SCU and z/Assure SMU – to manage conversions for all major ESMs: RACF, Top Secret, and ACF2.


Db2 to RACF® Security Conversions

Using our proprietary z/Assure SCU4DB2 tool, Key Resources can help you convert from Db2 security to RACF® to take advantage of its stronger security capabilities.


Password Propagation Support

Using z/Assure PPS, our proprietary password propagation software, Key Resources can quickly and securely transfer existing passwords over to your new security package.

Talk to Key Resources to find the right mainframe security solution for your business.