For many, the mainframe can be a daunting subject – with misguided initial reactions of the platform as “legacy” technology that may be replaced by the cloud. Part of this angst and dismissiveness is because not everyone fully understands the true value of the mainframe. When you dive into what the mainframe is, however, you will soon realize that the mainframe is “legendary” and still extremely relevant – not only in it being actively used but key to the topics and outcomes organizations strive to achieve. In fact, the worlds of mainframe and distributed are more similar than you think…
In this video, get a 101 view into the mainframe discussing the properties of the platform as well as the similarities in outcomes between mainframe and distributed use cases.
In this blog, we will dive into the topic of Identity and Access Management (IAM), specifically focusing on three key things:
- The personas involved across IAM activities and the overall jobs to be done across distributed and mainframe systems.
- The use cases and mapping of commonly available products to those use cases, showcasing that IAM is IAM, and the needs and problem statements are equally relevant across distributed and mainframe systems.
- Examples of where distributed IAM and mainframe IAM tools co-exist to deliver consistent IAM within the enterprise
Persona Mappings Across Distributed and Mainframe Platforms
Although the individuals in an organization leading mainframe IAM and distributed IAM may be different people, the jobs to be done and the needs across both are similar. At the end of the day, mainframe and distributed IAM have the same thesis: “let in the right people at the right time to access the resources that they should have access to”. With this thesis comes the consideration of what activities these personas perform.
In both distributed and mainframe IAM use cases, ensuring the balance of best end user experience and implementing robust security are critical. The table below captures the similarities and differences in what each IAM stakeholder is responsible for – the jobs are not exhaustive, and the personas are grouped into three macro buckets but are intended to provide an example of the outcomes each persona is focused on.
The IAM admin sets up and manages the IAM system, effectively being the super admin of the IAM environment. The application developer creates and builds applications that will be used by end users (employees) with native, built-in access controls – application developers want to focus on application building and get IAM by default. The employee (end user) simply wants to access the applications they need so that they can perform their job. Users can be human users as well as machine identities. Although we focus on human users, machine identities are relevant to both mainframe and distributed use cases. Machine identities also need access to resources and data but do so in a less “interactive” manner and on behalf of a service, person, and/or process.
Persona | Distributed IAM tasks | Mainframe IAM tasks |
IAM Admin | Create, update, delete, etc. users and groups and ensure this information remains in sync and up to date. SCIM is a standard to allow for cross-system identity management. Onboard applications to allow for login and single sign-on, using standards such as OIDC, SAML, etc. Create, update, delete, etc. access policies. Define delegation and relationship hierarchy. Define application entitlement workflows. Define and set what multi factor authentication users should use. Manage identity sources and directories that are sanctioned by the enterprise which store and contain the necessary user information. Set the access requirements such as defining password policies and reset passwords. Integrate third-party tools, for example ID proofing, risk scoring, mobile device manager, and more. Identify and clean up entitlements of users and applications that may not be used or may not be required anymore. Approve entitlements to applications and perform lifecycle management of access requests. Gain visibility into the activities that are happening across identities, applications, and other identity-related activity. Remove unused identities and entitlements/permissions. | Create, update, delete, etc. users and groups and ensure this information remains in sync and up to date. Onboard applications to allow for login. In the case of the mainframe, the IAM interface is System Authorization Facility (SAF) calls (the counterpart of OIDC and SAML in distributed). Create, update, delete, etc. access policies. Define delegation and relationship hierarchy. Define application entitlement workflows. Define and set what multi factor authentication users should use. Manage databases and directories that are sanctioned by the enterprise which store and contain the necessary user information, such as the External Security Manager (ACF2, Top Secret, RACF) databases. Set the access requirements such as defining password policies. Identify and clean up entitlements of users and applications that may not be used or may not be required anymore. Approve entitlements to applications and perform lifecycle management of access requests. Gain visibility into the activities that are happening across identities, applications, and other identity-related activity. |
Application developer | Build applications using application development frameworks like NodeJS, SpringBoot, .NET, Swift, and more. Onboard and integrate applications with the IAM system to secure who can access the application and enforce access controls, using the standards of OIDC, SAML, and others. Use SDKs to simplify integration between their application and the IAM system. | Build applications using application languages such as COBOL and frameworks such as CICS. Onboard and integrate applications with the IAM system to secure who can access the application and enforce access controls. |
End user | Typing in their password to access an application so they can do their job, such as filing a claim, approving a money transfer, providing help desk support, and more. Managing and performing multi factor authentication. Doing a self-service password reset. | Typing in their password to access an application so they can do their job, such as filing a claim, approving a money transfer, providing help desk support, and more. Managing and performing multi factor authentication. Doing a self-service password reset. |
In the distributed world, in addition to employee access management, there are use cases for consumer identity and access management – these are end users that access commercial services provided by organizations. With the consumer IAM use case, there are additional stakeholders that are relevant such as the data privacy officer, who may want to capture, view, and need to audit all the consents that a consumer has made to comply with certain data privacy regulations such as GDPR.
IAM Use Cases Across Distributed and Mainframe With Example Product Mappings
Now that there is a bit more understanding of the commonalities of the IAM needs, personas, and tasks across distributed and mainframe security, we can now map the products that are used to meet the needs of the use cases.
In both distributed and mainframe IAM use cases, ultimately there are data, resources/applications, and users. Resources/applications are the processes that hold the business logic that users access to perform their job and access (potential personally identifiable) data. The IAM Software stores and holds the business logic an organization defines to broker user access to data and resources/applications.
- Access management in the mainframe IAM world, similar to the distributed IAM world, is all about the access controls that are needed to ensure the right users get in, while ensuring the users that shouldn’t have access do not get in.
- Identity management in the mainframe IAM world, similar to the distributed IAM world, is all about managing users, user attributes, user group membership, user credentials, user permissions, and more.
- Identity governance in the mainframe IAM world, similar to the distributed IAM world, is all about managing the entitlements, lifecycle, provisioning/deprovisioning, end user access requests, and more. These are for both regular users but also users that are deemed to have privileged access or authority.
- Reporting, visibility, monitoring, and threat detection in the mainframe IAM world, similar to the distributed IAM world, is all about having the necessary insights into all the activities that are IAM related. This is also for compliance and auditing requirements.
Use cases | Distributed IAM product mappings | Mainframe IAM product mappings |
Access management | Single sign-on/login and access policies – these are capabilities that allow a user to log in with a username and password, certificates, or federated identity providers (using OIDC or SAML). Single sign-on also allows users to not have to keep entering their credentials as they access many resources/applications; rather, they can use an existing session from which they have successfully logged in. Additionally, business logic via access policies can be defined to decide which users should have access to resources/applications (ex: users in department = sales can access the sales app, while users in department != sales cannot access the sales app). Tools such as Broadcom, IBM Verify and Okta provide these capabilities. Multi factor authentication and device posture – with these capabilities, depending on the business logic from access policies, users may be required to perform multi factor authentication before they can access the application. Additionally, in the distributed world, given that users may log in from various devices, understanding and validating that users are using sanctioned devices to log in is critical in ensuring trusted and secure logins. In a more modern experience, passkeys are a way to provide phishing-resistant, modern authentication – this is seen as passwordless authentication. Tools such as Broadcom, IBM Verify and Okta provide these capabilities. Risk based authentication – these are capabilities that evaluate the user context such as what browser, what internet service provider, what device, what time of day, what location, and more the user is logging in from. Based on an analysis of the user context, a risk score for the user can be calculated to determine if the user is risky or non-risky, and so which access policy business logic is used to perform MFA, block, or allow the login. Tools such as Broadcom, IBM Verify and Okta provide these capabilities. | Login – these are capabilities that allow a user to log in with a username and password, certificates, and more. Additionally, business logic via access policies can be defined to decide which users should have access to resources/applications (ex: users in department = sales can access the sales app, while users in department != sales cannot access the sales app). Tools such as ACF2, Top Secret, and RACF provide these capabilities. Multi factor authentication – with these capabilities, depending on the business logic from access policies, users may be required to perform multi factor authentication before they can access the application. Similar to the distributed world, MFA options such as SMS OTP, Email OTP, TOTP, hardware security keys, and authenticator apps via push and biometric are factors that can be leveraged. Passkeys, however, are not suited for mainframe IAM given the web-based nature of passkeys. Tools such as Advanced Authentication Mainframe provide these capabilities. |
Identity management | Directory and user repository – these are the set of tools needed to store and manage user records and group membership. These can be LDAP, Active Directory, or even, in more modern experiences, cloud-based directory services. Additionally, the tools needed help ensure synchronization across the directory and user repositories with a single “representation” as needed. Tools such as Broadcom, IBM Verify and Okta provide these capabilities. Attribute, user, and group management – these are a set of tools needed to manage the specific artifacts within a directory or user repository structure. Extending a user profile attribute schema with custom attributes, associating and managing group membership, and more are tools needed to deliver identity management experiences. Tools such as IBM Verify and Okta provide these capabilities. | Directory and user repository – these are the set of tools needed to store and manage user records and group membership. External security managers (ESM) have their own native databases that serve as directories to store information like user IDs, role and access policy, and more. The formats of the files used to store this information are VSAM or BDAM. Additionally, LDAP can optionally be used to query the ESM databases. Attribute, user, and group management – these are a set of tools needed to manage the specific artifacts within a directory or user repository structure. Extending a user profile attribute schema with custom attributes, associating and managing group membership, and more are tools needed to deliver identity management experiences. Tools such as ACF2, Top Secret, and RACF provide these capabilities. |
Identity governance | Governance and lifecycle management – these are the set of tools needed to define roles, permissions, mapping of users to roles and permissions, allowing users to request access to resources/applications, provisioning/de-provisioning identities to resources/applications, access delegation, proactive cleanup of over-entitled or inactive users, and more. Additionally, the idea of defining “separation of duty” is also critical to limit over-privileged accounts and access. Tools such as Broadcom, IBM Verify, Saviynt, and SailPoint provide these capabilities. Privileged access management – these are the set of tools needed to classify and enforce controls on users that access and interface with highly valuable resources/applications. Additionally, there may be needs to record the activity a user is doing on the screen after login, have the user get just-in-time approval from another privileged user before accessing an application, check out a temporary secret or token that is used to access an application with a pre-defined expiration, and more. Tools such as Broadcom, Delinea and CyberArk provide these capabilities. | Identity cleanup and compliance – these are the set of tools needed to ensure that orphaned, unused identities are cleaned up in the system. Additionally, if entitlements exist but are not being used, these can be cleaned up and removed to ensure that users are not accidentally left with entitlements that are no longer relevant/needed. Identities and entitlements can be recertified. The idea of defining “separation of duty” is also critical to limit over-privileged accounts and access, which is based on the audits/events emitted by ACF2, for example. Tools such as Cleanup provide these capabilities. Privileged access management – these are the set of tools needed to classify and enforce controls on users that access and interface with highly valuable resources/applications. Additionally, the need to define which resources and what business logic needs to be met to access privileged resources is critical – this can entail that privileged users accessing privileged resources are required to re-enter a password. This is done by being able to granularly define which users and resources are deemed privileged. Tools such as Trusted Access Manager for z provide these capabilities. |
Reporting and visibility | Audit trails of all the admin activities to track which modifications were made in the IAM environment and by whom. Authentication activity to see all the users that are logging into the system and which resources/applications those users are accessing. MFA activity to see which users are using MFA and for which resources/applications those users are using MFA to log in. Threat detection activity to see if there are anomalous users accessing the system or if users are using compromised, stolen credentials, and also whether there are password spray or user enumeration attacks. | Audit trails of all the admin activities to track which modifications were made in the IAM environment and by whom. Authentication activity to see all the users that are logging into the system and which resources/applications those users are accessing. Gaining insights into and assessing the security posture of the mainframe while providing remediation steps for risky configurations. Connectivity to other tools like a SIEM tool to stream and send information across hybrid IT environments. Threat detection activity to see if there are critical changes and data breaches in the mainframe environment. Tools such as Compliance Event Manager and Security Insights provide these capabilities. |
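The access management row describes a decision chain (access policy, then user-context risk scoring, then allow / MFA / block) without showing one. The following is an added example, not code from the original post or from any product named in it: a minimal decision engine in that shape. The departments, apps, risk weights, thresholds and login contexts are all constructed for illustration.

```python
# Added example (not from the original post): access policy plus
# risk-based authentication, modelled on the access management row above.
# All users, apps, weights, thresholds and context values are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LoginContext:
    user: str
    department: str
    app: str
    device_sanctioned: bool   # device posture: is the device enterprise-managed?
    known_isp: bool           # has this ISP been seen before for this user?
    hour: int                 # local hour of day, 0-23
    country: str              # geolocation of the login


# Access policy business logic: "department = sales can access the sales app".
APP_POLICY = {
    "sales-app": {"sales"},
    "claims-app": {"claims", "support"},
}

# Constructed risk weights. A score at or above MFA_THRESHOLD forces a second
# factor; a score at or above BLOCK_THRESHOLD denies the login outright.
HOME_COUNTRIES = {"US"}
MFA_THRESHOLD = 30
BLOCK_THRESHOLD = 60


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Score the user context (device, ISP, time of day, location)."""
    score, reasons = 0, []
    if not ctx.device_sanctioned:
        score += 30
        reasons.append("unsanctioned device")
    if not ctx.known_isp:
        score += 15
        reasons.append("unfamiliar ISP")
    if ctx.hour < 6 or ctx.hour >= 22:
        score += 10
        reasons.append("outside business hours")
    if ctx.country not in HOME_COUNTRIES:
        score += 25
        reasons.append("login from " + ctx.country)
    return score, reasons


def decide(ctx: LoginContext) -> Tuple[str, List[str]]:
    """Policy first (deterministic), then risk. Returns DENY, BLOCK, MFA or ALLOW
    together with the reasons, so the decision can be audited later."""
    if ctx.department not in APP_POLICY.get(ctx.app, set()):
        return "DENY", ["policy: department %s not entitled to %s"
                        % (ctx.department, ctx.app)]
    score, reasons = risk_score(ctx)
    if score >= BLOCK_THRESHOLD:
        return "BLOCK", reasons
    if score >= MFA_THRESHOLD:
        return "MFA", reasons
    return "ALLOW", reasons


if __name__ == "__main__":
    ctx = LoginContext("alice", "sales", "sales-app", False, True, 10, "US")
    print(ctx.user, *decide(ctx))   # unsanctioned device -> MFA
```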
Deliver Consistent IAM Within the Enterprise
Even though mainframe and distributed IAM tools are aligned to their specific domain, there are synergies and business problems that require both tool sets to work together. This ensures the enterprise has a consistent IAM across all identity types and platforms.
Take one use case, for example, where you want your mainframe identities to be treated as “privileged users.” These mainframe identities, deemed “privileged users”, need to “check out” their passphrase/password. This use case is facilitated by a distributed PAM tool, for example CyberArk, so that the passphrase/password used by these “privileged” mainframe identities is rotated and checked out with enterprise-wide privileged controls. Here CyberArk and ACF2, for example, work together to deliver business value and security controls.
Another use case that showcases how mainframe and distributed IAM work together is allowing users to request specific permissions via mainframe roles, while additionally enforcing approvals. In this case, a user can request a mainframe role via a distributed IGA tool, for example SailPoint, which would govern permission requests and perform the necessary provisioning/deprovisioning activities with the mainframe ESM as the target system, allowing for lifecycle operations on the defined mainframe IAM roles. Here, SailPoint and Top Secret, for example, work together to deliver business value and security controls.
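The privileged-access use case above (a distributed PAM vault brokering the passphrase of a privileged mainframe identity) and the PAM row of the use case table (checkout with expiry, just-in-time approval by another privileged user, rotation) can be shown as one toy model. This is an added example, not code from the original post or the behaviour of CyberArk, ACF2 or any other product: the vault, identities, expiry, approval rule and credential character set are constructed assumptions, and the 8-character password versus longer passphrase distinction follows the terminology table further down.

```python
# Added example (not from the original post): toy PAM vault for a privileged
# mainframe identity. Identities, TTL, approval rule and alphabet are assumed.
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed allowed character set; real ESM password rules differ per site.
ALPHABET = string.ascii_letters + string.digits + "$#@"


def new_credential(kind: str) -> str:
    """Password: at most 8 characters. Passphrase: more than 8 (20 assumed)."""
    length = 8 if kind == "password" else 20
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    requester: str
    expires_at: int        # simulated clock tick at which the checkout lapses


@dataclass
class Vault:
    ttl: int = 60                                          # checkout lifetime
    privileged: Set[str] = field(default_factory=set)      # IDs under PAM control
    credentials: Dict[str, str] = field(default_factory=dict)
    active: Dict[str, Checkout] = field(default_factory=dict)
    audit: List[Tuple] = field(default_factory=list)       # feeds the audit trail

    def enroll(self, mainframe_id: str, kind: str = "passphrase") -> None:
        self.privileged.add(mainframe_id)
        self.credentials[mainframe_id] = new_credential(kind)

    def checkout(self, mainframe_id: str, requester: str, approver: str, now: int) -> str:
        """Release the secret for a limited time after a second person approves."""
        if mainframe_id not in self.privileged:
            raise PermissionError("identity is not managed by the vault")
        if approver == requester:
            raise PermissionError("separation of duty: approver must differ")
        self.expire(now)
        if mainframe_id in self.active:
            raise RuntimeError("credential is already checked out")
        self.active[mainframe_id] = Checkout(requester, now + self.ttl)
        self.audit.append(("checkout", mainframe_id, requester, approver, now))
        return self.credentials[mainframe_id]

    def checkin(self, mainframe_id: str, now: int) -> None:
        """Return the secret; it is rotated so the released value is dead."""
        self.active.pop(mainframe_id)
        self.rotate(mainframe_id, now, "checkin")

    def expire(self, now: int) -> None:
        """Lapsed checkouts are rotated as well, not left hanging."""
        for mid, co in list(self.active.items()):
            if now >= co.expires_at:
                self.active.pop(mid)
                self.rotate(mid, now, "expired")

    def rotate(self, mainframe_id: str, now: int, why: str) -> None:
        kind = "password" if len(self.credentials[mainframe_id]) <= 8 else "passphrase"
        self.credentials[mainframe_id] = new_credential(kind)
        self.audit.append(("rotate", mainframe_id, why, now))
```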
Distributed and Mainframe Platform Use Cases Are Similar
When it comes to security and IAM for distributed and mainframe platforms, even though the platforms are different, the use cases and outcomes are similar – security leaders and practitioners can start to understand and map the IAM and security needs for the mainframe and realize the business needs are no different than what is required in the distributed world. When you think of the distributed IAM world, the mainframe IAM world has a similar representation, with similar products. So, the next time you think of IBM Verify or Okta, you can equally think of ACF2 or Top Secret and the like across the security use case needs.
In a later blog, we will demystify the terminology between distributed IAM and mainframe IAM. A few examples of what this entails:
Artifact | Distributed term | ACF2 term | Top Secret (TSS) term | RACF term |
Tool names | Access management tool | External security managers (ESM) | External security managers (ESM) | External security managers (ESM) |
User/identity/machine | User = user identity Machine = machine identity (api client, webhook, OIDC client, etc.) | Logon ID (LID) LID can be a user or a machine/service | Accessor ID (ACID) ACID can be a user or machine/service | User ID |
Resource protocol / framework calls | OpenID Connect, SAML, FIDO2, etc. | System authorization facility (SAF) | System authorization facility (SAF) | System authorization facility (SAF) |
User credential (secret) | Password | Password (8-character limit) Passphrase (to support more than 8 characters) | Password (8-character limit) Passphrase (to support more than 8 characters) | Password (8-character limit) Passphrase (to support more than 8 characters) |
Password criteria | Password policy | Global system options (GSO) password record | Password options in TSS SECFILE | SETROPTS Password Options or password exit |
One-time, unique code | One time password (Email OTP, SMS OTP, etc.) | Passticket (8-character code to replace password) Additionally, SMS and Email OTP can be supported with Advanced Authentication Mainframe, as an example. | Passticket (8-character code to replace password) Additionally, SMS and Email OTP can be supported with Advanced Authentication Mainframe, as an example. | Passticket (8-character code to replace password) Additionally, SMS and Email OTP can be supported with Advanced Authentication Mainframe, as an example. |
Multi factor authentication | Multi factor authentication via methods such as Email OTP, SMS OTP, TOTP, biometrics, user push, magic link QRcode, passkey, and more. | Multi factor authentication via methods such as Email OTP, SMS OTP, TOTP, biometrics, user push, and more. This is enabled by Advanced Authentication Mainframe, as an example. | Multi factor authentication via methods such as Email OTP, SMS OTP, TOTP, biometrics, user push, and more. This is enabled by Advanced Authentication Mainframe, as an example. | Multi factor authentication via methods such as Email OTP, SMS OTP, TOTP, biometrics, user push, and more. This is enabled by Advanced Authentication Mainframe, as an example. |
Access policies | Access policies (Initial access to applications, etc.) Fine grain authorization/entitlement (write, read, delete, etc.) within resources that user must satisfy to get access/authorization | Resource rules (programs, commands, and other artifacts that are not data sets) Data set rules (strict access to data sets, which are like files) Access is granted to LIDs via their User Identification (UID) string or a ROLE. | Resource rules (programs, commands, and other artifacts that are not data sets) Data set rules (strict access to data sets, which are like files) Access is granted to ACIDs via access to a PROFILE, which holds a collection of access. | Resource rules (programs, commands, and other artifacts that are not data sets) Data set rules (strict access to data sets, which are like files) Access is granted to User IDs via GROUP membership. |
Logs / audits | Log or audit records | System management facility (SMF) records | System management facility (SMF) records | System management facility (SMF) records |
User launchpad to list all applications and login across applications | User launchpad or end user dashboard | Session managers (ex: TPX) | Session managers (ex: TPX) | Session managers |
Directory, identity store | LDAP, Active Directory, Cloud Directories, etc. | Virtual Storage Access Method and Basic Direct Access Method Databases | Virtual Storage Access Method and Basic Direct Access Method Databases | Virtual Storage Access Method and Basic Direct Access Method Databases |
For questions, comments, or even suggestions on the similarities and differences between distributed IAM and mainframe IAM, you can reach out to me, milan.patel@broadcom.com or find me on LinkedIn.