Managing Compliance with Ease on IBM Z
Simplifying and automating the compliance process.
In recent years, regulatory compliance requirements have been changing rapidly across business functions all over the world. Satisfying those requirements is a moving target; deviating from them can compromise critical information and data, damage reputations, and bring hefty fines to enterprises. IBM Z® is a premium platform at the forefront of cybersecurity and of protecting mission-critical data and applications. A range of technologies, from Pervasive Encryption to Hyper Protect Data Controller, demonstrates the strength and importance of security on IBM Z. Now, with IBM z16®, demonstrating regulatory compliance posture is much easier with a new compliance solution called the IBM Z Security and Compliance Center.
The IBM Z Security and Compliance Center (ZSCC)
The IBM Z Security and Compliance Center (ZSCC) is an offering available on IBM z16 that automates the collection and validation of IBM Z software and hardware configurations against regulatory and cybersecurity controls. It is a set of container-based microservices with analytics capabilities that give detailed insight into compliance posture and drift. IBM has mapped technical capabilities to regulatory and security frameworks, which reinforces current practice by interpreting the regulatory requirements with guidelines from IBM Z. Insights about compliance deviations, scores, and details of the different scans are presented in a modern dashboard.
Figure 1: How posture management components work together
Key terminology for ZSCC
The IBM Z Security and Compliance Center uses the following key terminology:
A goal is a specific technical check that can be run on data to produce a result such as pass/fail. For example, a goal might be to check whether only authorized users can access Db2® from CICS®.
A control is a group of goals around a common theme that typically maps to a defined rule.
A profile is a group of controls that are matched to an applicable regulatory or security framework.
Figure 2: A regulatory profile mapping in IBM Z Security and Compliance Center
Figure 3: A goal detail page in IBM Z Security and Compliance Center
All about scopes in ZSCC
A scope is an abstraction in ZSCC. It refers either to a set of systems that share a common requirement to scan against or to a set of systems located in a similar environment. In ZSCC, any operation related to compliance scans can be performed only on defined scopes. A ZSCC user with the appropriate roles can create scopes and manage the compliance posture of the systems under each scope. A scope gathers its inventory of systems through ZSCC's Auto Discovery functionality; the inventory consists of sysplex information in the case of z/OS® or of Linux® virtual machines in the case of Linux on IBM Z.
Figure 4: Scope view
The IBM Z Security and Compliance Center automates compliance scans on a defined scope and provides insights on the posture of your systems. A posture is a set of scan results evaluated against a regulatory or cybersecurity policy. Validation can be run over historical facts or at a point in time, which yields near real-time compliance scores.
Figure 5: Fact collection view
Figure 6: Posture view
Figure 7: Drift view
Bring your own custom profiles
ZSCC validation is based on predefined profiles or on custom profiles. With ZSCC, you can build custom profiles by selecting any subset of goals from the goal library of 300+ goals (as of 1H22), which gives flexibility to define controls and goals according to enterprise requirements. Custom profiles can also be exported as .xls or .pdf.
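To make the goal/control/profile hierarchy, scoped scans, posture scores and drift concrete, here is an added Python sketch of such a model. It is not ZSCC code and nothing in it is the product's API: the class and function names (Goal, Control, Profile, Scope, run_scan, compute_drift), the goal ids, the fact keys and the two-system inventory are all constructed for the example. It also goes slightly beyond the text by treating a goal whose facts were never collected as a failure rather than a pass, which is the conservative choice for a compliance score.

```python
"""Toy posture-management model: goals grouped into controls, controls into
profiles, scans run over a scope's inventory, and drift between two scans.
Added illustration, not ZSCC code; all names, ids and facts are constructed."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]  # configuration facts collected from one system


@dataclass(frozen=True)
class Goal:
    """One technical check that turns collected facts into pass/fail."""
    id: str
    description: str
    check: Callable[[Facts], bool]


@dataclass(frozen=True)
class Control:
    """A group of goals around a common theme (typically one rule)."""
    id: str
    goals: Tuple[Goal, ...]


@dataclass(frozen=True)
class Profile:
    """A group of controls matched to a regulatory or security framework."""
    name: str
    controls: Tuple[Control, ...]


@dataclass
class Scope:
    """A set of systems scanned together; inventory maps system name -> facts."""
    name: str
    inventory: Dict[str, Facts]


# Hypothetical goal library; the fact keys are invented for the example.
GOAL_LIBRARY: Dict[str, Goal] = {
    "G-001": Goal("G-001", "Only authorized users access Db2 from CICS",
                  lambda f: set(f["cics_db2_users"]) <= set(f["authorized_db2_users"])),
    "G-002": Goal("G-002", "Data set encryption is enabled",
                  lambda f: f["dataset_encryption"] == "enabled"),
    "G-003": Goal("G-003", "Minimum TLS version is 1.2 or higher",
                  lambda f: float(f["tls_min_version"]) >= 1.2),
    "G-004": Goal("G-004", "Password change interval is at most 90 days",
                  lambda f: int(f["password_interval_days"]) <= 90),
}

# Constructed inventory for a two-system scope (SYS1 compliant, SYS2 not).
INVENTORY: Dict[str, Facts] = {
    "SYS1": {"cics_db2_users": ["ALICE", "BOB"], "authorized_db2_users": ["ALICE", "BOB", "CAROL"],
             "dataset_encryption": "enabled", "tls_min_version": "1.2", "password_interval_days": 60},
    "SYS2": {"cics_db2_users": ["DAVE", "EVE"], "authorized_db2_users": ["DAVE"],
             "dataset_encryption": "disabled", "tls_min_version": "1.2", "password_interval_days": 180},
}


def build_custom_profile(name: str, library: Dict[str, Goal],
                         selection: Dict[str, List[str]]) -> Profile:
    """Custom profile from any subset of the library: control id -> goal ids."""
    return Profile(name, tuple(Control(cid, tuple(library[g] for g in gids))
                               for cid, gids in selection.items()))


def evaluate_goal(goal: Goal, facts: Facts) -> bool:
    """A goal whose facts are missing or malformed cannot be shown compliant."""
    try:
        return bool(goal.check(facts))
    except (KeyError, TypeError, ValueError):
        return False


def run_scan(profile: Profile, scope: Scope) -> Dict[str, Dict[str, bool]]:
    """Evaluate every goal of the profile on every system in the scope."""
    return {system: {goal.id: evaluate_goal(goal, facts)
                     for control in profile.controls for goal in control.goals}
            for system, facts in scope.inventory.items()}


def posture_score(results: Dict[str, Dict[str, bool]]) -> float:
    """Percentage of goal evaluations that passed across the whole scope."""
    total = sum(len(r) for r in results.values())
    passed = sum(sum(r.values()) for r in results.values())
    return round(100.0 * passed / total, 1) if total else 0.0


def control_summary(profile: Profile, results) -> Dict[str, Tuple[int, int]]:
    """Per-control (passed, total) counts across all scanned systems."""
    summary = {}
    for control in profile.controls:
        evaluations = [r[g.id] for r in results.values() for g in control.goals]
        summary[control.id] = (sum(evaluations), len(evaluations))
    return summary


def compute_drift(previous, current) -> Dict[str, Dict[str, Tuple]]:
    """Goals whose result changed between scans: system -> goal -> (old, new).
    A system absent from the earlier scan shows old == None."""
    drift = {}
    for system, now in current.items():
        before = previous.get(system, {})
        changed = {gid: (before.get(gid), ok) for gid, ok in now.items() if before.get(gid) != ok}
        if changed:
            drift[system] = changed
    return drift


def demo():
    profile = build_custom_profile("Sample framework", GOAL_LIBRARY,
                                   {"AC-1": ["G-001", "G-004"], "DP-1": ["G-002", "G-003"]})
    first = run_scan(profile, Scope("prod-sysplex", INVENTORY))
    # Remediate SYS2 and introduce a regression on SYS1, then rescan.
    later = copy.deepcopy(INVENTORY)
    later["SYS2"]["authorized_db2_users"].append("EVE")
    later["SYS2"]["dataset_encryption"] = "enabled"
    later["SYS1"]["tls_min_version"] = "1.0"
    second = run_scan(profile, Scope("prod-sysplex", later))
    return profile, first, second, compute_drift(first, second)


if __name__ == "__main__":
    profile, first, second, drift = demo()
    print("score before/after:", posture_score(first), posture_score(second))
    print("per-control:", control_summary(profile, second))
    print("drift:", drift)
```

The two scans in `demo` show why drift matters as much as the score: the overall score rises from 62.5 to 75.0, yet the drift report separates the two remediated goals on SYS2 from the TLS regression on SYS1, which a score alone would hide.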
The IBM Z Security and Compliance Center can help your enterprise in automating compliance and will play a crucial role in your audit preparation and day-to-day compliance process.
About the authors
Jessica Doherty is the IBM Z Principal Security Product Manager, with 19 years of experience in IBM Z. She is known for driving brand growth and maximizing operational excellence. Jessica has experience working across organization boundaries to successfully achieve the desired outcome and is currently the overall Product Manager, leading the strategy for security on IBM Z.
Matthew Meck is the Product Manager for the IBM Z Security and Compliance Center and helps drive other products in the Security portfolio. These projects require cross-divisional strategic partnerships with Security, Cloud, Research, and IBM Z. Matt started with IBM on the AI and Analytics team, where he helped prepare for the transition of DB2AA workloads to the LinuxONE platform, which helped optimize Db2 transactional performance. Matt has his MBA from SUNY New Paltz in the Hudson River Valley area, which he is happy to call home. In his free time, Matt enjoys planning for his wedding, hiking, skiing, and taking care of his two yellow labs.
Pradeep Parameshwaran is the Lead Architect for Security & Compliance on IBM Z & LinuxONE. Currently he leads a global team of developers working on compliance aspects of IBM Z and owns the Product Design and Architecture of IBM Z SCC. Previously, he was a Security Architect with Hyper Protect Services on IBM Cloud. He started his career at IBM as a software developer for z/VM. Pradeep holds an MS degree in Computer Hardware and Software Engineering from the University of Stuttgart, Germany.
Frank Bellacicco contributed to the editorial review.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.