Zero-Trust Network Access on IBM z/OS: Applying BeyondCorp Principles to Mainframe Perimeter Architecture
DOI:
https://doi.org/10.70917/ijcisim-2026-2915Keywords:
Zero-Trust Network Access, IBM z/OS Security, BeyondCorp Architecture, Mainframe Perimeter Security, RACF Access Control, z/OS Connect API SecurityAbstract
Traditional perimeters for IBM z/OS depend on trusted zones, virtual private networks (VPNs), firewalls, and security assumptions that are static in nature. Hybrid cloud integration, z/OS Connect APIs, z/OSMF administration, and DevSecOps pipelines, however, have expanded the IBM z/OS attack surface. In this study, a conceptual Zero-Trust-Network-Access approach for IBM z/OS, including BeyondCorp and incorporating it into the mainframe perimeter architecture, is proposed. The design process adopted a mixed-method approach, dominated by qualitative methods such as document analysis, control mapping, gap analysis, architecture synthesis, and expert review. Evidence comprised practitioner, technical, academic, and standards documents, complemented by a purposive selection of key practitioner, technical, and standards documents and selected key mainframe security, IAM, and network security professionals. BeyondCorp principles could be applied to six z/OS security domains: identity verification, device posture, encrypted transport, session authorization, API mediation, and monitoring. RACF, SAF, MFA, AT-TLS, z/OSMF, z/OS Connect, SMF records, and SIEM integration provide strong foundations, while device posture scoring and adaptive access remain weak areas. The study provides a multi-layered modernization model that enables access to the mainframe while improving existing z/OS controls. The framework should be validated in future research through production-like tests that measure measurable latency, compliance, reliability, and risk-reduction parameters in enterprises.