zSecure Licensing: Metrics, Costs, Renewal Levers.

IBM Security zSecure is a suite of mainframe security and compliance tools that administer and audit the External Security Managers on IBM Z, namely RACF, ACF2, and Top Secret. The suite spans administration, automated audit and compliance reporting, real time alerting, and command verification. It does not replace the security manager, it sits over it to make administration faster and to evidence compliance. Because it is priced against the capacity it protects, its cost tracks the size of the z/OS estate, not its own footprint.

zSecure is licensed under IBM's International Program License Agreement, or IPLA, not the Monthly License Charge model. That means a one time charge for the license plus an annual Subscription and Support stream that is the part you renew. Capacity is measured in MSU and converted to Value Units through the applicable Value Unit Exhibit, where the per MSU rate falls as capacity rises. Where sub-capacity terms apply, the basis can be the sub-capacity MSU rather than full machine capacity.

Directional summary. The exact Value Unit Exhibit and capacity basis depend on machine model and contract terms.

Three drivers set the zSecure number. The licensed MSU capacity, because the Value Unit charge is converted from the capacity the suite is entitled against, which usually tracks the protected z/OS environment rather than zSecure's own workload. The component set, because Admin, Audit, Alert, Visual, Command Verifier, and the CICS and adapter pieces are entitled separately, so scope creep across modules lifts the bill quietly. And the annual Subscription and Support stream, which compounds year over year and is the line that actually shows up at every renewal even though the license was a one time charge.

The recurring traps are structural. Licensing against full machine capacity when a sub-capacity basis would apply, which can overstate the Value Units materially on a large frame. Capacity growth from a hardware refresh that is never rebaselined, so the entitlement quietly inflates with the box. And component sprawl, where Audit, Alert, or Command Verifier get switched on beyond the entitled set. Because IPLA capacity is a stated figure rather than a metered monthly peak, an estate that has consolidated or shrunk often keeps paying for Value Units it no longer uses, and only a review surfaces it.

The structural lever is the capacity basis: rebaseline the licensed MSU and Value Units against the capacity zSecure actually protects today, and move to a sub-capacity basis where eligible. The scope lever is component consolidation, paying only for the modules in genuine use. The contract levers are a cap on the annual Subscription and Support uplift and aligning the renewal term with the wider IBM negotiation, so the security suite is one lever in a larger deal rather than an isolated renewal the vendor controls. Credible third party RACF administration and compliance tools exist, and naming a real alternative is itself leverage even when migration is not the plan. This is the buyer side work we do on IBM cost optimization.

Publisher hub: IBM mainframe licensing. Related products: z/OS licensing and z/VM licensing. Related metric: MSU explained. Put it to work: IBM cost optimization.