Is Your Mainframe an Unguarded Fortress?
Why too many organizations fail to implement adequate security measures on their mainframe operations and how to effectively guard your IBM Z
Imagine the mainframe is a fortress, surrounded by a moat. It’s impenetrable. No invaders could possibly breach its defenses!
At one time, pre-internet, that was a pretty good metaphor. “Back in the 60s and 70s, there was no internet so no one could connect to the mainframe,” says Carle “Chip” Mason III, director of product management, mainframe security, CA Technologies, a Broadcom company. “You had to pay the phone company to run a wire to connect. You knew who was connected to your network, and you had really good access control.”
Continuing with the impenetrable fortress metaphor, the internet is the equivalent of a dried-up moat, and each connection is a door into the fortress. The fortress is riddled with doors, and in far too many enterprises, many of the entrances are unguarded.
“Assume the bad guys are in your network and through your firewall, and they are accessing your network with whatever credentials they can steal,” says Ray Overby, chief technology officer and co-founder, Key Resources, Inc. Overby notes that with each new connection, any given network is less secure. “People just assume the mainframe is secure, but I could get into it using my refrigerator.”
Balancing Convenience and Security
The idea that an organization could suffer a breach through a kitchen appliance seems, at first blush, laughable. On closer inspection, it seems more like a nightmare than a joke. Happily, securing IBM Z servers is really no different from securing anything else. Most enterprises already know what needs to be done, because they implement security protocols for cloud applications. “You can’t have 70s thinking and 70s security practices in the 2020s,” says Mason. “You have to think about how you’re guarding your fortress.”
Some of the most basic security practices, such as user behavior monitoring, two-factor authentication, proper configuration and due diligence, are overlooked when it comes to the mainframe, even when they’re used elsewhere in the enterprise. This is partly because of the notion that the fortress is impenetrable, but also because a single drawbridge across the moat means you have to walk all the way around the castle. It’s inconvenient.
Organizations must balance convenience and security. “It’s entirely possible to manage mainframe so that it’s vulnerable to everything. It’s equally possible to make it totally impenetrable,” says Mason.
The trade-off between convenience and security holds true regardless of what part of a company’s operation is being secured. Finding the balance is the key.
“Part of my job is making people understand risk,” says Overby, noting that cutting security to improve convenience creates risk. “It’s OK to do risky things, but you should understand the consequences. Then, if things go sideways, you know.”
Most people are unaware of how often they unknowingly use the mainframe, but they do know when their trust is violated. For example, an average customer may not know that their bank deposits are processed on IBM Z, but they won’t hesitate to take their business elsewhere if there’s a breach at their bank.
In the 1980s, AT&T experienced an outage. “One day out of 40 years, and everyone suddenly hated them,” says Mason, making the point that customers don’t care about how companies make things work; they just expect the services they pay for to function. The same is true with security. Customers simply assume their personal information is kept secure by their bank, their doctor’s office, their credit card company and anywhere else they do business. When organizations don’t keep that information secure, Mason says, they risk violating the customer’s trust.
Educating Executives on Mainframe Security
Both Overby and Mason say one problem is that often, people who are in positions to make decisions that impact the security of the enterprise don’t have a background that includes a deep understanding of the mainframe. “Part of the reason is that people think of the mainframe as legacy. ‘It’s legacy, we’re not going to spend money on it, we’ve stabilized it, or whatever,’ ” Mason says. “But what they don’t realize is that it’s running a lot of their business, housing a lot of their data and it isn’t going away, even though they also have Windows and other things.”
Broadcom, Mason’s company, is working to educate executives regarding the risks of not securing the mainframe. “The enterprise is every platform you depend on,” Mason says. “You need to consider them all and make sure they are being secured, according to the scope of risk and the content they contain.”
Overby’s company, Key Resources, helps organizations identify mainframe vulnerabilities that would allow a user to bypass the security controls through an exploit. “While you probably won’t ever see us mentioned on a 5 o’clock news report, we find these things all the time,” he says, adding that although the company can’t advertise its successes, “people are starting to see that the mainframe is vulnerable if the rules aren’t followed.”
Locking the Mainframe Fortress Doors
Implementing basic security measures across the enterprise is a good first step for any organization looking to secure their fortress, but additional methods exist to improve the security of IBM Z.
Overby recently taught a class on security and listed what a mainframe security architect should do on a day-to-day basis. Someone in the class said that he was struggling to get his bosses to approve hiring a mainframe architect part-time, because they didn’t think there was enough work to keep even a part-time employee busy.
“How could you not have someone in there looking after your business?” asks Overby, recalling the incident. “They needed to hire a mainframe security architect, and they needed to make sure he was in the right place on the organizational chart.” A person who is tasked with making change, such as a mainframe security architect, needs to have the power to bring about that change. Companies need to have someone there every day whose job is “to secure and manage, and not compromise,” says Overby.
“In most any kind of executive position, there are those who are managing and those who are doing,” says Mason. “I don’t expect a CEO or manager of engineering to be the one pushing the buttons on the mainframe.” However, he does think that having those people on staff is critical.
Broadcom hires people who want to be mainframe experts through the Mainframe Vitality Program. Once people graduate from the program, they go to work within Broadcom, then are made available to customers to hire as mainframe experts. Customers can also send employees for the training. “We also do workshops with customers at a lower level, and invite a broad spectrum of folks from executives to technicians, and take them through mainframe security,” says Mason.
Enterprise security is not a new concept, and although applying security protocols to the mainframe may take some adjustments and require a budget, the result is well worth the effort and expense. Simply locking all of the doors could prevent the fortress from being plundered.