Skip to main content

Mainframe Security in the Age of AI

In theory, mainframe security should be easy—mainframes use RACF or similar products to control who can do what. However, security has never really been that easy, and today it definitely isn’t easy at all.

The Challenges of Modern Mainframe Security

First, mainframes aren’t little islands of computer processing anymore. They are intimately connected to the cloud, to mobile and to web-based applications. APIs (application programming interfaces) can be used to connect parts of mainframe applications to parts of other applications on any number of other platforms to create new and easily usable applications. In effect, that means there is no longer a metaphorical castle wall and a moat wrapped round your mainframe applications and data; there is just a sponge holding everything in place. And, by its very nature, that metaphorical sponge is full of holes.

So, what’s the solution? You can try to get every activity to send a message to SIEM (security information and event management) software, which could be running off the mainframe. That could pick up messages from the mainframe and the other platforms you’re using—all the security team need to do is to watch out for any unusual messages and then immediately take steps to deal with the security breach. After all, you have SMF (system management facility) running on the mainframe. It will be very easy to find where the problem occurred on the mainframe from that, won’t it?

The trouble is that with so many messages coming to the SIEM, it’s very easy for someone from the security team to miss the important message. And, as anyone who has had to search through SMF data knows, finding the right bit of information can take time.

What else can you do? FIM (file integrity monitoring) software is a useful solution to the problem.  Mainframe-based file integrity monitoring (FIM) software can keep a checksum in a virtual secure vault so that it can tell if data, parameter files or applications have been altered. If that alteration was planned by onsite staff, it can be told not to set off alarms. Otherwise, security staff are alerted that a ransom attack or other data breach has occurred. And it can take steps to remediate the situation. FIM software can suspend users, quarantine files or whatever is needed to secure the system. It can also check the backups are OK, create the appropriate restore job and verify that the restored file itself is uncorrupted.

AI-Driven Security Solutions

If you’re not using FIM software on mainframes and other platforms, what else can you do? You could use artificial intelligence (AI) software and natural language processing (NLP). One thing that AI is very good at is identifying patterns, or things that don’t fit an expected pattern. It has been used in medicine to identify the earliest signs of disease, like Parkinson’s.

Off the mainframe, Microsoft, Azure OpenAI and a company called Rubrik are working together to offer a “truly actionable use of AI” to reduce the time required to investigate and determine responses to cyber events, ultimately providing an overall boost in cyber resilience. In a press release, Rubrik Zero Labs reported that only 56% of IT and security leaders developed or reviewed an incident response plan in 2022, although security teams get hundreds or thousands of alerts each day that take hours to sort through and prioritize. By using AI, Rubrik hopes that IT security teams will be able to identify and stop attacks faster than ever before.

IBM now has IBM Security QRadar SIEM as a service on AWS. QRadar SIEM, which uses AI and network and user behaviour analytics with built-in threat intelligence, federated search and case management to provide analysts with more accurate, contextualized and prioritized alerts.

In addition, the Telum chip used in the z16 mainframes can analyze transactions at near real-time speeds to identify potential frauds in financial and healthcare transactions. It can do this because it has an AI accelerator built onto the silicon of the chip and all of the cores.

IBM also tells us that users can bring TensorFlow models trained anywhere and deploy them close to their business-critical applications on IBM Z, leveraging IBM Integrated Accelerator for AI seamlessly. Users can also access a library of relevant open-source software to support AI and machine learning (ML) workloads with the Python AI toolkit. Users can compile popular compatible AI models into onnx format and run them on IBM Z with minimal dependencies, also leveraging IBM Integrated Accelerator for AI seamlessly.

Then there are mainframe organizations that are using AI to identify other patterns in the data generated from these online activities. They are combining AI and operations to give AIOps.

Due in the third quarter, Version 3.1 of z/OS will support technologies intended to enable deployment of AI workloads co-located with z/OS applications.

The Importance of Mainframe Security

What I’m saying here is that the mainframe is all over AI and ML, not just for security.

But the security use case is vital. Corporate data is important, and its loss can be catastrophic for the reputation of the affected company. Plus, a data breach can be very costly, whether a company pays the ransom or not. In addition, now that everyone has had a play with ChatGPT and other AI engines, we can predict with nearly 100% certainty that the bad actors out there are looking at AI as a way of accessing the computing platforms at large and small organizations. Once they get into one device, maybe an edge computing device, they can get into the main servers and then work their way up and down the supply chain until they access your mainframe. Or they may target the shadow IT at an organization and begin the process that way. Whatever method they use, if the black hats are using AI, then mainframe security teams need to be using AI and ML countermeasures.