IT Focus Area: infrastructure operations
September 8, 2021
Securing the Mainframe in the Age of Digital Transformation
Unlike the early days of digital transformation when the mainframe was often relegated to traditional roles such as transaction processing and large databases, IBM Z is now woven into the fabric of mobile, social and multicloud computing. The platform provides the massive processing power required for modern, resource-intensive workloads like blockchain, AI and big data, as well as unmatched features for security and control.
This changing nature of the mainframe’s role in wider enterprise computing means the platform is more exposed than ever. A vanishing perimeter and the continuing explosive growth of cloud-based applications and mobile devices are blurring old boundaries around organizations and networks—and between platforms.
While business applications now increasingly run in distributed, multiplatform environments, most of those applications still need access to core business data, and an estimated 65 to 70% of the world's total business workload still resides on a mainframe.
As a result, modern mainframe servers are increasingly:
- Connected to the Internet, serving data to customer-facing applications running on distributed systems.
- Performing more back-office workloads such as reconciliation and nightly batch processing for distributed systems.
- Executing more customer-facing applications directly on the platform (e.g., web servers and services, and heavy-duty Java-based workloads).
- “Opening the doors” to an ever-expanding array of end-user and Internet of Things (IoT) devices running software that is rarely updated and is therefore easy to compromise.
- Running open-source applications to get business products to market faster, and relying on staff who are proficient in open-source tools and methods but less familiar than veteran administrators with mainframe-specific tools, applications and security features.
The most securable platform, in an increasingly insecure world
IBM Z mainframes are the most securable standalone computing platform available, to the point that their security is often taken for granted. But all of IBM’s systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures and may require other systems, products or services to achieve the highest possible security posture.
That’s because the greatest vulnerabilities aren’t in the systems or applications themselves, but in the people who have access to them.
Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like, and attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted, using social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past can fail to protect against these new classes of attacks. The result is increasingly severe security breaches happening more and more frequently.
As bad actors target individuals in an attempt to steal system logins and credentials, the mainframe is simply another server to be attacked.
This should be of serious concern, for three very important reasons:
- Around 80% of the world’s business-critical data resides on mainframe systems, and more commercial transactions are processed on mainframes than on any other platform.
- In today’s world, the mainframe seldom operates in a standalone environment, and must be viewed in the context of enterprise security as a whole. It is in this broader context that the mainframe takes on a whole new set of vulnerabilities.
- The mainframe is a complex platform, and its built-in security features are not always implemented as designed.
Now more than ever, securing businesses and government agencies—particularly those in highly regulated spaces—means anticipating, detecting and responding to threats to mission-critical data and applications across all the platforms that they touch. Failure to protect data can result in vulnerabilities, audit failures, loss of reputation, system shutdowns, security breaches, legal culpability, and financial liability.
As the traditional network perimeter around the data center permanently dissolves, attackers are seizing on the gaps, vulnerabilities and weaknesses generated by the struggle of enterprise security teams to manage data security across complex hybrid and multicloud environments.
Likewise, data security tools for discovering, classifying, monitoring and protecting sensitive data are often designed for specific environments and narrow use cases. As a result, security teams are overwhelmed with limited data security visibility, fragmented compliance reporting, and disjointed workflows across their on-premises and cloud-hosted data stores.
Breaches can usually be tied back to one of four areas: people, data, applications, and infrastructure.
A holistic enterprise security strategy must focus on standardized countermeasures for all four of these, and the tools available to enforce them. Leveraging security and resiliency features built into the IBM Z platform—as well as complementary tools from IBM and third parties—is critical to protecting the “family jewels”: your mainframe, and the precious data and applications that reside on it.
4 countermeasures to secure the mainframe
- Identify: Identity is the foundation of deciding who gets in. User names are typically email addresses or follow a predictable naming convention, so they are effectively public, and passwords are reused, guessed and phished easily enough that they are a relatively simple point of attack for hackers to exploit.
A robust identity and access management (IAM) strategy and toolset is essential to this first line of defense. Organizations must enforce strict password controls, provide user education, and implement IAM tools that will simplify security procedures for end-users (so they’re not tempted to side-step them) while making penetration much more difficult for bad actors.
A least-privilege strategy grants access to data only to the minimum necessary number of individuals, and only to the extent their role requires, while actions like redacting, masking and blocking access to data can be executed when risks are identified.
- Authenticate: Now that the user has stated their identity, the system must prove it. This is where multifactor authentication (MFA) comes in.
The proof requires a response to a challenge that only the registered user can provide. The factors used for this proof are usually grouped into three categories: something you have (e.g., a registered phone or a hardware token), something you know (e.g., a password, PIN or challenge question), and something you are (e.g., biometrics). A password is itself “something you know,” so MFA means combining it with at least one factor from a different category; two knowledge factors such as a password plus challenge questions do not qualify.
- Encrypt: To ensure the maximum protection of data both at rest and in flight, it must be encrypted in such a way that it is kept private even in the event of a breach. This is more challenging than ever, as data is being accessed across platforms and by users on any number of devices.
On the mainframe, this functionality is provided by pervasive encryption (PE), which encrypts data sets, coupling facility structures and network traffic at the infrastructure level without application changes, and by IBM Hyper Protect Data Controller (formerly IBM Data Privacy Passports), which attaches field-level protection (encryption or masking, governed by a policy that decides which users may see clear values) to sensitive data so that the protection travels with the data wherever it goes, within or even outside the organization.
- Prepare: Exacerbated by changes to the IT landscape related to the pandemic, ransomware has emerged as the most aggressive cybersecurity threat to organizations. Criminals can lock out users and administrators, threaten release of confidential, proprietary or protected data, or steal data or access privileges for financial gain.
A comprehensive cyber-resiliency strategy focused on isolating (air-gapping) critical data and preventing or limiting potential damages is essential to preparing for what is looking more like an inevitability than a risk.
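The “something you have” factor described under Authenticate is most often a time-based one-time password (TOTP, RFC 6238) generated by a registered phone or token. The following is an added example, not code from the original article or from any IBM product: a standard-library Python implementation of the generator and of the server-side check, including the drift window and the replay rejection a practitioner would want. The shared secret is the RFC 6238 Appendix B test secret, so the values can be compared against the RFC; the `window` and `used` parameters are assumptions of this example.

```python
"""TOTP (RFC 6238) generation and verification, standard library only.

Added example, not from the original article or any IBM product.
"""
import hashlib
import hmac
import struct

# Constructed input: the RFC 6238 Appendix B test secret (20 ASCII bytes).
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = 1, used: set | None = None) -> bool:
    """Server-side check (assumed design, not any product's):
    - accept the current step plus `window` steps either side, to tolerate
      clock drift between the token and the server;
    - compare in constant time;
    - if a `used` set is supplied, reject a counter that already succeeded,
      so a captured code cannot be replayed within the window."""
    counter = at // STEP_SECONDS
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            if used is not None:
                if candidate in used:
                    return False
                used.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B (SHA-1 column, truncated to 6 digits): 287082 at T=59
    print(totp(RFC_TEST_SECRET, 59))
    seen: set = set()
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, used=seen))   # True
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, used=seen))   # False: replay
```

The drift window is the usual trade-off: a window of one step means a code is valid for up to 90 seconds, which is why the replay check matters. Real deployments also rate-limit failed attempts per user, since a six-digit code with no lockout is brute-forceable.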
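The Identify item speaks of redacting, masking and blocking data according to least privilege, and the Encrypt item of protection that lets only authorized users see clear values. The following added example (not code from the original article, and not IBM Hyper Protect Data Controller, whose policies and formats it does not reproduce) shows the shape of such a field-level policy in Python: each role gets, per field, either the clear value, a masked form, a keyed pseudonym, a redaction marker, or nothing at all. The roles, field names, policy table, sample record and key are all constructed for the example.

```python
"""Role-based field protection: clear / masked / pseudonymized / redacted / blocked.

Added example, not from the original article or any IBM product.
"""
import hashlib
import hmac

# Constructed policy: field -> {role: treatment}; "*" is the default for any
# role not listed. Least privilege: the default is the most restrictive form.
POLICY = {
    "name":       {"*": "clear"},
    "account_no": {"fraud_analyst": "clear", "marketing": "masked", "*": "blocked"},
    "ssn":        {"compliance": "clear", "fraud_analyst": "pseudonymized", "*": "redacted"},
}

# Constructed pseudonymization key. In practice this lives in a key manager,
# never in source; anyone holding it can link pseudonyms across datasets.
PSEUDONYM_KEY = b"example-key-not-for-production"

REDACTED = "[REDACTED]"


def mask(value: str, keep_last: int = 4) -> str:
    """Show only the trailing digits, as on a card receipt."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: the same input always maps to the same
    token (so records can still be joined), but without the key the token
    reveals nothing. A plain unkeyed hash would be brute-forceable for
    low-entropy fields such as SSNs."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def treatment_for(field: str, role: str) -> str:
    rules = POLICY.get(field)
    if rules is None:
        return "blocked"          # unknown field: fail closed
    return rules.get(role, rules.get("*", "blocked"))


def protect(record: dict, role: str) -> dict:
    """Return the view of `record` that `role` is allowed to see."""
    out = {}
    for field, value in record.items():
        t = treatment_for(field, role)
        if t == "clear":
            out[field] = value
        elif t == "masked":
            out[field] = mask(value)
        elif t == "pseudonymized":
            out[field] = pseudonymize(value)
        elif t == "redacted":
            out[field] = REDACTED
        # "blocked": the field is omitted from the view entirely
    return out


# Constructed sample record.
SAMPLE = {"name": "A. Example", "account_no": "4000123412345678", "ssn": "123-45-6789"}

if __name__ == "__main__":
    for role in ("compliance", "fraud_analyst", "marketing", "helpdesk"):
        print(role, protect(SAMPLE, role))
```

The policy table is the part that would normally be external and auditable; the useful property of the code is that every path not explicitly granted ends in the most restrictive treatment, including fields the policy has never heard of.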
Build a resilient security strategy today
Without a comprehensive data security strategy, security teams lack an efficient way to assess their organization’s data security and compliance posture. Insufficient assessments, which can be exacerbated by the assessor being too close to or too fully invested in the existing infrastructure, often result in an inability to prioritize investigation and response activities effectively. The participation of an independent resource with extensive expertise in securing platforms, applications, data, networking and storage is essential to protecting your organization, its infrastructure and its data from threats that are now all but inevitable.
Interested in hearing more from Sirius Cyber Security Architect Julie Bergh? Registration is now open for our upcoming webinar on Tuesday, October 5.