Posted by Sebastian DEWAR
April 28, 2021
1 000 reasons why your mainframe isn’t as secure as you think
Well, not really; in our opinion, here are the top 4.
When companies think about their mainframe, they often do so with the assumption that it is an inherently secure environment. The recent rise of ransomware and cyberattacks seems to be a distant threat that cannot affect the mainframe. As such, mainframe security management is often treated as an exception to the company’s general policy.
This is a dangerous practice, becoming increasingly visible as the CISOs put mainframe teams under closer scrutiny. That is why it is imperative that we recognize and work to eliminate this false sense of security. Here are 4 reasons why your mainframe is not as secure as you might think it is.
Security concerns were different when the mainframe first appeared.
30 years ago, the mainframe’s sole connection to the outside world was the SNA network. There was little concern for hackers or cyberattacks at the time since this network was mainly used by large companies over proprietary, obscure, and dedicated nonpublic links.
In the ’90s, as the Internet Protocol (IP) became the standard and was, from the outset, completely open, IBM had to comply and start using this protocol. In '95 TCP/IP was not inherently secure, and security was not a consideration when the mainframe world first implemented it.
Therefore, security concerns for the mainframe are very different today, and, knowing this, IBM offers standard built-in security mechanisms.
However, these security mechanisms are often overlooked. Some companies still have the mindset that the mainframe’s in-built security is good enough (after all, it never failed them in the past). Others may simply lack the human resources with enough expertise to effectively implement these mechanisms. In some cases, system programmers may not have the reflex to use these solutions because they do not instinctively think about security.
The mainframe’s technology is state of the art, but not always used correctly.
We are not criticizing IBM here. To their credit, they have gone to great lengths to make the mainframe as securable as possible. But that is the keyword here: « securable ». In theory, the mainframe’s cryptographic hardware and SSL/TLS layers are more than enough to protect the data effectively.
Even now, mainframe users still get by with only 8-character passwords, even though support for 100-character passphrases has been around for years, and that is without even considering the multitude of MFA solutions available today.
However, like any other computing platform, it’s up to the IT teams to keep the hardware and software up-to-date. Too often, companies don’t pay enough attention to IBM’s OS patches and unknowingly expose themselves to external vulnerabilities. This is a dangerous situation for a company to be in.
The usual reason is that installing an update requires the mainframe to shut down for a few hours. Some companies (especially smaller-scale ones with no cluster solutions) just cannot afford to have their services unavailable for that long. The mainframe is the star of their show and the show must go on.
Mainframe security has been marginalized.
Company security is by design separated from IT operations and especially so with the mainframe. “Z” systems live in a completely different ecosystem with their own rules and customs.
Because security teams would not necessarily have a background in mainframes, they would exclude mainframe teams from security discussions or request changes that were technically impossible to make. Of course, things are changing and security experts can now rely on public mainframe guidance like STIGs or CSRC.
Mainframe teams are used to a certain way of doing things where they are essentially masters of their own domain. It is often seen as an intrusion when a security expert comes and tells them to abide by some new rules. Moreover, mainframe teams have more and more to do with fewer resources even without the extra burden of security management. Unfortunately, this situation reinforces the idea that the mainframe is somehow exempt from company security rules. Thankfully, this divide should be narrowing nowadays.
Third-party mainframe security tools exist but are not well known.
We mentioned before that the standard tools IBM offers require a significant level of knowledge about the platform. This knowledge gap is accentuated when it comes to third-party tools. These providers often have multiple products, which makes it hard to know which one to choose, where to start and how to implement them effectively, even though more and more publishers offer all-in-one software packages to simplify mainframe security. You can check out Vanguard and SDS.
Moreover, it is often hard to find the right mainframe expert, as they do not all have the same experience. Finding a RACF mainframe expert who also has extensive knowledge of cybersecurity, for instance, is no easy task. Once again, the continuing reduction of mainframe skills threatens its long-term viability.
In conclusion, the mainframe is securable, we just have to make it secure. It is not the impenetrable fortress everyone imagines. After all, when you put more doors on a fortress, it becomes that much more vulnerable. In today’s climate of increasingly disruptive ransomware and cyberattacks, it is crucial to put the mainframe at the center of the discussion.
Unfortunately, because of its reputation, companies trust that the mainframe was and always will be secure. But even when companies realize that the mainframe needs more security, they often lack resources (human and financial) and political will to make that change happen.