Whether Santa just brought you a zEnterprise System or your workload is happily humming along on a previous—still very productive and cost-effective—technology generation, the arrival of a new year is always a good time for mainframers to review and renew essential security resolutions.
The most fundamental resolution is to understand that technology represents only part—perhaps less than half—of your infrastructure, network and database vulnerabilities. The other, often neglected, risks arise from human actions and frailties.
A key resolution spanning technology and human issues is to involve the mainframe's top-to-bottom management structure in security awareness, understanding and support. You needn’t tell them about every OS security patch applied, but this does involve educating them on long-time inherent mainframe strengths and on how your overall infrastructure, policies and practices avoid compromising them.
And now, some specific to-do resolutions:
1. Encrypt sensitive information.
It shouldn't be surprising that sensitive, proprietary, valuable and personal information must be encrypted. But the devil—and value—is in the details. Ad hoc self-service encryption is haphazard and error prone, so don’t just rely on a "Thou shalt encrypt" edict. Centralize encryption and key management, and push mandatory encryption to end-point devices wherever data originates, resides or arrives. That’s the only way to avoid problems when laptops, USB drives, smartphones and tablets go astray, and to ensure end-to-end protection of data both at rest and in motion.
2. Track and apply security-related software and hardware patches.
This too should already be standard operating procedure. But ensure you're receiving, centralizing and processing notices and updates/patches from all vendors with a mainframe presence. That is, don’t let the individuals responsible for particular mainframe components black-hole warnings or patches.
3. Defend the perimeter.
As the employee “bring your own technology” (BYOT) trend launches a tidal wave of random gadgets connecting to the mainframe, layered security becomes ever more essential. Like the military strategy medieval castles are based upon, use multiple nested perimeters to resist attack. Centralized measures alone—passwords, encryption, processor features such as storage protection keys and software protections like a resource access control facility (RACF)—aren’t adequate. A malware-contaminated USB drive casually connected to a computer inside the network's protections can launch devastating attacks that damage or destroy resources and compromise data. An unpatched or misconfigured firewall or router can be a welcome mat instead of a raised drawbridge.
4. Monitor, refresh and audit security measures.
The best intentions, technology, policies and practices lose effectiveness if they’re not monitored and refreshed. Too often, measures implemented after a security review fade away as complacency sets in. Periodic informal, internal and external audits can reveal gaps, shortcomings and new areas needing attention. Don't fall into the "us vs. them" mindset regarding auditors; it’s much better to hear bad news from them than from your CEO, the news media or law enforcement.
5. Establish, enforce and review coherent and consistent policies.
The more straightforward employee instructions are, the better they’ll be followed. And keeping them updated to track technology/infrastructure changes ensures they're meaningful and less likely to be ignored. But keep them broad, indicating goals and strategies, rather than describing, for example, the settings on specific device front panels; address these sorts of issues with easier-to-change operational instructions. Don’t muddy long-term strategic policies with transient tactical details.
6. Make security everyone's job.
Start simple and remind people that security matters. This needn’t be heavy-handed or draconian. But it really is everyone’s job to implement and preserve security. In different ways, everyone—application developers, network engineers, system administrators, managers, procurement/contracts staff—should do their jobs with security in mind and immediately report anything that might compromise it.
Don't think that "Be secure!" exhortations suffice. Help staffers learn what their jobs require to support security, and help them understand their activities in the broader enterprise context. This can involve continuing education, certifications, webinars, user groups, professional societies, etc. A stellar information protection and IT security resource is InfraGard.