IBM Destination Z - Group home

Rethinking Mainframe Security

By Destination Z posted Mon December 23, 2019 03:43 PM


IBM continues to tout the mainframe as the most secure platform, hands down. And it’s right: Reports of security breaches on System z are rare, and when they do occur, the breach can usually be traced back to an authorized insider who deliberately or unwittingly compromised access. The security breach was a human failure, not a machine failure. The mainframe remains what it always has been—seemingly unassailable from a security standpoint.

Or is it? As recently as two years ago, IBM managers were signaling new threats that might force rethinking of mainframe security. As part of a 2011 briefing, a Tivoli manager noted, “new security threats, from both internal and external sources continue to make security management a difficult undertaking.”

Yes, many organizations still run their most critical applications on mainframes because of its reputation as the most secure platform in the enterprise. Users can utilize mainframes to centralize operations with shared data to enable secure collaboration. Others have consolidated multiple disparate systems on mainframes, often as a result of mergers and acquisitions or for operational efficiency and security. The resulting scope and complexity of security operations on the mainframe, the Tivoli manager continued, requires state-of-the-art security policy capabilities coupled with automated analysis and compliance reporting, in order to stay ahead of new threats.

The mainframe’s rock-solid security rests on its powerful authentication and authorization capabilities as delivered by RACF and ACF2. But now the threats are beyond the direct control of the mainframe.

For example, reporting at IBM Pulse 2013, Vikram Gulati, market manager, Tivoli and Cloud on System z, said, “several customers reported that they are now moving their mission-critical enterprise workloads to the cloud, and they are looking for an infrastructure that can provide high levels of reliability, availability, security and scalability.” Sounds a lot like the System z platform.

And the security issue came up again this past summer at the SHARE Boston conference when one session described a new mainframe security maturity model to face this growing and evolving set of threats. The Internet has become “a highway into the enterprise that didn’t exist 20 years ago,” said Vanguard Chief Strategy Officer Paul de Graaff.

To start, mainframe data centers aren’t just facing the usual hackers and other troublemakers. Today, threats are coming from terrorists, state-sponsored hackers and organized crime. Even the hackers have changed; many are driven to be misguided Robin Hoods. Malicious insiders have changed, too. Oftentimes, they are looking to profit from your data, not just vandalize it. Each raises the threat level.

And the nature of the threats has changed. Advanced persistent threats (APT) subtly embed themselves into the hidden workings of the system while unobtrusively culling information from it and avoiding efforts at detection by altering logs and erasing their tracks.

Basic security strategy, a layered approach, remains solid but should be refocused in view of different types of attacks from a new generation of sophisticated attackers operating within an expanded threat landscape. Previous mainframe managers never had to consider mobile users or the possibility of devices containing sensitive data and login details falling into unknown hands.

The traditional layered approach—protection, detection, correction—hasn’t changed, but in 2013 Data Breach Investigations Report from Verizon, the authors suggested sharpening the focus for better and faster detection. Of course, they want you to do this without deemphasizing the other layers.

A new mainframe security model based on security intelligence was introduced at SHARE Boston by Vanguard. The four-step model starts with identity and access management, and progresses through operational excellence, policy enforcement and risk analysis.

Step 1 addresses identity and access management (I&AM). All mainframe data centers do this. It suggests a new I&AM framework with role-based access models.

Step 2, dubbed operational excellence, calls for a security operations monitoring framework that effectively monitors the z/OS environment for intrusions and misuse of resources. Again, you are probably doing this already.

Step 3, policy enforcement, defines a security policy for z/OS to ensure policy is enforced at all times to protect the integrity of the z/OS platform. You probably already have policies, but to enforce them rigorously you need automation.

Step 4, risk analytics, processes the data to determine unusual usage patterns that may be an indication of a security breach or fraud. Again, this must be automated to be effective.

IBM has stayed right on top of this changing mainframe security landscape with its IBM Security Framework, which is focused on security intelligence. The framework addresses key areas of security and compliance risk—people, data, applications and infrastructure—and ties the framework capabilities to other common capabilities for security intelligence and analytics. Then it adds a slew of products including QRadar SIEM, IBM zSecure and Guardium.

The new mainframe security maturity model shouldn’t be that different from what a competent System z shop should have been doing all along. The difference will be an expanded scope to include mobile, cloud, social and all the new ways users interact with the mainframe; expanded automation; and more analytics. The key point in all of this is that RACF, the gold standard for security, no longer is enough. Mainframe shops have to think in broader terms. It is a dangerous world out there and getting more so.

Alan Radding is a Newton, Mass.-based freelance writer specializing in business and technology. Over the years his writing has appeared in a wide range of publications including the New York Times, CFO Magazine, CIO Magazine and Information Week. He can be reached through his website,