Bah! Mainframes will be Safer When Sailboats Sail Boats!
Automation, Integration, Offense, Defense…Z System Security is More Advanced than Ever, Captain
By Marilyn P. Thornton
Remember that commercial featuring “the world’s most interesting man?” That wasn’t him. I know the world’s most interesting man. His name is David Rossi and I just interviewed him.
David is a wizard who can diagnose and repair almost any mechanical or electronic gizmo in the world. We’re talking anything from antique juke boxes and pinball machines to large home appliances. Plus, he’s one of our foremost experts in protecting IBM Z Systems. And he’s sailed around much of the world—not all in one go, in multiple adventures—but the kicker is he didn’t really have to do much “sailing” at all.
Whether you’re a seasoned old salt, you’ve taken lessons, or maybe you’ve just watched a sailing movie a time or two, you have a pretty good feel for how complex it can be. That has changed. Yes, you can still go totally manual and bark out orders like “Coming about!” “Trim that mainsail!” or my fave, “Batten down the hatches!” But the latest sailboats enable sailors to take to the high seas with a crew of just one and sails that automatically adjust to stay on course.
It’s not fool-proof, but with the right charts and automation, sailboats can now sail boats, and according to David, with the right strategy and automation, and if you balance your defense and offense effectively, mainframes can protect mainframes.
“There are many complementary controls you can add to Z environments to help mitigate risks—we call this depth and defense.” The wizard talks the way he thinks, a mile a minute, and I’m trying to keep up. “For example, you encrypt your disks to protect the data at rest. You have encryption in flight to protect your data, but if you’re signing into a system, you want to protect your credentials as well—you don’t want them going over the wire exposed. From a governance POV, you manage identity and access to protect your data and apps. But all of this is defense. Not enough people in the mainframe world are looking to be proactive, to be more offensive in their approach to security.”
What does offensive security look like?
Wait, did I see visions of schematics scrolling across his glasses as he thought about his answer? “Being more offensive means, instead of waiting for someone to attack, you look for potential attackers before the “big strike” as they probe for weaknesses. If the enterprise has been compromised in one department, chances are the attacker will try in other departments, or through other channels. Being more offensive means instead of working in defensive silos, you aggregate the security data you’ve gathered with all the security data from across the enterprise, enabling you to hunt threats, not fear them. And as cybercrimes get more sophisticated, we’re going to need even more depth to our offense. This is where it starts getting interesting. Are we set up today to prosecute suspected attackers before they attack? It doesn’t feel like it, especially when those attacks come from outside our borders. We could all use some help here; after all, the government is in the same boat.”
Should security leaders be prosecuted for leaving their organizations vulnerable?
“I don’t think so. We need the self-reporting transparency. Prosecuting security leaders would motivate bad, secretive behavior. We can’t catch the attackers if we don’t share the threat intelligence—it’s the modern-day equivalent of the wanted poster tacked to a tree. We can’t afford to humiliate organizations for being attacked; we must be able to focus on the attackers. Now, if an organization is repeatedly, successfully attacked multiple times, yeah maybe there should be legal ramifications, especially if they are losing PII each time, but for the most part, transparency makes everyone stronger.”
And taking on a certain level of risk is today’s cost of business?
“It is. You could have the most secure business on the planet if you disconnect all systems and employees from the internet. You’ll never get breached. Obviously, cybercrime risks are built into the cost of doing business, but minimizing those risks is the key.”
How would you advise CISOs as far as prioritizing their security choices?
“Security doesn’t live in a vacuum. It should always be tied to and balanced with the needs of the business. At the C-level, the CISO must (1) develop and decree security policy based on the needs of, and the risks to, the business, (2) establish acceptable benchmarks even down to the system level, then (3) trust the implementation to the technologists who have an even deeper understanding of those platforms and the risks.”
But often a breakdown in communication gets in the way?
“Yes, especially in a Z Systems environment, we often see a break in this process. The mainframe insiders expect the security organization to fully understand their world and then instead of interpreting and enforcing the CISO’s policies, the technologists are pushing back, maybe stalling, by asking for more implementation guidance—it’s a bit of a filibuster tactic. We get called into these situations quite often as the shuttle diplomats. The CISO wants our help understanding the mainframe risks. What does a significant cyberattack look like in that world? What are the best solutions? And the technologists want our help clarifying the CISO’s strategy and policy.”
Are the CISOs tempted to step into the tactical waters?
“They are, but for strategic reasons. We have a tool, IBM Security zSecure Alert, that out-of-the-box monitors for over 80 types of cyber-events significant enough that the CISO understands them and they love it. Just by seeing the tool’s capabilities, they are exposed to an accessible list of the major event types, the foundation for most Z system security conversations. Then, we can more comfortably talk about aggregating cyber-events from across the enterprise.”
Are there model citizens out there for mainframe security, companies that get it right?
“I know of a lot of companies that push the envelope regarding Z system security. This notion of zero trust is about hardening and locking down your systems. It’s about asking at every stage whether an individual needs or should have access, and not trusting that they do. The old days of just testing credentials at the firewall are long gone for mainframe just as they are for all other systems. We recommend RACF to our Z system customers precisely because it offers amazingly surgical identity and access management capabilities. A lot of our mainframe customers have adopted RACF and continue to ask for even more control in future product releases to help them keep their Z systems locked down.”
Last question. In my January blog I addressed jobs in the Z system world. Would you advise young people to explore the possibilities?
“Absolutely. I think security is going to evolve. Right now, we seem to be in a bit of a security crisis. We feel more vulnerable now than we did yesterday. It feels like the more security we implement, the more sophisticated the attacks. We must get ahead of that curve. The demand to solve security issues is high and I don’t think that demand will change. We need fresh eyes and fresh ideas. Adding smart passionate young people to our pool could be the perfect shot in the arm.”
Well, that’s it. Hope you found the real world’s-most-interesting-man helpful. I had more questions and I’m pretty sure that Mr. David Rossi could have gone on into the night—he could put the Energizer bunny to shame—but we’ll save it for a future installment.
Thank you for reading.
As always, if you have any questions or comments, use the comment box below or email me at email@example.com. And if your organization needs an IBM Z Security Workshop to help you prioritize your Z system security checklist, we’ll determine your organization’s risk factors, review your existing security approach, identify vulnerabilities, and provide recommendations…all for no fee.