By Marilyn P. Thornton
Here’s the headline: “White House Pushes for Companies to Take Ransomware More Seriously after High-Profile Cyberattacks.” That was three weeks ago, and the hits just keep coming. There has practically been a new White House statement and new headlines about ransomware every day since.
How bad is the threat? Here’s a quote from a CNN article on June 3 from the US National Security Council's top cyber official, Anne Neuberger: “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. We urge you to take ransomware crime seriously and ensure your corporate cyber defense matches the threat."
Not convinced? Did you see the Colonial Pipeline CEO testify before the Senate Committee on Homeland Security and Governmental Affairs? After confirming that Colonial wasn’t using multi-factor authentication (MFA) Senator Rob Portman, the ranking member of the committee said, “You're a victim and we understand that apparently this account didn't use multi-factor authentication which again is just a basic cybersecurity hygiene item.”
Given all the recent attacks, it’s as if we are suffering another pandemic, only this time the vaccine we all need is to protect our businesses, organizations, and infrastructure with “basic cybersecurity hygiene.” To help you accelerate your own “Z vaccinations,” I sat with the Program Director for IBM Z Security Solutions, Michael Zagorski, to get his advice for how we can all decrease “time-to-optimized-protection” in our mainframe environments.
Thornton: Michael, forgive me, I usually start these conversations with get-to-know-you banter for our readers, but because of the seriousness of this topic, I’m jumping right to the pointed questions. What’s your overall take on the ransomware pandemic and its potential impact on Z environments?
Zagorski: Clearly, given the number of recent attacks, it's a lucrative business for the bad actors. It's a seemingly easy avenue for them to take advantage of vulnerable systems. The impact on Z is no different. It's just a little more difficult for the bad guys to figure out how to do this, but certainly the risk is there.
Thornton: When you say, “figure out how,” it's because it's hard to replicate the environment?
Zagorski: Yes, not many people have a Z system in their basement. Whereas everybody understands the x86 environment very well. Plus, Z systems have vault-like protection features.
Thornton: If you were to give someone a recipe for protecting their mainframe environment, what would that recipe be? What's number one?
Zagorski: I would use the recent executive order as a guiding light. The President didn’t come up with that on his own. His cybersecurity people, likely some of the smartest in the world, said this is what we need to do to protect our technical infrastructure. Which implies that the lack of these technologies is why we saw successful attacks on SolarWinds, Colonial Pipeline, JBS and others.
For example, in the Z environment, we’ve been recommending a layered security approach for years, and with two relatively simple technologies at the foundation: pervasive encryption and MFA. Someone steals the data. With pervasive encryption, who cares, they can’t read it, no one else can. And MFA, especially when combined with sophisticated passwords will keep a large percentage of bad actors out of your network completely, certainly out of critical applications.
But the layer cake is incomplete without the icing and that’s zero trust. What started as buzz words in the industry has become a reality. A zero trust approach wraps security around every user, device, and connection, every time…and it takes into account the context: what you know about each of those variables on an up-to-date basis. Your current core security stack may not provide the requisite contextual connections.
We’re urging our clients to move from the tactical to a more strategic, more holistic approach. For example, unlike virtual public networks which grant complete access once inside, a zero trust approach to network-access would default to “deny,” providing access only to applications and information explicitly granted to each user at that time.
Thornton: Given the urgency caused by this perfect ransomware storm, are there ways to shorten product trial and implementation time?
Zagorski: Absolutely. Let’s take it from easiest to most difficult…
If you are ready to move forward with our “recipe,” start with data encryption. Relatively speaking, it has the least impact. Though the implementation can be a little nerve-wracking for IT and Security departments, if done right, end-users never know the difference. Pervasive Encryption for IBM Z enables extensive encryption of data both in-flight and at-rest to substantially simplify the encryption process, e.g., key management, algorithms, etc. Plus, like I said earlier, we have teams of encryption implementation experts that can come into your environment, help you run trials, design rollouts, and work your way through the implementation.
Next on the menu is Z MFA, leaning the other direction: a little easier for IT and security, but to most end-users considered a pain in the behind. You're going to tell people instead of using that password on its own, I need you to go to your phone and get a token, or use this key, or do this. A lot of people don't like change. The user community will push back. We hear stories where the workers will actually complain that they can't “do their job” because it takes them too long to log on. Yes, it’s kind of nonsense, but every IBM employee understands this, empathizes. Just a short time ago, we transitioned over 340,000 of our own employees and 100’s of thousands of IBMid customers to MFA in only a few months—now we’re all used to it. Heck, you can try Z MFA for yourself right here. Plus, you don’t have to transition everyone at once, you can do it in phases.
Still not sure where to start? The IBM Mainframe Security Workshops help you and your team prioritize your Z security checklist.
And the icing on the proverbial cake? Not that I am suggesting your readers should shy away from it, but trialing and implementing zero trust is a horse of a very different color. Most often, we recommend starting by replacing your VPN with a secure access services edge or SASE framework, but MFA and encryption are also in the mix, so if you start with those two, you’ll be ahead of the game. The good news is we have zero trust maturity assessments, IBM Garage (workshops) and acceleration services to help you get started down the best paths.
Sorry, that was a big answer to a big question. Hope I gave you enough without overwhelming.
Thornton: Thank you, Michael, this has been super helpful. For our readers, what are the very next steps?
Zagorski: Here are some options. If you’re convinced you need to modernize your overall approach to cybersecurity with the two foundational steps I talked about, or maybe you’ll be facing a security audit soon and need to move fast, talk to your IBM rep about the Z solutions for encryption and/or MFA…or visit the Shopz online store. If you need a technical drill down or demo, they could reach out directly to you, right Marilyn at firstname.lastname@example.org? If you want to learn more about zero trust, visit the new website to get oriented depending on your specific use case, and then talk to your IBM rep—they’re trained to be zero trust experts and will certainly get you with the right IBMers for deeper discovery and planning.
Thornton: Michael, this has been perfect. Yes, anyone can reach out to me with Z security questions or requirements. I’m happy to be a first stop. Thanks again for your time and for sharing your Z wisdom with us.