With the mainframe online and connected to apps that people use every day, users have never been closer to the mainframe. So how should businesses think about security in the application economy?
David Hodgson, August 20, 2015
I recently discovered an app that dials you into conference calls without the hassle of having to dig up phone numbers and participant codes. All you have to do is put your network ID and password into the app once and you’re off.
This raises the question: What is being done with this data, and is it secure? What if at the other end is someone sitting in a café halfway around the world, calmly sipping a latte while receiving data from the app and using it to access your company’s network or maybe even the mainframe?
In a white paper I recently authored, “Mainframe Reframed for the Application Economy,” I explore the implications for the mainframe in today’s application economy and the need to reframe the mainframe for this new era’s demands. I point out that as this digital transformation is occurring, where we’re interacting with companies more through the palm of our hands than face to face, there’s pressure mounting on all areas of IT, including the mainframe platform.
The curse of connectedness
The application economy is driving the need for transparency, availability and reliability to meet customer demand in an always-on, 24/7 world.
The very connectedness that makes apps like the one referenced above possible in the application economy is also shrinking the distance between people and enterprise systems, including the mainframe, exposing businesses to unprecedented security risks.
With many high-profile security breaches of late, the old “fortress” security mentality of keeping the bad guys out is no longer the prevailing approach for guarding against the bigger risk: the people inside your organization, who often do not realize they are creating vulnerabilities, or sometimes are themselves the threat.
Security is now more about detection and compliance than it is about locking people out. More specifically, that means:
- Knowing who is in your network
- What they are doing
- Whether they should be doing that.
A savvy auditor is certainly going to ask you how you would know if someone accessed data they were not supposed to.
In these days of rampant identity theft, people are not always who they appear to be. Once hackers have phished someone’s credentials, the only way you detect a breach is when they start doing something anomalous. Social engineering is now much more sophisticated, and your ‘trusted’ mainframe expert in the data center is as susceptible to social engineering as anyone else.
Remember also that as mainframe experts retire, the very lack of skills and know-how left in their wake could inadvertently open new doors if proper transition plans aren’t put in place. That way, businesses can take action early when they know something is amiss.
Security breaches haven’t seen anything yet
While, to date, relatively few security hacks involve the mainframe, think of the impact of something such as the recent breach of U.S. computer systems for visas and passports and how much worse that would be if it were the mainframe of a major bank or airline, for example.
A recent MIT Technology Review article discusses how the mainframe, which has been around since the 1960s and houses some of our most precious data from banks, airlines and governments, has been put online, exposing it to a previously unknown world of cybercrime. The article goes on to quote security researcher Phil Young, who said he has found around 400 mainframes on the Internet presenting a login screen to anyone who connects.
Mainframe modernization, or exposing the classic system of record data to new services, means that the data is no longer isolated on the mainframe – the world is now “unknown, unknown.” We have lost sight and control of where the data is going the minute we try to harness mainframe data for purposes other than batch or transaction applications.
Think of the potential and, more importantly, the scale of damage. We’re not just talking about one database of customers of a retail chain – this would be something more far reaching than we could ever imagine.
How to catch a thief before they act
So how can organizations build into the mainframe platform the ability to detect problems before they arise? I came across this post by bigendiansmalls.com that shows how to use a USS shell script to create a C program that can be piped over a network to run on z/OS. Fundamentally, it’s the same as how you’d do it for any other platform, just that you have to generate z object code and call different system devices.
While this is simply one vector into a system, it’s possible to create a product (or put it into an existing product such as CA Auditor for z/OS) that can scan for these vulnerabilities on a system, plug them and report on the number of times these attempts were blocked.
Last but not least, such news about technical exploits helps, but there is a huge cultural and communication barrier for mainframe security professionals in getting the broader organization and the rest of the security community to understand the risk. There is still a culture of denial or, “Wait, my mainframe has never been compromised.” This is why we believe the mainframe reframed discussion is a timely and thoughtful conversation we need to have as a community.
If you want to find out more about how the mainframe is being reframed to handle the new security threats in the application economy, join us at CA World ’15. We will be giving a number of talks about security across platforms – including mainframe security in sessions such as “Castle Walls under Digital Siege – Risk Based Security for the z/OS.”
You will learn how identity can be applied to engage, serve and protect customers while they interact with your digital business – and make the connectedness we all enjoy in the application economy a blessing rather than a curse.