Protecting sensitive mainframe data with CA Data Content Discovery



How a new software solution from CA, announced recently at CA World, can help your business conquer the mainframe data mountain and protect your organization’s most sensitive data.

David Hodgson, December 8, 2015

Your mainframe has been collecting data for years — probably decades — and you rely on it to run your business and the apps that serve your customers. But over the years it has collected mountains of records and files, many of which contain sensitive data that require special controls stipulated by government regulations.

With so much information residing in your mainframe, it’s hard to locate regulated or sensitive data when you need it (and doing so takes up far too much time). You may not be limiting internal access appropriately, and copies may end up somewhere else, without proper access control. At last count, 400 mainframes worldwide are connected directly to the Internet and accessible to anyone via a login screen. So yes, while the mainframe remains the most securable platform, it isn’t 100 percent immune to data breaches.

Recently at CA World in Las Vegas, CA Technologies announced two new mainframe solutions to help organizations become more agile. One of these new solutions, CA Unified Infrastructure Management for z Systems, supports our DevOps portfolio and helps customers accelerate problem resolution with a unified view across mainframe and distributed systems.

In this blog I’d like to focus on the other new solution, CA Data Content Discovery, which supports our Security portfolio. Bottom line: if you don’t know where your sensitive data is, you can’t protect it. CA Data Content Discovery scans your mainframe data to identify the location of data that falls under regulations such as PCI, PII or HIPAA, so you can make business decisions around securing, encrypting, archiving or deleting those records.

This isn’t just good business sense; it will help you address potential audit findings and risks.

If it ain’t broke, why fix the mainframe?

But why now? After all, the adage “if it ain’t broke, why fix it” often applies to mainframes. But these days, mainframes are not only tied to mission-critical applications, but those applications now face your customers through the web and mobile apps.

In the application economy, the mainframe plays a key role in how apps perform — and how happy your customers are.

Unknown unknowns: trust isn’t a strategy

The stakes for mainframe security have changed. In a recent blog post, Jeff Cherrington offers a colourful history lesson and metaphor comparing mainframe security to the evolution of fortifications of medieval castles.

The plain fact is that today’s application economy puts different demands on mainframe data: everyone wants in! The Chief Digital Officer wants access to systems of record for a pet big data project, or some backup project didn’t follow all the necessary controls. The fact is that mainframe data is moving off the platform when it shouldn’t be, and when it does need to move, let’s at least know the location of that sensitive data and apply the right controls. Companies that make security a priority understand that blind trust and “nothing will happen” isn’t a solution.

With the right tools and processes, you can be confident to leverage the mainframe as part of your digital transformation while safeguarding sensitive and regulated data. CA Data Content Discovery has three distinct advantages:

  • Find: You can locate regulated and sensitive data using data-pattern scanning, helping to gain insight into the magnitude of potential data exposure on z Systems.
  • Classify: Once you’ve found the data, you can prove to auditors that you’re compliant with regulations (controls are checked by data type and content).
  • Protect: Critical data never leaves the z/OS platform. Integration with CA ACF2, IBM RACF and CA Top Secret for z/OS means you can quickly visualize who has access to regulated or sensitive data.


For more details, check out the Data Content Discovery page.

It’s not enough these days for organizations to embrace software — they need to use it strategically. And that includes the mainframe.

In the era of digital transformation, organizations need to be more agile — and this is possible, even with legacy systems. With the right tools, people and processes, it’s possible to bring your mainframe along on the digital transformation journey.


How security can be the key to your castle


In the application economy does security help or hinder your business?

David Hodgson, September 23, 2014

Traditionally, people view security like a castle moat. That is a great start, but while a firewall with strong authentication is good, it is not enough. Conceptually it does not go much further than: “Stop, who goes there?”

We are constantly seeing examples of people finding ways under, over or around our moats and in the current digital era this problem is getting worse. The fortress mentality just doesn’t work well in our highly connected world.

A wholly more sophisticated approach is needed: one that keeps our resources secure but doesn’t involve the ‘clunkiness’ of heavy security that ends up hindering your business.

With this post I complete the four-part series about navigating your journey in the application economy, exploring the topic by drawing analogies with my daily walk to work and back. The four principles I have suggested are:


In this post I’ll cover the topic of security.

Untethered capability

I quickly found out that wearing a tie while walking to work in Manhattan is a killer – I need much more air circulation around the neck area when moving at speed, particularly in the warmer summer months. So now I keep some ties at the office.

Keeping that tie in the office is a security feature for me in case I feel the need to put one on for an important meeting. Now I don’t have to slow down my walk, and I’m still secure at work.

If your security slows down your employees or your customers, it is holding your business back. In today’s connected world a well-thought-out and thorough security strategy is critical.

We cannot deny the benefits of the cloud, but we need policies and tools that enable BYOD and the use of tools like Dropbox, not a police-state mentality that blocks useful activity. Security in the application economy must allow seamless application experiences while being sure that only authorized people are using the services.

The answer for the application economy is content-based data placement and content-based access to data, coupled with a much stronger concept of identity. We need a stronger sense of who is doing what and a stronger definition of how to do it.

However, it must not be restrictive to the user experience, because today’s user of both internal IT and consumer apps has choices, and if one service is slow or hard to use, they will use another that is easier and faster.

Who goes there and why?

At CA Technologies we have solutions for single sign-on and two-factor authentication. We also have the leading solution for credit card authorization that can dynamically detect anomalies and decide if a greater degree of authorization is required.

And new for the mainframe, we are developing content-based access control that will allow you to set up policies to control access, changes and movement of data based on what it is rather than what container it is in. This will maximize usage and streamline management while ensuring good control and compliance with regulations.

The possibilities for this are awesome and much needed in today’s hybrid cloud infrastructures. Our new Cloud Storage for System z (CS4z) allows applications to seamlessly place tape data onto on-premises private storage clouds or at public providers like Amazon and Google.

This is an incredible breakthrough in flexibility for the mainframe. But how do you manage that data placement? How do you stay in compliance with the latest regulations? Do you even know for sure what is on those 10-year-old tapes?

Awareness of data content allows both policy-based data placement and policy-based access control. So old reports that don’t contain personal information can be stored on Amazon Glacier, but confidential information must stay in-house.

And if you connect identities to roles, you can limit access to data not only by a file name but also by the metadata that describes the sort of data that the file contains. This is an approach that will be safer, more adaptable and will expand securely to your business needs.
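As an added example (not CA’s code and not how CA Data Content Discovery itself works), the script below walks through the Find/Classify/Protect steps from the first post and the content-based placement and role-based access described here: it scans constructed sample records for Luhn-valid card numbers (PCI) and SSN-shaped values (PII), reports which dataset and record each hit sits in, and then decides placement and access from the resulting labels rather than from the file name. The dataset names, records, patterns and role table are all made up for illustration.

```python
import re
# Constructed sample records (dataset, record number, text); not real data.
RECORDS = [
    ("PROD.CUST.MASTER", 1, "ACME CORP INVOICE 2009 TOTAL 1200.00"),
    ("PROD.CUST.MASTER", 2, "CARD 4111111111111111 EXP 12/17 CUST 00042"),
    ("ARCH.REPORTS.2005", 1, "QUARTERLY SALES SUMMARY Q3 2005 UNITS 8831"),
    ("ARCH.REPORTS.2005", 2, "EMPLOYEE SSN 123-45-6789 DEPT 17"),
    ("ARCH.REPORTS.2005", 3, "ORDER 4111111111111112 WIDGETS 4"),  # fails Luhn
]
# Illustrative patterns: a 13-16 digit run (card candidate), an SSN-shaped value.
PAN_RE = re.compile(r"\b\d{13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn check: weeds out order numbers and other plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_record(text):
    """Classify: the set of regulation tags a single record matches."""
    tags = set()
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        tags.add("PCI")
    if SSN_RE.search(text):
        tags.add("PII")
    return tags

def scan(records):
    """Find: per dataset, the union of tags and the records that triggered them."""
    report = {}
    for ds, recno, text in records:
        entry = report.setdefault(ds, {"tags": set(), "hits": []})
        for tag in sorted(classify_record(text)):
            entry["tags"].add(tag)
            entry["hits"].append((recno, tag))
    return report

# Protect: placement and access follow content labels, not the file name.
ROLE_TAGS = {"auditor": {"PCI", "PII"}, "payments": {"PCI"}, "analyst": set()}

def placement(tags):  # regulated content stays in-house, the rest may go cold
    return "in-house" if tags else "cold-storage"

def may_access(role, tags):  # a role needs clearance for every tag present
    return tags <= ROLE_TAGS.get(role, set())
```

Note that the whole dataset inherits the strictest label any record carries, so one SSN in an old report keeps the entire report in-house.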

Arriving Home

The best part of my daily commute is of course the walk home. I hope you found value in this series and it helps you along your journey into the application economy.

We are right at the start of our journey and we are all learning from each other. I’d love to hear your stories. What security challenges have you bumped into along the way?

If you have solutions that help Development integrate tightly with Operations, I would love to hear about them too. Just leave a comment below and I’ll be sure to reply.

And I hope our paths will one day cross somewhere along our travels.

Image credit: Ashitaka San