With the mainframe's reputation as a rock-solid vault for storing data, you might think it wouldn't be fruitful to discuss mainframes and the data security issues that commonly plague distributed servers. Even the National Institute of Standards and Technology's controls don't talk much about mainframe security.
But is this perception due to blissful ignorance, or is it based on conclusive evidence?
One rarely hears about a mainframe being involved in a major data security breach, but there was the infamous TJX Companies Inc. hacking case, the largest data security breach to date. In 2007, the retailer announced that it had discovered a breach of its computer systems and the possible loss of millions of credit card records. As the world would learn later, the breach involved more than 45 million customer records and had gone undetected for a number of years.
The exact chronology and precise nature of the breach, understandably, were never made public. But the following 2
- "It's not clear when information was deleted, or who had access to what, and it's not clear whether the data kept in all these files was encrypted, so it's very hard to know how big this was," wrote Deepak Taneja, the CEO of Avesco.
- "Numerous companies still have not secured data for various reasons, some of them technical," said Payment Card Industry-certified auditor Nigel Tranter. "Encrypting data on a mainframe is difficult."
- "How many [companies] have a challenge system that must be passed before the account can be reactivated, and includes mandatory change of password?" asked Steven Thompson, who also noted, "But where does it say that a mainframe was specifically the portal through which the cracking took place?"
These statements go to the heart of the debate: Mainframes are so impenetrable that no one knows for sure what goes on inside them.
Since the advent of mainframes, security paradigms have changed dramatically. With the inclusion of privacy considerations in the information security discipline, the new paradigm forces us to deal with risks that apply to any and all computing platforms including mainframes. I will detail some of these risks later.
With thousands of mainframes still processing data around the world, the topic of mainframe security can hardly be ignored. So, what is being done to protect this data? That's a question compliance officers should be asking themselves, given their responsibilities for regulatory compliance laws including the Federal Information Security Management Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act.
Hopefully, by now compliance officers realize security is not just about the technology but also about the integration of technology with business processes and human beings. The proverbial security cracks are almost always at the seams, also known as "integration points." And with mainframes increasingly integrating with Web services, there are many integration points to consider.
Mainframe security was the focus of a recent study conducted by the Stevens Institute of Technology in Hoboken, N.J. That study concluded that "enterprise (mainframe) computing suffers from the same risks as midrange computing, especially in today's webcentric computing environment."
As mainframes become a major component in service-oriented architectures because they can store the vast amounts of data collected over years, they are increasingly exposed to malware and other vulnerabilities related to HTTP, the HTML standard and the Simple Object Access Protocol. The introduction of Web services on the mainframe has had a significant impact on security.
For those still not convinced about the need to focus on mainframe security, a partial list of potential vulnerabilities from the Information Systems Audit and Control Association might do the trick:
- Disclosure of privileged information
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements
- Disruption of the computer infrastructure resulting in the inability to perform critical business functions
- Use of the computer system as a launch pad for malicious activity against other entities (and the potential to be held liable for damaging them)
So, what steps can compliance officers take to better assure the security of their organization's enterprise computing?
First, they should educate themselves better about mainframes by understanding the various mainframe components, particularly those responsible for providing access control, managing configuration control, and securing data. They should also try to understand the monitoring and management posture of the mainframe, reviewing available reports and sitting down with their mainframe system administrators and asking them to describe the system's security posture. What those administrators have to say could prove to be revealing.
Compliance officers also should conduct a mainframe compliance audit. The following checklist can be very useful:
- Use of secure channels for data exports (SSH-based SFTP rather than cleartext FTP)
- Use of strong authentication for mainframe logins
- Storage of sensitive data sets
- Access controls and password policy
- XML code filtering for malicious code
- Patching mainframe software
- Direct access from the Internet
- Security settings in the Parameter Library data set
- Mainframe system security settings, such as IBM's Resource Access Control Facility
- Database security
- Insider threats, including the possibility of collusion
As compliance officers realistically assess the security posture of their enterprise computing platform, they should ensure that tools and the other technologies they deploy to prevent desktop and midrange computing vulnerabilities are extended to include mainframes. For example, if audit events are collected from midrange computers, they also should be collected from mainframe computers.
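The point about extending the same monitoring to both platforms can be made concrete with one detection rule applied to two audit sources. The script below is an added example, not code from the article or from any vendor: it parses constructed mainframe logon-failure messages (shaped loosely like RACF ICH408I messages; the exact wording is an assumption) and constructed sshd-style syslog lines from a midrange host, normalizes both into one event schema, and runs a single failed-logon burst rule over the combined stream. The year assumed for the syslog lines, the thresholds and all user names and addresses are constructed for the example.

```python
"""One failed-logon detection rule applied to mainframe and midrange audit events.

Added example (not from the article). Every log line below is constructed:
the mainframe lines imitate the general shape of RACF ICH408I messages and the
midrange lines imitate sshd syslog entries, but neither is copied from a real
system and the exact wording is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mainframe records (assumed ICH408I-like layout, not real output).
MAINFRAME_LOG = """\
2010-05-03 08:14:02 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00031
2010-05-03 08:14:09 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00031
2010-05-03 08:14:15 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00031
2010-05-03 08:14:22 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00031
2010-05-03 09:01:44 ICH408I USER(ABATCH  ) GROUP(OPS     ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00007
"""

# Constructed midrange records (sshd-style syslog, same caveat).
MIDRANGE_LOG = """\
May  3 08:20:01 app01 sshd[2231]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
May  3 08:20:05 app01 sshd[2231]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
May  3 08:20:09 app01 sshd[2231]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
May  3 08:20:14 app01 sshd[2231]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
May  3 10:30:00 app01 sshd[2419]: Accepted password for opsadmin from 10.1.2.9 port 51100 ssh2
"""

ASSUMED_YEAR = 2010  # syslog lines carry no year; the constructed data is from 2010

MF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ICH408I USER\((?P<user>\w+)\s*\) "
    r"GROUP\(\w*\s*\) .*INVALID PASSWORD.*TERMINAL (?P<src>\S+)"
)
MR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_mainframe(text):
    """Yield normalized events from the constructed ICH408I-style lines."""
    for line in text.splitlines():
        m = MF_RE.match(line)
        if not m:
            continue  # other message variants (resource violations etc.) are not modelled here
        yield {
            "platform": "mainframe",
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"].lower(),  # case-fold so ids can be compared across platforms
            "src": m["src"],
            "outcome": "failure",
        }


def parse_midrange(text):
    """Yield normalized events from the constructed sshd-style lines."""
    for line in text.splitlines():
        m = MR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield {
            "platform": "midrange",
            "ts": ts.replace(year=ASSUMED_YEAR),
            "user": m["user"].lower(),
            "src": m["src"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
        }


def failed_logon_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {(platform, user): most failures seen inside any single window}.

    Only keys reaching `threshold` are returned. The rule has no platform-specific
    logic, so the mainframe is covered exactly as the midrange hosts are.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_key[(e["platform"], e["user"])].append(e["ts"])
    findings = {}
    for key, stamps in by_key.items():
        stamps.sort()
        best, j = 0, 0
        for i, start in enumerate(stamps):          # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            findings[key] = best
    return findings


def cross_platform_users(findings):
    """User ids flagged on more than one platform, which a per-platform view would miss."""
    platforms = defaultdict(set)
    for platform, user in findings:
        platforms[user].add(platform)
    return sorted(u for u, ps in platforms.items() if len(ps) > 1)


def run():
    events = list(parse_mainframe(MAINFRAME_LOG)) + list(parse_midrange(MIDRANGE_LOG))
    findings = failed_logon_bursts(events)
    return findings, cross_platform_users(findings)


if __name__ == "__main__":
    findings, shared = run()
    for (platform, user), n in sorted(findings.items()):
        print(f"{platform:9} {user:10} {n} failed logons inside 60s")
    print("flagged on both platforms:", shared)
```

The design choice worth noting is that the detection rule never sees raw lines: each source gets a small parser that emits the same fields, and everything downstream (thresholds, windows, cross-platform correlation) is written once. Adding the mainframe to an existing midrange pipeline then means adding a parser, not a second rule set.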
More often than not, enterprise computing shops react to mainframe risks by deploying piecemeal solutions. Gaining a full and current view of one's mainframe security, however, helps provide a clearer picture of what it should look like to satisfy regulatory requirements and keep data secure.
Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies Inc. and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and teaches at the University of Maryland University College.
This was first published in May 2010