Are we taking modern security on the modern mainframe seriously enough? I don’t think so.
In part one of this blog, I explained how the mainframe was operating in silos from a security, governance and compliance perspective. This means the platform is not routinely hooked-in to identity management systems, privileged access management (PAM) solutions, and security information and event management (SIEM) tools when most other platforms in the enterprise are.
You wouldn’t exempt a Windows server or Oracle database from inclusion in such tools, so why the mainframe? My central point was that this position is no longer acceptable or defensible. We can and should integrate these tools with the mainframe. And getting set-up can be relatively fast.
On a previous project, for instance, integrating a PAM solution to control privileged users was quick, including things like session recordings, and making sure passwords are rotated daily. The processes of onboarding users to the solution can be what takes time; it can also be controversial, as it can be seen as extra red tape that slows you down in your daily work. When you weigh up the extra protection of your privileged account with enhanced monitoring, and look at the bad actors that are out there, I know which option I would choose! (By the way, this project was driven by an audit finding around the need to improve controls over privileged users.
Equally, hooking up an identity management solution was fairly fast. Following this, we then had to map entitlements and other issues to applications and systems, which took time, so when a line manager does a review they have the data to make decisions on whether someone retains access or not. In both cases, the benefits of such an approach were clear, and needed to be clearly communicated, because these are business problems as well as technology issues to resolve.
Ultimately, applications serve lines of business, and while the application owners may be on the technology spectrum they are also business facing. I consistently hear mainframe security people say “Oh, the business doesn’t understand it”—but that’s not good enough any more. Something has to be done so they do understand, using the language they know.
For example, rather than jargon around RACF, we should be working with the business to improve data that is used to make decisions. For example, “Read access to G#CICTRN profile CUSTENQ” should be translated into “Provides the call centre with enquiry access to retail customer records.” We should talk about “avoiding regulatory investigations” and “avoiding audit failings”, using the language of business and finance in terms of risks. You need to do this to avoid penalties, or to be compliant, or you must do this as part of your licensing as a bank or insurer. Such language can help close the gap between tech failings that might open up security issues and the needs of a business to have robust governance and compliance.
I digress slightly. The point, and again it comes back to the silo issue, is that it’s incumbent on the business and other stakeholders to work with the technology teams to get these much-needed solutions over the line. And I’ve started to see it happening.
Of course, you also need to gain that all-important senior leadership buy-in and sponsorship. The technology stream will fail if it doesn’t have that support from the top to drive it on, whether that’s regulatory or compliance/audit driven.
While the mainframe continues to operate in silos, it will never have the widespread and consistent visibility that it needs—and as part of a wider enterprise technology estate—to be managed and secured in the most effective ways. If a user has access to many systems, you want one place, a single dashboard, to see what they can access across the estate (including mainframes) and be in a position to make decisions on what they can and can’t do. As well as seeing any emerging threats fast.
This is not about ‘mainframe systems’ or ‘enterprise systems’—it’s about good control and visibility, strong governance, and security best practice. The mainframe cannot benefit from all of those if people continue to believe it sits in splendid isolation somewhere. And it can feel like we’re stuck in the 1990s sometimes. But the mainframe today is simply another server, like a Linux or Windows server. We have to look at the mainframe as a production server. It may hold a special place in the hearts of mainframers, and it remains remarkably powerful, but it no longer has special status in terms of security, governance and control. Just ask a hacker.
Hooking up the mainframe to these tools opens a lot of doors, with knock-on effects including process improvements and efficiency gains: automatic provisioning and deprovisioning, for example. You can integrate the mainframe into the leavers process so HR activity triggers user IDs being deleted from multiple systems including the mainframe.
If you consider regulatory mandates and audit demands, the mainframe simply can’t operate in silos any more. It has to be integrated to further improve governance and compliance. So when external or internal auditors come knocking on your door, maybe the identity management solution really can be that central point of control? For enterprise and mainframe users alike, and all their access rights and entitlements, all visible and manageable from a single dashboard. Something to aim for?
Jamie Pease CISA, CISM, CDPSE, CISSP, CITP, MBCS – Chairman of the GSE UK Security Working Group
Disclaimer: The views, thoughts and opinions expressed in this article, belong solely to the author and not necessarily to GSE, or any other organisation.