Mainframe Security? It’s About the Processes

There is a lively discussion on LinkedIn right now about whether or not the mainframe is hackable. Some say no — not now, not ever — others say that, as with any technology ever created, of course it is.

I’ll leave that question open for debate.

The fact is big iron has a long history of rock-solid reliability and security. But the other fact is, the world is changing. The Internet, big data streams and heavy mobile device usage are all reaching a platform that was once tightly held in check. And that is placing entirely new demands on the mainframe.

The mainframe, in other words, has had to adapt.

In April, Financial Times writer Paul Taylor published a Q&A with Kris Manery, senior vice-president and general manager of IT services firm Compuware. Manery provided an excellent example of how the banking industry has adapted the mainframe to its evolving needs:

Decades ago, only a handful of corporate personnel needed to access the mainframe’s data. Then that data became available to bank tellers, but still the number of users was small.

Next came ATMs, and suddenly thousands of users per minute needed access. Of course, the web opened up the floodgates, and now mobile devices with complex apps are commonplace. People need more than the ability to view bank balances; they also expect to make transfers, pay bills, scan and deposit checks, or buy stocks. Since one of the great attributes of a mainframe is its flexibility, corporations have been able to adapt mainframes for these multiple uses.

But as the variety and complexity of today’s applications grow, companies are realising that a mainframe is no longer the “isolated citizen” it once was. The mainframe is an integral part of a larger application delivery chain, a complex system which stretches from the data centre all the way to the end user’s screen and back.

The question is, then, what can the mainframe’s inherent capabilities do to help IT shops keep up with the ever-increasing security demands of many users and multiple data streams accessing the platform?

In the words of Doug Balog, general manager for System z at IBM, it’s not just about the product. It’s about the processes that run the product.

“System z has a long heritage of being secure but I’ll never go so far as to say anything is unbreakable, because security is not just about the product itself. While it plays an important role, it’s also the corporation’s security practices related to their processes and the people that are part of those processes.”

The product side is a good place to start — but it’s not the only place to start.

But before we talk about process, a word about product: Balog pointed out that one of the main reasons that System z has such a good reputation for security is the “integration by design” philosophy and methodology it’s been built upon. From chip to software, security components are integrated.

That means deep encryption in the chip itself and then deep security features in the hardware, with cryptographic features in every processor.

“At no time is there data in flight that is unsecured,” said Balog.

Those cryptographic features are built into the hypervisor, so that as clients virtualize their mainframes — and everyone does — the hypervisor leverages the same system design and security features, which extend out to the middleware layer.

“Can you try to layer it on other architectures? You sure can,” says Balog. “You can layer on software products after software products after software products, but with every one of those layers you create points of interception.”

That’s where the process design comes in, which Balog says is critical to compliance.

While companies design their own processes — workflow is different in every organization — the mainframe’s integrated security features enable users to build simplified processes around access controls: access to corporate data, client data, employee data and customer data.

“You still need the processes,” says Balog. “But they’re much more natural and simplified, rather than trying to think through a multiple software-layered approach in a distributed architecture.”

On that note, IBM has recently added a more intuitive approach to z security in a product suite called…zSecure. It essentially creates a dashboard approach (with red, yellow and green dashboard lighting) that enables security admins to see if the platform is secure and in compliance. In the words of IBM marketing, zSecure “provides cost-effective security administration, improves service by detecting threats, and reduces risk with automated audit and compliance reporting.”

That’s where good process design comes in.