Johannesburg, 25 Nov 2020
Is the mainframe expected to be secure in its own right? An interesting question. In prior years, the mainframe was physically removed from the rest of the organisation’s infrastructure, so it was considered secure. However, with the modernisation of the mainframe environment – both the hardware and the applications around it – is it still safe to continue to exclude it from the rest of the ICT infrastructure’s modern security controls?
Seph Robbertse, Senior Solutions Architect at Micro Focus South Africa, says: “The mainframe is no longer a physically separate entity. Advances such as hybrid IT, data centre consolidation and automation have required that it become accessible to other infrastructure within the business. The question is, has the focus on mainframe security been adapted to keep up the pace with modernisation of the mainframe itself?”
Robbertse says: “All business-critical applications run on the mainframe, and even with modernisation happening, you need to ensure you’re making your own life easier in world full of breaches and hacks. So it’s essential to extend enterprise security to the mainframe. And while this might be a priority, we aren’t there yet. Businesses need to have the level of control that you see in the rest of the organisation applied to the mainframe.”
Kevin Kemp, Business Development Manager: Application Modernisation at Micro Focus South Africa, says the primary challenge is possibly a concern that mainframe testing will interrupt the business flow. “The mainframe is the heart of the business and because of the nature of the systems that run on it, downtime can’t be risked. Over and above that, finding the expertise to do that testing could be a challenge.”
He also refers to new regulatory requirements such as GDPR and POPIA that apply to data on core systems on the mainframe. “The requirements of the various regulatory policies require the business to consider measures like multi-factor authentication and data masking, over and above encryption. Sensitive data needs strong security, and traditionally, that isn’t the same discussion in the mainframe world.
“Then there’s the TN3270 protocol, where data isn’t encrypted by default, which means that anything travelling on the network can be viewed or recorded. Finally, mainframe access requirements usually allow an eight-character password, which is no longer secure enough.
Robbertse advises that enterprise-level controls are required in the mainframe at three levels: Access control, data privacy and on the endpoint accessing the mainframe applications.
1. Access control
Access control by definition needs to combine authentication and authorisation measures. In simple terms, authentication proves who you are. The more authentication factors required, the stronger the authentication. For instance, a mainframe has an eight-factor password; if this is combined with an OTP via SMS, an access card or biometrics, this will be considered a strong authentication measure.
Authorisation is about granting or revoking data access rights. It’s important to apply the principle of least privilege, according to Robbertse. The mainframe should be part of other corporate security frameworks so that the same principles and measures apply.
2. Data privacy
Data at rest is generally encrypted, but it’s also necessary to protect data in transit. “Data protection doesn’t just involve encryption, it also required redaction of certain data. The concept of least privilege comes to the fore here, where we need to examine what sensitive data is displayed to people and redact some of that data, where required. The original data remains in place, it is just redacted when it is displayed to people who don’t require access to it. When used in conjunction with encryption, this is a great way to be compliant.”
3. Endpoint hardening
Another attack surface that requires attention is the devices used by people to access the mainframe. “Having a remote workforce increases vulnerability to endpoint attack, so we need to secure these systems. Consider whether remote workers are using VPNs, if they have the latest security patches and if the app they are using to connect is secure. Centralised management of access software is a must,” says Kemp.
Robbertse adds: “There’s no silver bullet that can protect the enterprise from a breach, but the more security measures you deploy, the better. What’s required to secure the mainframe and the data is a multi-layered defence plan with all the controls just discussed.”
As a closing thought, he says that today’s organisation also needs to defend against robots connecting to the mainframe, and not just human beings. “We need to cater for this more recent development. A robot can be seen as an identity and that’s why it’s key to integrate the security you have in place for the mainframe with a modern identity and access system.”
Tell us about the status of your mainframe security by participating in this survey.
Share