It seems that not a week goes by where there isn’t some story in the news about a data breach. From major retailers to the U.S. Postal Service, no organization, despite available safeguards, is immune. The most recent data breach currently making worldwide headlines involves a major entertainment company, and a few of the news articles have included screenshots of a terminal emulation green screen with sensitive data in full display. In this instance, the company’s employee list was compromised, the salaries of all of their employees were leaked, and other confidential information, including Social Security numbers, was stolen. Ultimately, this data was shared on the Internet via file sharing networks. The breach even forced the company to resort to pen and paper for a few days while virtually all of their computing environments were shut down.
I’ve been a mainframe guy for many years so the aforementioned shots of the green screens caught my eye and got me thinking about what companies are doing holistically to secure their corporate systems.
As organizations talk about updating their systems to protect sensitive corporate data, particularly those in industries that must comply with regulatory standards such as PCI DSS and HIPAA, the focus is often on bringing modern systems such as web applications and databases into compliance. Meanwhile, the large, legacy mainframe environment which houses the bulk of sensitive corporate data – the proverbial elephant in the room – does not receive the attention it deserves. More mission-critical applications have been developed for the mainframe than for any other platform, which means that more sensitive customer and business data is stored in these screen-based legacy applications than anywhere else.
Slowly, the tech industry is waking up to the risks of neglecting the mainframe when developing compliance policies, and for many the January 1 deadline to comply with the new Payment Card Industry Data Security Standard (PCI DSS) 3.0 forced the issue. A recent article by K3DES executive Mike O. Villegas discusses best practices relating to mainframes and PCI DSS. The article sheds light on the importance of assessing the security technologies protecting critical corporate data stored in legacy computing environments. Still, there is much that needs to be done to educate CIOs and IT organizations about the risks of not taking their mainframe environments into consideration when discussing compliance.
Addressing the elephant in the room head on, by taking a comprehensive approach to mitigating risk across all of your computing systems, can make the difference between upholding your organization’s reputation and becoming another data breach statistic.