Business-critical mainframe systems are accessed daily by millions of users. Industry expert Ron LaPedis takes a hard look at the security risks, and explores how to plug the major gaps
A variety of terminal emulation solutions enable millions of users to access their mainframe computer systems. The choice ranges from thin hardware clients, to thick software clients, to thin software clients running in a browser. Most of these clients interpret the data streams passed back and forth from the host using protocols such as 3270, 5250, VT, X-windows, T27, UTS, or 6530, and reformat them for display on more modern devices such as PCs and tablets.
These more modern devices are all connected to the mainframe using standard Internet Protocols, which means that the data can be sniffed or even modified. What is more, depending on how old the mainframe code is, Personally Identifiable Information (PII) might be displayed. In some cases, this is in violation of HIPAA, PCI DSS, EU Data Protection laws, or other rules and regulations that didn’t exist when that code was written.
As a result of serious vulnerabilities within SSL and early TLS, organizations can be put at risk of a data breach. In fact, the Payment Card Industry Security Standards Council (PCI SSC) mandated that data communications be protected by TLS 1.1 or later (as of June 30, 2016). Even though NIST deprecated (killed off) SSL as of 2014, the 2016 deadline was moved to 2018 to give member organizations extra time, which of course gives hackers extra time too. The existence of the POODLE and Heartbleed exploits, among others, proves that anyone using SSL and early TLS risks being breached.
Can we talk about passwords for a moment? Most applications were written in simpler times when 8-character passwords were the norm. And Multi-factor authentication? Forget it!
The chances are that critical mainframe applications (and administrator accounts) are not only limited to 8-character passwords, but 8-character passwords which contain only letters and numbers – taking less than six hours to crack.
And then there are question marks around the use of Java due to its vulnerability-of-the-week history. Many browser-based Terminal Emulation software clients require a specific version of Java running on a specific browser version – which may have its own vulnerabilities. It’s not unreasonable to say that Java is somewhat notorious as a security trap door.
Defending the Estate
Mainframe security matters. Today’s terminal emulation software packages need to be secure, manageable, and easy to use. It doesn’t matter whether users are on thin clients, PCs, Macs, or mobile devices. And a large number of terminal emulation protocols, along with specialized host software (such as airline reservation systems), must be supported.
Whether internal policy requires a management server on a Linux partition within the mainframe or on an external Host Access Management and Security Server (or MSS), modern mainframe security solutions need to:
- Centrally manage terminal emulation access to your host systems by using your existing Identity and Access Management systems
- Easily update terminal emulation user configurations to meet evolving security requirements
- Quickly validate compliance of terminal emulation for securing sensitive information
- Ensure that end users cannot make changes to their user configuration
- Partially or fully mask data fields based on the user’s role
- Enforce data input standards and cross-screen validation
- Implement long, complex passwords and multi-factor authentication
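As an added example (not Micro Focus code), this is how an emulator-side control for the masking and input-validation items above could work: a constructed screen field map, a hypothetical per-role masking policy applied deny-by-default, and a PAN input check run before a keyed value reaches the host.

```python
"""Role-based field masking and PAN input check (added example, not Micro Focus code)."""

# Constructed sample: one host screen as an emulator's screen parser
# might expose it: (field name, value, sensitivity class).
SAMPLE_SCREEN = [
    ("CUSTNAME", "JANE DOE", "public"),
    ("SSN", "123-45-6789", "pii"),
    ("CARDNO", "4111111111111111", "pan"),
    ("BALANCE", "1023.55", "financial"),
]

# Hypothetical policy: per role, how each sensitivity class is shown.
# "full" = clear text, "partial" = last 4 characters, "none" = all masked.
POLICY = {
    "teller":     {"public": "full", "pii": "none",    "pan": "partial", "financial": "full"},
    "supervisor": {"public": "full", "pii": "partial", "pan": "partial", "financial": "full"},
    "fraud":      {"public": "full", "pii": "full",    "pan": "full",    "financial": "full"},
}


def mask_value(value: str, mode: str, keep: int = 4) -> str:
    """Mask alphanumerics, preserving separators such as '-' and '/'."""
    if mode == "full":
        return value
    alnum = [i for i, ch in enumerate(value) if ch.isalnum()]
    visible = set(alnum[-keep:]) if mode == "partial" else set()
    return "".join(ch if (i in visible or not ch.isalnum()) else "*"
                   for i, ch in enumerate(value))


def mask_screen(fields, role, policy=POLICY):
    """Apply the role's policy to every field; unknown role is refused."""
    rules = policy.get(role)
    if rules is None:
        raise PermissionError(f"no masking policy for role {role!r}")
    # A sensitivity class the policy does not mention is fully masked,
    # so a newly added sensitive field never leaks by omission.
    return [(name, mask_value(value, rules.get(cls, "none")))
            for name, value, cls in fields]


def luhn_ok(pan: str) -> bool:
    """Input standard for a PAN field: digits only, Luhn checksum valid."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0
```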
A Fresh View On Mainframe Terminal Emulation
Such lofty objectives are, however, not the stuff of dreams. All of this is possible today. With a relentless focus on customer success, Micro Focus has invested to create a new generation of powerful, secure and comprehensive emulation products.
Beyond tackling all the requirements above, these products add end-to-end encryption of data streams, centralized management, partial or full field masking of sensitive data, multi-factor authentication, integration with Microsoft Office tools, and linkage to other Micro Focus identity management software for user lifecycle management.
Without touching a line of code on the host, you can lock down access to your mainframe, meet industry-specific rules and regulations, and prevent data from being taken out of the organization through traffic monitoring, or from being modified in ways that impact the business.
Additionally, power users can now create entirely new ways of viewing and manipulating core business data, again without modifying a line of mainframe code. Creating powerful and user-friendly Windows or web-based applications from dated green-screen applications is just a few clicks away.
The mainframe is a powerful part of organizational value. It must be web and mobile device ready, but also totally secure. Whether organizational security direction is coming from the board, auditors, business units, end-users, or more importantly, the customers, Micro Focus provides powerful solutions that can help address these requirements by making access to core mainframe applications secure and friendly.