Tightening Mainframe Access and Security

The mainframe is now an integral part of a rapidly-evolving connected, digital, and hybrid IT world. To remain, it must meet new demands for device connectivity and security. But what does that look like? In the first of three blogs, Barbara Ballard assesses how the enterprise is extending enterprise-level security to the mainframe with access control, data privacy, and endpoint hardening.

Why mainframe security matters

The mainframe continues to be business-critical, and it is here to stay. A recent Forrester survey shows that 72 percent of customer-facing applications are ‘completely or very reliant’ on mainframe processing. Now, 64 percent of enterprises will run more than half of their business-critical applications on the mainframe, up from 57 percent in 2018. And that’s not all. IBM states that 80 percent of the world’s corporate data resides or originates on mainframes.

Despite all this, many organizations struggle to extend enterprise security to the mainframe. According to IBM, 85 percent of companies say mainframe security is a top priority, yet 67 percent admit that they only sometimes or rarely factor security into mainframe environment decisions.

Regulatory requirements demand additional security for the mainframe, as it is a crucial component of the enterprise. These regulations include the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). All require security controls that we will discuss here.

These regulations protect individuals and their data. For example, PCI DSS mandates multi-factor authentication (MFA) in certain scenarios regarding cardholder data, encryption, and data masking, as well as specifics around applying security patches. GDPR includes securing data in transit and at rest, and at its core, requires that personally identifiable information is only accessible by those with a legitimate reason to do so. And CCPA shares much of the same foundation as GDPR.

Sensitive data needs strong security

In addition to regulations requiring secure systems, the uptick of breaches proves the need for strong security for systems holding sensitive data. The most common breach is through compromised account credentials. Making access harder is the key to breach prevention.

One of the best ways to prevent unauthorized access is through multi-factor authentication (MFA). With MFA, the password will not be enough to gain access. In addition to access controls, data privacy through encryption in conjunction with data masking ensures sensitive data stays secure. If your systems are compromised, but sensitive information is encrypted and masked, that data will not be visible.

More than ever before, organizations must extend enterprise-level security controls to the mainframe. At a minimum, these controls include:

  • Access control
  • Data privacy
  • Endpoint hardening

Access Control

Let’s now look at how the enterprise is using access control and data privacy to extend enterprise-level security to the mainframe. Access control is a combination of authentication and authorization.

Authentication is the process of proving who you are, and can use a number of factors. These include what a user knows (for example, a user ID and password), what they have (a smartcard or chip) and what a user is physically. Examples here include biometrics, such as a fingerprint or retina scan. The more factors, the stronger the authentication.

Authorization is the mechanism by which a system grants or revokes the right to access data, or perform an action. When the principle of least privilege is applied, authorization only gives users access to the applications and data to which they have legitimate access, based on their role in the organization.

In mainframe organizations, access control is typically not integrated with corporate security frameworks, and so does not benefit from the stronger security requirements that enterprise IAM systems enforce, because integration is difficult and costly. It is a separate activity, often implemented through RACF, ACF2, or Top Secret. Many organizations still use eight-character passwords for mainframe access. While many enterprises are implementing multi-factor authentication (MFA), the strongest form of authentication, mainframes are either not included in the MFA plan, or mainframe MFA is separate from the enterprise. Organizations should consider an MFA platform that delivers MFA across the enterprise, including the mainframe.

Another way to secure the mainframe is by leveraging identity and access management (IAM) in the enterprise to enable or deny access, so the organization can use its existing enterprise access security controls with the mainframe. This makes the IAM system the primary control over who gets in and what they get access to.

Data Privacy

This dovetails neatly with access control, and is essential to securing mainframe data. Organizations should be looking at their data privacy options to ensure mainframe data integrity. There are a few to choose from.

One, only allow as much access to sensitive information as a user’s role requires. Two, protect data, both at rest and in transit, as it moves in and out of the organization. The two controls protecting sensitive data are encryption, which secures data in transit and at rest, and masking, which secures viewable data. However, as mainframe applications often pre-date the advent of modern security mandates such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), sensitive data is most likely viewable by all mainframe users. In addition, mainframe applications can be difficult, and costly, to update.

However, redaction–the masking or obscuring of any fixed or variable data field for protection on the mainframe–can hide data at the presentation level.

Redaction should be role-based, according to least privilege. Doing this requires a complete understanding of what data is sensitive. Examples include the primary account number for credit card data, and any information that identifies the individual to whom the information applies. Redaction replaces some of that data with random characters, or dummy information, to ensure the information cannot be connected to a specific identity.
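Presentation-level, role-based redaction of the kind described above, as an added example that is not from the original post or from any Micro Focus product: it masks the sensitive fields of a constructed fixed-width host record according to the caller’s role, leaves non-sensitive fields and the record length untouched, and fails closed for unknown roles. The record layout, the role names and the keep-last-four PAN policy are assumptions made for the example.

```python
"""Role-based redaction of a fixed-width host record at the presentation layer.

Assumed layout (constructed for this example, not a real application's copybook):
  cols  0-15  primary account number (PAN), 16 digits
  cols 16-35  cardholder name, 20 chars, space padded
  cols 36-45  account balance, 10 chars (not sensitive)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    start: int
    end: int        # exclusive
    sensitive: bool


LAYOUT = (
    Field("pan", 0, 16, True),
    Field("name", 16, 36, True),
    Field("balance", 36, 46, False),
)

# Least-privilege policy (assumed roles): sensitive fields each role may see in the clear.
ROLE_CLEAR_FIELDS = {
    "fraud-analyst": {"pan", "name"},
    "customer-service": {"name"},
    "auditor": set(),
}


def mask_pan(value: str) -> str:
    """Keep only the last four digits (assumed policy); preserve the field width."""
    digits = value.strip()
    return ("X" * (len(digits) - 4) + digits[-4:]).ljust(len(value))


def mask_text(value: str) -> str:
    """Replace every non-blank character, keeping padding so columns still line up."""
    return "".join(" " if c == " " else "*" for c in value)


def redact_record(record: str, role: str) -> str:
    """Return the record as the given role is allowed to see it. Unknown roles see nothing sensitive."""
    if len(record) < LAYOUT[-1].end:
        raise ValueError("record shorter than the assumed layout")
    allowed = ROLE_CLEAR_FIELDS.get(role, set())  # fail closed
    out = []
    for f in LAYOUT:
        chunk = record[f.start:f.end]
        if f.sensitive and f.name not in allowed:
            chunk = mask_pan(chunk) if f.name == "pan" else mask_text(chunk)
        out.append(chunk)
    return "".join(out) + record[LAYOUT[-1].end:]


# Constructed sample record (test PAN, fictitious name).
SAMPLE = "4111111111111111" + "JANE Q PUBLIC".ljust(20) + "0000123456"
```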

Used in conjunction with encryption, redaction is another option for ensuring the security of sensitive information stored on the mainframe. Encryption encodes data in transit so that only authorized parties can decode it in order to access it. Typical encryption technologies for mainframe data include TLS and SSH, and encryption protocols often need upgrading to counter security vulnerabilities.

Endpoint Hardening

Endpoint hardening means strengthening the endpoints (devices) that access the mainframe to help prevent attacks. It secures systems by reducing the surface of vulnerability. This relies on installing the latest security patches, and configuring operating systems and applications according to least privilege principles, policies, and standards.

In mainframe organizations, the key application requiring endpoint hardening is the terminal emulator, or other host access software. Owners must lock down terminal emulation, as not all users need to create new sessions, edit macros, or connect to unauthorized systems.

In the new era of cyber security, terminal emulators need to be controlled. Centralized management of host access software simplifies locking down the emulator and applying the necessary security configuration changes, on demand.

The faster a security patch is rolled out, the quicker a threat is thwarted. But promptly applying patches for every individual desktop device is more complicated and time-consuming than using a server-based host access solution.

Defense in Depth

In this series, we have promoted a ‘defense in depth’ approach. This is the name we give to the coordinated use of multiple security controls to protect the information in the enterprise. The strategy follows the military principle that it is harder for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.

In summary, no silver bullet will protect the enterprise from a breach. However, a multilayered defense plan, which includes the controls we have outlined in our first and second blogs, can secure the mainframe, and the data on it.

At a minimum, these controls must include:

  • Access control: Authentication and Authorization
  • Data privacy: Encryption and Redaction
  • Endpoint hardening: Terminal lockdown and Patch Rollouts

And it is worth noting these security controls work better together.

What to do now

The security challenges may seem daunting. Implementing everything outlined here may feel overwhelming. However, the mainframe must be secure. So, what do you do now? The best thing for any mainframe organization to do is something. Take any one, or more, of these controls and implement it – the sooner the better. And Micro Focus is here to help!
