In our first blog we discussed how the mainframe must meet new demands in connectivity and security. In the second of our three blogs, Barbara Ballard looks at how the enterprise is using access control and data privacy to extend enterprise-level security to the mainframe.
Access control is a combination of authentication and authorization.
Authentication is the process of proving who you are, and can use a number of factors. These include what a user knows (for example, a user ID and password), what they have (a smartcard or chip) and what a user is physically. Examples here include biometrics, such as a fingerprint or retina scan. The more factors, the stronger the authentication.
Authorization is the mechanism by which a system grants or revokes the right to access data, or perform an action. When the principle of least privilege is applied, authorization only gives users access to the applications and data to which they have legitimate access, based on their role in the organization.
In mainframe organizations, access control is not typically integrated with corporate security frameworks, typically the stronger security requirements of IAM systems, because of difficulty and cost. It is a separate activity often implemented through RACF, ACF2, and Top Secret. Many organizations still use eight-character passwords for mainframe access. While many enterprises are implementing multi-factor authentication (MFA), the strongest form of authentication, mainframes are either not included in the MFA plan, or mainframe MFA is separate from the enterprise. Organizations should consider an MFA platform that delivers MFA across the enterprise, including the mainframe.
Another way to secure the mainframe is by leveraging identity and access management (IAM) in the enterprise to enable or deny access, so the organization can use existing enterprise access security controls with the mainframe. This makes the making the IAM the primary control of who gets in and what they get access to.
This dovetails neatly with access control, and is essential to securing mainframe data. Organizations should be looking at their data privacy options to ensure mainframe data integrity. There are a few to choose from.
One, only allow as much sensitive information access as a users’ role requires. Two, protect data, both at rest and in transit, as it moves in and out of the organization. The two controls protecting sensitive data are encryption, which secures data in transit and at rest, and masking, which secures viewable data. However, as mainframe applications often pre-date the advent of modern security mandates such as Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA), sensitive data is most likely viewable by all mainframe users. In addition, mainframe applications can be difficult, and costly, to update.
However, redaction–the masking or obscuring of any fixed or variable data field for protection on the mainframe–can hide data at the presentation level.
Redaction should be role-based, according to least privilege. Doing this requires a complete understanding of what data is sensitive. Examples include the primary account number for credit card data, and any information that identifies the individual to whom the information applies. Redaction replaces some of that data with random characters, or dummy information, to ensure the information cannot be connected to a specific identity.
Used in conjunction with encryption, redaction is another option for ensuring the security of sensitive information stored on the mainframe. Encryption encodes data in transit so that only authorized parties can decode it in order to access it. Typical encryption technologies for mainframe data include TLS and SSH, and encryption protocols often needs upgrading to counter security vulnerabilities.
Upcoming blog post
Topics in our third post, Tightening Mainframe Access and Security: Part 3, include ‘Endpoint Hardening’ and ‘Defense in Depth’. Find me on Twitter and learn more about integrating IAM with your mainframe by downloading this whitepaper, Integrating Host Systems with Modern Security Frameworks if you’d like.