Mainframes are secure because their simplified architecture lacks vulnerable endpoints. Customer information is protected by technologies that have shown the ability to secure endpoints.

Security threats do target mainframes. These threats include:

  • Insider threats
  • Code-based vulnerabilities
  • Human error
  • Hackers
  • Ransomware

Many enterprises and financial institutions rely on proven mainframe environments for crucial workloads. According to Forrester, 57% of enterprises with a mainframe use it to run more than half of their business-critical applications. Additionally, 72% of customer-facing applications are completely or very dependent on mainframe processing.

Companies that depend on mainframes for mission-critical workloads need to evolve their approaches to security to defend against threats.

Here’s an overview of 5 ways your company can protect its mainframe:

1) Pervasive Encryption and Multifactor Authentication

IBM z14/z15 has pervasive encryption built in. Data is encrypted while at rest as well as in flight. Pervasive encryption allows companies to meet compliance regulations. It is also a cost-effective approach to security.

Multifactor authentication (MFA) is available for mainframes. With MFA, companies can bar hackers from accessing data without impeding authorized user access. MFA uses a combination of tokens, behaviors, and biometrics to identify authorized users and grant access. 

2) Many Operating Systems, Many Security Options

Mainframes can host a variety of IBM Z operating systems and others, including z/OS, z/VSE, z/Linux, and z/TPF. Each operating system works differently and comes with its own challenges, concerns, and best practices, so the right fit depends on your environment.

If security is a top concern, the best operating system is IBM z/OS. IBM z/OS provides built-in security features to protect customer data. It is designed to offer a secure, highly available, and stable environment.

The built-in security features for z/OS provide an environment secure enough to be used by financial institutions, manufacturing, and government. IBM RACF is a proven security tool for protecting customer data. It also provides critical audit records needed for compliance.

IBM z/Virtual Machine (z/VM) is a hypervisor operating system capable of supporting thousands of Linux machines. Security for z/VM can be enhanced with an external security manager, such as RACF Security Server.

With RACF® and Lightweight Directory Access Protocol (LDAP) on z/VM, it’s possible to create an enterprise-wide point of control. At the center of z/VM is the Control Program (CP), which is used to create and maintain virtual environments to host virtual machines. RACF works with CP to receive requests from resource managers. Based on the authorization, access is either allowed or denied.

z/Virtual Storage Extended (z/VSE) is optimized for use with smaller mainframe computers. z/VSE provides stability and security for environments that do not need the suite of z/OS. It comes with several basic safeguarding features, including online security, authentication and authorization, and encryption. For companies that require additional security, an external security manager (ESM) might fit their needs.

There are several Linux (non-IBM) distributions that are compatible with IBM System z mainframes. The right security solution will depend on the Linux distribution being used to operate the mainframe. For enterprises that process high transaction volumes — such as credit card companies, airlines, and banks — there is a specialized mainframe operating system: the z/Transaction Processing Facility (z/TPF).

3) External Security Managers (ESMs)

ESMs add extra layers to the basic security measures that mainframes already supply. They help companies meet compliance and customer expectations.

Resource Access Control Facility (RACF®) is a set of tools developed by IBM for z/OS that help manage access to critical resources. With RACF, you can establish pervasive encryption for absolute security. Files are encrypted at every point, including in storage and during transmission.

CA Technologies offers two compatible security solutions for the mainframe environment. CA Access Control Facility (ACF2) is a security system that enables discretionary access control for IBM mainframe operating systems z/OS, z/VSE, and z/VM. ACF2 controls access to sensitive information and critical business assets. With advanced authentication, applications can increase their assurance that users are correctly identified and data is protected. ACF2 works similarly to other ESMs, such as RACF and Top Secret.

CA Top Secret provides advanced authentication for mainframes. By requiring additional information, applications ensure that users are properly identified. Top Secret is designed to help enterprises meet compliance requirements.

4) System Authorization Facility (SAF)

SAF is an interface built into the z/OS operating system that provides infrastructure-security administration tools to help prevent unauthorized access to critical business information. The system can recognize patterns that signal unauthorized access. Nothing gets past SAF ― not even the sneakiest of hackers.

SAF with a security manager sends an instant report so your IT team can restrict access immediately. All information gets logged, so you can review any suspicious activity in detail. The SAF router provides a common focal point for all products providing resource control. It works with ESMs to direct access control according to conditions.
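The request flow described above (resource manager, SAF router, ESM, allow or deny, audit trail) can be sketched as a small Python model. This is an added illustration, not IBM code or anything from the original article. The return-code values follow the RACROUTE convention (0 authorized, 4 no decision, 8 not authorized), and all class, profile, and user names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# SAF return codes as seen by the caller of RACROUTE.
SAF_OK, SAF_NO_DECISION, SAF_DENIED = 0, 4, 8
# Subset of RACF access levels, lowest to highest.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Esm:
    """Stand-in for an ESM: resource profile -> {user or 'UACC': access level}."""
    profiles: dict

    def check(self, user, resource, wanted):
        acl = self.profiles.get(resource)
        if acl is None:
            return SAF_NO_DECISION  # no profile protects this resource
        granted = acl.get(user, acl.get("UACC", "NONE"))
        return SAF_OK if LEVELS[granted] >= LEVELS[wanted] else SAF_DENIED

@dataclass
class SafRouter:
    """Single focal point: every resource manager request passes through here."""
    esm: Optional[Esm] = None
    audit: list = field(default_factory=list)  # simplified stand-in for the audit trail

    def route(self, user, resource, wanted):
        rc = self.esm.check(user, resource, wanted) if self.esm else SAF_NO_DECISION
        self.audit.append((user, resource, wanted, rc))
        return rc

def allows(router, user, resource, wanted, fail_closed=True):
    """Resource manager side: it must choose what 'no decision' means."""
    rc = router.route(user, resource, wanted)
    if rc == SAF_NO_DECISION:
        return not fail_closed  # treating RC 4 as 'allow' leaves the resource open
    return rc == SAF_OK

def violations(router):
    """Denied requests worth reviewing in the audit trail."""
    return [entry for entry in router.audit if entry[3] == SAF_DENIED]

# Constructed sample data: profile names and user IDs are made up.
PROFILES = {"PAYROLL.MASTER": {"UACC": "NONE", "ALICE": "UPDATE", "BOB": "READ"}}
ROUTER = SafRouter(Esm(PROFILES))
```

The case to watch is return code 4: a resource with no covering profile, or a system with no active ESM, yields "no decision", and the outcome then depends entirely on how the calling resource manager handles it.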

5) System Management Facility (SMF)

IBM z/OS mainframes come equipped with SMF, which records every activity, much like the “black box” in a modern aircraft. SMF keeps a complete record of all baseline activities running on the IBM mainframe OS, including user access, error conditions, software usage, I/O, network activity, and processor utilization. If any attempt is made at unauthorized access, all activities can be reviewed in SMF log files.

Increasing Mainframe Security

Because mainframes provide a simplified networking environment via OSA cards, the mainframe environment is easier to manage and secure than a network of servers with many connection points. The OSA card allows administrators to create hundreds of virtual servers under one Ethernet connection.

Mainframes also come with built-in security features — such as SMF and pervasive encryption — and can be enhanced with ESMs.

If your enterprise needs the security and performance of the mainframe environment but lacks either professional resources or capital resources, PSR can help with remote management or hosted mainframe solutions.