Mainframe Security

A 2014 Computer Weekly article stated “80% of the world’s corporate data is still managed by mainframes.” The article also stated that the IBM mainframe runs more than 1.1 billion transactions per second, which is significantly more than the “6,900 tweets, 30,000 Facebook likes and 60,000 Google searches per second.”

Despite the mission-critical transactions mainframes process for businesses and government agencies, mainframe security is often lax. There are several interconnected reasons for this:

  • Retirement of mainframe professionals, who walk their knowledge out the door.
  • Limited availability of mainframe training opportunities and documentation, resulting in security teams not being knowledgeable about mainframe components. As a result, security tasks are passed to system programmers who, for better or worse, favor performance and availability over security.
  • Legacy security controls not designed to address the complexity and risks associated with an emerging trend of using mainframes as platforms for mobile and cloud computing, file, web, and application servers, e-commerce, and big data.
  • Low security priority, since mainframes have historically not been known as targets of security breaches.

It doesn’t need to be this way.

Modernizing Mainframe Security

In addition to upgrading the skill set of your security team so they are more knowledgeable about mainframe components, the following are some ideas to consider, questions to ask, and things to do to modernize mainframe security.

Know Your Risk.

What data resides on the mainframe? Who can access that data? What is the value/cost to the organization if that data is compromised, exfiltrated, or destroyed?

  • Data Discovery. Conduct data discovery to identify data on the mainframe, its location, volume, and context.
  • Data Classification. Conduct data classification to identify and label data according to type, sensitivity/confidentiality, and cost/value to the organization if altered, stolen, or destroyed.

Be Proactive.

Who are the users of the data on the mainframe? What data must they access to do their job? How do they access the data (corporate-issued device or BYOD device)? What would an internal or external malicious attacker do to bypass existing security controls?

  • Behavioral Analysis. Create a behavioral baseline profile or ‘whitelist’ of typical patterns of access to databases, file shares, and cloud-based applications based on functional unit and role; and then spotlight the riskiest users, client hosts, and servers so security teams can prioritize investigation of any anomalies.
  • Privilege Management. Ensure appropriate user privileges, according to principle of least privilege, based on functional unit, role, and duties. Revoke excessive user rights and remove dormant users.
  • Separation of Duties. Ensure privileged users cannot monitor themselves, since they can alter security controls to conceal their irregular activities.
  • Device Authentication. Authenticate both the user and any bring-your-own device attempting to access resources.
  • Threat Intelligence. Stay informed about trending security threats.
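The behavioral-baseline idea above, as an added example (not code from the original page or from Imperva): a per-role profile of normally accessed resources and hours is built from constructed access events, new events are scored against it, and users are ranked for triage. Event fields, role names and dataset names are assumptions.

```python
from collections import defaultdict
# Constructed sample access events (user, role, resource, hour 0-23); not real data.
BASELINE_EVENTS = [
    ("alice", "payroll", "PAYROLL.MASTER", 9),
    ("bob",   "payroll", "PAYROLL.MASTER", 14),
    ("bob",   "payroll", "HR.EMPLOYEE", 11),
    ("carol", "billing", "BILLING.INVOICES", 8),
    ("dave",  "billing", "BILLING.INVOICES", 16),
]
NEW_EVENTS = [
    ("alice", "payroll", "PAYROLL.MASTER", 10),    # within baseline
    ("bob",   "payroll", "BILLING.INVOICES", 10),  # resource not used by role
    ("bob",   "payroll", "HR.EMPLOYEE", 3),        # outside the role's hours
    ("dave",  "billing", "PAYROLL.MASTER", 2),     # both deviations
    ("erin",  "audit",   "SYS1.PARMLIB", 12),      # role with no baseline at all
]

def build_baseline(events):
    """Per role: resources normally touched and the observed hour window."""
    resources, hours = defaultdict(set), defaultdict(list)
    for _user, role, resource, hour in events:
        resources[role].add(resource)
        hours[role].append(hour)
    return {role: {"resources": resources[role],
                   "hours": (min(hours[role]), max(hours[role]))}
            for role in resources}

def score_events(baseline, events):
    """Return (user, resource, hour, reasons) for each event that deviates."""
    anomalies = []
    for user, role, resource, hour in events:
        profile, reasons = baseline.get(role), []
        if profile is None:
            reasons.append("unknown role")          # nothing to compare against
        else:
            if resource not in profile["resources"]:
                reasons.append("resource outside role baseline")
            lo, hi = profile["hours"]
            if not lo <= hour <= hi:
                reasons.append("outside usual hours")
        if reasons:
            anomalies.append((user, resource, hour, reasons))
    return anomalies

def riskiest_users(anomalies):  # rank by deviation count (ties by name) for triage
    counts = defaultdict(int)
    for user, _resource, _hour, reasons in anomalies:
        counts[user] += len(reasons)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

A role with no baseline is reported as an anomaly rather than silently passed, so newly created roles surface for review instead of bypassing the profile.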

Clean the System.

Are there outdated security controls or access permissions?

  • Collect Usage Information. Audit usage data to determine unused access permissions, groups, or roles.
  • Collect Security Control Information. Audit anomaly-detection alerts.
  • Delete Obsolete Definitions. Remove any unused access permissions, groups, roles, or alerts.
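The three clean-up steps above, as an added example that is not part of the original page: usage data (last recorded access per user and resource) is compared with the grant table to list dormant users, unused grants, and groups whose every grant is unused. The grant table, audit dates, 90-day threshold and group names are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real); grants map user -> {(group, resource)}.
GRANTS = {
    "alice": {("PAYROLL_RW", "PAYROLL.MASTER"), ("HR_RO", "HR.EMPLOYEE")},
    "bob":   {("PAYROLL_RW", "PAYROLL.MASTER")},
    "carol": {("BILLING_RW", "BILLING.INVOICES"), ("LEGACY_OPS", "OLD.BATCH")},
    "dave":  {("BILLING_RW", "BILLING.INVOICES")},
}
# Last successful access per (user, resource) from audit records; missing = never seen.
LAST_USED = {
    ("alice", "PAYROLL.MASTER"): date(2024, 5, 30),
    ("bob",   "PAYROLL.MASTER"): date(2024, 1, 3),
    ("carol", "BILLING.INVOICES"): date(2024, 5, 28),
}
REVIEW_DATE = date(2024, 6, 1)
DORMANT_AFTER = timedelta(days=90)   # assumed review window

def dormant_users(grants, last_used, today, threshold):
    """Users with no recorded access to any granted resource within the window."""
    dormant = []
    for user, perms in grants.items():
        seen = [last_used[(user, r)] for _g, r in perms if (user, r) in last_used]
        if not seen or today - max(seen) > threshold:
            dormant.append(user)
    return sorted(dormant)

def unused_permissions(grants, last_used, today, threshold):
    """(user, group, resource) grants not exercised within the window."""
    unused = []
    for user, perms in grants.items():
        for group, resource in perms:
            when = last_used.get((user, resource))
            if when is None or today - when > threshold:
                unused.append((user, group, resource))
    return sorted(unused)

def obsolete_groups(grants, unused):
    """Groups whose every grant is unused: candidates for deletion, not just trimming."""
    unused_set = set(unused)
    members = defaultdict(list)
    for user, perms in grants.items():
        for group, resource in perms:
            members[group].append((user, group, resource))
    return sorted(g for g, m in members.items() if all(x in unused_set for x in m))
```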

Simplify User-Rights Management.

  • Privilege Management. Ensure appropriate user privileges, according to principle of least privilege, based on functional unit, role, and duties. Revoke excessive user rights and remove dormant users.
    • Role-Based Access Control. Design and implement role-based access controls to ensure only roles that need to access specific systems, applications, or data have access. Grant the least privilege required to do the job.
    • Context-Based Access Control. Use context-based access control (CBAC) to authenticate both the user and device to control what a user can see or do. For example, an authorized user accessing sensitive data from a personal tablet can see/do less than if he or she accessed that data from a corporate-issued laptop.
  • Separation of Duties. Ensure privileged users cannot monitor themselves, since they can alter security controls to conceal their irregular activities.
  • Privileged User Monitoring. Monitor all privileged user access to files and databases (including local system access), audit user creation and newly granted privileges, and restrict usage of shared-privileged accounts. Identify user behavior that deviates from normal access patterns, and alert and block suspicious activities that may indicate privilege abuse. Users performing unauthorized activities should be quarantined and their privileges should be reviewed. Audit reports and analytical tools are needed to support forensic investigations.
  • Use Real-Time Monitoring. Consolidate and simultaneously run network, application, and file scans in order to see issues across the environment.
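The role-based, context-based and separation-of-duties rules above combined into one access decision, as an added example (not code from the original page or from any Imperva product). The roles, resource names, device classes and the rule that nobody may read audit records about themselves are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy for illustration; not a real product's rule set.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"PAYROLL.MASTER": {"read", "update"}},
    "auditor":       {"AUDIT.LOG": {"read"}},
    "secadmin":      {"SECURITY.DB": {"read", "update"}, "AUDIT.LOG": {"read"}},
}
# Context rule: which actions each device class may perform on sensitive data.
DEVICE_ALLOWED = {
    "corporate": {"read", "update"},
    "byod":      {"read"},   # personal devices get a reduced action set
    "unknown":   set(),      # unauthenticated device: nothing
}
SENSITIVE = {"PAYROLL.MASTER", "SECURITY.DB", "AUDIT.LOG"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: str        # "corporate", "byod" or "unknown"
    action: str
    resource: str
    subject: str = ""  # for AUDIT.LOG reads: whose activity the records describe

def authorize(req):
    """Return (allowed, reason): RBAC first, then device context, then separation of duties."""
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, "role has no such permission"
    if req.resource in SENSITIVE and req.action not in DEVICE_ALLOWED.get(req.device, set()):
        return False, f"action not permitted from {req.device} device"
    # Separation of duties: a privileged user may not read audit records about themselves.
    if req.resource == "AUDIT.LOG" and req.subject == req.user:
        return False, "privileged users may not monitor their own activity"
    return True, "granted"
```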

Learn how Imperva solutions can help ensure robust mainframe security.
