January 16, 2019
To succeed in today’s business world, organizations need to protect data with a secure infrastructure that is worry-free, reliable, and cost-effective. The mainframe has earned its reputation as one of the most secure environments. Many enterprises still depend on mainframes for their most important workloads.
According to a recent Forrester survey:
- 64% of responding enterprises run more than half of their critical applications on a mainframe.
- 72% of customer-facing applications are completely or very dependent on mainframe processing.
Mainframes have remained useful because they let large user populations reach shared data while enforcing one centrally administered security policy. A major advantage of mainframe security is consolidation. Instead of monitoring a sprawl of servers, each with its own configuration and endpoints, the mainframe presents a small, well-defined set of network paths and a single security database to oversee. That simplicity holds only as long as every path into the system (TN3270, FTP, SSH, HTTP, database and message-queue listeners) is inventoried and guarded by the same security manager.
While very secure, mainframes can still be compromised, just like any other part of your infrastructure.
In this article, we’ll look at modern security threats to the mainframe environment, plus several features and options that address them.
1. Modern Security Threats
Some of the threats that could compromise your mainframe's security include:
- Insider threats: a small number of privileged accounts (for example, RACF users with the SPECIAL or OPERATIONS attribute) can read or change almost anything, so their activity must be audited.
- Code-based vulnerabilities: unpatched software and poorly reviewed authorized code (APF-authorized libraries, SVCs, user exits) run with the same privilege as the operating system itself.
- Human error: misconfiguration is the most common weakness, such as profiles left in WARNING mode, overly broad UACC settings, or default passwords on service accounts.
IBM z14 and Pervasive Encryption
In July 2017, IBM unveiled the z14 mainframe server, with new capabilities in areas such as analytics, cognitive computing, cloud, and security. The main security enhancement of the z14 is pervasive encryption, which makes it practical to encrypt all data, whether at rest or in flight, because the bulk encryption is done by the CPACF coprocessor on every core while Crypto Express adapters protect the master keys. The result is robust security at the hardware level that substantially simplifies encryption of data. Pervasive encryption allows companies to meet regulatory compliance requirements without making application or database changes: z/OS data set encryption encrypts whole data sets at the access-method layer, so the application that reads and writes the data is unchanged. Encrypting entire data sets in bulk, rather than selected rows or columns one at a time, improves efficiency and reduces cost. Data set encryption is a component of z/OS V2.3. It requires SMS-managed extended-format data sets and AES-256 keys managed by ICSF; a key label ties each data set to its key, and access to that label is controlled by the external security manager (for example, RACF).
Although multifactor authentication (MFA) has been around for quite some time, many clients do not realize that this capability is available on the mainframe: IBM Z Multi-Factor Authentication (IBM MFA) integrates with RACF so that MFA is enforced at logon for TSO, CICS, IMS and other applications that authenticate through SAF. MFA makes it harder for attackers while minimizing disruption for valid users. It does this by verifying multiple identifying factors, such as a physical or software token in addition to a password, rather than a password alone. Raising the authentication assurance level of the system increases friction for attackers while allowing legitimate users to reach the tools and information they need. MFA protects the authentication step only; it does not compensate for over-permissive access profiles, so it should be paired with the access controls and auditing described below.
2. Many Operating Systems, Many Security Options
Mainframes can host a variety of operating systems, including z/OS, z/VSE, and Linux. Each works differently and comes with its own set of challenges, concerns, and best practices.
Mainframe operating systems:
If security is a top concern, the best-supported operating system is z/OS. Created by IBM, it is designed to offer a secure, highly available, and stable environment, and it is the platform on which the external security managers, SAF and SMF described below are most fully developed.
Also known as z/Virtual Machine, z/VM is a hypervisor, a virtual machine operating system capable of supporting thousands of Linux guests. Security for z/VM can be enhanced with an external security manager, such as the RACF Security Server feature for z/VM.
With RACF and Lightweight Directory Access Protocol (LDAP) on z/VM, it is possible to create an enterprise-wide point of control. At the center of z/VM is the Control Program (CP), which creates and maintains the virtual environments that host virtual machines. When CP or another resource manager needs an access decision, it passes the request to RACF, which allows or denies it based on the profiles it holds.
z/Virtual Storage Extended (z/VSE) is optimized for smaller mainframe installations, and users often migrate to z/OS when they outgrow its capacity. It comes with several basic safeguards, including the Basic Security Manager (BSM) for authentication and authorization, and support for encryption. For companies that require additional security, an external security manager (ESM) might fit their needs.
Linux for System z (now marketed as Linux on IBM Z)
Several non-IBM Linux distributions (SUSE, Red Hat, and Ubuntu among them) run natively on IBM mainframes, either as z/VM guests or directly in an LPAR. Linux on the mainframe is hardened the same way as Linux anywhere else (patching, SELinux or AppArmor, SSH configuration, host firewalls), with the details depending on the distribution; what the mainframe adds is hypervisor-enforced isolation between guests and CPACF hardware acceleration for disk and network encryption.
For enterprises that process high transaction volumes, such as credit card companies, airlines, and banks, there is a specialized mainframe operating system: the z/Transaction Processing Facility (z/TPF).
3. External Security Managers
Most mainframe operating systems come with basic security, but enterprises often need additional layers of security to meet customer expectations and compliance requirements. You can increase the security of your mainframe environment with an external security manager (ESM).
Here are the ESMs we recommend to our customers:
Resource Access Control Facility (RACF®) is IBM's ESM for z/OS (also available for z/VM). It holds the security database of users, groups and resource profiles that SAF consults for every access decision. RACF does not encrypt data itself; with pervasive encryption its role is to control who may use which encryption key labels (through the CSFKEYS class) and to assign a key label to a data set profile so that new data sets under it are created encrypted. The encryption of data on disk and in transit is performed by DFSMS, ICSF and the hardware; RACF decides who is allowed to reach the keys and the data.
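The following batch job is an added example (it is not from the original article, nor an IBM sample) showing how RACF ties the pervasive encryption described earlier to access control: it protects a key label, restricts its use to DFSMS data set encryption, and attaches the label to a data set profile. All names are hypothetical assumptions: key label PAYROLL.KEY.2019, high-level qualifier PAYROLL, user PAYUSER, and administrator group PAYADM. The AES-256 secure key is assumed to already exist in the ICSF CKDS under that label; creating it is an ICSF task and is out of scope here.

```jcl
//DSENCR   JOB (ACCT),'DATA SET ENCRYPTION',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not taken from the article or from IBM samples.
//* Assumed (hypothetical) names: key label PAYROLL.KEY.2019, data set
//* HLQ PAYROLL, user PAYUSER, admin group PAYADM. The AES-256 secure
//* key must already exist in the ICSF CKDS under that label.
//*-------------------------------------------------------------------
//* Step 1: activate the classes involved. CSFKEYS guards key labels;
//* FIELD guards who may set the DATAKEY field of a data set profile,
//* so only PAYADM can decide which key a data set gets.
//*-------------------------------------------------------------------
//CLASSES  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS) GENERIC(CSFKEYS)
SETROPTS CLASSACT(FIELD) RACLIST(FIELD)
RDEFINE FIELD DATASET.DFP.DATAKEY UACC(NONE)
PERMIT DATASET.DFP.DATAKEY CLASS(FIELD) ID(PAYADM) ACCESS(UPDATE)
/*
//*-------------------------------------------------------------------
//* Step 2: protect the key label. UACC(NONE) means nobody can use it
//* until explicitly permitted. The ICSF segment lets DFSMS use the
//* key in protected-key (CPACF) form so bulk encryption runs at full
//* speed. The CRITERIA clause limits PAYUSER's access to DFSMS data
//* set encryption; it does not grant use of the label through
//* general ICSF callable services that could expose key material.
//*-------------------------------------------------------------------
//KEYLABEL EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE CSFKEYS PAYROLL.KEY.2019 UACC(NONE) -
  ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
PERMIT PAYROLL.KEY.2019 CLASS(CSFKEYS) ID(PAYUSER) ACCESS(READ) -
  WHEN(CRITERIA(SMS(DSENCRYPTION)))
/*
//*-------------------------------------------------------------------
//* Step 3: the data set profile. DATAKEY in the DFP segment makes new
//* SMS-managed extended-format data sets under PAYROLL.MASTER.** be
//* created encrypted with this label. AUDIT(ALL(READ)) writes an SMF
//* type 80 record for every successful or failed access attempt.
//* Note that READ to the key label is needed in addition to access
//* to the data set: a user with UPDATE on the profile but no CSFKEYS
//* permit still cannot open the data.
//*-------------------------------------------------------------------
//DATASET  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ADDSD 'PAYROLL.MASTER.**' UACC(NONE) AUDIT(ALL(READ)) -
  DFP(DATAKEY(PAYROLL.KEY.2019))
PERMIT 'PAYROLL.MASTER.**' ID(PAYUSER) ACCESS(UPDATE)
SETROPTS RACLIST(CSFKEYS FIELD) REFRESH
SETROPTS GENERIC(DATASET) REFRESH
/*
```

Submit the job under an ID with the SPECIAL attribute, then verify with LISTDSD DATASET('PAYROLL.MASTER.**') DFP that the DATAKEY field is set, and after allocating an extended-format data set under that qualifier confirm with LISTCAT ENT(...) ALL that the catalog entry shows the key label. A label supplied on the DD statement (DSKEYLBL) takes precedence over the RACF profile, which in turn takes precedence over the SMS data class, so check all three when a data set turns out unencrypted or encrypted with an unexpected key.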
Computer Associates (now CA Technologies, part of Broadcom)
CA Technologies, formerly known as Computer Associates and acquired by Broadcom in November 2018, offers two ESMs for the mainframe environment plus an MFA add-on that works with either of them or with RACF.
CA ACF2 (Access Control Facility 2) is an ESM for z/OS, z/VSE, and z/VM that fills the same role as RACF: it keeps the security database and answers the access requests that SAF routes to it. Only one ESM can be active on a z/OS system, so ACF2 is an alternative to RACF and Top Secret rather than a companion to them. ACF2 does not itself perform multifactor authentication; that comes from CA Advanced Authentication Mainframe, which plugs into ACF2, Top Secret or RACF so that applications can raise their assurance that users are correctly identified.
CA Top Secret is CA's other ESM for z/OS and z/VM, a direct alternative to RACF and ACF2 that, like them, can be paired with CA Advanced Authentication Mainframe to require a hard or soft token in addition to a password. By requiring additional information, applications ensure that users are properly identified. Top Secret is designed to help enterprises meet compliance requirements.
4. SAF – System Authorization Facility
This security feature is an interface built into the z/OS operating system. It is the single call path (the RACROUTE macro) through which system components and applications ask whether a given user may perform a given action on a given resource, and it routes that question to whichever ESM is installed. SAF itself makes no access decisions and recognizes no attack patterns; the decisions and the detection come from the ESM's profiles and audit settings.
SAF enforcement is only as complete as the profiles behind it. A resource with no covering profile, or a profile in WARNING mode, is allowed through, so the first practitioner check is to search the security database for both. When the ESM denies a request, or the profile is marked for auditing, the event is written to SMF, so your IT security team can review suspicious activity in detail and restrict access promptly, provided those audit options are switched on.
The SAF router provides a common focal point for all products providing resource control. It works with RACF or another ESM to direct access control requests. Without an ESM, SAF returns "no decision" for most requests and the calling component decides for itself, which usually means allowing access, so in practice an ESM such as RACF is required for SAF to protect anything.
5. System Management Facilities
Like modern aircraft, IBM mainframes come equipped with a "black box" that records activity. Called System Management Facilities (SMF), this feature keeps a record of activity on the IBM mainframe OS, including user access, error conditions, software usage, I/O, network activity, and processor utilization. What is recorded depends on which record types are enabled in SMFPRMxx and which audit options the ESM has switched on: RACF writes its security events (logons, access violations, command activity) as SMF type 80 records. Reviewing an unauthorized access attempt means dumping those records and unloading them into readable form (IRRADU00 for RACF) or forwarding them to a SIEM.
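The job below is an added example, not from the original article, that covers the two practitioner checks raised in the SAF and SMF sections: making sure the ESM actually logs what SAF routes to it, finding profiles SAF will not enforce, and unloading the resulting RACF audit records from SMF. It assumes a RACF system and the hypothetical names SYS1.MAN1 for the SMF data set and SECAUDIT.RACF.UNLOAD for the unload output; the command output goes to SYSOUT. The SETROPTS audit options and SEARCH require the AUDITOR attribute.

```jcl
//SAFAUDIT JOB (ACCT),'SAF AUDIT AND SMF UNLOAD',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not from the article. Assumed (hypothetical) names:
//* SMF data set SYS1.MAN1 and unload data set SECAUDIT.RACF.UNLOAD.
//* Run under an ID with the AUDITOR attribute.
//*-------------------------------------------------------------------
//* Step 1: turn on the logging that makes SAF decisions visible.
//* Without these options only failures against profiles that carry
//* their own AUDIT setting reach SMF. SAUDIT, OPERAUDIT and CMDVIOL
//* record what SPECIAL and OPERATIONS users do and every command
//* that violates a rule (the insider-threat case).
//*-------------------------------------------------------------------
//AUDITOPT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS AUDIT(USER GROUP DATASET)
SETROPTS SAUDIT OPERAUDIT CMDVIOL
SETROPTS LOGOPTIONS(FAILURES(DATASET))
/*
//*-------------------------------------------------------------------
//* Step 2: find what SAF will NOT stop. A profile in WARNING mode
//* logs the violation but lets the access go ahead; "ALTDSD ...
//* WARNING" is a common temporary fix that never gets removed.
//* Every profile these commands list is a gap to close once the
//* real permits are in place.
//*-------------------------------------------------------------------
//WARNCHK  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SEARCH CLASS(DATASET) WARNING
SEARCH CLASS(FACILITY) WARNING
/*
//*-------------------------------------------------------------------
//* Step 3: pull the RACF security events out of SMF. IFASMFDP dumps
//* the SMF data set; IRRADU00/IRRADU86 are the RACF SMF unload exits
//* that turn the binary type 80/81/83 records into one readable,
//* fixed-column line per event on DD OUTDD. Type 30 is included so
//* job start and end can be correlated with the security events.
//*-------------------------------------------------------------------
//UNLOAD   EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//ADUPRINT DD SYSOUT=*
//OUTDD    DD DSN=SECAUDIT.RACF.UNLOAD,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(50,20),RLSE),
//            DCB=(RECFM=VB,LRECL=12288,BLKSIZE=0)
//SMFDATA  DD DSN=SYS1.MAN1,DISP=SHR
//SMFOUT   DD DUMMY
//SYSIN    DD *
INDD(SMFDATA,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(30,80,81,83))
ABEND(NORETRY)
USER2(IRRADU00)
USER3(IRRADU86)
/*
```

Dump an SMF data set that is no longer active (switch with the I SMF operator command first), or use IFASMFDL with LSNAME when SMF writes to a log stream. Each line of the unload starts with an event type and qualifier (for example ACCESS with INSACC for a denied access), which makes it straightforward to filter with ICETOOL or load into a SIEM; a steady stream of WARNING-qualified successes against one profile is the signature of the WARNING-mode gap that step 2 looks for.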
The Mainframe: Simple and Secure
Because a mainframe is one piece of hardware whose network connectivity arrives through a small number of OSA-Express adapters, it is easier to manage and secure than a network of servers with many connection points. An OSA card lets administrators share one physical Ethernet connection among hundreds of virtual servers. That is not the same as a single "door", however: every listener on the system (TN3270, FTP, SSH, HTTP servers, DB2 DRDA, MQ, CICS web services) is an entry point that must authenticate through SAF and should be reachable only through the firewalls and TLS policies you intend.
Mainframes also come with built-in security features, including the ability to audit activity through the SMF "black box." The newest IBM mainframe, the z14, also comes with pervasive encryption.
If your enterprise needs additional layers of security, an ESM (RACF, ACF2, or Top Secret) supplies access control and auditing, and multifactor authentication is added on top with IBM MFA or CA Advanced Authentication Mainframe.
If your enterprise needs the security and performance of the mainframe environment but lacks either professional resources or capital resources, PSR can help with remote management or hosted mainframe solutions.
Contact a PSR mainframe security expert to discuss your data storage and security needs.