Ray Overby, CTO and co-founder of Key Resources, tells Intelligent CIO that CIOs and CISOs who surround themselves with the right support can make up for their own gaps in mainframe knowledge while building a more automated and effective mainframe security estate.
Several years ago, the CIO at a major insurance company based in North America and Europe came to me with dire news: his company had suffered a data breach.
An independent audit revealed that a rogue employee exploited another user’s account to steal data. The user account that was exploited had been given more access than was necessary to do his job (excessive access).This vulnerability was only present because the company’s mainframe authorization settings had deviated from its corporate IT security policy.
To remedy the vulnerability, the auditor advised that the company routinely check all its mainframe configuration settings against the stated policy from that point on. They were given a very short deadline to update their systems to meet compliance.
The problem? The policy was written on paper. It’s not very practical or reliable for a global enterprise to manually check every IT system for policy drift.
He asked for my team’s help, so we digitized the documented policy and automated the security compliance check process. Now, the CIO and his team receive regular reports notifying them when settings have drifted from policy. As a result, the team can identify, classify, and fix misconfigurations, reducing the risk of more data breaches.
And this risk is not going away. Mainframe sales are on the rise, and despite its reputation as the impenetrable fortress of the IT world, the mainframe is just as much a target for inside and outside threats as any other system.
Notably, the main server of Nordea Bank fell victim to a sophisticated ransomware attack in which a hacker attempted to steal hundreds of thousands of Euros through a series of unauthorized transfers.
CIOs and CISOs need to avoid these kinds of risks, which is why it’s more important than ever to look for opportunities to automate mainframe security processes and procedures. Here’s what you’re up against.
A tempting target and an undermanned defense
Most CISOs understand the risk to distributed IT systems, but the mainframe tends to get overlooked or taken for granted in conversations about holistic corporate IT strategy. That’s scary, given how central the mainframe is to most enterprises – up to 87% of the world’s credit card transactions are executed on mainframes, for example.
Even within experienced mainframe operations teams, mainframe security is restricted to things like application vulnerability scanning. Companies use tools like IBM RACF, CA ACF2 or CA Top Secret for authorization and authentication.
Application scanning is important, but it’s not comprehensive. If someone were to attack a mainframe app, they could only gain access to the data within that app. Due to the way mainframe operating systems are designed, hackers who break into one app are not able to gain any additional level of access to other apps or the operating system.
What happens if a hacker gains access to the actual operating system, by exploiting integrity vulnerabilities in OS-level code? Now, the whole empire is at risk – every app, all data, and even mainframe configuration and user settings can be exploited. That’s when a hacker can really wreak havoc, exploiting vulnerabilities to impersonate users, access protected information, escalated privileges and much more. Worse, a hacker with OS-level access can even disable event logging to completely cover their tracks – you’d never know what hit you.
Unfortunately, not many companies have made it a regular practice to scan for and remedy vulnerabilities on the OS layer. For a while, many mainframe professionals and vendors even denied the existence of such vulnerabilities, despite evidence. This complacency meant major vulnerabilities were left open for hackers to exploit, as they did in the Nordea Bank case.
Additionally, in my experience, many of today’s C-level IT executives ascended to their position through the distributed side of IT – not mainframe. That just further complicates the issue, as mainframe security might feel entirely foreign and intimidating to them.
How are you supposed to protect this important IT system if you are essentially flying blind in terms of its vulnerabilities and remedies?
What should CISOs consider automating?
Automating mainframe security checks can help. With the right tools, CISOs can arm their security teams with the resources required to mitigate vulnerabilities in mainframe operating system code, without requiring impossible time-consuming manual work. This has benefits not just for improving security, but also meeting compliance standards.
For example, think back to the insurance example at the start of this article. Insurance is a heavily regulated industry and companies are expected to meet high standards for information security. Automation helped that business solve a common problem – policy drift – that led to an unfortunate circumstance.
Standards are also high across other industries. Depending on your field, you might have heard of the NIST Security and Privacy Controls for Information Systems and Organizations. This is a catalog of recommended security technologies and processes created by NIST, an agency within the US. Department of Commerce. Federal agencies, state organizations and private businesses closely follow NIST guidelines because it’s the best way to verify that their IT systems comply with federal laws and standards around data privacy and security.
The most recent NIST update, in March 2020, specifically recommended independent IT environment assessments that include routine vulnerability scanning for every IT system. That includes the mainframe. So, if your company works with federal agencies, it’s crucial to follow the NIST guidelines.
Other organizations, from the Department of Defense’s Defense Information Systems Agency (DISA), to the Payment Card Industry (PCI), make specific recommendations and requirements around security vulnerabilities. HIPAA does the same in healthcare, and the state of New York’s latest cybersecurity regulations sets unique standards for mainframe penetration testing and vulnerability scanning global financial organizations that are licensed to work in New York.
The bottom line: routine vulnerability scanning and compliance checking are fundamental in any industry that has a mainframe at the heart of its IT environment.
Auto-pilot isn’t the only answer. Find an architect.
Still, tech can’t solve everything alone. CISOs need experts they can trust, which is why we often advocate for the role of a mainframe security architect.
This is an ideal internal role for organizations that have struggled with mainframe security accountability in the past. A good mainframe security architect understands both broad IT security as well as the specific intricacies of the mainframe world. They can continually review and enhance corporate security policy, always considering mainframe protections along the way. They build your toolbox of software and technologies to protect the enterprise.
But they’re not alone. Separation of duties is important in IT security to eliminate conflicts of interest or situations in which the same person is reporting on their own activity. Your mainframe security architect simply builds the security architecture, but they should not be the same person that implements, tests, audits, monitors and reports on mainframe security. That work should be left to someone else in-house or a third-party consultant.
CISOs who surround themselves with the right support can make up for their own gaps in mainframe knowledge while building a more automated and effective mainframe security estate. That’s how you keep your data safe, keep the regulators at bay and keep your board of directors happy.
