Mainframes are still the backbone of data centers in a great many use cases. Big-hunk heavy-metal equipment made by IBM (Z Series) and Unisys (which owns the old-line Burroughs and UNIVAC brands) has developed a well-earned reputation for being secure, reliable platforms; this is why most data centers around the U.S. have at least one of them working away 24/7, often way behind the scenes.
That doesn’t mean the mainframe is impenetrable, however. Every platform has its risks, and the mainframe is no exception.
Enterprises need to apply the same policies and practices around vulnerability management on the mainframe as they do on distributed systems. In this eWEEK Data Point article, using industry information from Ray Overby, President and CEO of Key Resources, Inc., we offer six important points about mainframe security, which all too often flies under the radar.
Data Point No. 1: Businesses are taking mainframe security for granted.
Mainframes are mission-critical to countless businesses and organizations, with 71 percent of the Fortune 500 storing countless instances of personally identifying information (PII), financial information, health data and more on these systems. But, one of mainframes’ biggest weaknesses, code-based vulnerabilities, are overlooked by the market’s top security scanning solutions and often ignored by mainframe experts, CIOs and CISOs. Last year, for example, KRI observed 30 zero-day vulnerabilities in its scans of mainframe operating systems. That means the people and tools responsible for ensuring the security of a company's most important system are blind to a threat that could bring a business to its knees.
Data Point No. 2: There’s a need for both configuration and code-based scanning.
Mainframe configuration vulnerabilities can come from a variety of sources, including hardware configurations, IPL parameters, External Security Manager (ESM) configurations and operating system configurations settings. z/OS integrity code vulnerabilities are those vulnerabilities that originate in the operating system programs and extensions.Bad actors can try to exploit vulnerabilities in a system’s security configuration or in its operating system layer code, and both can spell disaster. No matter how diligent you are on the configuration side, a single code-based vulnerability will compromise that effort. If you want to fully protect your mainframes and do a complete security analysis, you have to examine both sides.
Data Point No. 3: There’s a conspiracy of silence around mainframe vulnerability disclosure.
Mainframe vendors tend not to publicly disclose vulnerabilities, and the types of companies that rely on mainframes don’t publicize if or how they've been hit either. That makes it difficult to determine the extent of mainframe exposure and creates a culture where there’s no independent research to shed more light on the risks.
Data Point No. 4: When it comes to code-based vulnerabilities, classification = clarification.
Classifying vulnerabilities according to a common classification system is critical to providing clarity in discussions around mainframe security. Classification provides a language for technical experts and risk managers alike to understand how serious the risk is for a particular vulnerability, putting everyone in a better position to talk about what acts of remediation would be most effective. To that end, KRI experts, with the help of their client base, are creating a standard classification system for vulnerabilities.
Data Point No. 5: Excessive access is causing unnecessary risk for many organizations.
It’s a common issue that there are simply too many people who have unnecessary access to sensitive information on the mainframe. That creates a huge security risk that companies need to solve. Find out who has access to data and cross compare against who should be accessing it. Eliminate the excessive access based on actual business need.
Data Point No. 6: Automation is essential to vulnerability management.
Organizations can’t perform adequate vulnerability management manually. It would take years to manually review what vulnerability management software does quickly, reliably and consistently, whether you’re reviewing configuration settings, application code, or operating system code. While it may be impossible to completely eliminate things such as manual pen testing and analysis, having an automated process will help guard against risk more efficiently.