Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Big Data and Analytics
    • Cybersecurity
    • IT Management
    • PC Hardware
    • Servers
    • Storage

    Taking a Closer Look at Mainframe Security

    By
    Chris Preimesberger
    -
    October 26, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Mainframe

      Mainframes are still the backbone of data centers in a great many use cases. Big-hunk heavy-metal equipment made by IBM (Z Series) and Unisys (which owns the old-line Burroughs and UNIVAC brands) has developed a well-earned reputation for being secure, reliable platforms; this is why most data centers around the U.S. have at least one of them working away 24/7, often way behind the scenes.

      That doesn’t mean the mainframe is impenetrable, however. Every platform has its risks, and the mainframe is no exception.

      Enterprises need to apply the same policies and practices around vulnerability management on the mainframe as they do on distributed systems. In this eWEEK Data Point article, using industry information from Ray Overby, President and CEO of Key Resources, Inc., we offer six important points about mainframe security, which all too often flies under the radar.

      Data Point No. 1: Businesses are taking mainframe security for granted.

      Mainframes are mission-critical to countless businesses and organizations, with 71 percent of the Fortune 500 storing countless instances of personally identifying information (PII), financial information, health data and more on these systems. But, one of mainframes’ biggest weaknesses, code-based vulnerabilities, are overlooked by the market’s top security scanning solutions and often ignored by mainframe experts, CIOs and CISOs. Last year, for example, KRI observed 30 zero-day vulnerabilities in its scans of mainframe operating systems. That means the people and tools responsible for ensuring the security of a company’s most important system are blind to a threat that could bring a business to its knees.

      Data Point No. 2: There’s a need for both configuration and code-based scanning.

      Mainframe configuration vulnerabilities can come from a variety of sources, including hardware configurations, IPL parameters, External Security Manager (ESM) configurations and operating system configurations settings. z/OS integrity code vulnerabilities are those vulnerabilities that originate in the operating system programs and extensions.Bad actors can try to exploit vulnerabilities in a system’s security configuration or in its operating system layer code, and both can spell disaster. No matter how diligent you are on the configuration side, a single code-based vulnerability will compromise that effort. If you want to fully protect your mainframes and do a complete security analysis, you have to examine both sides.

      Data Point No. 3: There’s a conspiracy of silence around mainframe vulnerability disclosure.

      Mainframe vendors tend not to publicly disclose vulnerabilities, and the types of companies that rely on mainframes don’t publicize if or how they’ve been hit either. That makes it difficult to determine the extent of mainframe exposure and creates a culture where there’s no independent research to shed more light on the risks.

      Data Point No. 4: When it comes to code-based vulnerabilities, classification = clarification.

      Classifying vulnerabilities according to a common classification system is critical to providing clarity in discussions around mainframe security. Classification provides a language for technical experts and risk managers alike to understand how serious the risk is for a particular vulnerability, putting everyone in a better position to talk about what acts of remediation would be most effective. To that end, KRI experts, with the help of their client base, are creating a standard classification system for vulnerabilities.

      Data Point No. 5: Excessive access is causing unnecessary risk for many organizations.

      It’s a common issue that there are simply too many people who have unnecessary access to sensitive information on the mainframe. That creates a huge security risk that companies need to solve. Find out who has access to data and cross compare against who should be accessing it. Eliminate the excessive access based on actual business need.

      Data Point No. 6: Automation is essential to vulnerability management.

      Organizations can’t perform adequate vulnerability management manually. It would take years to manually review what vulnerability management software does quickly, reliably and consistently, whether you’re reviewing configuration settings, application code, or operating system code. While it may be impossible to completely eliminate things such as manual pen testing and analysis, having an automated process will help guard against risk more efficiently.

      Chris Preimesberger
      https://www.eweek.com/author/cpreimesberger/
      Chris J. Preimesberger is Editor Emeritus of eWEEK. In his 16 years and more than 5,000 articles at eWEEK, he distinguished himself in reporting and analysis of the business use of new-gen IT in a variety of sectors, including cloud computing, data center systems, storage, edge systems, security and others. In February 2017 and September 2018, Chris was named among the 250 most influential business journalists in the world (https://richtopia.com/inspirational-people/top-250-business-journalists/) by Richtopia, a UK research firm that used analytics to compile the ranking. He has won several national and regional awards for his work, including a 2011 Folio Award for a profile (https://www.eweek.com/cloud/marc-benioff-trend-seer-and-business-socialist/) of Salesforce founder/CEO Marc Benioff--the only time he has entered the competition. Previously, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. He has been a stringer for the Associated Press since 1983 and resides in Silicon Valley.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×