Software Complexity Bedevils Mainframe Security

Companies just can't quit mainframes.

While cloud infrastructure hogs the spotlight, mainframe systems continue to dominate major segments of the economy, especially those that require high-performance and high-reliability applications, such as the processing of financial transactions. Mainframe systems handle an estimated 90% of credit card transactions, for example. According to a Deloitte study, 71% of Fortune 500 companies continue to rely on mainframes, and 90% of executives expect to expand their mainframe footprint.

Securing mainframes remains top of mind, with 61% of mainframe and IT professionals ranking security as the top problem they are facing, according to BMC's annual survey of mainframe users for 2023. While mainframe hardware is regularly updated, the software architecture often includes an agglomeration of added features and components that are hard to secure, says Jeff Emerson, integrated mainframe service lead at Accenture.

"Despite the screaming performance of many mainframe applications, they are increasingly brittle due to decades of 'just add this' code modifications that drive exponential increases in software complexity," Emerson says. Inheriting software architectures from two to three decades ago, he adds, has also led designers "toward highly shared data structures on a single, monolithic platform, which has become incredibly difficult to tear apart."

Security and compliance is the top concern for users of mainframes. Source: BMC

The problems will only worsen because, far from dying out, mainframe systems continue to power much of the infrastructure that underpins the information economy. This poses a challenge to software development and security because of mainframes' monolithic nature and the growing scarcity of mainframe technical expertise.

Security Is Top Concern for Mainframe Users

Starting in the 1950s, the mainframe architecture was synonymous with computing. While many mainframe users are looking for ways to move some workloads to the cloud, the vast majority of business and IT executives (94%) have a positive view of the future of mainframes. A sizeable share (62%) foresee their use of mainframes growing with new workloads, according to the BMC report.

The market continues to grow. IBM Z Systems, Fujitsu's GS series, and Unisys' Libra servers are the most popular mainframe ecosystems. Z Systems alone saw 21% year-over-year revenue growth in 2022, according to IBM's financial statements.

However, sustainable growth can only happen if mainframe users figure out ways of making their infrastructure easier to secure and more agile, says Linda Betz, acting CISO and insurance sector lead for the Financial Services Information Sharing and Analysis Center (FS-ISAC). Because mainframes are built to last, the software portfolio connected to mainframe systems is often complex and hard to manage.

"There is an aspect of 'if it ain't broke, don't fix it' to the cloud migration debate," she says. "Financial institutions who use mainframes must weigh the cost of upending their current mainframe system for something else, and they may not see enough benefit in doing so, or they may do so for certain functions and systems but not for others."

The system has a plethora of security controls — such as user authentication and access controls, decentralized security administration, discretionary and mandatory access controls, logging to the systems management facility (SMF), resource control, and auditability and accountability — but the software is hard to secure, says Accenture's Emerson.

"The mainframe platform provides security, audit, and tracking capabilities nearly out of the box, providing great assurances for the data held within," he says. "This is both a blessing and a curse, as the mainframe platform is incredibly robust, but software that has been developed over four or even five decades is increasingly complex, yet under ever-increasing demand for flexibility and agility to meet emerging business needs."

The obscurity helps in some ways, as attackers often do not know how to access the systems, even if they could run the gauntlet of security measures thrown up to protect mainframes. However, no company should rely on a security-through-obscurity approach, says Kevin Stoodley, chief technology officer for IBM Z, the company's mainframe division.

"That's the old philosophy, honestly, and anybody who's relying on that, I think, is on thin ice," Stoodley says. "With modern techniques around defense in depth, such as network segmentation, even when there are breaches, which there inevitably will be in an organization, mainframes are probably not the first place they can get to."

Mainframe, Cloud, or Hybrid

Many companies are transitioning workloads from their mainframe systems to cloud infrastructure. In the next five years, two-thirds of banks (67%) will move at least half of their mainframe workloads to the cloud, up from 31%, according to a 2022 Accenture report. The barriers to migration are significant, however. Nearly half of all financial firms worried about business disruption and the complexity of dealing with their critical applications during any attempt to move away from mainframes.

Moreover, while mainframe systems can run Linux and applications written in modern languages, many applications are written in COBOL, which is more prone to SQL injection attacks that can compromise the underlying data, according to Accenture's Emerson.

"Cleaning up this code in place or putting appropriate protections in place as it is modernized is paramount to protecting the world's critical data," he says.

While most companies are considering rearchitecting mainframe software to increase developer agility and reduce costs, improved security is another benefit. Moving to a hybrid cloud could help, says Cynthia Overby, director security for customer solutions engineering at Rocket Software.

"Mainframes are such an intrinsic part of an organization, housing so much critical data, that the process to completely rip and replace would take too much time and money," she says. "For this reason, we're seeing a rise in demand for hybrid cloud infrastructure, which offers users the best of both worlds."

AI Could Sub for Disappearing Mainframe Experts

Modernizing mainframe infrastructure to more secure architectures will be difficult without the right people. Highly specialized mainframe operators and engineers are a rapidly disappearing demographic in the modern workplace, with 90% of business leaders finding it moderately or extremely difficult to find the right people to maintain mainframes, according to the Deloitte report.

"Especially given the lack of skilled workers available, finding people to maintain these systems — or worse, respond in the case of an outage — could become very expensive," the report stated.

Because the mainframe technology stack is not often taught in schools, specialists have to learn the architecture and its vagaries on the job, and security teams have to learn how to defend them on their own. This problem is one that AI may be able to help companies solve by mapping mainframe code to more modern languages, FS-ISAC's Betz says.

"With the ongoing cybersecurity talent shortage, institutions may not have the manpower and expertise to transition to a different infrastructure," she says. "However, AI actually poses an opportunity for translating between mainframe languages and newer ones to help younger engineers in maintaining mainframes."