
10:00 AM
Ray Overby

The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?

The old-school technology is experiencing new popularity, but too many people assume mainframes are inherently secure.

By all accounts, a mainframe renaissance is here. After years of negativity and predictions about the impending death of the mainframe, the technology is experiencing a resurgence and wide adoption this year, with even greater growth predicted beyond 2019.

Case in point: IBM's Z series mainframe sales are up 70% year-over-year. And a recent Compuware survey showed that mainframe workloads are increasing. Currently, 57% of enterprises with a mainframe run more than half of their critical applications on the mainframe, but that number is expected to rise to 64% by next year, according to Compushare.

As the face of IT has changed, the mainframe has kept up with trends, with its ever-evolving ability to provide the performance and number-crunching required by technologies such as machine learning and artificial intelligence.

But while mainframe technology has evolved to meet the trends, the security processes and practices needed to keep the platform secure haven't exactly kept up. It's not for lack of technology and tools, however. The phenomenon is largely due to a series of misconceptions among IT professionals around mainframe security. Those misconceptions are placing countless businesses — and an enormous amount of sensitive customer data — at serious risk.

Debunking Misconceptions
I've spent the majority of my career in mainframe security, and the one mistaken belief I come across consistently is that the mainframe is inherently secure. What I hear is that mainframes have security built into them from the ground up — that through cryptographic hardware acceleration and a secure operating system, mainframes fulfill the critical requirement of keeping data protected. But that's only part of the story.

If you're thinking "But one of the main reasons I chose mainframe technology was its reputation for security!" you're not mistaken. It's true — the mainframe is arguably the most secure platform. But really, I prefer to think of the mainframe as the most securable platform. Any system comes with weaknesses, and the mainframe is no exception.

Like any other system, mainframes are subject to ransomware attacks, cybersecurity threats, and vulnerabilities that leave them open to serious exposures. Despite the reputation for security, reliability, and scalability, the mainframe requires the same level of attention as any other computing platform when it comes to security.

Widespread Complacency
Unfortunately, I see businesses overlooking mainframe security all too often. This advice isn't only meant for businesses new to mainframes that might not know any better. It's also an important reminder to businesses that have long been relying on mainframes to run mission-critical processes and safeguard sensitive customer information.

Overlooking mainframe security is an industrywide issue today. Recent research shows that even though 85% of companies say that mainframe security is a top priority, 67% admit that they only sometimes or rarely factor security into mainframe environment decisions.

In other words, companies aren't practicing what they preach when it comes to mainframe security. And as we hear about a new data breach seemingly every day, businesses and consumers alike should be worried about the implications of security complacency.

There's also a widespread lack of knowledge around how to best protect the mainframe. Executives around the world rank security as the second-biggest challenge today, but they're not sure how to get started.

Creating a Mainframe Security Strategy
Companies can't afford a breach: The cost of a data breach is high, averaging $3.86 million globally, not to mention the damage to your business in reputational harm and potential lost business. With that in mind, how can businesses build a successful mainframe security strategy?

Most organizations rely on third-party tools to establish permissions (authentication) and access control (authorization), but that alone isn't a complete solution. Security exploits are also a major cause of breaches, and organizations need to make sure they're taking steps to protect against them. A Forrester survey of companies that have experienced a data breach within the last year found that 35% were caused by an exploited vulnerability.

With the threat and vulnerability landscape constantly changing, organizations are under attack across their IT systems. As a result, compliance regulations increasingly require mainframe penetration testing, vulnerability scanning, and ongoing vulnerability management. Consistent testing and evaluation can help uncover known and zero-day vulnerabilities.

A comprehensive security strategy also includes things like automating compliance assessments, penetration testing, scanning mainframe applications and operating systems (OS) for vulnerabilities, and, of course, making sure the organization has the right resources (both in terms of tools and people) to secure the environment.

In other words, the best defense is a good offense. Organizations need to be proactive, not only protecting the mainframe against known threats but also seeking out the gaps in their systems that might allow unknown threats to creep into their mainframe and compromise customer data.

Ultimately, the mainframe renaissance will equip businesses with the processing power, reliability, and scalability they need to thrive. But for true peace of mind, especially where sensitive customer data is involved, businesses need to be aware of the importance of mainframe security and, just as importantly, prepared to execute on it.


Ray Overby is a Co-Founder and President of Key Resources, Inc., (KRI), a software and security services firm specializing in mainframe security. A recognized world authority in mainframe security, risk, and compliance for IBM Z System environments, Ray heads the KRI ...

User Rank: Ninja
8/15/2019 | 1:25:19 PM
Training, where can we get time to run practice workloads on a mainframe
I think the biggest problem is the lack of availability to work on a mainframe and to become familiar with it; one needs time to work on it to take into consideration the commands one has to run to ensure its availability and security. I know there is Z-Linux, ZOS, but I can't go to a friend or neighborhood store or online and put the time in to master mainframe security procedures; there is a process, of course.

Maybe you can shed some light, other than taking these expensive online classes or going to one of IBM's training facilities (Rockville, Gaithersburg, RTP or ATL).

Give me some of your thoughts.

User Rank: Moderator
8/16/2019 | 10:14:39 AM
Mainframe vs. PC security
I would say this to those who thought mainframes are "inherently" more secure:

It is true that mainframe security is "easier" to maintain than an aggregate network of PCs. Once the mainframe itself is secured, all systems are secured, as opposed to securing all individual PCs in various configurations and network exposures. However, the reverse is also true. If mainframe security is breached, the whole system goes down, whereas certain sections of a PC network might still be secured or can be made functional immediately after attacks. It's all about trade-offs and proper security postures for different computer systems.
