Over the years, I’ve spent a lot of time sitting side-by-side with CISOs, helping them to assess their data security risks and counseling them on best practices and technology options to mitigate those risks. If I’ve learned anything, it’s this:
When I go into an organization that runs Windows, there’s little question of the need for data security. The organization knows it and so do I.
When I visit a company whose IT infrastructure revolves around a mainframe, the mindset is often quite the opposite, however.
In fact, the biggest data security misconception I encounter is the belief that the mainframe environment is inherently secure — bulletproof, if you will. Most IT staff do not treat the mainframe as just another network node that needs protecting. Why? Because it is widely perceived as a closed environment and, therefore, out of reach of attackers.
In some cases, it’s the mainframe IT pros who hold this conviction. In other instances, it’s the executive management team. Lack of management attention allows "bad practices" to continue. I can tell you this without reservation: data stored on mainframes needs protection just as much as sensitive information stored on a Windows server or anywhere else.
In truth, mainframes can be hacked. And for that simple reason, mainframe security should not be taken for granted.
Even though the mainframe is a mature platform, there is a real shortage of mainframe-specific security skills in the market. The few mainframe security practitioners who are out there spend most of their time implementing configuration and controls within their environments and putting into place security systems like IBM Resource Access Control Facility (RACF), which provides access control and auditing functionality. As for other security measures, in my experience, mainframe people know about encryption, but they are not very aware of newer data security techniques like tokenization as it relates to protecting data within the mainframe environment and beyond.
Tokenization is a data security model that substitutes surrogate values for sensitive information in business systems. It is a rapidly rising method for reducing corporate risk and supporting compliance with data security standards and data privacy laws. In fact, for companies that need to comply with the Payment Card Industry’s Data Security Standard (PCI DSS), tokenization has been lauded for its ability to reduce the cost of compliance by taking entire systems out of scope for PCI assessments.
To illustrate how effective tokenization is for de-scoping, consider the case of a major national retailer that last year applied tokenization to its mainframe-centric extended IT infrastructure. It was able to remove 80 systems from scope, leaving only three in scope, for an estimated savings of $225,000 a year in recurring PCI DSS audit costs.
What’s more, Format Preserving Tokenization, a variety of tokenization that generates tokens to fit existing data field sizes and types, is an equal-opportunity data security method: it is as adept at protecting Personally Identifiable Information (PII) and Electronic Health Records (EHR) as it is at protecting credit card numbers, which extends data security beyond cardholder data to company, employee and other consumer information. Even for companies that do not have to comply with PCI DSS or other security mandates, tokenization is just as effective at reducing risk, at managing the duplication of data across Logical Partitions (LPARs) and at making potentially sensitive data usable for development and test purposes without exposing the real values.
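To make the mechanics behind the last three paragraphs concrete, here is an added example (not code from the original article or from any vendor's product) of vault-based format-preserving tokenization in Python. It assumes a hypothetical in-memory TokenVault that keeps the last four digits of a card number, replaces the remaining digits with random digits of the same length, and deliberately rejects any candidate token that passes the Luhn check so a token can never be mistaken for a real card number. The card numbers used are the well-known test values, not real accounts, and a production vault would of course live in a hardened, access-controlled store rather than a Python dictionary.

```python
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault (assumption: a real deployment backs this
    with a hardened, access-controlled store). Maps PAN <-> token."""

    DIGITS = "0123456789"

    def __init__(self, keep_first: int = 0, keep_last: int = 4):
        self.keep_first = keep_first
        self.keep_last = keep_last
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # The same PAN always yields the same token, so joins and
        # de-duplication across systems (or LPARs) keep working on the token.
        if pan in self._by_pan:
            return self._by_pan[pan]
        head = pan[:self.keep_first]
        tail = pan[len(pan) - self.keep_last:]
        middle_len = len(pan) - len(head) - len(tail)
        if middle_len < 6:
            raise ValueError("too few digits left to randomize")
        while True:
            middle = "".join(secrets.choice(self.DIGITS) for _ in range(middle_len))
            token = head + middle + tail
            # Reject: the PAN itself, an already issued token, or anything that
            # passes Luhn (so a token can never be confused with a live PAN).
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token. Systems that hold tokens alone
        cannot recover the PAN, which is what takes them out of PCI scope."""
        return self._by_token[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of a transaction record with the PAN replaced by its
    token, as a downstream system (billing, analytics, test) would store it."""
    out = dict(record)
    out["card"] = vault.tokenize(record["card"])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record using a standard test PAN, not a real account.
    txn = {"id": 1001, "card": "4111111111111111", "amount": "42.00"}
    safe = tokenize_record(vault, txn)
    print(safe)                                    # card field is now a token
    print(vault.detokenize(safe["card"]) == txn["card"])
```

The token keeps the length, character class and trailing digits of the original value, so existing COBOL copybooks, DB2 column definitions and screen layouts need no change, while every system that stores only the token has nothing worth stealing without the vault.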
Too often, compliance audits skim over mainframe control weaknesses, and there are fewer mainframe-specific security guidelines to begin with. That does not mean significant risk is absent. You can apply a risk-based, defense-in-depth approach within the mainframe environment by strengthening the host's own security controls and by using tokenization to protect the data itself.
To beef up data security on a mainframe, here’s my advice:
Bring in mainframe security experts to identify and remediate risks, and to develop and enforce security policies and procedures.
Develop in-house capabilities and skilled professionals across the mainframe platform to support security initiatives.
Evaluate available security configuration and administration tools — there are some really good ones out there.
Apply a defense-in-depth strategy that includes access and authentication controls, and make sure they are actually used and configured appropriately.
Adopt encryption and tokenization to protect sensitive information. Properly implemented, they make a genuinely high level of protection within the mainframe environment achievable without heroic effort.
Protecting sensitive and business-critical data is essential to a company’s reputation, profitability and business objectives. In today’s global market, where business and personal information know no boundaries, traditional point solutions that protect certain devices or applications against specific risks are insufficient to provide cross-enterprise data security. Combining encryption and tokenization, along with centralized key management, as part of an enterprise-wide data protection program works well — including in a mainframe-centric environment — for protecting information while reducing corporate risk and the cost of compliance with data security mandates and data privacy laws.
Mainframes are not bulletproof when it comes to data security. Ignoring the problem won’t make it go away, but a strong mainframe data protection program will go a long way toward making your environment more secure.