You Use Mainframes Everyday and Might Not Know It
You may not realize it, but mainframes play a large part in your everyday activities. Did you visit your ATM? Make airline reservations? Swipe your credit card? Then you “touched” a mainframe today. Did you know that 80 percent of the world’s corporate data resides on or originates from mainframes?
Why? For one reason, mainframes are still the most trusted platform, with an EAL5+ security evaluation. Companies rely on mainframe security to provide industrial-strength protection. Mainframes are still the platform of choice for processing mission-critical applications and hosting essential corporate information for banks, health care, insurance, retail, government and other industries largely because of mainframe security.
Furthermore, mainframes have become the true mother of reinvention: They have evolved and reinvented themselves with new technology, supporting cloud, mobile, big data and social innovation. Mainframes have transformed from isolated glass house systems to fully connected servers for Internet web applications, data analytics and private clouds. Security has also evolved to keep pace with innovation. It has been an interesting journey.
Mainframe in the Beginning
At first, System/360 security was very simple: To protect sensitive information, you created data set passwords specified on batch jobs with Job Control Language (JCL). While it was easy to share the password to allow data access, it was far more difficult to deny someone access later, which required changing the password and notifying all the other valid users.
The first step in the security journey was to establish user identification (user IDs) and authentication. Access control lists indicated who could access the data and how. This security information needed to be administered by authorized security managers in secure repositories. In 1976, IBM announced IBM Resource Access Control Facility for mainframes, with capabilities including:
- User groups and privileged roles, such as auditors, operators and special administrators.
- Resource protection for data sets, files, tapes, programs, applications and general resources.
- Auditing of security events, including user log-on, data access and privileged operations.
Mainframe Security and Applications Evolved
As the mainframe evolved to support new applications beyond batch processing, security evolved along with these applications:
- IBM TSO (Time Sharing Option) allowed multiple interactive real-time users.
- IBM DB2 offered field-level security controls that wouldn’t impede performance.
- IBM IMS and CICS protected transaction applications.
- IBM Security AppScan identifies application vulnerabilities and generates reports with intelligent fix recommendations to ease remediation.
Communication Security Expanded to Internet and Mobile Access
Mainframes began to communicate outside their enterprises and across public networks, which required new encryption protocols and new security capabilities, including:
- User directories that uniquely identified users across enterprises and domains.
- Trusted authentication protocols that utilized certificates instead of passwords.
- Secure communication protocols with distributed untrusted systems and mobile users.
Early “Cloud” Capabilities
Many people do not realize that the mainframe offered virtual machine capabilities long before today’s cloud options were available. Mainframes have provided a number of virtualization options over time:
- Secure hypervisors that could run software virtual machines.
- Physical logical partitions (LPARs) that run virtual machines with physical isolation.
- Most recently, blade servers that run systems under the covers of the latest mainframes.
Growth of Database to Big Data Analytics
Mainframes provide robust information security, so it makes sense that mainframes have grown over time to host data warehouses, big data and data analytics. Mainframe data security has been enhanced with IBM Security zSecure and IBM InfoSphere Guardium security solutions. Big data by nature is enterprise-wide, so many other data sources connect with the mainframe. Guardium’s ubiquitous support for a wide variety of platforms and data sources ensures that any potential threats from within or outside the platform are detected, blocked and reported in virtually real time. InfoSphere Guardium Data Encryption for DB2 and IMS Databases provides additional protection of data at rest and in motion over communications at the column, row and segment levels. Security encryption key management solutions protect those keys from disclosure.
Security Intelligence and Compliance
As mainframes transformed, they were exposed to new threats. The overall volume of mainframe and enterprise-wide security events that requires analysis is staggering. Mainframes have new capabilities to obtain actionable insight with security intelligence using zSecure and QRadar SIEM to automate threat analysis, create alerts, monitor status and respond.
As the occurrence of big data breaches grew, new security standards and compliance regulations have been adopted to help protect user payment card information, sensitive financial information, medical health care records and other vulnerable data. These regulations require privileged user monitoring, vigilant audit reporting, data encryption and other security controls that help safeguard information. zSecure offers new compliance framework reporting to demonstrate governance and compliance.
Over the past 50 years, the mainframe has evolved from a siloed system to supporting databases, applications, networking, virtual machines, Internet, cloud, mobile, big data and business analytics. Mainframe security has transformed to secure these new capabilities and help customers create the ultimate security platform for their mission-critical workloads. Mainframe security has stood the test of time for 50 years and is still going strong.
Mainframe Security Marketing Manager, IBM Security
Anne Lescher is a Senior Marketing Manager currently championing mainframe security. Anne's involvement with mainframe security started with Resource Access ...