Mainframe Security Best Practices
You need not be a cybersecurity expert to know that we are living in the age of data breaches. Protecting against cyber attacks requires securing all of your infrastructure — including mainframes. Toward that end, keep reading for mainframe security best practices.
When it comes to building a cybersecurity strategy, it can be easy to leave mainframes out of the picture. In many organizations, mainframes serve as backend systems buried deep inside the IT infrastructure. Unlike commodity servers that host customer-facing Web applications, or workstations that provide portals into internal networks, mainframes are a behind-the-scenes type of infrastructure.
In addition, it can be tempting to overlook mainframe security because mainframes are more complex and difficult to secure than other types of infrastructure. Most turnkey commercial security solutions were not designed with mainframes in mind, and the diversity of the mainframe ecosystem means that there is no one-size-fits-all strategy for securing mainframes.
The fact is, however, that mainframes continue to host mission-critical workloads and data in a range of industries. Securing mainframe applications and data is just as crucial as protecting the rest of your infrastructure against breaches.
5 Steps to Mainframe Security
And although mainframe security may be difficult to achieve, it is certainly not impossible. Following are best practices for achieving mainframe security.
You may (and certainly should!) have access control policies in place for the rest of your infrastructure.
Given the fact that most people in your organization probably never touch mainframes, however, it can be easy to assume that you don’t need access control for your mainframes. Most people likely wouldn’t even know how to access mainframe data if they wanted to.
This doesn’t mean your mainframes can be excluded from access control, however. Locking down access credentials for mainframe shells and databases is just as important as restricting access to the rest of your infrastructure.
Even if you have a strong set of mainframe security practices and policies in place, you should review them periodically to make sure they are up-to-date and continuing to meet your organization’s needs.
Yes, this takes time and forethought. It also requires you to have security experts on hand who understand the unique needs of mainframe systems. But periodic security reviews are essential if you want to catch problems before the bad guys do.
After all, a proactive security review is much less stressful than a post-breach post-mortem.
Given the types of data and workloads that mainframes handle, detecting a breach minutes or hours after it has occurred is often not enough to prevent major damage.
The compromise of credit card information, personal customer data and the like needs to be caught in real time.
This is why real-time data analytics and fraud detection are an important component of any mainframe security strategy.
One of the great things about mainframes is that their massive compute power can easily be segmented into multiple distinct environments by using the z/OS virtualization feature.
z/OS virtualization not only helps you to organize workloads more efficiently but also helps to improve security. By isolating different workloads from one another using virtualization, you make it harder for attackers to escalate a breach. If they are able to break into one environment, they don’t have instant access to the rest of your mainframe.
So, unless two workloads need to run inside the same environment, consider isolating them using a hypervisor.
Software security updates on commodity servers are easy enough to handle. The operating system takes care of them for you automatically — or at least tries. (Yes, some “Patch Tuesdays” go awry, but in general, server administrators don’t have to worry too much about security patches these days.)
Keeping mainframe software up-to-date may require more manual effort. Enabling automatic updates in z/OS is one way to reduce that effort, but you should still make it a habit to check periodically for updates in z/OS Explorer, and to review the updates that get installed.
The results from Syncsort’s annual State of the Mainframe Survey not only show that mainframes are still the predominant platform for performing large-scale transaction processing on mission-critical applications, but also uncover the trend to put analytics in place for security and compliance, as well as operational intelligence.