Vaune M. Carr
February 23, 2015
The mainframe environment, or Big Iron, continues to grow at a rate of about 5% per year according to recent predictions. While experts have historically considered the Mainframe to be the safest environment from a Cybersecurity perspective, one has to wonder if this “big box dinosaur” is able to handle the latest information security challenges. Looking at how the Mainframe came to be, and how it has survived many computer marketing wars, may reveal an answer.
These giant boxes came to the market with an interesting pitch of Make Mainframes, not War drummed up by Madison Avenue Advertisers. The computer revolution became fashionable. Starting in the 1950s and ‘60s, this carried on until the 1970s when “smaller became better” was the marketing angle introducing the smaller computers. The thought of losing the large investment that mainframe systems represented and the value of critical data, processing speed, capacity and power (among other things) made big business afraid of getting rid of mainframes. Essentially, small computers could not replace the valuable mainframes. Many still predicted the mainframes would disappear. They are still here. It now is estimated that over 80% of all critical data for corporations is on mainframes.
The information security piece was introduced in the form of access control software for these mainframes. It became important to know who was accessing what and when. Another separate “war” was introduced between competing information security products. The operating systems were not a priority at that point. This was a time when there was no global economy and therefore no fierce competition to obtain other nations’ data. Access Control software seemed to be the right amount of security for that era.
Now it is 2015. Cyber warfare is the outcry from the information security profession and auditors alike. Legislation like Sarbanes-Oxley, PCI DSS, GLBA, and many others mandate specific information security controls for ALL computers. Companies and governments are adding security controls to close the gaps on computer systems where enemies or malicious insiders can slip through. The operating systems of the smaller computers are undeniably under attack. What are people doing about the mainframe? Have they forgotten it?
If you ask most people if their mainframe is protected to the same standard as the rest of their computing environment, they would probably answer that they don’t know. Until there is a breach, does one really know how well a system is protected? The fact is that there are already reported breaches of the mainframe. The war has already begun. How many people know about it? How many people know that there are already tools in the marketplace to detect and stop the latest threats to the mainframe?
Cyber warfare is here. It is real. Reports of break-ins happen every day. How long should organizations ignore the exposures on the mainframes? The actual, intentional widespread conflict is the “war” on our nation’s computers and it requires a defensive strategy. Information security protects computers against outside and insider threats, and the use of standards, preferably coming from technical standards bodies, can be the best strategy for an information security program.
ISO 27001 is an international standard that can provide the framework of controls needed to defend any type of organization from cyber attacks. There are also other standards that may be used for a particular purpose: HIPAA is a U.S. standard for Health Care, while FISMA is one option for Federal Agencies. Legal counsel can be very helpful in advising which legislation governs the organization for understanding any compliance requirements. Of course, IT managers, together with the senior executives, must make a strategic decision on which of these frameworks would be the most appropriate; once this decision is made, they have to make sure that a control framework that maps to the standards is fully implemented.
Why are the standards and frameworks useful? Gaps are inevitable when you do not use them. Any hole in the security defense has the potential to be exploited by the enemy, just like in war. ALL computers need to have the same standard of controls; mainframes are not exempt. The challenges lie in discovering the vulnerabilities on the mainframe and closing the holes where the enemy can penetrate. Implementing a framework of controls would identify any gaps in the mainframe environment.
Wars are destructive. Mainframes have survived the marketing wars over the years, but can they survive cyber warfare? Big Iron can not only survive with the systematic implementation of security controls; with a strategic design, the battles of cyber warfare can be fought and won. A strategic plan, in order to be successful, should take into account the differences inherent in the environment of any organization. A good strategy will help the organization address the risks and priorities for implementing controls in the order which will provide the best protection at the right cost. Every program worth implementing is worth having a strategy. The security plan for controls is no different.
The same due diligence companies are rigorously applying to their distributed computing must now be turned toward the vulnerable mainframes – before it is too late. The battle is on.
Click here to download a free eBook 9 Steps to Cybersecurity that explains the steps needed to protect the critical information in a company.