There is a fundamental misunderstanding about what it takes to secure the mainframe

Mainframers need better tools, training and education, writes Ray Overby, co-founder and president of Key Resources

In today’s world, mainframes play a critical role in the daily functioning of most of the largest corporations and in many cases are the backbones of data centres. They keep daily operations up and running in industries ranging from banking to insurance to government, to name a few. In fact, 71 percent of global Fortune 500 companies use mainframes, as mainframes handle 68 percent of the world’s production IT workloads.

Mainframes are mission-critical, but they’re often taken for granted – especially when it comes to mainframe security. Despite the mainframe’s well-earned reputation for being the most securable platform, mainframes still need to be given as much attention as any other computing system when it comes to security.

Perhaps because of this misconception, there’s an issue in the mainframe world with complacency around security. And, in today’s cloud-first mentality, many organisations are actively working to secure their new cloud infrastructure, but they’re not necessarily working to ensure the security of mainframes, which also increasingly interact with the cloud.

A recent Forrester Consulting study put some context around this issue. The survey found that while 85 percent agree that mainframe security is a top priority for their company, just 33 percent always or often take the necessary steps to protect the mainframe.

Security isn’t being factored into decisions about mainframe security. The unfortunate truth is that complacency around mainframe security is putting countless mainframes – and the mission-critical data they hold – at risk.

What’s the risk?

The same study found that 95 percent of companies are worried about the potential of customer data breaches on the mainframe. That’s with good reason, since data breaches are incredibly costly and becoming more and more prevalent. All it takes is one data breach to seriously damage an organisation.

In the US, the average data breach could cost a company $7.9 million (6.24 million), and the cost for each lost or stolen record containing sensitive information averages $148 (£116).

Mainframe security misconceptions

Part of the problem is that there’s a fundamental misunderstanding among IT managers and security professionals around what it takes to secure the mainframe. Even though data breach prevention is a top priority, scanning for operating system (OS) vulnerabilities came in last place on companies’ to-do list according to the same Forrester study.

That’s misguided, since actively scanning for vulnerabilities is a critical way of preventing data breaches. A separate February 2019 Forrester study, “The State of Application Security, 2019,” revealed that, among companies who have experienced a breach within the last year, 35 percent were caused by an exploited vulnerability.

In order to minimise the potential for a data breach, organisations have to secure the operating system first. That’s where hackers go looking to gain access to critical corporation data, through escalation of privileges.

Exploiting OS-level vulnerabilities

Here’s how it happens. Vulnerabilities pop up because of bad code introduced to the mainframe operating system, which can happen during an OS upgrade, standard maintenance or the introduction of a new third-party software product. Vendors try to catch these gaps, but many still make it through because it’s very difficult to anticipate how software will run in every client environment.

Hackers who exploit these OS-level vulnerabilities have full access to mainframe data, applications and users. They can escalate their own user privileges, dig into data from hundreds of applications and thousands of users, and then completely cover their own tracks, so you’ll never know they were there. It’s a PR and security nightmare waiting to happen.

What does this era of complacency mean for the mainframe world, going forward? The good news is that most companies understand their own limitations around preventing zero-day attacks, and IT managers know that they need help with their mainframe security. 86 percent of those surveyed in the complacency study admitted that protecting their systems from zero-day attacks is their biggest challenge.

As a result, more and more companies are looking outside of the organisation for help review security and compliance. Better training, resources and education will give mainframers the tools they need to adequately manage the security of these mission-critical systems.