9th January 2019: Breaking those mainframe security bad habits

I'm not sure I believe in New Year resolutions: they seem to be made to be broken. And as we finish off the last of the Christmas chocolates and resolve to be a bit healthier, LinkedIn can become a blur of predictions for the year ahead.
A short diversion, before I start talking mainframes again: I was wondering about the history of the tradition of New Year resolutions, so I spent a few seconds looking into it.
It seems the Babylonians used to make promises to their gods at the beginning of each year to return any stuff they'd borrowed and to pay their debts. Hmm. Not sure about that.
Later, in medieval times, knights were said to have taken the "Peacock Vow" after the festive period to re-state their commitment to chivalry. That sounds about right for RSM, and mainframers in general: a code to live by. So, in the spirit of positivity and after conferring with my RSM colleagues, we came up with a list of security resolutions for your consideration.
1. I will implement Multi-Factor Authentication and be properly authenticated. As bad actors increasingly target our favorite platform, MFA is a valuable tool in the fight against data breaches resulting from credential theft: a stolen or guessed password on its own is no longer enough to get in. Shameless plug: look out for my new security paper on this very topic, The problem with passwords.
2. I'll encrypt all my data like everyone is watching and dance like there's nobody watching (with thanks to Lennie). This means making real efforts to implement pervasive encryption. Self-encrypting drives only protect the media: they stop a disk that walks out of the data centre from being read, but once the drive is unlocked and the system is up, anyone who gets access to your system reads the data in the clear. That is why the data itself, not just the hardware, needs to be encrypted.
3. I will be alert and implement true real-time alerting. Real-time alerts for security monitoring, meaning alerts raised as the event happens rather than found in the next day's batch report, are a great way to protect your data from threats, and increasingly important for governance and compliance - from thwarting brute force attacks while they are still in progress to catching attempted data exfiltration.
4. I will be a good role model and implement and maintain Role-Based Access Controls. We should set an example, and there's no better way than RBAC. We love our users, but we also need to make sure they are in their assigned seats and only have access to the things they need to get their job done, and nothing more.
5. I will be penetration tested. Pen testing helps to provide us with confidence and protection by truly emulating what the bad guys can and will do, given the chance.
6. I will be remediated and ensure I've fixed all the issues I know about. Once you understand the risks and know the gaps, you need to plug them. Planning and executing effective remediation must follow pen testing as night follows day, to remove those pesky vulnerabilities and deliver targeted security improvements.
7. I will budget for training to keep informed on security best practices. With pressure on spending, this is easier said than done, but in my view it's money well spent: an investment in the future. As the cyber threats change and the mainframe is being aggressively targeted, we need to be on our toes.
8. I will review and recertify my mainframe security settings. As the world and the threat landscape continue to evolve, so must you and your mainframe systems. It's all too easy to fall behind and to let those security resolutions slip. So a very good idea is to...
9. I will have my mainframe security audited by third-party experts. That extremely useful external set of eyes, ears and ideas will almost certainly identify strengths and weaknesses that might otherwise have been missed. The key is using experts rather than generalists doing a simple checklist or tick-box audit. The worst thing would be to believe your infrastructure is secure and infallible when, actually, it isn't.
10. I will review and implement strong security processes for my mainframe. Check, review, test, implement, monitor, and review again. The reality is that effective security for your mainframe systems and data is a constantly moving target. You need to identify, risk assess and prioritize the various security issues you face, and then ensure the most robust processes are consistently in place.
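Resolution 3 talks about real-time alerting against brute force attacks. The Python below is an added example, not code from RSM Partners, IBM or any z/OS product, of the kind of streaming detection logic that gives "true" real-time alerts: it raises the alert on the failed logon that crosses the threshold, instead of waiting for a batch report. It runs over a constructed logon log (the record layout, userids and addresses are all made up for illustration; a real site would feed its own logon-failure events, on z/OS the RACF audit records in SMF) and goes a little beyond the text in two ways: it keys on the source address as well as the userid, so a password spray that tries each userid only once is still caught, and it flags a successful logon that follows a run of failures, which is what a guessing attack that finally landed looks like.

```python
"""Streaming logon-failure detector over a constructed sample log.

Added illustration: not code from RSM Partners, IBM or any z/OS product.
The record layout 'timestamp userid source result' and every userid and
address below are made up. A real deployment would consume the system's
own logon-failure events (on z/OS, the RACF audit records in SMF).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in time order. It contains a fast brute force
# against USER01, a slow one against USER03 (one guess every 15 minutes,
# then a successful logon) and a password spray from 10.1.1.20 (one guess
# each against five different userids).
SAMPLE_LOG = """\
2019-01-09T08:00:01 USER01 10.1.1.5 FAIL
2019-01-09T08:00:03 USER01 10.1.1.5 FAIL
2019-01-09T08:00:04 USER01 10.1.1.5 FAIL
2019-01-09T08:00:06 USER01 10.1.1.5 FAIL
2019-01-09T08:00:07 USER01 10.1.1.5 FAIL
2019-01-09T08:00:09 USER02 10.1.1.7 OK
2019-01-09T08:05:00 USER03 10.1.1.9 FAIL
2019-01-09T08:10:00 USER10 10.1.1.20 FAIL
2019-01-09T08:10:01 USER11 10.1.1.20 FAIL
2019-01-09T08:10:02 USER12 10.1.1.20 FAIL
2019-01-09T08:10:03 USER13 10.1.1.20 FAIL
2019-01-09T08:10:04 USER14 10.1.1.20 FAIL
2019-01-09T08:20:00 USER03 10.1.1.9 FAIL
2019-01-09T08:35:00 USER03 10.1.1.9 FAIL
2019-01-09T08:50:00 USER03 10.1.1.9 FAIL
2019-01-09T09:05:00 USER03 10.1.1.9 FAIL
2019-01-09T09:05:30 USER03 10.1.1.9 OK
"""


def parse_log(text):
    """Parse the constructed 'timestamp userid source result' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "failed": result == "FAIL"})
    return events


def _prune(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def burst_alerts(events, key="user", threshold=5, window=timedelta(seconds=60)):
    """Streaming detector: alert on the failed logon that brings the count of
    failures for one key (userid or source address) inside `window` up to
    `threshold`. The queue is cleared after an alert so a renewed burst alerts
    again rather than every later failure re-firing the same alert."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if not ev["failed"]:
            continue
        queue = recent[ev[key]]
        queue.append(ev["ts"])
        _prune(queue, ev["ts"], window)
        if len(queue) >= threshold:
            alerts.append((ev[key], ev["ts"], len(queue)))
            queue.clear()
    return alerts


def success_after_failures(events, min_failures=3, window=timedelta(hours=2)):
    """Flag a successful logon preceded by at least `min_failures` failures for
    the same userid inside `window`: the signature of a guess that landed."""
    recent = defaultdict(deque)
    hits = []
    for ev in events:
        queue = recent[ev["user"]]
        _prune(queue, ev["ts"], window)
        if ev["failed"]:
            queue.append(ev["ts"])
        elif len(queue) >= min_failures:
            hits.append((ev["user"], ev["ts"], len(queue)))
            queue.clear()
    return hits


def _fmt(alerts):
    return [(key, ts.isoformat(), count) for key, ts, count in alerts]


def run_sample():
    """Run the detectors over SAMPLE_LOG with two keys and two window sizes."""
    events = parse_log(SAMPLE_LOG)
    minute, two_hours = timedelta(seconds=60), timedelta(hours=2)
    return {
        "per_user_60s": _fmt(burst_alerts(events, "user", 5, minute)),
        "per_source_60s": _fmt(burst_alerts(events, "src", 5, minute)),
        "per_user_2h": _fmt(burst_alerts(events, "user", 5, two_hours)),
        "success_after_failures_2h": _fmt(success_after_failures(events, 3, two_hours)),
    }


if __name__ == "__main__":
    for name, alerts in run_sample().items():
        print(name, alerts)
```

Three things the sample is built to show. The fast attack on USER01 trips the per-user detector within seconds. The spray from 10.1.1.20 never gives any single userid more than one failure, so it is invisible per user and only the per-source key catches it. The slow attack on USER03 evades a 60-second window entirely and only shows up with the two-hour window, or through the success-after-failures check on the logon that finally worked; the window and threshold are therefore tuning decisions, not constants to set once and forget.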
Of course, there's always so much to do across the board, so the trick is to focus on the areas that make most sense to you and your own operations, and deal with those first. I'm sure at least one or two of these "resolutions" may resonate with your own operations, possibly more. If you have any questions or need some help, just give RSM a shout.
That's it for now. I'd like to take this opportunity to wish you all a happy and prosperous 2019, from the entire team at RSM Partners. Onwards and upwards.
An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.
To download a copy of our mainframe security paper "The problem with passwords" click here or email firstname.lastname@example.org
Click here to find out about RSM Partners mainframe security services