    Mainframe security, skills and the system-of-record: we live in interesting times

    24th January 2019: We all know that saying, "May you live in interesting times". Many people maintain it's actually a curse. Whichever way you look at it, times seldom get more interesting than today.

    Last year I wrote about how the mainframe was now, properly, mainstream. Its stock was continuing to rise based on its inherent capabilities as "the most future-ready platform in the world ... The mainframe is more in vogue today than it has been for more than 20 years, and is becoming even more critical to an organization's business success (and good health). It has become a streamlined super-fast data monster, a transaction-eating behemoth, the system-of-record." And so it goes...

    Running faster just to keep up

    Early in 2018, I was on a working trip to the USA. In the hotel gym one morning, on the running machine, I was musing about how we, and the industry in general, seemed to be running faster just to keep up. In the week or so before, our office had felt more like a travel agency than a mainframe consulting company, because we were so busy booking travel and accommodation for 12 major security jobs coming up, in locations ranging from New Jersey to North Carolina. Right from the get-go, we were talking to more mainframe customers, visiting more places and working on more projects than ever before. I know because I checked, looking back at our workload over the previous three years, when we had already seemed pretty busy. In 2015, 2016 and 2017 we carried out, on average, 12 mainframe security assessments and pen testing projects globally each year. We had performed 12 such projects in the first three months of 2018 alone, and that trend continued. My view, as I've said before, is that people had woken up to the reality that the mainframe will be around for another 10, 20 maybe 30 years, and were asking more of it, while at the same time cyber crime was becoming a massive issue and a real threat. So mainframers are thinking, "Hmm, we really need to find out exactly how secure our systems are ..." Security was a big theme for the year, and I'll return to it a little later.

    'Mainframers in training'

    The last 12 months have also, I think, seen the pace of change speed up in terms of developing the next generation(s) of mainframe professionals. A year ago, I wrote that while we saw this increased recognition and appetite for mainframe systems and services, a potentially massive spanner in the works was the diminishing pool of skills, as expert mainframers retired and organizations so often lacked proper succession plans. But I believe we're making real progress. In the summer, for example, I attended a "University Day" in London organized by the IBM Systems Technical University, for people to meet and network with academics, practitioners and industry professionals from organizations including IBM, Lloyds Banking Group and the University of Wolverhampton. Events like this have an important role to play in "priming the pump" and having a real impact on the future of the industry.

    Later, in October, I attended the similarly excellent five-day IBM Systems Technical University in the USA, which included a new "z/OS for Rookies" track for early-career programmers and engineers, along with a "Professional Development and Leadership Training" stream. Alongside formal training and academia, knowledge sharing and mentoring are proving critical. On our part, RSM is continuing to develop the successful Mainframer in Training (MIT) program, which provides three years of hands-on structured training followed by two years of bespoke specialist training. Crucially, the trainees start doing real-life work on the support desk, shadowing more senior mainframers, after just three months. Later still, at November's GSE UK Conference, this remained a central theme: how to attract and develop the brightest new talent, and in particular the role of women in IT. It was extremely encouraging to see so many students attending GSE, with many organizations interested in the fact that we already work with so many young people, and how many are women. All very encouraging - especially when you consider the major challenge of our age: security.

    Is the mainframe the Cinderella of security?

    Last year, I wrote about the coming of Pervasive Encryption; what was then talk and planning has since become action for many organizations. And while a new era of 'Crypto as a Service' hasn't quite emerged yet, security developments have continued. Indeed, ongoing issues around security and vulnerability - and the increasing attractiveness of our lovely mainframes to cyber criminals - go hand-in-hand with the reality that around 80% of the world's system-of-record data resides on mainframe systems, and more commercial transactions are processed on mainframes than on any other platform. They are high-value targets, yet their security is so often taken for granted, with an old-fashioned security posture in which "everyone has read access to everything". Simply because a mainframe is hidden away deep within a network, behind three firewalls, at the back of a data center, doesn't mean that it's secure. To the bad actors, the mainframe is "just another server" to be attacked: it speaks TCP/IP, runs SSH and FTP, and serves Db2 over ODBC like any other host. Bad actors are looking at mainframe technology across the globe, right now, and working hard to identify vulnerabilities to exploit.

    I've spent quite a bit of time raising the spectre of mainframe hacking. I had the feeling that, in some quarters, people were uncomfortable discussing the subject. But that won't make the problem go away, and could actually make things worse. The elephant in the room is that breaching a mainframe and stealing its data does not require any specialist mainframe knowledge. I know the real-life case of a non-mainframe pen tester who exfiltrated all the production Db2 data from a mainframe. Using standard Linux/Unix tools like ssh and grep, plus ODBC and a little ingenuity, somebody with no mainframe experience drained the system of all its sensitive client data. Nothing about that path is mainframe-specific: over-permissive access and reusable credentials were enough. It really is a trivial matter for a competent hacker or penetration tester - which means it should be a very serious matter for all of us, right up to board level.

    Raising our game in security

    The thing is, mainframe security isn't really a mainframe security issue at all; it is an enterprise security issue. Which means we need to educate C-level executives about the real possibility of a mainframe breach. (And, of course, these enterprise security challenges also tie in to the skills gap and the need for next-generation mainframe experts.) Arguably the greatest threats are insider threats: the bad actors won't necessarily be looking to target a system or application; they are more likely to target individuals and steal system logins and credentials. This is why I've been talking recently about "the problem with passwords" and evangelizing how multifactor authentication (MFA) can counter that threat. If organizations are still authenticating users via passwords alone, a move to MFA is long overdue.

    The mainframe often has the weakest password policies and algorithms in an entire enterprise. Are we making it difficult enough for potential hackers to get in? In effect, passwords represent a single point of failure. With mainframes, the maximum password length is eight characters, and unless mixed-case passwords have been switched on, that is eight characters from an upper-case-only alphabet. Password phrases of up to 100 characters are available, but few sites use them, and many sites still hash passwords with the legacy DES-based algorithm rather than the newer KDFAES option. An eight-character, upper-case, DES-hashed password is well within reach of offline guessing for anyone who obtains a copy of the RACF database - which is exactly what a "read access to everything" posture hands out. While there have been efforts to tighten up password security, the problem is that if passwords become too complex and tricky to remember, they drive behaviors in user communities where passwords are 'stored' on sticky notes, written to text files, or even put on whiteboards. Some people use password vaults, but not everyone. Passwords, in general, are easily shared, easily stolen, and easily guessed. One of the biggest threats is password reuse; combine this with the other problems described here and you end up with some convenient attack points. At the same time, multiple risks are associated with any breach, no matter how it's perpetrated: for example, fines relating to GDPR or PCI DSS. If there is a data breach, the organization will also likely face compensation payments and the cost of identity theft insurance for all affected users for 12-24 months, in addition to the media coverage and reputational damage. Other impacts may be even more damaging: from a denial-of-service attack that disables all mainframe systems, to a ransomware attack where all data is encrypted and a ransom demanded.

    However, while a mainframe may not be secure right now, the mainframe is the most securable commercial computing platform available, and all the tools you might need are out there. These can include: security products such as RACF, ACF2 or Top Secret; network segmentation; privileged user management, e.g. RSM Partners Breakglass; real-time threat detection; MFA; removing application passwords and using encrypted PassTickets; client/server certificates; and incident response. Deploying them should follow a planned sequence of actions. First: understand your security posture, carry out a security assessment, conduct pen testing and remediate the issues found. Second: implement role-based access control, working to a least-privilege model, and implement real-time alerts and a 'break glass' solution to manage privileged users and their access - so that the broad standing access the pen tester above relied on no longer exists. Third: deploy MFA. The fourth, but vital, step in this initial rollout is to educate all users on the measures now in place and the actions and behaviors expected, bringing home the fact that security is the responsibility of everyone.

    Given that some 81% of breaches can be attributed to stolen or reused credentials, MFA can be a powerful weapon in your identity and access management armory, creating a high degree of friction for bad actors while presenting minimal delay and disruption to legitimate users. Indeed, investing in MFA can be an extremely smart decision, as mainframes become more open and connected to the wider world, as regulations like GDPR demand stricter compliance (and include bigger fines) for data protection, and with PCI DSS actually requiring MFA to be implemented. MFA works by requiring two or more independent pieces of evidence for the same user account, so that a stolen password alone is no longer enough to log on; this raises the authentication assurance level that a system can demand of a specific user. Various products are available. For example, IBM Multi-Factor Authentication for z/OS is integrated with RACF, and RACF exposes an MFA API set that other vendors can use. Other options include OTP (one-time password) generators, which produce a code that is only valid for a short time window, typically 30 or 60 seconds, and only once.
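    To make the OTP mechanism concrete, here is an added example (not code from the article, RSM Partners or IBM) of the time-based one-time password scheme that most OTP tokens and authenticator apps implement, RFC 6238 TOTP built on RFC 4226 HOTP. The seed is the RFC test-vector seed, a constructed input rather than a real credential, and the 30-second step, one-step skew allowance and replay counter are this example's assumptions. It shows the two things the paragraph above leaves implicit: why the code is only valid for a short window, and why the server must refuse a code the second time it is presented.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Constructed test input for this example only; a real seed is random and per user.
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                            # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)                    # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch,
    so every code is tied to one short time window."""
    return hotp(secret, unix_time // step, digits, algorithm)


def match_counter(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                  digits: int = 6, skew_steps: int = 1) -> Optional[int]:
    """Return the counter whose code equals `candidate`, searching the current interval and
    `skew_steps` intervals either side to tolerate clock drift; None if nothing matches.
    The comparison is constant-time so timing does not reveal how many digits were right."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    now = unix_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        counter = now + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


class TotpVerifier:
    """Server-side state for one user: a code is accepted once and never again (replay defence).
    Assumption for this example: state is kept in memory; a real system persists it per user."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1) -> None:
        self.secret, self.step, self.digits, self.skew_steps = secret, step, digits, skew_steps
        self.last_counter = -1          # highest counter accepted so far

    def check(self, candidate: str, unix_time: int) -> bool:
        counter = match_counter(self.secret, candidate, unix_time,
                                self.step, self.digits, self.skew_steps)
        if counter is None or counter <= self.last_counter:
            return False                # wrong code, too much drift, or a replayed/older code
        self.last_counter = counter
        return True


if __name__ == "__main__":
    import time
    print("current code for the test seed:", totp(TEST_SEED, int(time.time())))
```

    Two design points matter operationally. The skew window is a trade-off: each extra step you accept to cover drifting token clocks widens the set of codes an attacker can guess, so keep it at one step and fix the clocks instead. And the replay check is not optional: without it, a code shoulder-surfed or phished inside its 30-second window is as good as the real thing, which is exactly the "single point of failure" the password paragraph above describes, only with a shorter fuse.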

    In fact, true MFA for the mainframe only arrived with IBM Multi-Factor Authentication for z/OS in late 2017, expanding the options available to deliver that all-important "layered defense". This integrated approach, designed to support various token types, requires that selected Z users authenticate using multiple factors: something they know - password or security question; something they have - ID badge or cryptographic token device; and something they are - a fingerprint or other biometric. In my view, the best way to unlock the benefits of MFA while also delivering a great user experience is to also use a Session Manager (we use Tubes for z/OS from Macro 4). Indeed, the secure mainframe is best achieved in general by using a range of best-of-breed technologies, expertise and professional services. And if we don't make the case for securing the mainframe, and then actually do it, who will?

    An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.