Locking down the mainframe: An interview with Protegrity Corporation CTO Ulf Mattson

September 2008 by Marc Jacob

When many people think about mainframes today, they imagine outdated dinosaurs on their way out of the enterprise infrastructure. But the death of the mainframe is highly over-reported. These high-capacity machines continue to host some of the most important data and transactions around the world. In fact, their usage is growing by about 10 percent a year.
This schism between the mainframe perception and the reality has been partly responsible for a laissez-faire attitude when it comes to securing these mega-machines. While organizations pumped millions of dollars into network and endpoint security over the years, they’ve largely ignored their mainframes.
This has led to a troubling security crisis, one which Protegrity Corporation CTO Ulf Mattson discusses in this special Q&A.

GS Mag: How important are mainframes in today’s enterprise environment, really? Haven’t they mostly been phased out?

Ulf Mattson: When we visit organizations, many of them tell us, “We’re trying to phase out our mainframe.” Then we come back after a couple of years and they still have the same mainframe and they say, “Well, it isn’t really an easy operation and it isn’t really cost effective to get rid of it.”
The thing is, they are still very reliable, easy to manage, high capacity, take up smaller footprint, and are light on cooling. They satisfy all of the factors that make a system cost-effective from a total cost of ownership perspective.
The reality is that about 75 percent of all business data worldwide still resides on the mainframe and 85 percent of all business transactions are carried out on mainframes. They are high-end systems and maybe only 100,000 organizations worldwide are using large mainframes. But even though the number of computers is not that huge, the amount of data they process is. While smaller systems process a couple of thousand of transactions per second, the mainframes are doing millions of transactions. Plus they have huge data stores with a lot of data warehouse applications that are hosting a ton of information.

GS Mag: Why are mainframes facing a security crisis today?

Ulf Mattson: There are a couple of issues at play. In the old days, mainframes tended to be used within a very secure environment. You used to have a dumb terminal connecting into the mainframe so that the mainframe could control the access to the data stores. It knew the user and where it came from.
Nowadays in the open networks of our time, the mainframe cannot really trust the user. The use of clients has evolved, first from direct-connect terminals then to client servers and now you typically see the web-based systems. You have the service oriented architecture today where you basically have a chain of computers touching the request before it hits the back-end system. The user could be several tiers away.
So, the back-end system, the mainframe, is not really sure who the real users are and where they identified and authenticated themselves. So in that highly distributed world, when you open up the mainframes for the data, the security situation gets really scary.
Another issue is that it is very hard to find people who know mainframes inside and out these days. The mainframe people are mostly retired now. So it is hard to find people that know the applications and it’s hard to find people that know the mainframe security products.
Learning the mainframe environment typically takes ten or fifteen years.
From a security point of view you need to know a handful of products: the operating system, the file system, the database system, the security system, the storage management system—a lot of different products, possibly from several different vendors, and they are complicated.
It is a major task to learn just one of these products, let alone several. So the skill-base is kind of dying-off at a time when we’re opening up the mainframe and sharing the data. At the same time, vulnerabilities and threats from both outside and inside are increasing.

GS Mag: How are the threats increasing?

Ulf Mattson: Attacks are getting more and more sophisticated. They’re out to steal information rather than the sabotage, denial of service and defacing attacks we saw a couple of years ago. Now you have organized crime with very skilled hackers and they are inventing more attack vectors than anyone can patch.
Mainframes are a very fruitful target for these professionals. They typically tunnel in under a protocol to reach them. So the mainframe is looking at the protocol like an FTP or HTTP and the mainframe is basically saying, "Oh, this looks nice. I approve this.” It could be a SQL injection and the mainframe can’t do anything about it.

GS Mag: Why are mainframes such big targets for attack?

Ulf Mattson: I like to bring up the example of Willie Sutton to illustrate the danger our mainframes and databases face today. He was a famous bank robber in the 1920s. When he was caught someone asked him, “Why do you rob banks?” His answer?
“Because that’s where the money is.”
If he were around today I could see him working in front of a terminal hacking databases. “Because that’s where the money is.” It is where the valuable data resides and hackers are going after these tremendous data stores that reside right on those vulnerable mainframes.

GS Mag: How can an organization properly address this convergence of security problems facing their mainframes?

Ulf Mattson: I think in general you need to put infrastructure functions in place, because you cannot rely on fixing the mainframe applications. It is not feasible for many reasons and you can’t find the people to fix them.
So you want to put security functions outside your databases, your applications, your web servers and so on. Adding security as an additional layer is very effective.
So this additional layer will fill the gaps where authentication, for example, will fail. If someone is stealing a password and can bypass the authentication system then you want to have another layer right next to the data.
So adding deeper security product lines and defense in depth is critical.
We need to start by inspecting things that security systems did not inspect before.
Looking at the data level, at who is trying to read the credit card column in your databases, for example. Also, if you have hackers that are signing on as valid users with access to credit card numbers we should add functionality that is looking at how much data is being accessed. If your user ID is compromised, you should have a layer of defense that prevents the data from getting too much data quickly. You slow the hacker down and you can also detect the intrusions by this type of data usage control.
We have a patent on this type of behavior, controlling the amount of records per hour that a user can read. It is a very natural thing in the physical world. You go to a pharmacy and you have a prescription that will give you so many pills and you will not get more. You go to an ATM and you can only get $400 at a time. I just think that we need to apply the same sort of general thinking that we are applying in physical security in IT security as well.
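The "records per hour" data usage control described in this answer, as an added illustration that is not Protegrity's product or patented code: each user gets a sliding one-hour quota per sensitive column, the read that would exceed it is denied and logged as an alert, and the column names, quota and access events are all constructed for the example.

```python
from collections import defaultdict, deque

HOUR = 3600  # sliding window length in seconds


class DataUsageControl:
    """Per-user, per-sensitive-column row quota over a sliding one-hour window."""

    def __init__(self, sensitive_columns, rows_per_hour):
        self.sensitive = set(sensitive_columns)
        self.limit = rows_per_hour
        # (user, column) -> deque of (timestamp, rows_read) for allowed reads
        self.windows = defaultdict(deque)
        self.alerts = []  # (timestamp, user, column, rows_that_would_be_reached)

    def rows_in_window(self, user, column, now):
        """Rows already read by this user from this column in the last hour."""
        q = self.windows[(user, column)]
        while q and now - q[0][0] >= HOUR:  # drop reads older than one hour
            q.popleft()
        return sum(rows for _, rows in q)

    def check(self, user, column, rows, ts):
        """Return 'allow' or 'deny' for a read of `rows` rows from `column` at time `ts`."""
        if column not in self.sensitive:
            return "allow"  # non-sensitive columns are not rate-limited here
        used = self.rows_in_window(user, column, ts)
        if used + rows > self.limit:
            self.alerts.append((ts, user, column, used + rows))
            return "deny"  # denied reads are not counted: the rows never left
        self.windows[(user, column)].append((ts, rows))
        return "allow"


# Constructed access events: (timestamp, user, column, rows requested).
# A stolen-but-valid service account tries to pull the whole card table quickly.
SAMPLE_EVENTS = [
    (0, "app_svc", "card_number", 200),
    (600, "app_svc", "card_number", 300),
    (1200, "app_svc", "card_number", 600),    # would reach 1100 > 1000: denied
    (3700, "app_svc", "card_number", 600),    # the 200 rows at t=0 have expired
    (3700, "analyst", "order_total", 50000),  # not a sensitive column
]


def replay(events, rows_per_hour=1000):
    ctl = DataUsageControl({"card_number"}, rows_per_hour)
    decisions = [ctl.check(u, c, r, t) for t, u, c, r in events]
    return decisions, ctl.alerts
```

The same check placed next to the data, rather than in the application, is what limits how much a compromised user ID can exfiltrate before the alert fires.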

GS Mag: What are some good best practices to apply this defense in depth when it comes to mainframe security?

Ulf Mattson: I would say first, apply separation of duties so you can take care of attacks from both the inside and the outside.
Next, you don’t just want to look at the data when it walks out the door. Auditing and intrusion detection is not good enough. You will make headlines regardless if you saw a breach happen in the audit logs or not.
You need to prevent data theft from happening, so you need to have some way of locking down the data. Encryption happens to be the best way to do this. It is the only method that you cannot circumvent if correctly implemented.
Finally, you want to monitor your users. Once you have locked down the data, you really want to see what is going on. Are there unauthorized requests? Hack attempts? You want to see these things and shut the user down if they are misusing data. I think these three things are the pillars of mainframe security.
