Sunday, 20 June 2021

Auditors, compliance, and the mainframe

Mainframes have been successfully keeping organizations in business for over 50 years. Let’s just look at some statistics. Mainframes are used by 71 percent of Fortune 500 companies. They handle 90 percent of all credit card transactions. Each IBM z15 mainframe can handle 19 billion business transactions a day. And mainframes handle 68 percent of the world’s production IT workloads, yet they account for only 6 percent of IT costs.

Drilling down on those figures we find that in terms of ATMs and IMS:

  •         $7.7 trillion credit card payments (annual)
  •         29 billion ATM transactions (annual)
  •         12.6 billion transactions (daily)
  •         87% of CC Transactions done on z/OS.

With so much work taking place on a mainframe and so much money being transacted, you’d assume that auditors would be all over the mainframe. You’d probably assume that auditors would know almost as much about how mainframes work as systems programmers do. You’d think that they would want to know the tiniest of intricacies in order to assure themselves that corporations using mainframes were absolutely compliant with all the regulations that applied to them – things like the Payment Card Industry Data Security Standard (PCI DSS).

Worryingly, in many cases, auditors are put off by the complexity of mainframes and don’t know the right questions to ask. Not that I’m suggesting that organizations are committing any kind of fraud on their mainframes. What I am suggesting is that they may not be completely compliant with the regulations that apply to them.

The very nub of the problem is that the PCI DSS requires the use of file integrity monitoring (FIM) software on a computing platform, and hardly anyone using an IBM mainframe has that type of software installed. And that seems strange, bearing in mind that mainframes are used by the majority of financial institutions in the world.

Let’s look at those PCI regulations in more detail. Section 10.5.5 asks: “Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)?”. And section 11.5 asks: “Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files?”.

Clearly, most sites aren’t compliant because they aren’t running file-integrity monitoring software on their mainframes, and yet these organizations are signing off the section 3 validation form saying that they are. And the person signing is probably the CIO, CFO, or CEO!

Many mainframe sites try to get round this issue with what they call ‘compensating controls’. The truth is that these compensating controls are basically non-existent. The next ploy used by organizations is to keep mainframes ‘out of scope’. But as shown in the figures at the start of this article, that clearly isn’t the case. And, if the auditors understood what was actually happening on the mainframe, they would be able to ask appropriate questions to show that was the case. The question they should be asking is: “If 90 percent of debit and credit transactions end up running on a mainframe, how can mainframes possibly be out of scope of a PCI Audit?”

Worryingly for many mainframe sites and their auditors is that V4.0 of DSS is due out in the next year. It’s unlikely that the rules in 3.2.1 will change. However, what is likely to change is that the enforcement and scrutiny of compensating controls will probably be greatly strengthened.

Focusing on security for a moment. On 12 May, US President Biden issued an executive order, amongst other security measures, to develop a plan to implement Zero Trust Architecture (ZTA) for Federal organizations. And zero-trust seems to be the way that security is going. NIST (The National Institute of Standards and Technology) earlier this year said: “An enterprise monitors integrity and security posture of all owned and associated assets. No asset is inherently trusted.” How do we get to ZTA on a mainframe? PWC recently published some guidelines. Item 2, on their 4-point list. says ‘File Integrity Monitoring’. That, I think, also highlights the pivotal role of file-integrity monitoring in mainframe security.

Lastly, and this is relevant because the majority of ATMs are connected to IMS running on a mainframe, there was advice from the PCI and the ATM Industry Association highlighting the need for file-integrity monitoring software on mainframes running transactions from ATMs. You may remember last October, there was an urgent bulletin from the PCI and the ATM Industry Association – the first ever bulletin issued by the two associations together, which highlights its significance – about cash-out attacks on ATMs. Thieves breached bank or card processor's security to manipulate fraud detection and took lots of cash from a number of ATMs. As we said, most ATM transactions are captured by IMS running on a mainframe. The advice given was that organizations should get file-integrity monitoring (FIM) software to combat the cash out hack.

What is file-integrity monitoring software? As its name suggests, it identifies when a file has been changed. It does this by taking a baseline copy and keeping that securely in a vault. It then checks the baseline copy against the current version at user-defined intervals and alerts when any differences are found. Obviously, lots of changes will be authorized, so, it can check against ServiceNow, BMC Helix, etc to only alert about unauthorized changes. More advanced FIM software can identify exactly what has been changed, when it was changed, and who by. And, following agreed policies, it can have the userid of the culprit suspended and the changes backed out. Ransomware attacks now corrupt backups before encrypting data. Advanced FIM software can check backups at regular intervals to identify if any unauthorized changes have been made and so help stop ransomware attacks. And it can do all this very quickly.

Putting it all together, it seems that the PCI, the US government, NIST, PWC, and others are looking at FIM as part of the answer to mainframe security. It seems that auditors need to be better prepared to ask more searching questions about mainframe compliance with agreed standards. And it seems that mainframe sites need to realize the benefits they will get from using FIM software.

No comments: