Mark Wilson,
Vertali’s Technical Director, wrote in this year’s Arcati
Mainframe Yearbook that
the task list for mainframers is never ending, whether that means prioritizing
cyber resilience, implementing data loss prevention, or optimizing project work
and BAU activity. There’s clearly a continuing demand for specialist skills and
expertise.
2022 began with
pandemic restrictions still in place and ended with a controversial World Cup.
War came to Eastern Europe, precipitating an energy crisis. The UK had three
different Prime Ministers in 50 days. A global recession may be imminent. And
the mainframe has continued to do what it does: a strategic platform for the
ages, the single answer to multiple questions, as relevant in the digital world
as the analogue. Mainframes have traditionally accounted for up to two-thirds
of the world’s IT production workloads but well below 10% of IT spend. However,
the mainframe is being modernized, upgraded, optimized, and outsourced. And people
want help to do that.
Talking to
clients and partners has raised a myriad of issues: the continuing changes
required by digital transformation, the role of the modern mainframe, and of
course cyber security. Let’s take a quick look at two topics we’re asked about
regularly. The first is reasonably specific: Data Loss Prevention (DLP). The second
is wider ranging: how to build cyber resilience for mainframe infrastructure,
data, and processes.
Mainframe data
loss is fundamentally a business problem. Prevention is better than cure, which
means focusing on the risk of exfiltration. DLP is about detecting, identifying,
and preventing potentially damaging data breaches, data exfiltration, and the
unwanted destruction of sensitive data. Effective DLP means securing and
protecting your data, and complying with the necessary legislation and regulatory
requirements. Gartner estimated that by 2021, 90% of organizations would have
implemented at least one form of integrated DLP. But analysts also say the
market has reached maturity, with competitive solutions difficult to
distinguish from each other, with innovation in functionality stalling.
We should be
doing everything in our power to prevent the unauthorized and illicit removal
and transfer of data outside organizational boundaries, so avoiding the
customer, financial, and reputational damage that can result. Data loss may
come through a ransomware attack or data exfiltration via malware, and can be
the result of outside attacks or insider threats. There are many ways to get
data off a mainframe: FTP, SMTP, NJE (Network Job Entry), IND$FILE for mainframe
to PC file transfers, commercial products like XCOM and Connect:Direct, and
what about HTTP and HTTPS in a connected world? And who believes READ access to
data is a good idea, as a rule? If I can READ something, I can copy it.
We need to
reframe DLP as a strategy, a journey, rather than a product-led approach. We
should not look to DLP as a magic bullet to protect sensitive information. It
requires a more informed approach. This often starts with a pen test or
security assessment. And a DLP strategy has to extend in different ways across
different domains: network, cloud, endpoints, and storage, ideally as part of a
managed approach to security (and cyber resilience – see below). It means
properly understanding our networks, and who or what is connecting to our
mainframes, monitoring network activity in real-time. We can make much better
use of tools already out there, using solutions that feed into a comprehensive
DLP strategy.
You can start
by asking a few searching questions:
- What do we define as sensitive information? (The types of data classified as sensitive need to be revisited frequently.)
- How do we currently track (and understand) data access, movement, and usage?
- In what ways do we restrict access to our data?
We also need to
be able to automatically detect and respond to threats: connecting the
mainframe to an Extended Detection and Response (XDR) approach. It’s a very
good idea to integrate the mainframe with third-party solutions such as tools
for IP Filtering, Intrusion Detection Services, z/OS Encrypted Connection
Monitoring (zERT), and Network Management APIs (NMIs) in IBM z/OS
Communications Server.
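As an added example (not from Mark Wilson's article or Vertali), here is a small Python detector that applies DLP rules to mainframe connection records over the transfer channels listed earlier (FTP, SMTP, NJE, IND$FILE inside a TN3270 session, HTTP/HTTPS) and produces alerts that an XDR platform could ingest. The record layout, the approved network range and the byte threshold are constructed assumptions and are not zERT or NMI output formats.

```python
# Added example (not from the article): flag mainframe connections that use the
# transfer channels the text lists and emit alerts for an XDR/SIEM. The record
# format below is constructed for this example; it is not zERT or NMI output.
import ipaddress
from dataclasses import dataclass

# Channels from the article keyed by their usual TCP port. IND$FILE runs inside a
# TN3270 session, so it can only be matched on the TN3270 ports (assumption).
EXFIL_CHANNELS = {21: "FTP", 25: "SMTP", 175: "NJE", 80: "HTTP", 443: "HTTPS",
                  23: "TN3270/IND$FILE", 992: "TN3270-TLS/IND$FILE"}
CLEARTEXT_PORTS = {21, 25, 175, 80, 23}
APPROVED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
BYTES_THRESHOLD = 50 * 1024 * 1024                     # assumed: 50 MiB

@dataclass
class Alert:
    userid: str
    channel: str
    dest: str
    reasons: tuple

def parse_record(line):
    # constructed format: userid,dest_ip,dest_port,bytes_out,tls(0|1)
    user, ip, port, nbytes, tls = line.strip().split(",")
    return user, ip, int(port), int(nbytes), tls == "1"

def evaluate(line):
    """Apply the DLP rules to one record; return an Alert or None."""
    user, ip, port, nbytes, tls = parse_record(line)
    channel = EXFIL_CHANNELS.get(port)
    if channel is None:
        return None                       # not a tracked transfer channel
    reasons = []
    if not any(ipaddress.ip_address(ip) in n for n in APPROVED_NETS):
        reasons.append("destination outside approved networks")
    if nbytes > BYTES_THRESHOLD:
        reasons.append("bulk transfer above threshold")
    if port in CLEARTEXT_PORTS and not tls:
        reasons.append("cleartext channel")
    return Alert(user, channel, ip, tuple(reasons)) if reasons else None

def scan(lines):
    # Evaluate every record; the returned alerts are what you forward to the XDR.
    return [a for a in map(evaluate, lines) if a is not None]

SAMPLE = [  # constructed records
    "BATCH01,10.1.2.3,443,2048,1",          # internal HTTPS, small: quiet
    "OPER7,198.51.100.9,21,734003200,0",    # external cleartext FTP, 700 MiB
    "DEVUSR,10.9.8.7,23,104857600,0",       # 100 MiB over an internal 3270 session
    "APPLID,203.0.113.5,8080,5000,0",       # port not tracked: ignored
    "MAILJOB,10.5.5.5,25,4096,1",           # internal SMTP over TLS, small: quiet
]
```

Running `scan(SAMPLE)` yields two alerts, one for the external FTP transfer with all three reasons and one for the bulk transfer over the 3270 session; the rules are deliberately independent so that a single cleartext internal transfer still surfaces if you tighten the threshold.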
Why risk being
caught out? Vulnerabilities almost certainly exist, and you may be at risk of
data loss. It could only be a matter of time before a bad actor gets in. Of
course, there’s much more you can do…
Moving on, it’s
been said that resilience ultimately comes from recovery. We live in a complex,
ever-evolving world in which the very best cyber defence is not a guarantee
against a successful attack.
Cyber
resilience is about adapting fast and recovering fast as you respond to a
disruptive event. Business continuity today is impossible without a strong
cyber resilience plan. It’s part-and-parcel of continuously protecting the
business and maintaining a hardened security stance. How can you ensure this
resilience, securing mainframe systems and data from attack and other threats
and, crucially, resume operations quickly and effectively if a successful
attack breaches your defences?
The US National
Institute of Standards and Technology (NIST) defines cyber resilience as “The
ability to anticipate, withstand, recover from, and adapt to adverse
conditions, stresses, attacks, or compromises on systems that use or are
enabled by cyber resources”. Noting that cyber resilience extends beyond
deliberate attack, IBM says it “brings business continuity, information systems
security and organizational resilience together… the ability to continue
delivering intended outcomes despite experiencing challenging cyber events,
such as cyberattacks, natural disasters, or economic slumps”.
The European
Union is also proposing an EU Cyber Resilience Act (CRA), “the first horizontal
regulation to introduce security requirements for connected devices and related
services… Hardware and software products are increasingly subject to successful
cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5
trillion [in] 2021.”
We are indeed
seeing increasing demand from mainframe organizations who want to prepare,
protect, detect, respond, and recover from cyber threats, internal and
external, intended or accidental. We recommend a two-pronged approach:
developing a tailored Cyber Resilience Strategy then building, executing, and
regularly updating a robust Cyber Resilience Plan based on that strategy.
A viable Cyber
Resilience Strategy depends on the smooth collaboration of several
preventative, detective, and responsive approaches, understanding the
interrelationships between these elements and how each one complements the
functions of the others. Creating your tailored strategy will therefore draw on
existing operational disciplines such as Business Continuity (BC), Disaster
Recovery (DR), Incident Response (IR), and Cybersecurity Planning. These
elements already exist in most organizations but are siloed. We need to bring
them together.
Your strategy
defines how and what you will develop, and the priorities of your Cyber
Resilience Plan. Developing plans that are clearly documented, updated, and
regularly tested is achieved through a balanced program of activities. These
include cybersecurity planning, business continuity and disaster recovery
(BCDR) plans, incident response plans, periodic Business Impact Analysis (BIA)
and Risk Analysis, regular testing, and stakeholder engagement. An important
part of the process is educating and updating the senior leadership team on the
threat landscape, based on the assumption that a breach will take place. We
need to explain the risks and impacts of not having a strong strategy and plan,
quantifying benefits wherever possible in monetary terms. Cyber resilience can
help to significantly reduce financial loss and reputational damage.
You can also
explore and deploy tools to support cyber resilience that work for you. These
might include IBM z Cyber Vault (“reduce time to recovery from days to
minutes”), Dell’s Data Protector for z Systems (zDP), which has been described
as a “mainframe data recovery game changer”, as well as tools from Maintegrity,
Action Software, New Era, Vanguard, BMC, and others.
When it comes
to effective cyber resilience, a flexible approach is required, one that may
include: identifying and documenting the most critical elements to your
business; input from diverse stakeholders; performing a risk analysis and risk
rating of systems, applications, and data (pen tests and security assessments
may be part of this); ensuring your strategy and plan align with wider cyber
related requirements, e.g. GDPR and the NIS Directive; and documenting, testing, refining,
and updating – and continuing to do so.
When it comes
to cyber security and optimizing mainframe operations in general, simply
because the task is like painting the Forth Bridge – said to be never ending –
doesn’t mean we shouldn’t be constantly scrubbing away the old, reinforcing and
repairing, and providing new layers of protection. With the continuing role of
the mainframe, at the heart of so many organizations and activities, these
aren’t really technical issues or security problems anymore: they are business
issues that go to the heart of successful operations, great customer service,
and commercial resilience.
You can find
out more about Mark Wilson and read the full article from Vertali here.