Sunday, 5 February 2023

The NeverEnding Story: Optimizing and Securing the Modern Mainframe

Mark Wilson, Vertali’s Technical Director, wrote in this year’s Arcati Mainframe Yearbook that the task list for mainframers is never ending, whether that means prioritizing cyber resilience, implementing data loss prevention, or optimizing project work and BAU activity. There’s clearly a continuing demand for specialist skills and expertise.

2022 began with pandemic restrictions still in place and ended with a controversial World Cup. War came to Eastern Europe, precipitating an energy crisis. The UK had three different Prime Ministers in 50 days. A global recession may be imminent. And the mainframe has continued to do what it does: a strategic platform for the ages, the single answer to multiple questions, as relevant in the digital world as the analogue. Mainframes have traditionally accounted for up to two-thirds of the world’s IT production workloads but well below 10% of IT spend. However, the mainframe is being modernized, upgraded, optimized, and outsourced. And people want help to do that.

Talking to clients and partners has raised a myriad of issues: the continuing changes required by digital transformation, the role of the modern mainframe, and of course cyber security. Let’s take a quick look at two topics we’re asked about regularly. The first is reasonably specific: Data Loss Prevention (DLP). The second is wider ranging: how to build cyber resilience for mainframe infrastructure, data, and processes.

Mainframe data loss is fundamentally a business problem. Prevention is better than cure, which means focusing on the risk of exfiltration. DLP is about detecting, identifying, and preventing potentially damaging data breaches, data exfiltration, and the unwanted destruction of sensitive data. Effective DLP means securing and protecting your data, and complying with the necessary legislation and regulatory requirements. Gartner estimated that by 2021, 90% of organizations would have implemented at least one form of integrated DLP. But analysts also say the market has reached maturity, with competitive solutions difficult to distinguish from each other and innovation in functionality stalling.

We should be doing everything in our power to prevent the unauthorized and illicit removal and transfer of data outside organizational boundaries, so avoiding the customer, financial, and reputational damage that can result. Data loss may come through a ransomware attack or data exfiltration via malware, and can be the result of outside attacks or insider threats. There are many ways to get data off a mainframe: FTP, SMTP, NJE (Network Job Entry), IND$FILE for mainframe to PC file transfers, commercial products like XCOM and Connect:Direct, and what about HTTP and HTTPS in a connected world? And who believes READ access to data is a good idea, as a rule? If I can READ something, I can copy it.

We need to reframe DLP as a strategy, a journey, rather than a product-led approach. We should not look to DLP as a magic bullet to protect sensitive information. It requires a more informed approach. This often starts with a pen test or security assessment. And a DLP strategy has to extend in different ways across different domains: network, cloud, endpoints, and storage, ideally as part of a managed approach to security (and cyber resilience – see below). It means properly understanding our networks, and who or what is connecting to our mainframes, monitoring network activity in real-time. We can make much better use of tools already out there, using solutions that feed into a comprehensive DLP strategy.

You can start by asking a few searching questions:

  • What do we define as sensitive information? (The types of data classified as sensitive need to be revisited frequently.)
  • How do we currently track (and understand) data access, movement, and usage?
  • In what ways do we restrict access to our data?

We also need to be able to automatically detect and respond to threats: connecting the mainframe to an Extended Detection and Response (XDR) approach. It’s a very good idea to integrate the mainframe with third-party solutions such as tools for IP Filtering, Intrusion Detection Services, z/OS Encrypted Connection Monitoring (zERT), and Network Management APIs (NMIs) in IBM z/OS Communications Server.
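The channels listed above and the three questions (what is sensitive, how movement is tracked) can be turned into a simple correlation rule. The following is an added illustration, not code from the article or from Vertali: the event line format, dataset names, user IDs and internal address range are all constructed; a real feed would come from SMF records or the Communications Server NMIs mentioned above.

```python
import ipaddress
from dataclasses import dataclass

# Outbound channels the article names as ways data leaves a mainframe.
OUTBOUND_CHANNELS = {"FTP", "SMTP", "NJE", "IND$FILE", "XCOM", "CONNECT_DIRECT", "HTTP", "HTTPS"}
# "What do we define as sensitive?": dataset name prefixes (constructed for this example).
SENSITIVE_PREFIXES = ("PROD.CUST.", "PROD.PAY.", "HR.")
# Destinations inside the organizational boundary (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events: timestamp channel user dataset destination
SAMPLE_EVENTS = [
    "2023-02-05T10:01:12Z FTP USER01 PROD.CUST.MASTER 203.0.113.10",
    "2023-02-05T10:02:40Z IND$FILE USER02 TEST.SAMPLE.DATA 10.1.2.3",
    "2023-02-05T10:03:05Z NJE BATCH01 PROD.PAY.RUN 10.1.5.9",
    "2023-02-05T10:04:00Z HTTPS USER03 HR.SALARY.Q4 198.51.100.7",
    "2023-02-05T10:05:30Z IND$FILE USER01 PROD.CUST.EXTRACT 10.1.2.3",
]

@dataclass
class Alert:
    severity: str      # "high": sensitive data crossed the boundary; "medium": moved internally
    channel: str
    user: str
    dataset: str
    destination: str

def is_internal(dest: str) -> bool:
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in INTERNAL_NETS)

def evaluate(lines):
    """Flag every transfer of a sensitive dataset over a known outbound channel."""
    alerts = []
    for line in lines:
        _, channel, user, dataset, dest = line.split()
        if channel not in OUTBOUND_CHANNELS or not dataset.startswith(SENSITIVE_PREFIXES):
            continue  # not an exfiltration path we watch, or not classified sensitive
        severity = "medium" if is_internal(dest) else "high"
        alerts.append(Alert(severity, channel, user, dataset, dest))
    return alerts

def movement_by_user(alerts):
    """'How do we track data movement?': count sensitive transfers per user."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts
```

Two of the five constructed events leave the boundary and are rated high; the two internal moves of sensitive datasets are still recorded, because tracking movement is the second of the three questions.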

Why risk being caught out? Vulnerabilities almost certainly exist, and you may be at risk of data loss. It could only be a matter of time before a bad actor gets in. Of course, there’s much more you can do…

Moving on, it’s been said that resilience ultimately comes from recovery. We live in a complex, ever-evolving world in which the very best cyber defence is not a guarantee against a successful attack.

Cyber resilience is about adapting fast and recovering fast as you respond to a disruptive event. Business continuity today is impossible without a strong cyber resilience plan. It’s part-and-parcel of continuously protecting the business and maintaining a hardened security stance. How can you ensure this resilience, securing mainframe systems and data from attack and other threats and, crucially, resuming operations quickly and effectively if a successful attack breaches your defences?

The US National Institute of Standards and Technology (NIST) defines cyber resilience as “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources”. Noting that cyber resilience extends beyond deliberate attack, IBM says it “brings business continuity, information systems security and organizational resilience together… the ability to continue delivering intended outcomes despite experiencing challenging cyber events, such as cyberattacks, natural disasters, or economic slumps”.

The European Union is also proposing an EU Cyber Resilience Act (CRA), “the first horizontal regulation to introduce security requirements for connected devices and related services… Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion [in] 2021.”

We are indeed seeing increasing demand from mainframe organizations who want to prepare, protect, detect, respond, and recover from cyber threats, internal and external, intended or accidental. We recommend a two-pronged approach: developing a tailored Cyber Resilience Strategy then building, executing, and regularly updating a robust Cyber Resilience Plan based on that strategy.

A viable Cyber Resilience Strategy depends on the smooth collaboration of several preventative, detective, and responsive approaches, understanding the interrelationships between these elements and how each one complements the functions of the others. Creating your tailored strategy will therefore draw on existing operational disciplines such as Business Continuity (BC), Disaster Recovery (DR), Incident Response (IR), and Cybersecurity Planning. These elements already exist in most organizations but are siloed. We need to bring them together.

Your strategy defines how and what you will develop, and the priorities of your Cyber Resilience Plan. Developing plans that are clearly documented, updated, and regularly tested is achieved through a balanced program of activities. These include cybersecurity planning, business continuity and disaster recovery (BCDR) plans, incident response plans, periodic Business Impact Analysis (BIA) and Risk Analysis, regular testing, and stakeholder engagement. An important part of the process is educating and updating the senior leadership team on the threat landscape, based on the assumption that a breach will take place. We need to explain the risks and impacts of not having a strong strategy and plan, quantifying benefits wherever possible in monetary terms. Cyber resilience can help to significantly reduce financial loss and reputational damage.

You can also explore and deploy tools to support cyber resilience that work for you. These might include IBM z Cyber Vault (“reduce time to recovery from days to minutes”), Dell’s Data Protector for z Systems (zDP), which has been described as a “mainframe data recovery game changer”, as well as tools from Maintegrity, Action Software, New Era, Vanguard, BMC, and others.

When it comes to effective cyber resilience, a flexible approach is required, one that may include: identifying and documenting the most critical elements to your business; input from diverse stakeholders; performing a risk analysis and risk rating of systems, applications, and data (pen tests and security assessments may be part of this); ensuring your strategy and plan align with wider cyber related requirements, e.g. GDPR and the NIS Directive; and documenting, testing, refining, and updating – and continuing to do so.

When it comes to cyber security and optimizing mainframe operations in general, simply because the task is like painting the Forth Bridge – said to be never ending – doesn’t mean we shouldn’t be constantly scrubbing away the old, reinforcing and repairing, and providing new layers of protection. With the continuing role of the mainframe, at the heart of so many organizations and activities, these aren’t really technical issues or security problems anymore: they are business issues that go to the heart of successful operations, great customer service, and commercial resilience.

You can find out more about Mark Wilson and read the full article from Vertali here.
