Sunday 30 May 2021

The new mainframe mantra – trust no-one!

 

‘Ransomware attacks, phishing exploits, malware, bad actors’ and many other words and phrases associated with security have become common-place parts of everyday conversation for so many people as attacks on all sorts of organizations and individuals have taken place. In addition, the pandemic and the widespread working from home has accelerated a trend that has been growing over recent years that people expect to be able to shop, use social media, and work from anywhere at any time. And, they expect to be able to do it from their phone, tablet, nearby laptop, and any other WiFi-connected device. And that means the attack surface (another commonly-used phrase to add to the list) has grown exponentially over the past year or so.

And what makes mainframe security even harder is that people are using the cloud for their work without even going through mainframe first. So where does authentication take place? Does it make sense to route all traffic through the mainframe and then out to the cloud, and then back to the mainframe, and then back to the user? The answer is probably not. In which case, RACF etc aren’t getting a look in!

The big question facing IT security teams is how can they keep their data and their network secure when they are faced with the problem of users using so many different devices to access the network and the data existing in a cloud or hybrid cloud environment, as well as on DASD connected to their mainframe in the secure data centre? Ransomware attacks have proved that simply authenticating people when they first log in isn’t enough – especially with so many credentials becoming available on the dark web. There needs to be some way to spot that a person who usually logs in from down the road seems to be working late at night from somewhere in Africa or Mongolia (or any other distant country) this week.

At one time, hackers would take a valid login id and then brute force attack with as many potential passwords as they could until they found one that worked. Then they tried using social media to find the name of a targeted person’s dog etc, and used versions of that to try to gain access. Now they have hundreds of valid login id, and they use password spraying – where a few commonly-used passwords are tried against a large number of accounts.

And, once in, hackers try to raise their security level, and access the personally identifiable information (PII) that they can sell on the dark web. And they will corrupt backups, encrypt data, and demand a ransom. And, if you pay the ransom, they may unencrypt the data – but will probably still sell their copy of it!

That’s where zero trust architecture (ZTA) comes in. Continuous trust evaluation is based on people, devices, and applications having digital identities that are continuously being evaluated (by looking for anomalous behaviour). This ensures that everything stays secure. Obviously, it’s not perfect – you have to trust some people doing some things or else no work will get done. What it does though is balance trust against risk. It’s context aware – which means that it will identify unusual behaviour and flag it. The basic rules with zero trust are: least privilege access; never trust, always verify; and assume a breach.

That makes it harder for staff to perform unusual activities and for hackers to gain access to more secure data unless they meet prescribed identity, device, and application-based criteria. And that helps reduce the size of the attack surface. Everyone has just enough privileges (and no more) to do their work. They must meet appropriate identity, device, and application-based criteria. Obviously, criteria can change as personnel change roles within an organization.

PWC suggests four compliance aspects for zero trust. They are: security configuration baseline (SCB) monitoring; file integrity monitoring (FIM); vulnerability monitoring; and data breach detection. I wonder how many mainframe sites can tick all four boxes?

IBM has recently announced a new software as a service (SaaS) version of IBM Cloud Pak for Security, which simplifies the deployment of zero trust architecture across the enterprise. In addition, IBM announced an alliance partnership with Zscaler, and new blueprints for common zero trust use cases.

The new IBM Cloud Pak for Security as a Service allows users to choose either an owned or a hosted deployment model. Users can access to a unified dashboard across threat management tools, which comes with a usage-based pricing approach.

Looking at the blueprints, which provide a framework for security, a prescriptive roadmap of security capabilities, and guidance on how to integrate them as part of a zero trust architecture. They address business issues such as preserving customer privacy, securing a hybrid and remote workforce, protecting hybrid cloud, and reducing the risk of insider threats.

IBM’s partnership with Zscaler will help organizations connect users to applications seamlessly and securely. IBM Security Services uses the technology of Zscaler to help clients adopt an end-to-end secure access service edge (SASE) approach. Integrating Zscaler Private Access and Zscaler Internet Access with IBM security products such as Security Verify helps to build zero trust architecture.

All together, it continues to make the IBM mainframe the most secure computing platform available anywhere.

No comments: