Mainframes should be included in centralized security monitoring

Have you been paying enough attention to your mainframe lately?

According to a San Francisco Chronicle article from April 2004, IBM mainframes are still serving many organizations 40 years after the first ones were introduced. Indeed, Big Blue is still selling the big machines: “IBM sold $4.2 billion worth of mainframes in 2003, up 6% from the previous year, according to International Data Corp.” Even more startling, “Doug Balog, an IBM vice president, noted that 70% of the world’s data are still housed in mainframe computers. And [IDC analyst Steve] Josselyn said they are bound to stay there for a long time.”

My old friend Jerry Harding, managing director of Type80 Security Software (the name is derived from the IBM log file record for security events) was chatting with me recently about some of the work his company has been doing with mainframes and I think readers will be interested in his perspective as a mainframe-security vendor.

Jerry says mainframe computers are generally secure systems, but they are being overlooked as security managers implement centralized security-monitoring systems. You can’t ignore mainframes when planning for enterprise-wide security. Jerry finds that some security products have surfaced in the market in which mainframe operating-system logs, including console logs, are piped into a security incident monitor (SIM) repository using batch-mode FTP. The problems with this approach are that:

* The data transfer is not in real time.
* The logs are sent without much configurability to filter out useless records such as tape-mount messages and other innocuous events.
* The excess data contribute to data overload and excessive false-positives on the analysis side.

Type80 based its product on a network-centric approach instead of sticking to the traditional mainframe model.
The goal was to interoperate with other security products and to share alert data with existing security-monitoring software so that network and security administrators could see an integrated picture of the whole network that included the mainframes. They made the mainframe look like a Unix box sitting on a network delivering security-event data via standard TCP/IP connections.

These data and connection protocols are understood by all the SIM vendors in the market. Once the data are available and analyzed, they can be used for forensic analyses such as tracking intruders through a network. Did the intruder attack the mainframe? Was the intruder successful in penetrating the mainframe defenses?

Making mainframes part of the overall security architecture is particularly important for organizations working through the audit process to satisfy due-diligence requirements that demonstrate compliance with demands from laws such as Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act and Sarbanes-Oxley.

If you’d like to learn more about Jerry’s background and his perspectives on mainframes, you can read one of my articles.
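
The filtering and real-time delivery described above, as an added sketch (not Type80's code and not part of the original article): it drops tape-mount and other routine console records and sends RACF access violations to a collector as RFC 5424 syslog over TCP, one record at a time. The record layout, the forwarding policy, the facility and severity values and the sample records are assumptions constructed for illustration.

```python
import re
import socket
from collections import Counter

# Assumed policy for this sketch: console message IDs worth forwarding.
# ICH408I is the RACF access-violation message; the severity is an assumption.
FORWARD = {"ICH408I": 4}   # message ID -> syslog severity (4 = warning)
FACILITY = 10              # syslog "authpriv" (security/authorization)

# Constructed, simplified record layout: "<UTC timestamp> <system> <msgid> <text>"
RECORD = re.compile(r"^(\S+Z) (\S+) ([A-Z]{3,4}\d{3,5}[A-Z]) (.*)$")

def to_syslog(record):
    """Return an RFC 5424 message for a forwardable record, else None."""
    m = RECORD.match(record.strip())
    if not m:
        return None
    stamp, system, msgid, text = m.groups()
    if msgid not in FORWARD:
        return None            # tape mounts, job start/stop and the like
    pri = FACILITY * 8 + FORWARD[msgid]
    return f"<{pri}>1 {stamp} {system} console - {msgid} - {text}"

def forward(records, sock):
    """Send each qualifying record as it arrives; return per-ID drop counts."""
    dropped = Counter()
    for record in records:
        msg = to_syslog(record)
        if msg is None:
            # Count what was filtered so the policy can be reviewed and tuned.
            m = RECORD.match(record.strip())
            dropped[m.group(3) if m else "UNPARSED"] += 1
            continue
        data = msg.encode("utf-8")
        # Octet-counted framing (RFC 6587) lets the collector split the stream.
        sock.sendall(str(len(data)).encode() + b" " + data)
    return dropped

SAMPLE = [  # constructed records, not real log data
    "2004-05-01T09:15:02Z SYS1 IEC501A M 0580,TAPE01,SL,NOCOMP,PAYJOB,STEP1",
    "2004-05-01T09:15:07Z SYS1 ICH408I USER(JDOE) GROUP(STAFF) INSUFFICIENT ACCESS AUTHORITY",
    "2004-05-01T09:15:09Z SYS1 IEF403I PAYJOB - STARTED",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(to_syslog(line))
```

The drop counts returned by `forward` show which message IDs the policy is discarding, which is the check to run before trusting the filter in production.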