Guarding Mainframes in Real Time

Regulations drive monitoring

Remember the halcyon days when security was simple. All you had to do was lock the computer-room door to secure terminals. “Twenty or 30 years ago, the mainframe was only used by a few people, and at that point, security was really easy, but the mainframe has evolved,” observes Koen Bouwers, CEO of Delft, The Netherlands-based Consul Risk Management BV.

The new thinking is that, like the rest of the network, mainframes should be watched around the clock too. “The mainframe, as you know, has gotten a new lease on life with the advent of Web application servers, and the strength of a mainframe is that it runs continuously; you don’t have to shut down a mainframe every so many weeks to do maintenance,” says Rob van Hoboken, manager of mainframe implementations and a co-founder of Consul.

The company's new product, Consul/zAlert, provides real-time intrusion detection monitoring of mainframes. When it detects threats or dangerous device configurations, zAlert can notify administrators via mobile devices, e-mail, or the Consul/eAudit security event management console. When used with Consul/eAudit, security managers can audit and view mainframes at the same time as distributed systems. This product is on the leading edge of a new mainframe trend: real-time intrusion detection.

“What has been previously available is auditing tools that report on exposures, and you’re supposed to run this auditing program once a day or once a month, and it will tell you that these exposures exist and will stay there until you address them,” says van Hoboken. “zAlert is an auditing program that runs continuously, and continuously monitors the products for intrusions. So you no longer need to wait until the audits come along or the schedule has allowed for a state system monitor.”

Organizations define their own policies and the degree to which zAlert should attempt to automatically handle any perceived intrusions—for example, by suspending user accounts when someone makes a poor configuration choice. “Our product can automate actions based on the alert, whereas other products seem to stop at alerting,” Bouwers notes

As the uses have changed and security stakes intensified, so, too, have regulations. “If you look at a lot of the standards and security regulations out there—Gramm-Leach-Bliley and HIPAA—it actually requires that you are monitoring for security reasons, so I see a lot more organizations starting to focus on a product like this,” says Michael Rasmussen, a director at Giga Information Group. In terms of mainframe monitoring options, “Vanguard might play in this space, but Consul is the one I see out there. They’re interesting because they play across a lot of networks and operating systems—for example, for all of your Windows servers and Oracle databases.”

Consul/zAlert runs on IBM Security Server (RACF); OS/390 V2R8 or higher; and z/OS 1.1 or higher. zAlert also keeps itself up to date with its operating environment, easing some administration headaches. “If an installation adds authorized data sets to the data system, then zAlert knows about these data sets almost immediately. You don’t need to alter the parameters of the product to cater to the existing environment. We keep it in line with the existing policy,” says van Hoboken.

zAlert also helps manage Unix running on mainframes. When bad management takes place, van Hoboken observes, Unix on the mainframe—Unix System Services (USS)—doesn’t necessarily communicate alerts well with an administrator. Of course, like any operating system, USS could also just get configured incorrectly. Though USS runs on a mainframe, security isn’t assured. “It is still a Unix system, and the administrator on a Unix system is still all too powerful. And even though it’s safe when it’s properly configured, there are not a whole lot of messages to tell you what’s going on. zAlert adds some of the messaging capabilities, so that you find out when things are happening instead of finding out after. This is relatively new for the mainframe world.” Indeed, IBM only pushed Unix for mainframes about four years ago, he says. “Now zAlert puts in the active monitoring.”

None too soon. “The mainframes are just another node on the network anymore, so they are susceptible to attackers, but it’s also the insider attacks,” says Rasmussen.

In fact, “80% of all intrusions are done not by outside people, but by inside people, so you really want to get real-time alerting and remediation,” Bouwers suggests.

Organizations running mainframes will turn to real-time security monitoring more and more in the future. “If I can be alerted to somebody trying to break into my system before they make off with data that could make me liable and expose me to a class action lawsuit, then I’m going to be really interested in a real-time monitoring solution,” notes Rasmussen.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.