In-Depth

Mainframe Security: Good Enough for the 21st Century?

The mainframe is the hub of a network of connected devices, making it ever more vulnerable to attacks.

• By Al DeVito
• 12/17/2003

Security, a watchword of the 21st century, has been strong in mainframe shops for at least the past twenty-five years. Products such as RACF have served as bulwarks of that security. The centralizing aspect of the mainframe has also helped provide a secure environment for an organization’s data. Yet, we all know that no matter how strong the security, it can be broken by someone with sufficient motivation, talent, time and expertise. Fortunately, one needed an inordinate amount of time, talent and expertise to penetrate the twentieth century mainframe, sitting alone in its isolated, air conditioned, locked quarters, served by operators around the clock, understanding a language all its own.

The Mainframe has Company

But, as Bob Dylan sings, “the times they are a-changin”. Today, the mainframe is not alone. It is the hub of a network of PCs, Unix boxes and other mainframes. Web-based front-end products, such as IBM’s WebSphere and BEA's WebLogic, bring the Internet to the mainframe’s front door. And, as even the layman knows, the Internet is home to hackers. A smart programmer anywhere in the world can hack into the mainframe of an international bank in New York City. And that could be fatal to the bank since most banks – indeed, most Global 2000 companies – keep their vital data on the mainframe. My account information is there, as is yours. The bank’s accounting records are there. The data it needs to report to the government; employee records are there. In short, anything essential to the bank’s health and well-being is there.

Not only is the mainframe connected—companies are connected, too. That New York bank may have a company in Iowa handle its credit card processing, or use a call center in the Philippines. These connections usually involve an interchange of data. The bank may send files from its mainframe to the partner via FTP (File Transfer Protocol) or express ship magnetic tapes every night. Once those files leave the mainframe, another security mechanism has to be in place - one that can be used by the bank in both sending to and receiving data from its partner – or you risk a security breach.

If business reasons are not enough to make you reconsider the security of your mainframe data, there is always Uncle Sam. If you’ve visited your doctor since mid-April, you were given a form about HIPAA (Health Information Portability and Accounting Act) to sign. You probably signed it without reading it line by line. Your doctor, not wanting to go to jail or pay a fine, did more than scan the law and its associated Security Rule. HIPAA spells out privacy requirements for the health care industry. The penalties for not meeting the requirements can be severe.

But HIPAA is not the only security-related mandate our government has issued. If you’re a university, you have to comply with FERPA (Family Educational Rights and Privacy Act) and PPRA (Protection of Pupil Rights Amendment) and protect a student’s records from unwarranted disclosure or risk losing federal funds. If you are employed at a financial institution should read up on the Gramm-Leach-Blilley Act or pay the piper if you don't ensure the confidentiality and security of your customers’ information. The recent financial scandals involving Enron and others have resulted in the Sarbanes-Oxley Act, which makes it a crime for any company to, among other actions, impair an object’s integrity. Do you do business in Europe? The European Union Privacy Directive 95/46 makes privacy a basic human right. And the list goes on.

The Old Security is No Longer Sufficient

What’s a mainframe user to do? Your mainframe is connected to more vulnerable computers. Your company’s mainframe data is transmitted over insecure wires to partners. You must comply with various government mandates for security and privacy. Sure, RACF and firewalls make it difficult for someone to penetrate your mainframe. But RACF and firewalls were built by fallible mortals just like you and me, as was all of the software running on that mainframe. Your mainframe can be penetrated.

Fraud is a fact of life. Your best security protection is to make the cost of illegally obtaining confidential data greater than the benefits to be achieved by so doing. Security control products and firewalls offer protection against system access. But, like any security system, they can’t offer 100% protection. Make the attacker's job harder and more costly. One way many concerned mainframe users are doing just that is via cryptography, i.e., the encrypting of data so that it cannot be deciphered (decrypted) without access to a key that specifies how the data is encrypted. If security is penetrated, the attacker will not be able to readily understand the information she has accessed. The cost and difficulty to attackers accessing intelligible confidential data has risen considerably, to your benefit and their detriment.

Cryptography bolsters three primary security functions: confidentiality, integrity, and non-repudiation. With cryptography, your data can’t be read or altered and, most importantly, you are assured of the identity of the sender, who, in turn, cannot deny that he sent the data.

While cryptography has been around for millennia (the ancient Egyptians and Arabs used it), its use on the mainframe is relatively new, due, I suspect, to the assumed security of the mainframe. However, recent events have led forward-thinking organizations to question just how secure their mainframes are and to turn to cryptography to improve their security capabilities.

IBM is one of the few, if not the only, suppliers of a mainframe hardware solution; its Cryptographic Coprocessor is coupled with an OS/390 component, the Integrated Cryptographic Service Facility (ICSF). But it’s fairly complex and expensive. Most mainframe organizations rely on a software solution.

Selecting a Software Product

Of course, your cryptographic software solution should be easy to install, implement, and use, while giving you good value for your money. Beyond these basics, you want to ensure that you can support today’s multi-computer enterprise data center and your company’s partner-centric business model. The product needs to interoperate with encryption products on other platforms. The best way to achieve these goals is to ensure that the product complies with RFC2440 (OpenPGP) standards.

The product must be flexible. It should support well-known encryption algorithms (such as Triple-DES, DES, Blowfish, and others) and give you the option of using private and public keys. It should also offer alternatives—such as cyclic redundancy checking, message digest algorithms and message authentication codes—to ensure data integrity. A key element is the digital signature, a mechanism whereby the sender of the data can be positively identified.

To ensure maximum security, your files should be encrypted in place, before they go over the wire. Store your keys in your security control product as another level of protection.

You should be able to encrypt and decrypt data directly from a program (i.e., the cryptographic routines should be callable in any language) or as a separate job. Naturally, the overhead of encryption and decryption should be minimal.

Conclusion

Mainframe security is no longer the sole province of security control products such as RACF. The world of the twenty-first century is a dangerous one. You need additional protection. Cryptography can provide that protection.