Moving Security to the Mainframe
Vanguard wants the mainframe to be the center of security
- By Chris DeVoney
If the adage “everything old is new again” applied, a company called Vanguard Integrity Professionals would join the ranks of Lincoln Logs, short haircuts, and skinny jeans. The company wants the mainframe to be the core of your enterprise’s IT security. Not just the securing the mainframe—they want it to be the security controller for your entire enterprise.
I’m fine with the securing the mainframe but wrestle with the rest of the proposition. However, the concept is so intriguing that customers are embracing it and more companies should consider it.
I talked with Ronn Bailey, CEO/CTO of Vanguard who founded the company in 1986. As he explained, you might blame it all on Congress, NASA, and the German-based Chaos Computer Club which invaded NASA’s networks in early 1987. That incident provided the motivation to improve security in the organization. But later that year, the agency discovered the Space Shuttle’s Primary Avionics Software System (PASS) was compromised. The latter occurred because a security administrator inadvertently deleted the file holding the security rules protecting PASS.
Congress mandated NASA fix their security and Vanguard was awarded the contract in 1989 to develop Enforcer, a host-based intrusion detection system for then-PDP/11s. Since that time, Vanguard bought the rights to Enforcer (NASA keeps a 10-year multisite license), ported Enforce to the zSeries, added more products and systems to its portfolio, and several of its more than 500 large customers are in the Fortune 50 or are government agencies.
Despite the changes, the story remains the same. Threats continue to come from the outside world and inside the house.
In our high-distributed environment, we apply security to the parameters, the edges, the clients, and the servers. We ring the mainframe with security but may evolve into the Tootsie Pop configuration—a hard-shelled exterior with a soft interior. Even if infrastructure denies successful intrusions to the heavy iron, authorized people with inadvertent or malicious actions can take down mainframe-held data. For any loss, try explaining to your fiduciary or judiciary interests why you implemented security on non-critical systems and left the mainframe unprotected.
Those scenarios are countered by a Vanguard’s family of mainframe-oriented security products that includes the current Enforcer product. Administrator adds functionality and reporting to systems running IBM’s Resource Access Control Facility (RACF). Advisor performs event log monitoring. Analyzer handles auditing (with or without RACF). PasswordReset provides self-service password maintenance (cutting down help desk costs). SecurityCenter pulls Security and DB2 server administration from a green tube onto a graphical Windows machine. INCompliance puts an overview of your RACF environment into a Web browser and provides faster (and less expensive) SOX, GBL, HIPAA, and other reports and audits.
Those products have attracted a wide variety of customers: Boeing, the Canadian Department of National Defence, Bank of America, Lockheed Martin, Target, Prudential, Wal-Mart, JP Morgan, and the IRS and FAA government agencies. Given the environments, the moves make sense.
The Mainframe as Central Security Controller
The more intriguing idea is using the mainframe as a central security controller for the enterprise. That’s the upshot of the ez product family line which is currently based on the IBM zSeries. The family includes a multiplatform single signon (ez/Signon) that works with Windows, Red Hat/SUSE Linux, Solaris, HP, AIX, and AS/400. Registration Manager is an admin tool to manage and push mapped profiles throughout the enterprise.
ezAccessControl moves all access requests of a Windows 2000/2003/XP system, including devices and file system use, from the individual computers to the central security authority. ez/Integrator is an interface to bring the same mainframe-based authentication, authorization, and auditing to home-grown software.
Basically, a software shim is installed on the systems which redirects security requests, be it identification, authentication, access privileges, or others, to the central security authority. The central authority allows, disallows, and tracks all actions.
The approach allows the entire enterprise to be treated as a single security domain rather than many disparate domains. You eliminate handling servers and applications as one-offs and can administer all users and all data on all platforms through a common interface. Policy and access changes are instantaneous through out the enterprise. The auditing and compliance information is more complete and quickly accessed. Total cost of ownership (hopefully) is reduced.
I’m comfortable with Bailey’s answers to some obvious issues. For example, I asked if the infrastructure handle that traffic. Bailey replied that all assets don’t need equal protection. You apply high-level protection to the high-value systems, the mainframe, and servers. Since an IBM z9 can literally handle 10,000 transactions and 6,000 SSL handshakes per second, the processing power is available. One customer has 300,000 users signing on for the workday and sees no degradation.
What about connectivity issues? WAN-wide, networking can be fault-tolerant. On 9/11 and during the San Francisco earthquake, the nation’s ATMs kept dispensing cash with the networks intact. Recall that problems that might interfere with centralized security would also interfere with distributed controller-based security.
I see issues with enterprises or institutions whose networks are not substantially or completely secure, and problems with multiple-datacenter enterprises with less than fault-tolerant high-speed links in between. The products don’t completely solve issues of shadow data sitting on client machines that are either compromised, lost, or stolen.
However, there are substantial benefits, both operationally and financially, from having a single security authority. I just have that operational discomfort for trusting the mainframe rather than replicated authorities for all things security. Bailey humorously calls it the Internet Protocol-distributed orientation versus mainframe-orientation, or the IPers vs. MFers.
Forrester analyst John Penn puts it more bluntly. “Don’t think of it as mainframe security. It’s security that happens to use a mainframe, which shouldn’t be look at as archaic. It’s the architecture [of the products], not what it sits on, that’s important.”
Penn makes sense. If you buy into the Vanguard architecture of a single security authority, then using a fault-tolerant, high-availability box like a zSeries makes sense. Bailey admitted a mid-year announcement will herald an additional platform as controller.
I see the value in Vanguard’s enterprise products and see a range of companies and institutions where the products make sense. Given the increased requirements for structured security and compliance in enterprises, more enterprises should investigate what Vanguard offers too.