“Do you think your current mainframe security is GDPR compliant?” might seem an odd question to ask. After all, the mainframe community loves to talk about the built in encryption and security of the platform. However, this is exactly what Macro 4 did ask at the annual GSE UK Conference for IBM mainframe users.
According to Keith Banham, Mainframe Research and Development Manager at Macro 4: “Far from being a closed off environment, today’s mainframe is typically connected to the internet, because it runs important business applications that need to be accessed by millions of enterprise users and customers across the globe. Anyone who has ever booked a flight, purchased insurance online or used internet banking is likely to have interacted with a mainframe somewhere along the line.
“Growing web and mobile access to the mainframe, combined with hackers getting smarter – and tougher rules and sanctions around data breaches – makes mainframe security a priority.”
What did mainframe users say?
Given the data and content stored on the mainframe and the claims it is the most secure platform around, it might be reasonable to think the overwhelming answer was Yes. It wasn’t. Only 25% of those surveyed said Yes. The other responses were No (31%), Don’t Know (40%) and What on earth is GDPR? (4%).
Looking in a little more detail at the mainframe platform it seems that many customers do not encrypt by default. Although 96% agree than data encryption is: “an important way of securing the mainframe.” While this is exactly what one would expect from mainframe teams it appears that it isn’t yet as pervasive as it should be.
As the IBM z14 model begins to sell, that will change. This is because the mainframe is set to pervasive encryption by default. IBM doesn’t give out details of how many customers are still on different models of its mainframes. The reality is that it will take years for its customers to move to the z14 or its successors. This means that it needs to look at what it can do to improve the use of pervasive encryption on older models.
IBM added support for multi-factor authentication (MFA) earlier this year for mainframe customers. For 67% of respondents that was an important step. That seems a low number. Given how easily password-based credentials get stolen, MFA seems like a must have especially for systems connected to the Internet.
It is also surprising that just 58% say restricting data access to the absolute minimum necessary is a security measure. The insider threat is bigger than the external hacker threat. All systems should be only allowing access to those with a proven need.
GDPR not the only driver for a more secure mainframe
GDPR is just one of several changes to data protection regulations across the world. China, Australia, Singapore and other countries are cracking down with stricter privacy regulations. Unsurprisingly 86% cited regulations as a driver for a more secure mainframe.
There have been very few successful hacks of mainframes over the past four decades. However, that doesn’t mean they are not targets. The data that they hold ensures that hacking a mainframe will deliver a big payday to the hacker. 80% were concerned about hackers and cybercriminals. The easiest and most likely attack will come from stolen credentials. Given that only 67% saw MFA as a requirement, there is a disconnect between the threat and a potential solution.
The increased connectivity of the mainframe to other systems and the outside world is a bigger risk. The attack against an IBM i system at a US water treatment plant relied on its connectivity to other systems. In that case the userid and password were stored, in a file, on another machine that was connected to the hacked system. The hackers just stole the credentials and used them. This is where basic security need to be improved and rules enforced as to how and where credentials are stored. It also requires testing to identify where developers or operations are using cached credentials for application access.
What does this mean?
IBM prides itself on the security of its mainframe. Its customers, those responding to this survey, seem less confident about data protection on the platform. This survey is important. The majority of surveys of mainframe customers give a glowing endorsement to its security. This one bucks the trend and, as such, is worthy of follow up. Unfortunately, despite being taken at a user conference it is unlikely to be part of a larger study.
The mainframe is a key target for experience hackers. That is because of the monetary value of the data on it. The lack of successful or at least publicised attacks means its security is better than other systems. However, regulations are not just about being hacker proof. It will be interesting to see if IBM responds to this survey with GDPR guidance for customers on how they should secure data on its mainframes.