
Mainframe Security: Good Enough for the 21st Century?

8/8/2019 Mainframe Security, http://slidepdf.com/reader/full/mainframe-security
Advanced Software Products Group, Inc. | (800) 662-6090 | (239) 649-1548 | www.aspg.com

Security, a watchword of the 21st century, has been strong in mainframe shops for at least the past twenty-five years. Products such as RACF and Top Secret have served as bulwarks of that security. The centralizing aspect of the mainframe has also helped provide a secure environment for an organization’s data. Yet, we all know that no matter how strong the security, it can be broken by someone with sufficient motivation, talent, time and expertise. Fortunately, one needed an inordinate amount of time, talent and expertise to penetrate the twentieth century mainframe, sitting alone in its isolated, air conditioned, locked quarters, served by operators around the clock, understanding a language all its own.

The mainframe has company

But, as Bob Dylan sings, “the times they are a-changin”. Today, the mainframe is not alone. It is the hub of a network of all sorts of computers: PCs, Unix boxes, other mainframes. Web-based front end products, such as IBM’s WebSphere or BEA’s WebLogic, bring the Internet right to the front door of the mainframe. And, as even the layman knows, the Internet is the home of the hacker. A determined, smart programmer in Botswana could use his Internet connection to hack into the mainframe of an international bank in New York City. And that, my friend, could be fatal to the bank since most banks – nay, most Global 2000 companies – keep their vital data on the mainframe. My account information is there, as is yours. The bank’s accounting records are there. The data it needs to report to the government is there. Employee records are there. In short, anything essential to the bank’s health and well-being is there.

It’s a partner-centric world

Not only is the mainframe connected. Companies are connected also. That New York international bank may have a company in Iowa handle its credit card processing, or use a call center in the Philippines. These connections usually involve an interchange of data. The bank may send files from its mainframe to the partner via FTP (File Transfer Protocol) or express ship the files on magnetic tapes every night. Once those files leave the mainframe another security mechanism has to be in place - a mechanism that can be used by the bank in both sending to and receiving data from its partner – or you risk a security breach.

The government has a say

If business reasons are not enough to make you reconsider the security of your mainframe data, there is always Uncle Sam. If you’ve visited your doctor since mid-April, you were given a form about HIPAA (Health Insurance Portability and Accountability Act) to sign. You probably signed it without reading it line by line. Your doctor, not wanting to go to jail or pay a fine, did more than scan the law and its associated Security Rule. HIPAA spells out requirements for electronic healthcare transactions, your privacy, healthcare information security and enforcement mechanisms. The penalties for not meeting the requirements can be severe.

But HIPAA is not the only security-related mandate our government has issued. If you’re a university, you have to comply with FERPA (Family Educational Rights and Privacy Act) and PPRA (Protection of Pupil Rights Amendment) and protect a student’s records from unwarranted disclosure, or risk losing federal funds. If you run a bank, a credit union or a financial services company, read up on the Gramm-Leach-Bliley Act, or pay the piper should you not ensure the confidentiality and security of your customers’ information. The recent financial scandals involving Enron and others have resulted in the Sarbanes-Oxley Act, which makes it a crime for any company to, among other actions, impair an object’s integrity. Do you do business in Europe? The European Union Privacy Directive 95/46 makes privacy a basic human right. And the list goes on. Be in a position where a hacker can violate the privacy of someone in your files and you could lose government funding, wind up in jail or pay a large fine.

The old security is no longer sufficient

What’s a mainframe user to do? Your mainframe is connected to more vulnerable computers. Your company’s mainframe data is transmitted over insecure wires to partners. You must comply with various government mandates for security and privacy. Sure, RACF and firewalls make it difficult for someone to penetrate your mainframe. But, RACF and firewalls were built by fallible mortals just like you and me, as was all of the software running on that mainframe. Your mainframe can be penetrated, and the penetrator need not be someone outside your organization; he may be a disgruntled insider.

You have to make it harder and more costly for the attacker

Fraud is a fact of life. It has existed from the very first days of one person trading with another. Your best security protection is to make the cost of illegally obtaining confidential data greater than the benefits to be achieved by so doing. You want to protect as many of your vulnerable areas as is feasible and understand what the risks are if one of these vulnerabilities is breached by an attacker. Security control products and firewalls offer protection against system access. But, like any security system, they can’t offer 100% protection. So, you want to make the job of the attacker harder and more costly. One way many concerned mainframe users are doing just that is via cryptography, i.e., the encrypting of data so that it cannot be deciphered (decrypted) without access to a key that specifies how the data is encrypted. If security is penetrated, the attacker will not be able to readily understand the information she has accessed. The cost and difficulty to the attacker of achieving her goal of accessing intelligible confidential data has risen considerably, to your benefit and her detriment.

Cryptography is helping mainframe users today

While cryptography has been around for millennia (the ancient Egyptians and Arabs used it), its use on the mainframe is relatively new due, I suspect, to the assumed security of the mainframe. However, recent events in both the computer and “real” worlds have led forward thinking organizations to question just how secure their mainframes are and to turn to both hardware and software cryptography products to improve their security capabilities.


IBM offers a hardware solution, the Cryptographic Coprocessor, which is coupled with an OS/390 component, the Integrated Cryptographic Service Facility (ICSF). But, in the view of a Mid-Western health insurer, it’s quite complex, requiring them to bring in consultants to implement it. So, organizations turn to a software solution.

Today, there are fewer than a handful of software products available to the mainframe user. The most popular of these products is MegaCryption from Advanced Software Products Group (ASPG) of Naples, Florida. Its popularity is due to its addressing the three critical areas referred to above: connecting with the non-mainframe computing world, dealing with a range of business partners and complying with government mandates. Let’s look at how MegaCryption deals with these issues.

It really is an enterprise data center…

The Global 2000 organization that has only a mainframe computer is a rarity today. The mainframe is almost always accompanied by a UNIX or PC network, often by both. The mainframe is the workhorse, the network is used for communications and desktop applications. To state it boldly, these non-mainframe computers are more vulnerable than your mainframe. Every time your mainframe interchanges data with these other computers your risk level is increased. Fortunately, because cryptography has been around for a long time, cryptography standards, primarily the OpenPGP standard, exist. MegaCryption recognizes this and fully supports the OpenPGP standard; it can send and receive encrypted files that comply with this and other standards. Thus, you’ve strengthened the security of any data leaving from or coming to your mainframe, raising the cost to the attacker.

Additionally, MegaCryption encrypts your data at the file level and, thus, protects the data both prior to and after any transmissions complete. Solutions that encrypt only at the communications level fall short of complete protection because once any data is transmitted, you then have lost control of it and it is in the clear.

…and partners communicate back and forth

“MegaCryption gives us freedom,” says a system programmer from a major university in the Northeast. “We can easily deal with business partners by sending them self-decrypting files or files that conform to international cryptographic standards.”

A state government was afraid to send data to its partners via FTP, but the need to communicate electronically made it necessary. Now MegaCryption enables them to ratchet up their protection by first encrypting the data on the mainframe and then sending it via FTP.

A medical insurer avoided using FTP to send their files to partners; they sent tapes even though it was costly and insecure, but not, in their opinion, as insecure as FTP. MegaCryption allows the insurer to send its encrypted files via either FTP or tape, as tapes can now be ‘sealed’ so that any tampering with them can be readily detected by the insurer.
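The two properties the paper attributes to file-level encryption, that the file stays protected before and after the transfer (unlike link-level encryption, which leaves it in the clear at both ends) and that a ‘sealed’ file reveals tampering, can be shown in a few dozen lines. The following is an added illustration, not MegaCryption code and not an OpenPGP implementation; it assumes a hypothetical container format (`SEALED01` header, nonce, ciphertext, HMAC tag) and, so that it runs on the Python standard library alone, uses a keystream derived from HMAC-SHA256 in counter mode in place of the standard algorithms a product would use. The encrypt-then-MAC layout and the verify-before-decrypt rule are what carry over to real deployments.

```python
"""
File-level encrypt-then-seal: the blob this produces is what would be written
to disk, put on tape or sent by FTP, so the record is never in the clear
outside the two endpoints, and any modification of the blob fails the seal.

Added example (not MegaCryption, not OpenPGP). The cipher is a PRF keystream
(HMAC-SHA256 in counter mode) chosen only so the example runs without
third-party libraries; a real deployment uses a standard cipher instead.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"SEALED01"   # hypothetical container header
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output length


def _derive_keys(master_key: bytes) -> tuple:
    """Derive independent encryption and sealing keys from one master key."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"seal", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream = HMAC(enc_key, nonce || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_file(plaintext: bytes, master_key: bytes) -> bytes:
    """Encrypt under a fresh nonce, then MAC header + nonce + ciphertext."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    body = MAGIC + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_sealed_file(blob: bytes, master_key: bytes) -> bytes:
    """Check the seal BEFORE decrypting; any tampering raises ValueError."""
    if len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a sealed file")
    enc_key, mac_key = _derive_keys(master_key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("seal check failed: file modified on tape or in transit")
    nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = body[len(MAGIC) + NONCE_LEN:]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_is_detected(plaintext: bytes, master_key: bytes) -> bool:
    """Flip one ciphertext bit, as a damaged or altered tape might, and confirm detection."""
    blob = bytearray(seal_file(plaintext, master_key))
    blob[len(MAGIC) + NONCE_LEN] ^= 0x01
    try:
        open_sealed_file(bytes(blob), master_key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(32)                                # constructed key, shared out of band
    record = b"ACCT 0001234567 BALANCE 1050.00\n"        # constructed sample record
    sealed = seal_file(record, key)                     # this blob goes to disk/tape/FTP
    assert open_sealed_file(sealed, key) == record
    assert tamper_is_detected(record, key)
    print("round trip ok, tampering detected")
```

Because the seal is checked before any decryption, a partner receiving a modified file learns that it was altered rather than silently processing corrupted data; the same blob is equally protected sitting in an FTP spool, on a tape in a courier’s van, or on the partner’s disk after arrival, which is the point of encrypting the file rather than the link.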

MegaCryption is especially strong in supporting our current partner-centric world, no matter which computer environment your partner uses. If your partner is another mainframe user, he can use MegaCryption’s mainframe decryption software to decipher your encrypted files at no cost to him. If your partner uses PCs, he is supplied with free decryption software. A Unix partner can use GnuPG, a freeware product, to encrypt and decrypt partner files with a MegaCryption user.

MegaCryption also supports partners who have no decryption software installed. The systems manager of a large MidWestern state university really appreciates this capability, “As the major employer in our area, we deal with a lot of smaller companies who have hardly any computer staff. To ask them to install software is like asking them to lend you an arm. The self-decrypting file feature of MegaCryption makes our partner’s life easier. That’s one of our goals.”

You have to comply with government mandates

“It’s a no brainer,” says the security chief of a Southwestern financial services company. “We have to comply with Gramm-Leach-Bliley. It’s as simple as that. I wanted something that would make us compliant as quickly as possible. MegaCryption was it.”

The preceding comments are not unique. You hear them from more and more organizations as they become more aware of their mainframe’s vulnerability and the consequent risk of penalties for violating government mandates. An Application Development Manager for a MidWest insurer had been advocating for greater mainframe security via encryption for years to no avail. HIPAA made his arguments moot; the company had no choice. They opted for MegaCryption as the most effective way to meet their legal obligations.

Security control products, firewalls and cryptography for 21st century protection

Security control products such as RACF are still one of the mainframe user’s best friends. The rise of networks and the Web have made firewalls mandatory for the enterprise data center. But, hackers and disgruntled employees can be very ingenious and determined. Another level of security is needed for the 21st century mainframe so that, if your security control or firewall is penetrated, the attacker will not be able to understand the data in your files. Cryptography provides that level.

Forward looking mainframe users have opted for MegaCryption as their cryptographic solution because it’s simple to install and use, extremely comprehensive and flexible (it supports a variety of standard encryption algorithms and both symmetric and asymmetric ciphering) and, most importantly, its performance is outstanding.