Resolve to Keep Your Mainframe Secure in 2012
12 resolutions to address technology and human challenges
January 10, 2012
By Gabe Goldberg
Whether Santa just brought you a zEnterprise System or your workload is happily humming along on a previous—still very productive and cost-effective—technology generation, the arrival of a new year is always a good time for mainframers to review and renew essential security resolutions.
The most fundamental resolution is to understand that technology represents only part—perhaps less than half—of your infrastructure, network and database vulnerabilities. The other, often neglected, risks arise from human actions and frailties.
A key resolution spanning technology and human issues is to involve the mainframe's top-to-bottom management structure in security awareness, understanding and support. You needn’t tell them about every OS security patch applied but this does involve educating them on long-time inherent mainframe strengths and how your overall infrastructure, policies and practices avoid compromising them.
And now, some specific to-do resolutions:
1. Encrypt. It shouldn't be surprising that sensitive, proprietary, valuable and personal information must be encrypted. But the devil—and value—is in the details. Ad hoc self-service encryption is haphazard and error prone, so don’t just rely on a "Thou shalt encrypt" edict. Centralize encryption and key management, and push mandatory encryption to end-point devices wherever data originates, resides or arrives. That’s the only way to avoid problems when laptops, USB drives, smartphones and tablets go astray, and ensure end-to-end protection of data both at rest and in motion.
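Resolution 1 calls for centralized key management with encryption pushed out to the devices where data lives. The Go program below is an added example, not code from the article or from any IBM product: it shows envelope encryption, the pattern behind that advice. A fresh data key protects each record, and the data key itself is wrapped under a master key that never leaves a central service, so a lost laptop or USB drive holding only the envelope yields nothing without a call back to that service. `KeyService` is a hypothetical in-process stand-in for a real key manager, the context label is an assumed convention, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical stand-in for a central key-management
// service (constructed for this example). The master key never leaves it;
// endpoints only ever hold data keys wrapped under that master key.
type KeyService struct {
	masterKey []byte // 32 bytes => AES-256
}

// NewKeyService generates a fresh random master key.
func NewKeyService() (*KeyService, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyService{masterKey: k}, nil
}

// Envelope travels with (or is stored beside) the data: the ciphertext
// plus the record's own data key, itself encrypted under the master key.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts with AES-256-GCM, binding aad as associated data, and
// returns nonce || ciphertext || tag.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; any change to ciphertext, tag or aad fails.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt does envelope encryption: one fresh data key per record, the
// record sealed under the data key, the data key sealed under the master
// key. The context label is bound into both layers so an envelope minted
// for one purpose cannot be opened under another.
func (ks *KeyService) Encrypt(plaintext []byte, context string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := sealWith(dataKey, plaintext, []byte(context))
	if err != nil {
		return nil, err
	}
	wk, err := sealWith(ks.masterKey, dataKey, []byte(context))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wk, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then opens the record.
// A device holding only the Envelope cannot do this step on its own.
func (ks *KeyService) Decrypt(env *Envelope, context string) ([]byte, error) {
	dataKey, err := openWith(ks.masterKey, env.WrappedKey, []byte(context))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openWith(dataKey, env.Ciphertext, []byte(context))
}

func main() {
	ks, _ := NewKeyService()
	// Constructed sample record, not real data.
	env, _ := ks.Encrypt([]byte("employee 1234: salary 72000"), "hr-payroll")
	pt, err := ks.Decrypt(env, "hr-payroll")
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	_, err = ks.Decrypt(env, "marketing-export")
	fmt.Println("wrong context:", err)
}
```

Because every data key is wrapped under the master key, rotating or revoking the master key at the central service invalidates every envelope at once, which is the operational lever the article's "centralize encryption and key management" advice is after.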
2. Track and apply security-related software and hardware patches. This too should already be standard operating procedure. But ensure you're receiving, centralizing and processing notices and updates/patches from all vendors with a mainframe presence. That is, don’t let individuals responsible for mainframe components black-hole warnings or patches.
3. Defend the perimeter. As the employee “bring your own technology” (BYOT) trend launches a tidal wave of random gadgets connecting to the mainframe, layered security becomes ever more essential. Like the military strategy medieval castles are based upon, use multiple nested perimeters to resist attack. Centralized measures alone—passwords, encryption, processor features such as storage protection keys and software protections like a resource access control facility (RACF)—aren’t adequate. A malware-contaminated USB drive casually connected to a computer inside network protections can launch devastating attacks damaging or destroying resources, and compromising data. An unpatched or misconfigured firewall or router can be a welcome mat instead of a raised drawbridge.
4. Audit. The best intentions, technology, policies and practices lose effectiveness if they’re not monitored and refreshed. Too often, measures implemented after a security review fade away as complacency sets in. Periodic informal, internal and external audits can reveal gaps, shortcomings and new areas needing attention. Don't fall into the "us vs. them" mindset regarding auditors; it’s much better to hear bad news from them than your CEO, the news media or law enforcement.
5. Establish, enforce and review coherent and consistent policies. The more straightforward employee instructions are, the better they’ll be followed. And keeping them updated to track technology/infrastructure changes ensures they're meaningful and less likely to be ignored. But keep them broad, indicating goals and strategies, rather than describing settings of specific device front panels, for example; address these sorts of issues with easier-to-change operational instructions. Don’t muddy long-term strategic policies with transient tactical details.
6. Awareness. Start simple and remind people that security matters. This needn’t be heavy-handed or draconian. But it really is everyone’s job to implement and preserve security. In different ways, everyone—application developers, network engineers, system administrators, managers, procurement/contracts staff—should do their jobs with security in mind and immediately report anything that might compromise it.
7. Educate. Don't think that "Be secure!" exhortations suffice. Help staffers learn what's needed in their jobs to support security and to understand their activities in the broader enterprise context. This can involve continuing education, certifications, webinars, user groups, professional societies, etc. A stellar information protection and IT security resource is InfraGard (www.infragard.net/). A partnership between the FBI and the private sector, it’s an association of businesses, academic institutions, state and local law enforcement agencies and others.
8. Motivate honesty and disclosure. Include security awareness and behavior in regular performance reviews. Reward compliance with requirements and especially highlight proactive employee measures that enhance security or bring attention to deficiencies. Never "shoot the messenger" or deny reality when shortcomings are identified; that’s the easiest way to undermine a useful security program.
9. Defeat social engineering. Pay particular attention to possible targeted attacks directed at eliciting seemingly innocent actions that cause security breaches. Treat organization charts as sensitive material to prevent outsiders from learning which individuals have compromise-worthy positions. Impose strict procedures for help-desk personnel providing or resetting passwords, and remind people to be as cautious about divulging company information as they are with their own Social Security number.
10. Beware of insider threats. Probably the most unpleasant worry is that of harm deliberately done by trusted staff. So don't have an unrealistically optimistic outlook that the only threats are external. At the same time, balance precautions against the need for people to get their work done. Don't make security staff known as what my broker called his compliance department, the "Business Prevention Unit."
11. Separate duties. Requiring multiple people's actions to complete sensitive tasks specifically addresses insider threats by imposing checks and balances to reduce fraud and errors. And it shouldn’t be possible for even privileged staff to operate outside normal controls, logging and auditing.
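Resolution 11 asks for two things: sensitive tasks that need more than one person, and no way for privileged staff to step outside logging and auditing. The Go program below is an added example, not code from the article or from any mainframe product, showing both mechanisms together: a two-person rule in front of a privileged action (the requester cannot approve their own request, and execution needs a minimum number of distinct approvers) and a hash-chained, append-only audit log that records every attempt, refusals included, so that editing or deleting an entry later is detectable. `Controller`, the request IDs and the people's names are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Request is a privileged action that may not run until enough people
// other than the requester have approved it.
type Request struct {
	ID, Action, Requester string
	approvals             map[string]bool
	executed              bool
}

// AuditEntry is one line of an append-only log. Each hash covers the
// previous entry's hash, so editing or deleting a line breaks the chain.
type AuditEntry struct {
	Event, PrevHash, Hash string
}

// Controller is a hypothetical stand-in (constructed for this example) for
// the control point that sits in front of a privileged operation.
type Controller struct {
	minApprovers int
	requests     map[string]*Request
	log          []AuditEntry
}

func NewController(minApprovers int) *Controller {
	return &Controller{minApprovers: minApprovers, requests: map[string]*Request{}}
}

// record appends to the hash chain. Every path through the controller,
// including refusals, passes through here, so nobody acts unlogged.
func (c *Controller) record(event string) {
	prev := ""
	if n := len(c.log); n > 0 {
		prev = c.log[n-1].Hash
	}
	sum := sha256.Sum256([]byte(prev + "|" + event))
	c.log = append(c.log, AuditEntry{Event: event, PrevHash: prev, Hash: hex.EncodeToString(sum[:])})
}

func (c *Controller) Submit(id, requester, action string) error {
	if _, dup := c.requests[id]; dup {
		return errors.New("duplicate request id")
	}
	c.requests[id] = &Request{ID: id, Action: action, Requester: requester, approvals: map[string]bool{}}
	c.record(fmt.Sprintf("SUBMIT id=%s by=%s action=%q", id, requester, action))
	return nil
}

// Approve enforces the two-person rule: no self-approval, and each
// approver counts once.
func (c *Controller) Approve(id, approver string) error {
	r, ok := c.requests[id]
	if !ok {
		return errors.New("unknown request")
	}
	if approver == r.Requester {
		c.record(fmt.Sprintf("DENY id=%s by=%s reason=self-approval", id, approver))
		return errors.New("requester may not approve own request")
	}
	if r.approvals[approver] {
		return errors.New("duplicate approval")
	}
	r.approvals[approver] = true
	c.record(fmt.Sprintf("APPROVE id=%s by=%s count=%d", id, approver, len(r.approvals)))
	return nil
}

// Execute runs the action only with enough approvals, exactly once, and
// regardless of how privileged the operator is.
func (c *Controller) Execute(id, operator string) error {
	r, ok := c.requests[id]
	if !ok {
		return errors.New("unknown request")
	}
	if r.executed {
		return errors.New("already executed")
	}
	if n := len(r.approvals); n < c.minApprovers {
		c.record(fmt.Sprintf("DENY id=%s by=%s reason=approvals=%d/%d", id, operator, n, c.minApprovers))
		return fmt.Errorf("need %d approvals, have %d", c.minApprovers, n)
	}
	r.executed = true
	c.record(fmt.Sprintf("EXECUTE id=%s by=%s action=%q", id, operator, r.Action))
	return nil
}

// VerifyLog recomputes the chain and returns the index of the first entry
// that does not check out, or -1 if the log is intact.
func (c *Controller) VerifyLog() int {
	prev := ""
	for i, e := range c.log {
		sum := sha256.Sum256([]byte(prev + "|" + e.Event))
		if e.PrevHash != prev || e.Hash != hex.EncodeToString(sum[:]) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	c := NewController(2)
	// Constructed scenario: names and the action are made up for the example.
	c.Submit("R1", "alice", "reset password for userid PAYROLL1")
	fmt.Println("self-approve:", c.Approve("R1", "alice"))
	fmt.Println("execute early:", c.Execute("R1", "alice"))
	fmt.Println("approve bob:", c.Approve("R1", "bob"), "carol:", c.Approve("R1", "carol"))
	fmt.Println("execute:", c.Execute("R1", "alice"), "log intact:", c.VerifyLog() == -1)
}
```

In a real deployment the chain's latest hash would be periodically anchored somewhere the operators cannot write (a separate audit system or a write-once store); the in-memory slice here is only to show the check itself.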
12. Comply with regulations. Ensure that all staffers know specific requirements imposed by industry or government. For example, handling health or financial information means being subject to precise regulations for protecting data, disclosing breaches and caring for affected individuals.
Ultimately, achieving and maintaining security requires a disciplined mindset and a well-defined process. It’s a never-ending journey. As mainframe and ancillary technologies evolve and new threats arise, it's never safe to mentally check the security box and think, "Done."