Security, and System z

According to an IBM estimate, over 60% of online data resides on mainframes, so mainframe security matters to businesses of every size worldwide. Because the mainframe is seen as a closed environment, it is often assumed to be immune to risk and out of reach of attackers. Consequently, many businesses wrongly ignore threats to it.

Here's the Good News

Mainframes have a strong security record, and on System z security is designed into the platform rather than added on. For commercial-grade deployments, System z provides:

·       Consistent policy based user authentication, access control, audit and management

·       Protection of critical data with high-speed encryption and centralized key management

·       A secure foundation for enterprise cloud and consolidated workloads

·       Strengthened compliance and audit responsiveness to evolving regulations

·       Reduced operational risk, with early detection of application and network vulnerabilities

System Integrity, Too

The IBM System Integrity statement sets out design and development practices intended to prevent unauthorized application programs, subsystems and users from bypassing system security. It lays out standards to prevent programs from gaining access to, circumventing, disabling, altering or obtaining control of key system processes and resources unless the installation permits it.

IBM has a System z Security Portal, to which clients are urged to subscribe. The Security Portal’s automatic notification process gives access to the latest service information on security and system integrity for z/OS.

When a System Integrity problem is reported, IBM will investigate, and take appropriate action to resolve it. Actions may include development of fixes, identifying applicable workarounds, or recommending migration to a later release. IBM treats client information in connection with System z as confidential.

Vulnerability

A System Integrity vulnerability is the ability of an unauthorized program (one outside the installation's control) to circumvent or disable store or fetch protection, to access a resource protected by the Security Server (RACF) or another security manager, or to obtain control in an authorized state (supervisor state, a system PSW key, or APF authorization).

A security vulnerability, more broadly, is a condition in the design, implementation, operation or management of a product or service that fails to prevent an attack. Exploiting one can mean controlling or disrupting operations, compromising data (deleting, altering or extracting it), or assuming a trust level or identity that was never granted. Examples include TCP/IP or Java architectural weaknesses, Denial of Service (DoS) attacks, and heuristic or algorithm errors.

Web Services

To make them available to users outside the organization or in the consumer market, mainframe applications may be exposed as Web services. This presents both problems and opportunities.

Such users usually expect single sign-on, along with some privacy about their identity and attributes. They may also reach mainframe applications at high frequency and volume, so the mainframe's security software must adapt to that access pattern without loosening its controls.

Web services on linked non-mainframe platforms can introduce vulnerabilities: a compromised PC application can become a pathway for an attacker to reach key corporate data on the mainframe. On the other hand, a Web service layer lets the organization define a corporate-standard security policy that is applied automatically on every access. By building a service-oriented architecture (SOA) around that policy, the organization can enforce mainframe-level security across the enterprise.

Standardization also makes it easier to integrate the mainframe's Resource Access Control Facility (RACF) and encryption facilities with the Kerberos and firewall capabilities of other platforms.

By defining the right corporate security standard, based on mainframe security, and implementing it in an SOA, you can actually reduce security risk as you adopt Web services. The net result is that Web services make security harder to implement at first but, once implemented effectively, deliver more benefit.
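The "corporate-standard security applied on every access" idea above, as an added example that is not from the page or from IBM: a Go gateway that authorizes each service call against resource profiles modelled loosely on RACF semantics (a universal access setting plus an access list, with the NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER ordering) and records every decision for audit. The resource, user and group names are constructed, and the resolution rule (explicit user entry, then best group entry, then UACC) is a simplification of RACF's real checking, which has further steps such as conditional access; this is illustrative code, not RACF.

```go
package main

import "fmt"

// Access levels in ascending order, following the RACF ordering
// NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER; higher implies lower.
type Access int
const (
	None Access = iota
	Execute
	Read
	Update
	Control
	Alter
)

func (a Access) String() string {
	return [...]string{"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}[a]
}

// Profile is a simplified resource profile: UACC for everyone not listed, plus an access list keyed by user ID or group name.
type Profile struct {
	Name string
	UACC Access
	ACL  map[string]Access
}

// User is an identity the gateway has already authenticated.
type User struct {
	ID     string
	Groups []string
}

// Decision is one authorization result, kept for the audit trail.
type Decision struct {
	User, Resource     string
	Requested, Granted Access
	Allowed            bool
	Source             string // rule that produced the decision
}

// Authorize applies a simplified RACF-style check: an explicit user entry
// wins outright (so a user-level NONE overrides a generous group or UACC
// setting), else the highest access among the user's groups, else UACC.
func Authorize(p Profile, u User, want Access) Decision {
	d := Decision{User: u.ID, Resource: p.Name, Requested: want}
	if a, ok := p.ACL[u.ID]; ok {
		d.Granted, d.Source = a, "user entry"
	} else {
		best, found := None, false
		for _, g := range u.Groups {
			if a, ok := p.ACL[g]; ok && (!found || a > best) {
				best, found = a, true
			}
		}
		if found {
			d.Granted, d.Source = best, "group entry"
		} else {
			d.Granted, d.Source = p.UACC, "UACC"
		}
	}
	d.Allowed = d.Granted >= want
	return d
}

// Gateway is the single entry point every Web service request goes through, so one policy is applied on each access.
type Gateway struct {
	Profiles map[string]Profile
	Audit    []Decision
}

// Invoke authorizes before running the backend operation and records every
// decision. A resource with no profile is denied (fail closed), not exposed.
func (g *Gateway) Invoke(u User, resource string, want Access, op func() string) (string, error) {
	p, ok := g.Profiles[resource]
	if !ok {
		g.Audit = append(g.Audit, Decision{User: u.ID, Resource: resource, Requested: want, Source: "no profile"})
		return "", fmt.Errorf("%s: no profile protects %s, access denied", u.ID, resource)
	}
	d := Authorize(p, u, want)
	g.Audit = append(g.Audit, d)
	if !d.Allowed {
		return "", fmt.Errorf("%s: %s access to %s denied (has %s via %s)", u.ID, want, resource, d.Granted, d.Source)
	}
	return op(), nil
}

func main() {
	// Constructed sample policy; resource, user and group names are illustrative.
	payroll := Profile{Name: "PAYROLL.MASTER", UACC: None,
		ACL: map[string]Access{"HRADMIN": Alter, "AUDITORS": Read, "bob": None}}
	g := &Gateway{Profiles: map[string]Profile{payroll.Name: payroll}}
	read := func() string { return "payroll summary" }
	for _, u := range []User{{"alice", []string{"AUDITORS"}}, {"bob", []string{"HRADMIN"}}, {"carol", nil}} {
		out, err := g.Invoke(u, "PAYROLL.MASTER", Read, read)
		fmt.Printf("%s -> %q err=%v\n", u.ID, out, err)
	}
}
```

Two points the page's prose only implies: the explicit "bob": None entry denies bob even though his group holds ALTER, which is how a standard is enforced against individual exceptions, and a resource with no profile is refused rather than served, so a newly exposed backend is closed until someone deliberately writes policy for it.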

Tools & Counter-Measures

IBM's approach to mainframe security is layered. (This layering should not be confused with z/OS Multilevel Security (MLS), a specific feature in which RACF security labels enforce mandatory access control between data of different classifications.) Perimeter defenses (e.g., firewalls, anti-virus, intrusion detection, and cryptography via the eServer Cryptographic Coprocessor) operate as a first line against broad threats from outside.

A control layer (e.g., RACF, Tivoli Access Manager, Tivoli Identity Manager) then applies finer-grained criteria to decide whether a particular user may perform a particular function on the mainframe. Finally, an assurance layer carries out "service level fulfillment" tasks: business compliance, auditing, risk management, and security-event response.

System z security options also include PKI (Public Key Infrastructure) support to manage digital certificates, Crypto Express2 for easier migration to higher levels of mainframe cryptographic security (e.g. anti-fraud security), z/OS Intrusion Detection Services, and SSL (Secure Sockets Layer) with improved performance.

IBM's System z System Integrity Competency Center uses inspection techniques, various testing and scanning tools, ethical hackers from the Watson Research Lab, and external sources including CERT, CVE, BugTraq, and MIT. 

Best Practices

1. Prevent access to key proprietary information by unauthorized users (access control, firewalls, etc.).

2. Conduct security auditing, penetration testing, and vulnerability assessments on your network assets.

3. Encrypt sensitive data such as email addresses, social security numbers, and credit card numbers, and decrypt it only at the point of use, so that it passes safely and quickly in and out of data stores.

4. Encrypt entire files when field-level granularity is not needed to protect the data.

5. Erase sensitive data (where applicable) as soon as possible after it has been used.

6. Remove data as soon as possible to a secure facility, for archiving.

7. Consider all potential threats arising from interaction between the mainframe and different kinds of clouds.

8. Stay up-to-date via the System z Security Portal.
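Practices 3 to 5 together, as an added Go example that is not from the page or from IBM: AES-256-GCM field-level encryption of a constructed customer row, with the record ID and column name bound in as additional authenticated data so a ciphertext cannot be moved to another row or column, and a Wipe of the plaintext buffer once it has been used. The same seal and open pair covers practice 4 (whole-file encryption) by encrypting the serialized file with its name as the authenticated context instead of a record ID and column. The field names, the sample row, and the "id|field" context format are assumptions for illustration; key management, which the page lists separately, is outside the example, which simply draws a random key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a flat row keyed by field name; "id" must be present because it
// is bound into every encrypted field's authenticated data.
type Record map[string]string

// Fields that get field-level encryption; the rest stay in the clear.
var SensitiveFields = []string{"email", "ssn", "card"}

// NewAEAD builds an AES-256-GCM cipher from a 32-byte key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce (prepended to the output); aad is authenticated, not encrypted, and ties the ciphertext to its context.
func seal(aead cipher.AEAD, aad string, plaintext []byte) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, plaintext, []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; any change to ciphertext, nonce or aad fails the tag.
func open(aead cipher.AEAD, aad, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(raw) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, raw[:n], raw[n:], []byte(aad))
}

// EncryptFields returns a copy of rec with the named fields replaced by
// ciphertexts (practice 3). The context "<id>|<field>" (an assumed format)
// means a value cannot be pasted into another row or column undetected.
func EncryptFields(aead cipher.AEAD, rec Record, fields []string) (Record, error) {
	out := make(Record, len(rec))
	for k, v := range rec {
		out[k] = v
	}
	for _, f := range fields {
		if v, ok := rec[f]; ok {
			ct, err := seal(aead, rec["id"]+"|"+f, []byte(v))
			if err != nil {
				return nil, err
			}
			out[f] = ct
		}
	}
	return out, nil
}

// DecryptField returns bytes rather than a string so the caller can Wipe
// the plaintext after use (practice 5); Go strings cannot be zeroed.
func DecryptField(aead cipher.AEAD, rec Record, field string) ([]byte, error) {
	return open(aead, rec["id"]+"|"+field, rec[field])
}

// Wipe overwrites a plaintext buffer once it is no longer needed.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	key := make([]byte, 32) // a real deployment takes this from a key manager
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aead, _ := NewAEAD(key) // cannot fail: the key length is fixed above
	// Constructed sample row, not real customer data.
	rec := Record{"id": "cust-1001", "name": "A. Example", "email": "a@example.com", "ssn": "123-45-6789", "card": "4111111111111111"}
	enc, err := EncryptFields(aead, rec, SensitiveFields)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(aead, enc, "ssn")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: name=%q ssn=%q\nrecovered ssn: %s\n", enc["name"], enc["ssn"], pt)
	Wipe(pt)
}
```

For whole-file encryption (practice 4) call seal(aead, "file|"+name, data) on the serialized file and open with the same context; a renamed or relocated file then fails to decrypt. Two caveats a practitioner should keep in mind: GCM with random 96-bit nonces should not be used for more than about 2^32 messages under one key, so rotate field keys on volume, and Wipe only clears the buffer you hold, not copies the runtime or a string conversion may have made.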