Mainframe's midlife crisis: Security

Computerworld - Twenty years ago, mainframes sat in tight glass houses, accessed by a limited list of select employees. Today, mainframes remain a mainstay of enterprise operations. All predictions of the mainframe's imminent demise have disappeared as quickly as those predicting the end of brick-and-mortar retailing. In fact, industry sources estimate that 30 billion Cobol transactions occur daily; that's more than the number of Web page hits in the same time period.
In today's enterprise, mainframes have shattered their glass houses and are accessible by a variety of network services. In addition to conventional users of core CICS or IMS-based transactions, large organizations (including many financial services companies) are shifting applications from Wintel to Linux on the mainframe to save costs and increase performance and reliability. And Web-based applications hosted on the mainframe's Linux or Unix environment enable millions of customers to access the core transactional data needed to conduct business.
With so much traffic from so many sources -- and new government regulations aimed at consumer privacy and corporate diligence -- it's time for companies to rethink how they secure the mainframe.
Fatigue, inexperience and overconfidence trump security
Marooned on islands, with limited outside connectivity, mainframes have always been relatively easy to administer and secure. It wasn't uncommon for an organization to literally have one mainframe technician per user. Now, it's one technician per 1,000 users. Across our customer base of more than 300 large companies, we're seeing the trend: Experienced mainframe help is overworked and hard to find. You can't just plug in a firewall administrator and expect him to find his way around a spaghetti works of applications and services that were written before that administrator was even born.
In addition to increased connectivity and staff scarcity and knowledge, one of the largest challenges for mainframe security is complacency and overconfidence. Most companies assume that mainframes are secure, simply because of their glass-house heritage. I recently visited a very large European bank that boasted about mainframe security. I made the wrong assumption; with so many applications hosted on the mainframe, it was relatively easy for an insider to abuse and compromise the system. Sensitive data could be copied, records deleted, and all traces of this activity could be removed.
In particular, mainframes are vulnerable to three major types of threats:

1. Malicious data access: Hackers and trusted users have increased potential to access the mainframe's core data repository just like any other platform. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and other standards all point to the need to protect data accountability and integrity. The mainframe can't be an exception.


2. Self-inflicted mistakes: A generation of mainframe masters is quickly retiring, and less qualified or less experienced technical staffers (often rushed and overworked) can inadvertently change code or settings to open up holes or deliver too much authorization to the system.


3. Aged software: The strength of the mainframe is that you can continue to run the old reliable software without too much maintenance. But even mainframe software needs checks, patches and updates to close gaps or simply improve security.

1 2 Next page Comments () Print What is Tech Briefcase? TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more Bookmark content Speed up your research efforts with content across the web. Search and Store Find the white papers you need. Create folders for any topic. View Anywhere Open your briefcase on your iPhone, tablet or desktop. Share with colleagues. Don't have an account yet? From CIO.com 15 Must-Have Android Apps, According to Twitter 12 Cool LinkedIn Features You Never Knew About What Tech Issues Loom Large for Election 2012? CIOs Don't Need to Be Business Leaders From CSO Online Inside online black markets A security checklist for SaaS, IaaS and PaaS clouds Security at the scene of the crime 7 great movies about social engineering Additional Resources WHITE PAPER Enter the Security KnowledgeVault Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority. Read now. WHITE PAPER Cut Communications Costs Once and for All New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs. Read now. Top Stories Microsoft's upgrade plans will test IT pros Google's Motorola buy seen boosting Android in workplace Cisco takes its lumps, keeps developing video meeting tools Apple CEO Tim Cook passes up $75M Free Insider Guide Excel 2010 Cheat Sheet Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more. Register for FREE now! » Security White Papers Driving Secure Enterprise File Sharing and Syncing in the Enterprise GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end... The Enterprise File Sharing Option Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do... Security Strategies to Virtualizing Internet-Facing Applications The IT organization at Intel has set a goal to transition their enterprise to a private cloud for their Office and Enterprise applications.... Cloud Security Planning Guide Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different... Cloud Security Vendor Round Table This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions... All Security White Papers Security Webcasts Live Webcast Data Privacy and Protection in Production Environments: New Research from Ponemon Institute Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... Data Privacy and Protection in Production Environments: New Research from Ponemon Institute Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... Security Certifications 101 - BlackBerry and all those acronyms what do they mean and why they matter? FIPS, Common Criteria, CAPS, AISEP, NFC, NIST, Fraunhofer SIT, CESG, DSD - these are just some of the government and industry certifications which... BlackBerry PlayBook OS 2.0 Security Overview The presentation provides an overview of BlackBerry PlayBook OS 2.0 security capabilities and features, including: BlackBerry® Balance™ technology, BlackBerry® Bridge, data-at-rest protection, and... BlackBerry NFC Security Overview The presentation on NFC security will provide an overview of the security protections built into the BlackBerry platform to protect users, application developers... Playing Defense: Staying on Top of Your Disaster Recovery Game When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts Newsletter Sign-Up Receive the latest news test, reviews and trends on your favorite technology topics Choose a newsletter Computerworld Daily News Security Virus and Vulnerability Roundup Security: Issues & Trends Industry Tech: Communication Carriers (ISP, Telecomm, Data Comm, Cable) Tech: Computer/Network Consultant Tech: E-commerce/Internet Tech: Manufacturing - Hardware/Software Tech: Retailer/Distributor/Wholesaler (computer-related) Tech: Service Provider (MSP, BSP, ASP, ESP, Web Hosting) Tech: VAR/VAD/OEM Tech: Other Non-Tech: Advertising/Marketing/PR/Media (Publishing, Broadcast, Online) Non-Tech: Aerospace/Defense Contractor Non-Tech: Agriculture/Forestry/Fisheries Non-Tech: Business Services/Consultant Non-Tech: Construction/Architecture/Engineering Non-Tech: Education Non-Tech: Finance/Banking/Accounting Non-Tech: Government - Federal (including Military) Non-Tech: Government - State/Local Non-Tech: Healthcare/Medical/Pharmaceutical/Bio-Tech Non-Tech: Insurance/Real Estate/Legal Non-Tech: Manufacturing & Process Industries Non-Tech: Mining/Oil/Gas Non-Tech: Retailer/Wholesaler/Distributor (non-computer) Non-Tech: Travel/Hospitality/Entertainment/Recreation Non-Tech: Transportation/Utilities (Energy, Water, etc.) Non-Tech: Other Job Title IT Management: CIO, CTO, CSO IT Management: Executive VP, Senior VP IT Management: VP IT Management: Director IT Management: Manager IT Management: Supervisor IT Management: Systems Integrator IT Management: Technical Consultant Business Management: CEO, COO, Chairman, President Business Management: CFO, Controller, Treasurer Business Management: Executive VP, Senior VP, VP, GM Business Management: Director, Manager Business Management: Other Corporate, Business Manager Business Management: Consultant (Non-Technical) Other: IT Staff Other: Non-Manager Company Size 20,000 or more 10,000 - 19,999 5,000 - 9,999 1,000 - 4,999 500 - 999 100 - 499 50 - 99 Less than 50 Country United States of America Afghanistan Albania Algeria Amercian Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia-Herseg Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Cook Islands Costa Rica Cote DIvoire (Ivory Coast) Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland-Malvinas Faroe Islands Fiji Finland France French Guiana French Pacific Islands (French Polynesia) French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Great Britain Greece Greenland Grenada Guadeloupe Guam Guatemala Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Holy See (Vatican City State) Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jordan Kazachstan Kenya Kiribati Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives (Maldive Islands) Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Metropolitan France Mexico Micronesia, Federated States of Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island North Korea Northern Mariana Islands Norway Oman Pakistan Palau Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Islands Poland Portugal Puerto Rico Qatar Reunion Romania Russian Federation Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and the South Sandwich Islands South Korea Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Islands Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand The Democratic Republic of the Congo Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates United States of America United States Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Viet Nam Virgin Islands (American) Virgin Islands (British) Wallis and Futuna Islands Western Sahara Yemen Yugoslavia Zaire Zambia Zimbabwe US State Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware District of Columbia Florida Georgia Hawaii Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana Maine Maryland Massachusetts Michigan Minnesota Mississippi Missouri Montana Nebraska Nevada New Hampshire New Jersey New Mexico New York North Carolina North Dakota Ohio Oklahoma Oregon Pennsylvania Rhode Island South Carolina South Dakota Tennessee Texas Utah Vermont Virginia Washington West Virginia Wisconsin Wyoming Puerto Rico Virgin Islands Guam American Samoa U.S. Minor Outlying Islands Armed Forces Africa Armed Forces Americas AA Armed Forces Canada Armed Forces Europe AE Armed Forces Middle East AE Armed Forces Pacific AP Subscribe View all newsletters | Privacy Policy IT Jobs See All Jobs Post a job for $295 Go Jobs by SimplyHired Security White Papers | All Security White Papers Driving Secure Enterprise File Sharing and Syncing in the Enterprise Security Strategies to Virtualizing Internet-Facing Applications Cloud Security Vendor Round Table Cloud Security Insights for IT Strategic Planning Creating the Enterprise-Class Tablet Environment Optimizing and Securing Citrix XenApp and Xen Desktop Ready Your Enterprise for the Next Generation of Client Computing Streamlined Data Protection - The Pain of Managing Tape Backups in Branch Offices How much security do you really need? Security Strategy Roadmap for Cloud Computing The Enterprise File Sharing Option Cloud Security Planning Guide Planning Guide - Technology for Tomorrow's Cloud Demonstrate PCI Compliance through Better Change Management Securing the Cloud IT Managers Face Security, Management Challenges with Proliferating Mobile Devices How to Improve Disaster Recovery for the Enterprise: Obtaining Fortune 500 Security without Busting your Budget Strategies for Assessing Cloud Security Best Practice Guide "Taking a Proactive Approach to Patch Management" Sponsored Links Master the cloud with the power of convergence from HP Connect with IT leaders redefining mobility at the Enterprise Mobile Hub Easily create and manage custom iPad & iPhone apps for your business. Check out a smart way of mobilizing your business with enterprise-ready Samsung Mobile. Splunk translates machine data into "aha" moments for IT and the business. New! Diskeeper Corporation is now Condusiv Technologies. Visit Our New Website For More Information! Free SAP paper on managing mobility at the app level. Get yours today! BlackBerry® Mobile Fusion. Different mobile devices. One platform. Visit the Virtually There Learning Page to learn how to use virtualization to your competitive advantage. Free Whitepaper : Why Phones Are the Leading Authentication Device Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class Cognizant. Leading in Business, Application & Technology Services Webinar: A Practical Approach for Using DLP to Manage Risk to Information Assets Virtualizing Your Infrastructure Just Got Easier MIT Sloan Executive Education. innovation@work Tolly Performance Report  "Citrix NetScaler with nCore Outperforms F5 BIG-IP" ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience "The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management IT works better together with HP Converged Infrastructure. Better, more meaningful EMR/EHR solutions from Kodak Document Imaging. Elevate storage agility and efficiency with HP 3PAR storage. Easily create and manage custom iPad & iPhone apps for your business. Redefine your data center with HP servers. Protect against cyber attacks with a cybersecurity degree from UMUC. Technology for Tomorrow's Cloud Earn the law degree that works for I.T. management. Over 1,300 Grads. Simplify your data center with HP. Download the case study now. Learn the best approach for SMB data protection Join us for an upcoming Microsoft 365 live online demo event. Discover your easiest path to unified communications FREE SSCP Webcasts - overview of each domain and how to study for the exam. Protect your data now and down the road. Use LTO-5 Tape! Connect with global CIOs now at Enterprise CIO Forum Download Microsoft's latest Data Protection Management tool Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show "The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management Resource Center See your link here Skip to top About Us Advertise Contacts Editorial Calendar Subscribe to Computerworld Magazine Help Desk Newsletters Jobs at IDG Privacy Policy Reprints Site Map Ad Choices The IDG Network: CFOworld CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World Copyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.