What's next for mainframe security?
- By Ray Overby
- Jan 18, 2019
Of all the industries that I’ve worked with to provide mainframe security support, government is often the one most vulnerable to cyberattacks.
Part of the problem is that government systems are aging rapidly. It’s probably not news that government IT systems are old and in need of modernization. But, it’s also a growing security risk.
While agencies are making strides to modernize their systems and open access to government data for public use, they aren’t paying close attention to the hidden risks that can lead to data exposure -- threats like bad code in mainframe operating system software.
That should be seriously concerning to everyone. A breach of any government IT system could expose personal information of agency workers and U.S. residents, or spell disaster more broadly.
So, what's on the horizon for government cybersecurity and mainframe security? Here are a couple of trends we’re keeping an eye on as we move into the New Year.
1. Access to government data via unsecure apps introduces risk.
In the interest of offering a wider and more-modern range of public services to their constituents, agencies are exposing more data stored in government mainframes to people through the cloud and mobile apps. That’s great for users, but not great for security if proper steps aren’t taken to protect the data.
The ability to access tax returns or Social Security information from a phone is a strong draw even though, most of the time, there hasn’t been enough work done to protect that information as it travels through the cloud to the phone. Some of these mobile apps are also archaic in terms of design and security -- it’s like taking a mainframe interface and popping it onto a web application.
Is it the government’s job to make sure that the apps on phones are secure? Not necessarily, as agencies’ main responsibility is to meet compliance requirements to ensure that environments with integrity exist to store sensitive data. But, to date, there’s not much advocacy for better IT security standards for the apps that access and expose government data. That must change this year.
2. Excessive access issues will open the mainframe to massive risk.
There’s a pervasive lack of integrity when it comes to the cloud and other platforms that are hard to secure. Government agencies are increasingly moving secure data onto cloud solutions, a recent trend that brings new risks. Organizations that rely on cloud-based platforms can unknowingly create an easy path to their mainframe and other data sources because they aren’t dealing with the excessive access issues they have. The more people that have unnecessary access to mainframe data, the greater the risk.
Between 2016 and 2018, the number of cloud data breaches increased almost 300 percent, and this will only get worse in the coming years. It’s important to remember that agencies can’t have security without integrity, and government is currently struggling with both.
3. Ignorance will continue to be the biggest threat to mainframe security.
There’s a culture of complacency around mainframe security. Many government organizations are lulled into a false sense of security when it comes to their mainframes. They may believe that since the mainframe is known as the most securable platform, it doesn’t require as much security attention as the network or open systems. The thing is, the mainframe really must be treated like any other platform when it comes to security.
Still others deny that fundamental security issues -- like the type of vulnerabilities that crop up when poorly written code is introduced into mainframe operating systems -- even exist. They believe that authentication management or configuration compliance is enough to keep the mainframe secure. The unfortunate truth is that a single code-based vulnerability could bring an entire organization to its knees, exposing massive amounts of personally identifiable information and creating a bureaucratic nightmare in the process. These vulnerabilities will continue to threaten data security in 2019.
4. The mainframe industry will become more entrenched in the conspiracy of silence.
Part of the challenge when it comes to finding and fixing vulnerabilities is that mainframe vendors don’t want to talk about vulnerabilities in their products. Some go as far as pushing back when threats are brought to their attention, and they certainly don’t publicize their risks. To add to the complexity, companies that rely on mainframes also don’t publicize if they’ve been hacked, so it’s difficult to share information and determine the extent of mainframe exposure. That’s what I like to call the conspiracy of silence.
In the past, those vendors have defended their tight-lipped approach to recording mainframe vulnerabilities by saying it’s “what the customers want.” Now, to justify continuing to conceal these vulnerabilities, they’re saying the industry is too niche to warrant any public, organized vulnerability reporting. This will hurt everyone in the long run, making it even more challenging for government organizations to locate and patch vulnerabilities in their mainframe systems.
Government also has the power to enact some changes that could help secure the mainframe environment, from modernizing its own vulnerability management processes, to setting up watchdogs that would advocate for vulnerability disclosure throughout the industry.
Ray Overby is a co-founder and president of Key Resources Inc.