Modernising Mainframe Protection in a Hybrid IT World

Why traditional mainframe security controls are no longer effective

CA Southern Africa, the sole sub-Saharan Africa representative of CA Technologies, a Broadcom company, has placed a spotlight on the need for the modernisation of mainframe security.

“Typical mainframe security controls include identity and access administration monitoring, augmented by complex passwords,” says Dolf Snyman, CA Southern Africa, Account Director. “However, these are inadequate security measures in today’s hybrid IT world and do not cater for multi-factor authentication, configuration compliance, privileged user management, data classification and assessments beyond auditors’ checklists,” he adds.

Snyman explains that mainframes operating in a hybrid IT environment are faced with more threat vectors due to new vulnerabilities being introduced via the digital economy. “Today’s mainframe security landscape is a far more expansive and perilous place due to issues including broad connectivity coupled with often poorly tracked or monitored bulk data movement. Add to that insider threats from malicious users through to well-intentioned but ill-informed employees, broad access through shared data and increasingly stringent regulatory requirements and you have just some of the headaches facing mainframe management executives.”

The Imperative: Modern Mainframe Protection

He stresses that risks must be identified by leveraging data using analytics.  “A set of best practices needs be implemented to provide protection throughout the entire security lifecycle. These include security assessments to identify gaps and fill them plus automation and simplification of health checks. CA’s range of products including CA Advanced Authentication Mainframe/ESM; CA Cleanup; CA Trusted Access Manager for Z; CA Data Content Discovery and CA Compliance Event Manager, combine to deliver a comprehensive array of solutions that cover all aspects of the security lifecycle.

“CA Trusted Access Manager for Z helps reduce the risk of insider threats that can lead to data loss and system outages. It does this by streamlining the management of privileged identities on the mainframe. CA (Broadcom) TAMz is the only solution that supports all three of the commonly used mainframe security products, namely, CA Top Secret, CA ACF2 and IBM RACF.”

Just in Time Access

The concept of Just-in-time (JIT) hails from the manufacturing sector through the search for a method of eliminating waste – the goal was to get only what you need when you need it. Applying JIT in security risk management ensures users have the right amount of access, at the right time, for the right duration.

Authorised users can be elevated to a privileged state to perform system tasks. “Upon completion, the user de-elevates or has privileged entitlements automatically removed when the set time box expires. Privileged access that is attached to a particular ID poses a risk to the organization,” says Snyman.

He explains that should a user make a change to a system file this can cause problems days/weeks, or even months from the date of the initial change and make it harder to diagnose problems. “If an ID is compromised or has access to more than is necessary to fulfil the business task – this leads to further damage. TAMz elevates users’ IDs. There are no pooled IDs/ Firecall /Superman IDs, TAMz ensures that regulated or sensitive data is not available to users who have privileged status. Users can justify elevation requests and obtain access to only the resources they need to do the job. Moreover, a full audit trail is created. Control of cryptographic keys under Trusted Access Manager grants access only to individuals with a legitimate business requirement to read the data.”

Control is the name of the game notes Snyman. “CA products and prescribed best practices provide the necessary controls to minimise risk and deliver comprehensive mainframe security and subsequent peace of mind,” Snyman concludes.