I recently spoke to Scott Crawford, managing research director for Boulder, Colo.-based analyst firm Enterprise Management Associates, about compliance on the mainframe. Here’s what he had to say.
Is compliance on the mainframe more of a challenge today than it has been in the past? Why?
I think it’s a question of perception more than anything else. The reason I say that is there has long been the perception that the mainframe is inherently secure. But security professionals shouldn’t think anything is inherently secure. A lot of benefits are based on how the mainframe is managed and administered. Now there’s the challenge of bringing in a new generation of professionals to manage the mainframe. What do they understand about mainframe security and access? How far is the mainframe really extended? How much mainframe functionality is integrated with applications that have high exposure?
Do you see mainframe applications being integrated with non-mainframe apps more frequently now, and maybe more haphazardly?
We have seen a number of system integrators whose primary business focus was integrating mainframe functionality through Web services. LPARs make it possible to host a Linux environment and a z/OS environment side-by-side. It’s also possible to host many common applications in that environment whose exposures are fairly well known. What the mainframe has going for it is a culture of disciplined control and disciplined management. Centralized control gives you benefits, but the risk has to be managed in such a way to get those benefits.
Is there a certain danger around people just assuming that the mainframe is secure?
There are a lot of assumptions around inherent reliability on the mainframe. A lot of security pros come from networking and distributed computing and not as much from the mainframe. They’re not as educated about the mainframe. Even a lot of the people trained as auditors might not have the skills to recognize risks in certain areas. In some cases they might not know what they’re looking for, especially if they’re unfamiliar with the mainframe environment.
Is compliance on the mainframe harder than on distributed platforms? Why or why not?
Aspects of it are different as far as the underlying platform. You have to be knowledgeable of things like z/OS, RACF, and other products like (CA’s) Top Secret. You need to know things such as console operations and securing the console itself. But there is a lot that is alike. Securing a Linux host, for example. Those things are likely to be very similar. But the differences require special expertise.
Should IT shops with mainframes look to do compliance internally or just hire someone to do it for them?
Internally, companies need to realize that they need to make the generational transfer of knowledge and expertise. You need to manage the environment. This isn’t going to happen overnight. For external resources, you can turn to those providing tools, companies like IBM, CA and BMC, who have expertise.