security monitoring

To be honest, mainframes are pretty secure, aren’t they? We’ve had RACF and other External Security Managers (ESMs) for years. On top of that, the new z14 gives us pervasive encryption. And there are any number of logs recording what’s going on on Z, and we can run reports to see what happened yesterday. What else is there that’s going to add anything to what we’ve already got?

Well, unfortunately, there are loads of regulations that apply to mainframes that were developed in the Wild West world of distributed computing. These regulations were much needed in that more-hackable environment and now apply to all environments, including mainframes. What’s needed on the mainframe is some kind of Information Security Continuous Monitoring (ISCM) software that ensures the mainframe is even more secure and that these regulations are being complied with. I’m thinking about the kind of software that will easily display any security vulnerabilities. Software that will be able to run security diagnostic checks on the mainframe, and that can update the mainframe’s security risk status on a GUI display that makes it easy to see important information and to use. Lastly, the software needs to be able to provide simple steps to fix any security issues it identifies.

The sorts of regulations and guidelines that can apply to mainframe sites include GDPR, NIST ISCM, FISMA, PCI DSS, and DoD requirements. For many sites, Information Security Continuous Monitoring software would act as GRC (Governance, Risk management, and Compliance) software. This is software that allows publicly held companies to integrate and manage IT operations that are subject to regulation.

Your Information Security Continuous Monitoring product needs to continuously monitor your mainframe and automatically perform appropriate security checks – so it will be looking for system vulnerabilities, altered system settings, and modified operands. These are tasks that would otherwise take months to examine manually. These security scans should be based on RACF or other ESM product STIGs (Security Technical Implementation Guides), which contain optimized policy and configuration information.

In these days of peak four-hour rolling average MSU values, it’s important that the software runs with a low overhead itself and reduces the overall workload needed, and, of course, the results produced need to appear in real-time.

In the event that some change is detected, the software needs to launch automatic diagnostic routines that are able to determine what exactly the security problems and errors are; the root cause of any problems identified; exactly which components are affected; and which system issues are at the highest risk.

To ensure compliance, the Information Security Continuous Monitoring tool should adhere to the National Institute of Standards and Technology (NIST) ISCM (Information Security Continuous Monitoring) Guidelines. It should follow the Risk Management Framework (RMF). And it should run security diagnostic scans based on Defense Information Systems Agency (DISA) STIGs (Security Technical Implementation Guides). This can facilitate a working Risk Management Framework implementation on the mainframe. If no DISA STIGs are available, the software should allow users to create their own based on their system’s components, variables, data, users, libraries, etc.

We mentioned earlier that the results should appear in real time. These results, and the vulnerabilities they expose, need to be understood by people who don’t necessarily have mainframe expertise. This may well include senior managers and other members of the security team. The display doesn’t need to be just for mainframers and mainframe-trained security specialists, although they may need to be able to drill down from the screen into more detail to guide them when implementing the fixes described in the guides.

Information Security Continuous Monitoring software would, for example, be able to validate that an application or group meets security standards. And when the software is run regularly over time, it will create a history that can be used to confirm system integrity over time for compliance reporting.
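As an added illustration of the scan, diagnosis, and history steps described above (this is example code, not the post’s or any vendor’s product), the following checks a snapshot of ESM settings against STIG-style rules, flags which values have drifted from an approved baseline, ranks findings by risk with a plain-language fix for each, and keeps a per-scan compliance history. The setting names, thresholds, and fix text are constructed for illustration and are not taken from a real STIG.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

@dataclass
class Rule:
    setting: str    # key in the settings snapshot
    component: str  # part of the system the rule covers
    check: object   # predicate over the observed value
    severity: str
    fix: str        # plain-language remediation step
# Constructed STIG-style rules: names and thresholds are illustrative only
RULES = [
    Rule("password_interval_days", "ESM password policy",
         lambda v: v is not None and v <= 90, "high",
         "Set the password change interval to 90 days or fewer"),
    Rule("audit_failed_access", "ESM auditing", lambda v: v is True, "high",
         "Enable auditing of failed access attempts"),
    Rule("protect_all_datasets", "Dataset protection", lambda v: v is True,
         "high", "Enable protection of every dataset, not only profiled ones"),
    Rule("inactive_revoke_days", "User management",
         lambda v: v is not None and v <= 35, "medium",
         "Revoke user IDs inactive for more than 35 days"),
]

def scan(snapshot, baseline):
    """Return findings highest risk first; 'drifted' = changed since baseline."""
    findings = []
    for r in RULES:
        value = snapshot.get(r.setting)   # a missing setting fails the check
        if not r.check(value):
            findings.append({"setting": r.setting, "component": r.component,
                             "observed": value, "severity": r.severity,
                             "fix": r.fix, "drifted": baseline.get(r.setting) != value})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)

def compliance_score(findings):
    """Percentage of rules passed; trended over time for compliance reporting."""
    return round(100 * (len(RULES) - len(findings)) / len(RULES), 1)

def record_scan(history, label, findings):
    """Append one scan summary so integrity can be confirmed over time."""
    history.append({"scan": label, "score": compliance_score(findings),
                    "open": [f["setting"] for f in findings]})
    return history

# Constructed snapshots: baseline passed every rule; a later scan shows drift
BASELINE = {"password_interval_days": 90, "audit_failed_access": True,
            "protect_all_datasets": True, "inactive_revoke_days": 30}
CURRENT = {"password_interval_days": 180, "audit_failed_access": True,
           "protect_all_datasets": False, "inactive_revoke_days": 40}
```

Running `scan(CURRENT, BASELINE)` on the constructed snapshots yields three findings, the two high-severity ones first, and `record_scan` over successive scans gives the compliance trend a manager can read without mainframe knowledge.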

Mainframers need to change their thinking away from the idea that their mainframe is very secure to thinking of ways that their mainframe can be made even more secure. Installing new Information Security Continuous Monitoring software will provide your site with additional mainframe security on top of your already very secure mainframe.

Regular Planet Mainframe Blog Contributor
Trevor Eddolls is CEO at iTech-Ed Ltd, and an IBM Champion since 2009. He is probably best known for chairing the Virtual IMS, Virtual CICS, and Virtual Db2 user groups, and is featured in many blogs. He has been editorial director for the Arcati Mainframe Yearbook for many years.

One thought on “Do I need real-time, continuous, mainframe security monitoring and auditing?”
  1. After your last writing about the need for SIEMs on mainframes, I was expecting some more details on how that would work out. This writing is more hypothetical, while the last one mentions different solutions. I expected maybe some experiences being shared about zSecure and QRadar integration, good practices, etc.
