Data Loss Prevention

It’s high time we acknowledged that mainframe data loss is far more than a security problem. It’s fundamentally a business problem.

As the old saying goes, prevention is better than cure. This applies to data loss and cyber attacks as much as anything else in life. If we leave things as they are, we may find ourselves trying to fix the roof as rain pours in. Water is getting into the attic, soaking the insulation, damaging beams, and ruining whatever is stored up there (railway set? Christmas decorations?).

Think of the cost, and the loss, of having to replace and put things right.

By contrast, fixing things while the sun is out means making our stuff safe and protected at a time when we’re not under direct threat. We have to think the same way about our valuable data, and with the mainframe that means focusing on the risk of exfiltration.

As Vertali security experts have said repeatedly, while the mainframe may be the most securable platform on the planet, it doesn’t come that way out of the box. For today’s cyber criminals, it’s simply another server to be hacked – yet the mainframe is the system of record for many organizations, the transactional beast of burden, and the hub for today’s digital services.

Data loss can take various forms. It happens through ransomware, through malware that exfiltrates data, and through outside attackers and insiders alike. We should be doing everything in our power to prevent the unauthorized removal and transfer of data outside organizational boundaries, and so avoid the customer, financial and reputational damage that follows.

Data Loss Prevention (DLP) – data leakage mitigation – is about detecting, identifying, and preventing data breaches, data exfiltration, and the unwanted destruction of sensitive data. Effective DLP means securing and protecting our data and complying with the necessary legislation and regulatory requirements. It is an essential part of a Zero Trust security posture.

So what does it mean for mainframers? In terms of data loss risk, there are many ways to get data off the mainframe: FTP, SMTP, NJE (Network Job Entry), IND$FILE for mainframe-to-PC file transfers, commercial products like XCOM and Connect:Direct – and that’s not all. How about HTTP and HTTPS? It’s a connected world like never before. And with mainframes, here’s a real bugbear of mine: who believes READ access to data is a good idea? As a rule? If I can READ something then I can also copy it, and any of the channels above will carry the copy off the box. On RACF, for instance, a dataset profile with UACC(READ) lets any user not otherwise on the access list read, and therefore copy, that dataset; the default should be UACC(NONE), with READ granted only to the specific users and groups that need it.

DLP isn’t a new kid on the block, of course. Gartner had estimated that by 2021, 90% of organizations would have implemented at least one form of integrated DLP. But analysts also say the market has reached maturity, with competitive solutions difficult to distinguish from one another and, crucially, innovation in functionality stalling.

We need to reframe DLP as a strategy, a journey, rather than a product-led approach. Analysts also say that organizations should not look to DLP as a ‘magic bullet’ for protecting sensitive information. It requires a more wide-ranging and informed approach, one that often starts with a pen test or security assessment to properly understand your security posture. And a DLP strategy has to extend in different ways across different domains: network, cloud, endpoints, and storage, ideally as part of a managed approach to security.

So how can we take practical action and develop an effective DLP strategy? Start by asking yourself (or asking the people responsible for security and data protection in your organization) a few simple but searching questions:

  • What do we define as sensitive information?
    (The types of data we classify as sensitive need to be revisited frequently)
  • How do we currently track (and understand) data access, movement, and usage?
  • In what ways do we restrict access to our data?

We need to properly understand our networks and who or what is connecting to our mainframe systems. We need to monitor network activity in real-time. And we need to make better use of the tools already out there to help, which means selecting and using solutions that feed into a comprehensive DLP strategy.

We need to be able to automatically detect and respond to threats, connecting the mainframe to an Extended Detection and Response (XDR) approach. We need the mainframe to integrate with third-party solutions such as Venafi’s Trust Protection Platform (TPP) to bring machine identity management and automated certificate management to z/OS. There are many other tools, several of them already in IBM z/OS Communications Server: IP Filtering, Intrusion Detection Services (IDS), z/OS Encryption Readiness Technology (zERT), and the Network Management Interfaces (NMIs), for example. zERT in particular records which TCP connections are, and are not, protected by TLS, SSH or IPsec, which is exactly the visibility an exfiltration investigation needs. Take a look at what’s out there. Seek trusted advice. Get what’s right for you.

Vulnerabilities are present all too often, and you may be at serious risk of data loss. It could only be a matter of time before a bad actor gets in, and by then it may be too late. As another old saying goes, a stitch in time saves nine.