You could argue – as some folks have – that mainframes are inherently more secure than commodity servers because there are fewer variables at play on mainframe systems, making them easier to secure in some ways. The fact that mainframes account for a relatively small portion of the overall computing market is also a security benefit because it means mainframes are a less common target for attackers.
But none of the above means that mainframes are immune from security risks. On the contrary, mainframes are subject to many of the same cybersecurity challenges as x86 servers and the apps that run on them. And because most cybersecurity solutions designed for commodity infrastructure don’t support mainframes, admins need to devise special strategies for keeping mainframes secure.
Keep reading for a look at why securing mainframes can be so challenging, as well as best practices for keeping mainframes safe against cyberattacks.
Again, mainframes are arguably more secure than other types of infrastructure because mainframes are simpler overall. There are fewer operating systems, programming languages, configuration options, and so on to contend with in the mainframe world. To be sure, the fact that Linux-based workloads can also run on mainframes means that mainframe configurations can become complex in some cases. But in general, they’re simpler than what you’d encounter on an x86 server. By extension, there are fewer places where vulnerabilities can arise, and fewer opportunities for admins to make mistakes that expose mainframe workloads to security risks.
That said, mainframes are still subject to a variety of potential security problems, such as:
- Vulnerabilities in mainframe operating systems (like z/OS), as well as in applications deployed on mainframes. Vulnerabilities result from flaws or oversights in source code that enable attackers to exfiltrate data or abuse systems.
- Weak or improperly configured access controls in mainframe environments could give attackers access to resources that they should not be able to view or modify.
- Malicious actors on networks that mainframes connect to. At the network level, attackers could “sniff” sensitive data as it flows to or from mainframes, or even potentially create backdoors into mainframes themselves by taking advantage of insecure network protocols.
The list could go on, but these threats represent some of the most common security challenges mainframes face.
Mainframe security risks are exacerbated by the fact that many mainframe engineers lack special security expertise, and many security teams have limited familiarity with mainframes. That makes mainframe security different from the world of commodity servers, where security analysts are typically quite familiar with the platforms that host workloads today – like public clouds.
If you manage commodity servers, you have a plethora of cybersecurity tools at your disposal to help address risks like those described above. Vulnerability scanners can alert you to insecure software. Configuration scanners can detect insecure settings. Network auditing software can identify malicious activity at the network level.
Unfortunately, mainframe admins don’t have access to the same types of tools, for the most part. With few exceptions, security solutions designed for x86 servers and workloads don’t support mainframes. IBM does provide some mainframe security tools, but in many cases, security teams aren’t familiar with available solutions because they’re more accustomed to supporting security for x86 workloads.
For that reason, businesses that use mainframes face what you could call a security “gap,” at least concerning security tooling. They can’t protect their mainframes by simply extending the cybersecurity tools and strategies they have in place for other infrastructure to secure mainframes as well.
Fortunately, teams tasked with supporting mainframes have resources at their disposal that can help defend mainframe operating systems and applications. Here are some key best practices they can adopt to protect mainframes.
Although most software vulnerability scanners aren’t designed with mainframes in mind, there are scanning tools available for apps written in languages like COBOL. Taking advantage of these tools is one way to extend cybersecurity strategies to protect mainframe applications in addition to conventional applications.
The most popular databases that report known vulnerabilities don’t do a great job of monitoring mainframe security issues. (For example, the CVE database, one of the most commonly used public vulnerability databases, has only a blank entry for z/OS vulnerabilities.)
IBM, however, does have a strong record of reporting known security issues with z/OS and other mainframe products. Mainframe admins should therefore make sure to follow IBM’s mainframe blogs and news feeds to ensure they’re aware of the latest security risks that affect mainframes.
Since mainframes use the same networks as commodity servers, most network security tools and strategies that are designed for commodity servers can be applied to mainframes, too. Admins should use network scanners to detect anomalous traffic patterns that could reflect attempted attacks. They can also check for insecure (or insecurely configured) protocols.
In addition, techniques like network segmentation can help to add security to the network at an architectural level. Segmentation benefits mainframes and any other infrastructure connected to your network.
Sometimes, mainframe apps don’t need to connect to the network at all. If that’s the case, consider “air-gapping” your mainframes by disconnecting them from the Internet, except when you need network connectivity to perform administrative tasks. Air-gapping virtually eliminates the risk of network-borne mainframe threats.
Not all mainframe workloads can be air-gapped, of course. For example, financial apps that have to respond to requests in real-time need constant connectivity to mainframe infrastructure. But applications that support users in a local area or that only need to sync data with central systems periodically are candidates for air-gapping.
Mainframe security can be challenging not because mainframes are any less secure than other types of infrastructure but because modern cybersecurity solutions don’t cater to mainframes. Nonetheless, there are special security tools and techniques that mainframe admins can leverage to help close the gap between securing their mainframes and securing the rest of their IT estates.
Christopher Tozzi is a technology analyst with subject matter expertise in mainframes, cloud computing, DevOps, open source software and more. He is also Senior Lecturer in IT and Society at Rensselaer Polytechnic Institute and an adjunct analyst with International Data Corporation. His most recent book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published by MIT Press.