If you’re running a big server like a mainframe, a zero trust strategy means you shouldn’t trust anything outside that box. If it’s your responsibility to protect the mainframe, you must ensure the right mechanisms are in place on the box itself.
If you’re in charge of the mainframe, you are responsible for protecting your data and applications. This means you’re accountable for access and ensuring cyber security and resilience, a responsibility that becomes even more acute with a zero-trust security stance.
Network Segmentation
Network segmentation is essential for implementing a zero-trust strategy and for compliance. This is especially true for PCI DSS, where network segmentation is a strong recommendation and is close to becoming mandatory for many organizations. Would sensitive mainframe applications pass compliance when they are only protected by network perimeter security rather than being protected on the platform on which they are running?
Server or Perimeter
Regarding security measures at either the server or perimeter, there’s a simple analogy: Would you still lock the front door of your house if you knew the garden gate was locked? Of course, you would. Today’s networks shouldn’t rely solely on off-mainframe network segmentation using firewalls and routers.
You can’t rely on anyone else if it’s your job to secure mainframe applications and data. (Okay, if a bad actor breaches protections outside your remit, it’s not your breach, but the impact can still be significant).
Network Segmentation Off the Mainframe
I was talking to someone at a large European financial services organization recently, a big mainframe house. It implemented network segmentation off the mainframe, using many firewalls and routers, and it took several years.
And they ran into another problem: the team managing the firewalls and routers didn’t understand the mainframe and how it worked. They hadn’t needed to previously; it was just another box at the end of a cable (which, architecturally, it is). However, the firewall team was now responsible for network security that included the mainframe.
On the mainframe side, those folks are unaware of any changes made in the wide area network because the firewall team manages that side. The mainframers don’t know if a firewall has been opened to allow certain connections, but they could feel the effects if an unauthorised connection reaches the mainframe.
Zero Trust On the Platform
To implement zero trust on the mainframe, you have to put network segmentation and firewall-type technologies on the platform itself. In fact, this already exists with IBM Policy Agent, z/OS Communications Server, and IP filtering. However, you need a little more to make it work effectively.
zTrust software, with its combination of network discovery and micro-segmentation, places the responsibility for network security where it should be: with the mainframe team. It doesn’t replace firewalls and routers. It’s part of a “belt and braces” approach—another layer of security and a vehicle for security administrators to control and manage those firewalls.
If network changes are made on the mainframe–perhaps a new application connecting to the outside world–the mainframe and the rest of the network are protected immediately. This means you don’t need to explain changes to the off-mainframe firewall team, who would then need to deal with it while you hope they make the correct changes at the right time.
Instead, you have full-fat network segmentation at the granular level you require – the watertight protection you want.
Is Network Segmentation Working?
It’s one thing to say you’ve implemented network segmentation, but how do you know it’s working unless you have monitoring and reporting? Policy Agent doesn’t produce alerts if someone connects, and the logging for denied connections is likely unmanageable.
This is another piece of the jigsaw that zTrust provides: the ability to do network segmentation on the mainframe itself, administered by the security administrator in the same way RACF is administered. Plus, it monitors and reports on that segmentation to confirm it is set up and working as intended.
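As an added illustration (not code from this article, from IBM, or from Vertali's zTrust), the following Python models the two points above: first-match evaluation of observed connections against an intended segmentation policy on the platform, and a report that condenses denied flows per source and flags permit rules that never fire, so that deny logging becomes reviewable rather than unmanageable. The rules, addresses, ports and connection records are constructed, and the rule format is a simplified stand-in, not Policy Agent or IP filter syntax.

```python
import ipaddress
from collections import Counter

# Constructed segmentation intent: ordered, first-match rules, in the spirit of
# on-platform IP filtering. Simplified stand-in format, not Policy Agent syntax.
# port None means any port; proto "any" means any protocol.
RULES = [
    {"src": "10.20.0.0/16", "port": 1414, "proto": "tcp", "action": "permit"},  # MQ from app tier
    {"src": "10.30.5.0/24", "port": 443,  "proto": "tcp", "action": "permit"},  # HTTPS from web tier
    {"src": "10.0.0.0/8",   "port": 22,   "proto": "tcp", "action": "permit"},  # SSH from internal ranges
    {"src": "0.0.0.0/0",    "port": None, "proto": "any", "action": "deny"},    # default deny
]

# Constructed connection records seen by the monitor: (source, destination port, protocol).
OBSERVED = [
    ("10.20.3.7",    1414, "tcp"),
    ("10.30.5.12",   443,  "tcp"),
    ("192.168.77.4", 23,   "tcp"),   # telnet attempt from outside every permitted range
    ("10.30.5.12",   23,   "tcp"),   # web tier trying telnet: permitted range, wrong port
    ("10.20.9.1",    1414, "tcp"),
]


def match(rule, src, port, proto):
    """True if one rule covers this connection (address range, port and protocol)."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["port"] is not None and rule["port"] != port:
        return False
    return rule["proto"] in ("any", proto)


def evaluate(src, port, proto, rules=RULES):
    """Return (action, index of the first matching rule); deny if nothing matches."""
    for i, rule in enumerate(rules):
        if match(rule, src, port, proto):
            return rule["action"], i
    return "deny", None


def report(observed=OBSERVED, rules=RULES):
    """Condense the deny log into counts per flow and list permit rules that were
    never exercised, which are candidates for tightening the segmentation."""
    denied, used = Counter(), set()
    for src, port, proto in observed:
        action, idx = evaluate(src, port, proto, rules)
        if action == "deny":
            denied[(src, port, proto)] += 1
        else:
            used.add(idx)
    unused = [i for i, r in enumerate(rules) if r["action"] == "permit" and i not in used]
    return {"denied": dict(denied), "unused_permit_rules": unused}


if __name__ == "__main__":
    print(report())
```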
Use Your Tools Correctly
The good news is that many of the tools you need to get started are already available on the mainframe. The bad news is they’re either rarely used or not used correctly. IBM z/OS Communications Server has at least five sophisticated security tools, which come free as part of the product, including intrusion detection services.
But we rarely see them fully implemented and, equally importantly, correctly monitored. Imagine if your mainframe was hacked and your manager discovered you already possessed free cyber security tools, but that you didn’t know about them or didn’t have the time to configure and use them properly.
The first step is to examine what you’ve already got to ensure you have solid foundations to build on. Then, if you’re serious about zero trust and want to go further, look to something like zTrust for additional layers of security, management, and control.
Terry Stanton is Senior Technical Architect at Vertali and a former z/OS Consultant. Stanton has worked in the IT industry on various platforms for more than 30 years, applying skills ranging from migration, installation, and upgrades to systems programming, configuration, and technical support.