Having dedicated much of my career to mainframe software and security development, I've witnessed the incredible evolution of technology and the threats challenging its integrity. I’ve also been part of its history, setting the stage for today’s professionals to be more effective.
In this article, I discuss the problems we were addressing in the early days of mainframe security, before touching on where CPT Global believes the industry is heading. From there, I offer advice and considerations for organizations looking to strengthen their mainframe security posture.
Laying the Groundwork
Early on, as Assistant Director of the Computer Center at the University of Illinois-Chicago, I encountered student hackers on our mainframe time-shared system, which forced me into the area of computer security.
At that time, the only protection provided by IBM was dataset passwords – either entered by the user from their TSO terminal or by the Computer Operator, who knew it from a piece of paper handed to him or from a console logbook. This set me on a path to explore and implement better security measures.
The early challenges were different from today's threats. Back then, access control was our main concern. Collaborating with professionals, I formed the SHARE (organization for IBM mainframe sites) Data Security and Management Project, and we laid the foundation for modern security solutions.
Launching ACF2
Our project developed requirements for future IBM enhancements, which included protection by default and the use of pattern matching to select the security controls. When IBM responded with their Resource Access Control Facility (RACF), it did not have those features, and IBM told me they thought these two features were unachievable.
I designed and, with the assistance of two of my co-workers, Eberhard Klemens and Scott Krueger, developed a prototype for ACF2 as a response to these shortcomings. When the University declined our request for support in making it a commercial product, the London Life Insurance Company in London, Ontario provided this support. This led to the founding of SKK, Inc., providing a transformative product in mainframe security. There's even a Wikipedia entry, if you're interested in a little more backstory.
ACF2's implementation marked the start of its widespread adoption, solidifying its status across roughly 2700 sites as a billion-dollar product. As one of the key players in this and other innovations, I've had the privilege of shaping mainframe security, seeing how it has evolved, and ensuring its continued growth.
Solving Serious Challenges
Early mainframe security challenges were the result of increasing computer usage, often by non-IT professionals with little understanding of data protection. Additionally, access control requirements varied widely from one business to another.
In those days, IBM's RACF was the only solution for managing access controls, but it lacked flexibility and simplicity. It was also based on “protection by itemization” – or guarding one dataset at a time.
I recognized that a more customizable and user-friendly system was necessary. By leveraging our expertise and extensive knowledge base, we went on to create ACF2, a user-friendly system with many unique features such as resource rules to protect transactions, program paths, and more.
The long-term impact of ACF2 and other related work on mainframe security rests in its ability to evolve with technology without compromising core access control principles. Moreover, the clear and concise rule structure enabled considerable time savings for IT professionals configuring access controls.
Specific areas that were particularly challenging in the early days included managing user access rights across multiple systems and database protection. ACF2 addressed these challenges by providing a centralized interface for managing user privileges.
Evolving with Today’s Threats
However, as technology advanced, so did the threats IT faced. With increased connectivity through networks and the internet, mainframes became vulnerable to external attacks. Consequently, security solutions had to adapt to address these new threats.
Cloud computing, virtualization, and containerization also presented challenges in ensuring data protection across multiple environments. This has led to the development of hybrid mainframe security solutions that offer centralized management and control of access controls across different systems.
Now, the rapid emergence of artificial intelligence (AI) and machine learning (ML) has also impacted mainframe security – for good and bad. On the one hand, AI-powered technologies can monitor system usage patterns and detect anomalies that may indicate a potential breach in real time. However, these same technologies can also be used by malicious actors to bypass traditional security measures.
Looking to the Future
Looking ahead, mainframe security will keep evolving with technology. However, many of the fundamentals of protecting data will stay the same.
Organizations looking to invest in or improve their mainframe security should prioritize implementing a multi-layered security approach that includes access controls, encryption, and detection capabilities. Regular assessments and updates, including those by external experts, are also essential to staying ahead in a landscape that is constantly facing new threats.
Technology keeps changing, and so do the challenges faced by mainframe security professionals. That’s why it is important for organizations to keep up with these shifts and invest in continued education and training for security teams. Supported by the right tools and expertise, your business can stay ahead of threats and ensure the continued security and integrity of your mainframe systems.
When you're ready to discuss mainframe security, please get in touch.

Sep 23, 2024 12:12:00 PM