IT Management

Many magazine articles have focused specifically on issues of data security, risk, and appropriate controls. While information security is a pervasive need, relatively few mainframe professionals focus on data security as a discrete discipline, even though the mainframe is central to many applications and exposed to great risk. Moreover, most mainframe focus has been on operational excellence and increasing ROI, as opposed to focusing on protection of mainframe data assets. As a result, many seasoned mainframe workers and managers could still benefit from a broader understanding of information security risks and remedies.

Data security must start with an understanding of why it’s necessary. In the earliest days of computing, data security consisted of no more than Barney Fife sitting at the door of the glass house, letting in only those whom he knew and trusted. Today, however, the mainframe exists in a world of pervasive connectedness, when immediate responses are required to meet business needs (see Figure 1). The mainframe is no longer restricted to an SNA network, but now is connected via TCP/IP, just like Windows and UNIX servers. Organizations must maintain a permeable perimeter while constantly exchanging data—much of it sensitive and regulated—if they expect to effectively compete in the market. The mainframe must now defend against incursions that were unthinkable as little as a decade ago.

Data processing on the mainframe is always a balancing act of usability, cost, and security (see Figure 2). The need for data protection escalated as the need to collect and deliver data via the Internet emerged at the end of the last decade. That need grew far faster than many organizations could accommodate, leaving exposures in virtually every industry. While the mainframe remains the most secure commercial data processing environment available, it no longer operates in monolithic isolation. Contemporary mainframes host websites, let PC client applications access and update data, and constantly exchange bulk data files with other operating environments.

The gap between the need for security and risk remediation remained so broad for so long that regulators, both public and private, were compelled to act:

• The European Union (EU) brought forward the Data Protection Act of 1998 (a modification of the earlier European Data Protection Directive of 1995), specifying when data may be used and, particularly, when and how it may be transferred from one country to another.

• The U.S. Federal Government passed the Gramm-Leach-Bliley Act (GLBA) of 1999, which requires financial institutions to diligently protect the privacy of consumer personal data. Starting with California in 2003, most U.S. states subsequently expanded the GLBA regulation by requiring any organization to publicly disclose details when a breach of its data protections occurs.

• Private industry joined the call for higher data protection standards, particularly in the electronic payments arena, consolidating five separate initiatives into the Payment Card Industry Data Security Standard (PCI DSS) in 2004.

• The U.S. Health Insurance Portability and Accountability Act’s (HIPAA) privacy rule became effective in 2003, regulating protection of health information; it has since been updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to require disclosure of data breaches for any organization dealing with any aspect of healthcare.

Consequently, data center managers are compelled to take action both to appropriately protect customer and company data, and to avoid penalties and disruptions to the organization’s business plan that regulators and auditors can represent. This means managers must manage the traditional data center risks—such as environmental (e.g., earthquake, tornadoes), social/political (e.g., war, riots), and operational (e.g., hardware failures)—while also considering issues of:
