Are Mainframes a Security Risk?
What a question! How dare I suggest that our favorite platform is capable of being breached? Along with reliability, scalability, availability and performance, security has always been a hallmark of mainframe excellence.
z/OS presents a lot of challenges to even the most talented hacker. First, there are fewer and fewer mainframe experts around, despite attempts to grow the numbers. Most mainframers are fiercely loyal to the platform and would consider hacking it to be treason. And it’s a complex environment, where few consider themselves experts on all aspects of what it can do. Even in the 1980s people specialized in just a few components. Finally, hackers, like other criminals, target the easiest to breach opportunities. As cops will tell you, you don’t need to build an impregnable fortress: Just be harder to break into than your neighbor.
Ayoub Elaasal, security auditor for Wavestone, though it might be fun to try. Sadly, he was able to find an exposure in z/OS rather fast, the ability of almost any user to edit the APF (authorized program facilities) and give yourself root access. At this point, you can do almost anything.
The good news is that he is a good guy, so he just documented the exposure, rather than exploit it. And few may try. But others have noted that with mainframe systems programmers spread so thin, they do tend to leave security to the security folks. This silo problem can expose companies to more risk; teams really do need to work together.
Having everything in EBCDIC does help make it more obscure. And loyal mainframers aren’t posting exposures and security holes online. In fact, it can be difficult to get a lot of documentation on how mainframes work online, unlike Linux, UNIX and Windows. These are factors in our favor.
So, whatever’s on the mainframe is probably safe … for now. But once mainframes share anything with other systems, you can’t feel as secure. And we’re talking data. Where once, mainframe data wasn’t shared with anyone but those few TSO users who had to get to it, now, we transmit the data everywhere, which includes to platforms that are less well protected. As we login to our banking application on our smart phones (really, do people do this?), the data about their accounts is far less well protected than it is when it stays on the mainframe.
In this Blog series, we’re going to talk a bit more about the data problem. That’s the security exposure we may not be as well aware about, but we need to know what to do. Stay tuned and learn about the exposures we face and the ways to lock them down.