IT Management

Jul 18 ’11

Having feelings of insecurity about the lack of cloud security? Many organizations are hesitant to migrate applications and data to the cloud due to security concerns fueled by the all-too-common reports of security breaches and performance outages. For example, consider the recent major data breach when Sony’s PlayStation Network was hacked. The incident is currently the second largest online data breach in U.S. history, as some 77 million network subscribers were affected, and possibly 24.6 million users had their personal data compromised. A few weeks after partially restoring some services but keeping the video game network offline so it could be rebuilt and integrity restored, Sony’s CEO told reporters he couldn't guarantee the security of the company's videogame network or any other online service in the “bad new world” of cybercrime.

In the aftermath of the attack, a review of the breach by Sony’s forensics team revealed some of the virtual servers participating in the attack had been rented by the hacker for merely pennies an hour from Amazon’s Elastic Computer Cloud (EC2), confirming predictions by pundits that cloud’s massive resources would be rented and used for evil. Amazon wasn’t hacked, but the hacker used rented Amazon cloud servers in the attack. Seems Amazon has had more than its share of the security breach spotlight for years, exacerbated by hackers’ claims regarding the ease of planting rootkits and subverting the Xen hypervisor, which is an open source hypervisor used by Amazon for EC2. The irony here is that Amazon’s CTO promised last year to “raise the bar” on security and make it better than most enterprises can achieve on their own. He must be excluding enterprises that rely on mainframes.

To my knowledge, no mainframe has ever been compromised by a rootkit or commandeered for a botnet attack (a rootkit is malware that infects a computer and can hijack various hardware and operating system functions, and a botnet is a network of computers [bots] infected by malware that allows them to be controlled remotely by attackers for malicious purposes). For other than mainframe servers, Xen is arguably one of the most secure hypervisors out there while Amazon EC2 has been viewed as having state-of-the-art security by many cloud proponents.

I suspect what constitutes state-of-the-art is ultimately in the eye of the beholder. Just recently, a security vulnerability was discovered on Facebook that had existed since 2007, when apps were enabled. The breach gave advertisers and other third parties a way to access users’ accounts and personal information. Since 100,000 or more apps were affected, consider all the access tokens inadvertently leaked. Leaked tokens can be subsequently used to access or post information on a user's account, read wall posts and friends’ profiles, and mine personal information from these locations.

Oh yes, Facebook has fixed the leak, but recommends users change their Facebook password to prevent further use of leaked tokens. More good news for mainframe executives: I can’t recall a single instance reported where a  mainframe system has ever leaked a token.

Hackers as well as stakeholders in black market activities are beholden to providers of these unsecured systems and applications for their livelihood. What is the largest data breach to date?

A March 2011 event involving Epsilon, a marketing firm that is part of Alliance Data. Hackers gained unauthorized entry into Epsilon’s email system, which serves some 2,500 companies, and were able to access the names and email addresses of customers of more than 100 companies, including such big names as Citigroup, Verizon, Hilton Hotels, Best Buy, Capital One, Chase, Ameriprise, Target, and Walgreens.

Before you get your knickers in a twist over cloud data security, encrypting data before migrating it to the cloud is a common practice. Any responsible cloud service provider will use encryption to safeguard data, and, increasingly, regulations and policies mandate encryption of Data at Rest (DAR). Look for those services that use dual authentication keys that support encrypted DAR—and preferably something that can be implemented without any changes to your application or database. Also, make sure your applications are designed to prevent leaking tokens.

If you’re serious about fighting back in the bad new world of cybercrime, make sure you have a mainframe in your arsenal. Evaluate the proof points. The mainframe makes a great cloud server because it’s equipped with system security that’s bullet-proof, system code that’s malware-proof,  robust virtualization that’s 200-proof, and a built-in dedicated encryption processor that’s


Now that's 100 percent fool-proof!

Bill Carico is a 38-year veteran of the IT industry, a staunch defender of the mainframe, and has

been a featured writer for Mainframe Executive since its inception. He’s president of

ACTS Corp., a consulting and software firm.

Email:; Voice: 434-933-2287