Mainframes are the definition of “mission-critical" for many businesses, keeping operations up and running in industries ranging from banking to insurance to government. Up to 70% of your corporate data might reside on the mainframe, and 71% of all Fortune 500 companies have their core businesses located on these systems.
Most businesses simply could not operate without the computing powerhouse – IBM’s latest mainframe can handle 12 million encrypted transactions a day.
Far from being back-end devices, the functions provided by mainframes are some of the most visible and customer-centric aspects of your technology. Your mainframes likely process countless instances of personally identifying information (PII), financial information, health data, or other types of highly sensitive data, making it a prime target for intruders. With the average data breach costing businesses $3.62 million, you really can’t afford a breach.
Yet, most businesses take the security of their mainframes for granted. While mainframes are arguably the most secure computer system, they still are not impenetrable. Any system comes with weaknesses, and the mainframe is no exception.
Most organizations know that they need to bolster their mainframes, to some extent, and they turn to mainframe security products like RACF, ACF2 or TopSecret. While these kinds of products are essential for establishing permissions and access control, they don’t provide a complete security solution. It’s easy for organizations to be lulled into a false sense of security and think that those products can keep the mainframe completely secure.
Unfortunately, that means that the people and tools most responsible for ensuring the security of a company's most important system are blind to a threat that could bring the business to its knees. Most mainframe security products fail to address a crucial weakness: code-based vulnerabilities.
Just one code-based vulnerability could compromise the entire integrity of your mainframe, but it’s a threat that’s either overlooked by mainframe experts or entirely ignored by CIOs and CISOs. Here’s what you need to know about code-based vulnerabilities, and how you can protect your organization.
What are code-based vulnerabilities?
Essentially, code-based vulnerabilities are areas of bad code that can crop up any time a change is made to a mainframe operating system, such as an OS upgrade, standard maintenance or the introduction of a new third-party software product. Even though vendors try to catch the code gaps with every new product release, it’s very difficult to simulate every client environment, so these vulnerabilities often slip through the cracks.
The deep-seated nature of code-based vulnerabilities can cause headaches, since they’re so difficult to find. And, there’s a huge amount of risk involved with operating system-level vulnerabilities. If a hacker were to exploit one, he or she would have access to all of the data, applications and users on the entire mainframe. This kind of mainframe exploit can provide system administrator privileges to the hacker, allowing them to view/update data as it moves through the system. That means hundreds of applications and thousands of users would be exposed, all from one single code flaw.
Of course, any mainframe breach could open you up to regulatory fines, to say nothing of a consumer litigation and a public relations nightmare. That’s why it’s so important to secure your environment at every level, and make a conscious effort to make OS-level integrity part of your overall security strategy.
The next step forward
Awareness of these vulnerabilities is the first step to addressing the problem, since you won’t be able to plug code gaps if you don’t even know to be looking for them. Mainframe professionals need to recognize that application scanning alone won’t identify every system flaw, and traditional scanning tools simply aren’t capable of picking up on OS-level capabilities.
Then, it’s a matter of working to address blind spots in security code, and being diligent about it. Mainframers need to address these blind spots and scan for operating system vulnerabilities.
Most importantly, organizations simply need to know about these risks, so they can act to better secure their mainframes. It can be hard to close all the gaps, but it’s even harder if you don’t know they’re there.