Friday, April 30, 2010

Your Mainframe Security Risk: Retirement

Jim Yurek of Vanguard Security gave an interesting talk today about mainframe PCI compliance. One benefit, for any of you mainframe types out there, is that Vanguard has made a Gartner research note written by Ant Allan available on their web site: “Why Your IBM z/OS Mainframe May Not Be as Secure as You Think It Is and What You Can Do About It”. You can get your copy by clicking here. The key findings that Jim discussed were:
  • A real shortage of mature mainframe security skills makes configuration and administration errors more likely than on other enterprise server operating systems (OSs) in the same enterprises — and less likely to be found and remedied.
  • Relatively lax compliance audits fail to identify mainframe control weaknesses, and lack of management attention can allow "worst practices" to continue. The risk of compromise has increased with greater mainframe connectivity.
  • There are fewer z/OS-specific security guidelines than for other enterprise server OSs. Mainframe-specific compliance requirements are rare, but increasing.
  • Full compliance with mainframe-specific security guidelines is difficult, and the incidence of high-risk vulnerabilities is astonishingly high.
Basically, Jim’s theory was that there is a higher probability of a mainframe data breach as fewer people know about the mainframe anymore. I couldn’t agree more. It was a bit of a shocker that there is no material published that explains how to configure z/OS for PCI compliance – or any compliance for that matter. Crazy. With the mainframe population of programmers and analysts all getting older and retiring, I can see how Jim’s predictions may be true.
