Friday, April 30, 2010
Your Mainframe Security Risk: Retirement
Jim Yurek of Vanguard Security gave an interesting talk today about mainframe PCI compliance. One benefit, for any of you mainframe types out there, is that Vanguard has made a Gartner research note written by Ant Allan available on their web site: “Why Your IBM z/OS Mainframe May Not Be as Secure as You Think It Is and What You Can Do About It”. You can get your copy by clicking here. The key findings that Jim discussed were:
- A real shortage of mature mainframe security skills makes configuration and administration errors more likely than on other enterprise server operating systems (OSs) in the same enterprises — and less likely to be found and remedied.
- Relatively lax compliance audits fail to identify mainframe control weaknesses, and lack of management attention can allow "worst practices" to continue. The risk of compromise has increased with greater mainframe connectivity.
- There are fewer z/OS-specific security guidelines than for other enterprise server OSs. Mainframe-specific compliance requirements are rare, but increasing.
- Full compliance with mainframe-specific security guidelines is difficult, and the incidence of high-risk vulnerabilities is astonishingly high.