
Mainframe computing data encryption.

Protegrity : 14 August, 2007  (Technical Article)
Gordon Rapkin, CEO of Protegrity explains the new approach to ensuring the security of mainframe databases through the latest data encryption technology.
Why do banks invest in high security vaults, armed security guards, and layers of identification? Because banks are where we keep vast quantities of money. And why must corporations invest in high security for mainframe databases? Because mainframe databases are where vast amounts of sensitive data is kept, and data is corporate money.

In the last few years industry initiatives and government regulations have become significantly more demanding and specific about data security. The Payment Card Industry (PCI) has led the charge with IT security requirements that must be met by any organisation involved in the credit card value chain. These requirements apply across the full span of computing environments that manage sensitive credit card information. While the early focus of the PCI initiative was transactional systems, each year the assessment process has become more rigorous and more inclusive. If card data touches the computing infrastructure, the PCI assessors expect data protection to be implemented across the board - mainframes included.

Many countries around the world have passed privacy legislation. In the US, the common form of this legislation requires protection for any personally identifiable information and the EU is set to introduce similar regulations this year. The legislators have clearly provided guidance to organisations about how to avoid the risks of theft and the embarrassment of being required to publicly disclose all suspected data breaches. Focusing on data is the key to protecting your organisation. However, even with this clear, unambiguous legislative guidance and safe-haven, it is shocking how many computing environments are still relying solely on perimeter protections and have not focused on the heart of the data security challenge - protecting the data.

Over 80% of corporate data resides on mainframes, and IBM's 'Big Iron' mainframe is the backbone of corporate computing. Because of the quantity and type of data that is available on corporate databases, these mainframes are target environments for thieves and hackers. The bad guys know that if they infiltrate a corporate mainframe, they will have access to a treasure trove of sensitive data. Security is not a new thing in the mainframe arena, and many excellent security products have been available for years. But security strategies of the past have not kept pace with the security risks of the present.

Not all security breaches come from external sources. In fact, the vast majority of data breaches are perpetrated by corporate insiders. Sometimes these are authorised users performing malicious acts. However, data losses are frequently as mundane as physically misplaced backup tapes or misguided data extracts that happen to include too much data. Perimeter security is useless to prevent this type of threat.

In addition to internal security threats, external threats are very real. The hacking community is constantly refining new ways to attack systems. When external hackers succeed, the results are usually sensational and devastating. In 2005, over 40 million consumers were exposed to identity theft when hackers breached the security barriers of several corporations. The estimated damage from these thefts was well over three billion dollars.

Previously, mainframe security involved building walls and barriers to challenge users' rights to gain access to the mainframe. However, once a user gained access past those walls, the path to the data was relatively unguarded. Corporations relied on limited network connectivity, access control, and user authentication for protection. Unfortunately, while these measures are necessary and valuable, these tools are no longer sufficient to fully guard against the risks. New approaches must be deployed to keep pace with new threats and malicious attacks.

The days of the glass house mainframe environment where only a limited number of users could gain access to the system are gone. The mainframe is no longer an isolated environment for data storage. Today, corporate mainframe databases participate in the corporate network just as the smaller UNIX and Windows servers, and frequently, mainframes are even participants in public networks.

With all of this valuable data at risk, why do we use mainframes for data storage? Because one of the benefits of a mainframe data repository is that it becomes the trusted source of information. Corporations need a reliable area in which to place all of their data. To perform this important role, mainframes allow data to flow in two directions. Data flows from supporting systems to the mainframe database for aggregation, and from the mainframe database out to operational data stores. Instead of a protected, separate environment, the mainframe suddenly becomes the hub of the network wheel connected to all the outlying systems, and data is flowing everywhere along the wheel, back and forth from the hub to the spokes as well as along the rim. Because of this characteristic of the way that mainframes interact with the rest of the network, there really is no such thing as a pure mainframe data security strategy because what was sensitive data on the mainframe is now pulsing through the corporate network and ending up on a myriad of connected environments that all need an orchestrated protection strategy.

The result of this new access and connectivity is that mainframes face a new class of security threats. The traditional walls and barriers of access control are no longer enough to provide effective security. They create environments that present a 'crunchy on the outside; soft in the middle' security model. While it may be a bit tough to break in from the outside, once you are inside the walls, data protection is soft at best and non-existent at worst. With all the new ways that mainframes interact with the network, and the legitimate connections and information flows required to develop an efficient information infrastructure, existing security tools are completely inadequate to provide protection. The time has come to deploy a new type of mainframe security; security that doesn't rely purely on external barriers. In short, it is time to completely re-think mainframe data security.

So, what can you do about mainframe security? You may be tempted to build bigger security walls, stop all the information sharing, and tighten the ring of defences without really addressing the underlying vulnerabilities. But that would still not protect your sensitive data, and would only cause you to lose an important networking capability that is vital to the life of your corporation.

Progressive data security management leaders are leading a shift in corporate security culture. Sound best practices, backed up by industry and government regulations, require us to take a much more holistic view of protecting sensitive information. The risk is the theft of data, and it is imperative that we do something about directly protecting the data wherever it may be. This attitude must pervade all of the key corporate systems, and it starts with highly data-centric, highly focused attention to the data stored on the mainframe.

It is important to use a solution that secures specific portions of data from security risks, not just the mainframe computing environment. By providing security on the data itself you are assured that only the appropriate users have access to the data. This reduces the risk that unauthorised users will inadvertently access data that they shouldn't. If backup tapes are accidentally lost, the data on those tapes is encrypted. If hackers are able to bypass external mainframe barriers, they are still confronted with security on individual portions of data. Using a combination of external barriers and internal data encryption, corporations can increase the security of their mainframe databases immeasurably. Corporations can focus their database protection by selecting only the sensitive data, such as credit card details, national insurance numbers, and the like, to protect. If each element of data receives its own protective encryption, then the overall database receives more protection, as any prospective data thief must wade through protection after protection to access any data. For example, a major textbook publisher, recognising the business need for securing data-at-rest and data-in-transit across its mainframe and open systems environments, chose granular column-level database encryption to protect the integrity and confidentiality of its credit card payment processing operation.
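The column-level approach described above, as an added illustration that is not Protegrity's code or the publisher's deployment: only the sensitive columns are encrypted, each under its own key, so a backup extract or an over-broad query yields ciphertext for those fields while the rest of the row stays usable. The table, the column keys and the sample customer record are constructed for the example, and HMAC-SHA256 in counter mode stands in for a standard block cipher so the block runs with the Python standard library alone.

```python
import hashlib, hmac, secrets, sqlite3

# Assumed key-management setup: each protected column gets its own key.
COLUMN_KEYS = {"card_number": secrets.token_bytes(32), "nin": secrets.token_bytes(32)}

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the column key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; stands in for AES in this example.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: str) -> bytes:
    # Fresh nonce per value; encrypt-then-MAC so a wrong key or tampering is detected.
    nonce, data = secrets.token_bytes(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(key: bytes, token: bytes) -> str:
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong column key or tampered value")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))).decode()

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_number BLOB, nin BLOB)")
    return db

def insert_customer(db: sqlite3.Connection, name: str, card_number: str, nin: str) -> None:
    # Only the sensitive columns are encrypted; the name stays as searchable plaintext.
    db.execute("INSERT INTO customers (name, card_number, nin) VALUES (?, ?, ?)",
               (name, encrypt_field(COLUMN_KEYS["card_number"], card_number),
                encrypt_field(COLUMN_KEYS["nin"], nin)))

def backup_extract(db: sqlite3.Connection) -> list:
    # What a lost backup tape or an over-broad data extract would actually contain.
    return db.execute("SELECT name, card_number, nin FROM customers").fetchall()

def read_card_number(db: sqlite3.Connection, customer_id: int, key: bytes) -> str:
    (token,) = db.execute("SELECT card_number FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return decrypt_field(key, token)
```

Decrypting the card column with the national insurance column's key fails the integrity check, which is the per-column separation the text describes: a thief who obtains one key still has no path to the other fields.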

This is the best practice methodology that has evolved from a re-examination of mainframe security measures. There are risks to corporate data everywhere. From hackers to internal data thieves to accidents that affect the mainframe, corporations must make greater and greater efforts to protect the data on their mainframes. You wouldn't expect a bank to have flimsy security systems to protect the money, so why should we have flimsy security measures on corporate databases? As more and more information is contained in corporate databases, and hackers and data thieves are continually refining how they attack corporate mainframes we must continually re-examine and refine how corporate entities go about protecting their greatest asset - data.