Part 1
By Reg Harbeck

When everyone is already running flat out, and another technology, another challenge, another regulation arrives, something’s gotta give. Dealing with these issues isn’t optional.
However, the first instinct in the world of business when facing a problem that does not appear to add bottom line value or build our core competence is to make it someone else’s problem.
Yet, as Stephen Covey tells us in his famous book, “The 7 Habits of Highly Effective People,” you must sharpen the saw and take ownership of your own wellbeing—or in this case your company’s health.
We get the business connection on the mainframe. After all, two of the key mainframe constituents – IBM and COBOL – have the same middle name: Business. It’s about running the business of the world in a manner that is proven to be trustworthy.
Rebecca Levesque, chief technology advisor at 21CS, affirms, “It's the business need and the value that drives the IT, whether it's the platform you go on or the services you provide or the compliance that's required.”
Mark Wilson, technical director at Vertali, confirms, “Being resilient is about people, it's about process and the technology, not just about ‘I've put some extra backups in place.’”


All these matters of compliance, then, are exactly about having a viable organization. Levesque recommends viewing compliance differently. “Compliance isn't our enemy. It's our friend. Compliance is what's going to allow you to do the best job possible, grow within your job, allow you to learn new things, and take on new challenges,” she explains.
That doesn’t change the fact that compliance is a growing burden that needs to be addressed strategically, not just as a matter of course. And automation must play a central role in this.
Manual compliance takes time and effort. “As a task-oriented world, we need to be more automated. We can use our minds and our thinking in order to be automated,” she adds. “The other thing that we have to address is that we're going to have constant changes.”
At the same time, no two organizations have identical compliance needs. As Milt Rosberg, VP of global sales, marketing and business development at Vanguard Integrity Professionals, makes clear, “Every organization needs to take the time to really decide what regulations they're going to pay attention to and use those as a guideline.”
What they all have in common could be described as health, as uniquely relevant to each organization’s business. Provably achieving and sustaining it is the key. But what does that look like? One of the core aspects of health is resilience.
Given the many different geographical and political circumstances involved, sovereignty is also an increasingly critical aspect of this. In a recent blog, Levesque wrote: “Resilience determines whether systems can be recovered, sovereignty determines whether that recovery is controlled, and compliance demonstrates that operations remain within defined boundaries. When these elements align, organizations can operate with confidence. When they do not align, recovery may occur, but the organization cannot demonstrate that it is operating within control.”
Bringing it all together, compliance must be pursued, achieved, maintained, and proven to auditors and other interested authorities. The set of relevant rules, regulations, frameworks, blueprints, and best practices is unique to each organization, based on factors that include:
The industry they’re in
Where they’re located
Their unique history
Their role in the world economy
So, your organization is already compliant with all relevant regulations worldwide, and consistent with the frameworks and best practices that show what success looks like? Great! Just as you feel like your organization is set, along comes some more for you to deal with. These could include technology changes, new innovations and unplanned configuration drift.
In other words, even the best of us end up among the rest of us the moment something changes. And something is always changing.
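Configuration drift is the most common way a once-compliant system quietly stops being compliant, and it is also the easiest part of compliance to automate. The following Python script is an added illustration, not code from the article or from any of the vendors quoted in it: it compares a snapshot of live settings against an approved baseline and classifies every deviation. The baseline, the snapshot and the control names (`password.min_length`, `tls.min_version`, and so on) are constructed for this example; a real baseline would come from the organization's own standards.

```python
"""Detect configuration drift against an approved compliance baseline.

Added example, not from the article. Every control id and value below is
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed baseline: the approved value for each control.
BASELINE = {
    "password.min_length": 14,
    "password.max_age_days": 90,
    "session.idle_timeout_minutes": 15,
    "audit.log_enabled": True,
    "tls.min_version": "1.2",
}

# Direction in which a deviation still counts as "stricter" than the baseline.
HIGHER_IS_STRICTER = {"password.min_length", "tls.min_version"}
LOWER_IS_STRICTER = {"password.max_age_days", "session.idle_timeout_minutes"}

# Constructed snapshot of the live system, deliberately drifted in four ways:
# one control is stricter, one is weaker, one is missing, one was never baselined.
CURRENT = {
    "password.min_length": 16,
    "password.max_age_days": 180,
    "session.idle_timeout_minutes": 15,
    "tls.min_version": "1.2",
    "debug.remote_dump_enabled": True,
}


@dataclass(frozen=True)
class Finding:
    control: str
    expected: object
    actual: object
    kind: str  # "missing", "weaker", "stricter", "changed" or "unbaselined"


def _normalise(value):
    """Turn dotted version strings such as "1.2" into comparable int tuples."""
    if isinstance(value, str) and value.replace(".", "").isdigit():
        return tuple(int(part) for part in value.split("."))
    return value


def check_drift(baseline: dict, current: dict) -> list[Finding]:
    """Return one Finding per control that deviates from the baseline."""
    findings: list[Finding] = []
    for control, expected in baseline.items():
        if control not in current:
            findings.append(Finding(control, expected, None, "missing"))
            continue
        actual = current[control]
        exp_n, act_n = _normalise(expected), _normalise(actual)
        if act_n == exp_n:
            continue
        if control in HIGHER_IS_STRICTER:
            kind = "stricter" if act_n > exp_n else "weaker"
        elif control in LOWER_IS_STRICTER:
            kind = "stricter" if act_n < exp_n else "weaker"
        else:
            kind = "changed"  # no ordering defined; any deviation is drift
        findings.append(Finding(control, expected, actual, kind))
    # Settings present on the system that the baseline never covered are
    # drift too: nobody has decided whether they are acceptable.
    for control, actual in current.items():
        if control not in baseline:
            findings.append(Finding(control, None, actual, "unbaselined"))
    return findings


def is_compliant(findings: list[Finding]) -> bool:
    """Stricter-than-baseline settings do not break compliance; everything else does."""
    return all(f.kind == "stricter" for f in findings)


def report(findings: list[Finding]) -> str:
    """Render findings as audit-ready lines; every line needs a human explanation."""
    if not findings:
        return "no drift from baseline"
    return "\n".join(
        f"{f.kind.upper():11} {f.control}: expected={f.expected!r} actual={f.actual!r}"
        for f in findings
    )


if __name__ == "__main__":
    drift = check_drift(BASELINE, CURRENT)
    print(report(drift))
    print("compliant:", is_compliant(drift))
```

Note that a stricter setting still produces a finding even though it does not fail the compliance check: any drift from the approved blueprint, in either direction, is something an auditor will expect a person to explain, so it belongs in the report rather than being silently accepted.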
Once you have a clear picture of your compliance environment and have established clear baselines, blueprints, and guidelines to follow and report on, you can choose the appropriate tools and begin to implement and automate. But important challenges must be considered as you architect your approach:


Those are the basic challenges. But now, two new double-edged swords have arrived.


First, there’s the advent of quantum computing and its implications for encryption. The date in the near future when quantum computing will be sufficiently powerful and pervasive to decrypt sensitive data such as corporate secrets, personally identifiable information, and cryptocurrency keys is known as “Y2Q,” and it is nearly here. It’s already time to be re-encrypting critical data using quantum-safe algorithms, such as those already provided by the IBM Z mainframe.
“So quantum, as much as we act like it's a known, the one thing we know is what we don't know. We know that we're going to have to be worried a little bit more about protecting our data. We need to put things in place now. That's the whole reason for the NIST framework,” Levesque says.
“We know inevitably that … our encryption needs to be stronger. We know inevitably that bad actors can use this against us as much as we can use it for us. We know that the type of things that quantum can do are different than other algorithms and other things that we do.”
Now, combine that with the double-edged sword of AI, and compliance becomes the canary in the coal mine of survival for your organization.
Wilson maintains that there are other challenges in using AI to try to find weaknesses in systems. “I think it doesn't matter whether you've got quantum safe encryption in place. If I can get onto the system and then elevate my privileges to a state where I'm supervisor state key zero, I can just call all the encryption routines I want anyway legally and decrypt everything I want,” he explains.
Brian Marshall, chief strategist at Vanguard Integrity Professionals, believes this pair of double-edged swords will manifest like a war of sorts. “We're going to be using AI to find vulnerabilities and fix those vulnerabilities before the other AIs can exploit them. So it's going to become … an AI arms race. And that's how I've begun to start thinking about it. We are in an AI arms race between the black hat and the white hat. And instead of human hackers, it's going to be AI hackers doing it.”
One more major issue that Rosberg points out is that organizations need insurance in place to prepare for eventualities. Importantly, it must be people who make, and provide the explanations for, any compliance-relevant changes. Allowing AI to make them instead can jeopardize an organization’s insurability.
“They're talking about having stipulations in the insurance that they won't pay for the cybersecurity if you start introducing new rules and regulations from AI that they're not able to evaluate,” Rosberg says.