Mainframe Security:
The Future is Here

How IBM Z blazes the way with MFA, quantum-safe encryption, AI and more

Part 1

By Reg Harbeck

Do you remember the PASSWORD data set? According to IBM, it still exists. Back in the early days of System/360 and OS/360 this was one of the original security measures built into the mainframe. It contained a list of sensitive data sets and the password needed to access each. It was plain text. In their dedication to backwards compatibility, IBM still documents the nature of this early control.

The PASSWORD data set has long since been superseded by the three External Security Managers (ESMs) available on IBM Z: IBM RACF (Resource Access Control Facility), Broadcom ACF2 (Access Control Facility 2) and TSS (Top Secret Security). They are each foundational to the world-leading securability of IBM Z, providing authentication, resource authorization, granular administrative authority and scoping, detailed logging, complete recovery, and many other features that stand in a class apart from what is available on any other computing platform.

Each of these ESMs has used encryption for more and more purposes over the years, beginning with encrypting passwords and then entire security databases. They have also been used to generate and manage public/private key pairs and to interact with other aspects of encryption on the mainframe.

But mainframe security, and every type of computing security relevant to the mainframe, now exceeds the scope of the ESMs, so additional tools, both on and off the mainframe, have been introduced to continue advancing the securability of this key platform.

Multi-Factor Authentication

MFA is 99% effective in thwarting cyber attacks.
—Ravi Patil, director of cybersecurity and compliance at Broadcom Mainframe Software

Multi-Factor Authentication (MFA) uses not just a user ID and password to log on (authenticate) to the mainframe, but also an additional, separate factor, often delivered via the user’s mobile phone, though many other options exist.

As Ravi Patil, director of cybersecurity and compliance at Broadcom Mainframe Software, points out, “Research has been done to show that MFA is 99% effective in thwarting cyber attacks.” In other words, one of the most important ways to secure access to the mainframe is with the addition of something off the mainframe.
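The "something you know plus something you have" idea behind MFA can be made concrete with a small two-factor check. The following is an added illustration, not IBM Z MFA code or anything from the article: it pairs a salted password hash with a time-based one-time password (TOTP, RFC 6238) as the second factor, the kind of code a phone authenticator app produces. The user store, the salt and the clock values are constructed for the example; the TOTP seed is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```python
"""Two-factor check: salted password hash plus an RFC 6238 TOTP code (added example)."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

TIME_STEP = 30      # seconds per TOTP window (RFC 6238 default)
DIGITS = 8          # code length; RFC 6238 test vectors use 8 digits
SKEW_WINDOWS = 1    # accept one window either side to tolerate clock drift


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 so the 'something you know' factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, now // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Check the current window and +/- SKEW_WINDOWS; no early exit, constant-time compares."""
    counter = now // TIME_STEP
    ok = False
    for c in range(counter - SKEW_WINDOWS, counter + SKEW_WINDOWS + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


# Constructed user store for the example. The seed is the RFC 6238 Appendix B test
# secret, so e.g. T=59 must yield 94287082 (the RFC's published value).
SALT = b"constructed-salt"      # real systems: a random per-user salt, e.g. os.urandom(16)
USERS = {
    "IBMUSER": {
        "pw_hash": hash_password("correct horse", SALT),
        "salt": SALT,
        "totp_seed": b"12345678901234567890",
    }
}


def authenticate(user_id: str, password: str, otp: str,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Both factors must pass. The reason string is for the audit log, not the end user."""
    if now is None:
        now = int(time.time())
    user = USERS.get(user_id)
    if user is None:
        hash_password(password, SALT)       # same work for unknown IDs, so timing does not reveal them
        return False, "unknown user"
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_seed"], otp, now)   # evaluated even if the password failed
    if pw_ok and otp_ok:
        return True, "password and TOTP verified"
    if not pw_ok and not otp_ok:
        return False, "password and TOTP rejected"
    return False, "password rejected" if not pw_ok else "TOTP rejected"


if __name__ == "__main__":
    seed = USERS["IBMUSER"]["totp_seed"]
    print(totp(seed, 59))                                         # 94287082 per RFC 6238
    print(authenticate("IBMUSER", "correct horse", "94287082", now=59))
    print(authenticate("IBMUSER", "correct horse", "00000000", now=59))
```

The point the code makes is the one Patil's statistic rests on: a stolen or guessed password alone is not enough, because the second factor is derived from a secret that never leaves the user's device and a clock, and the server evaluates both factors before answering. In practice the seed would live in a hardware token or the ESM's MFA component, and the reason strings would feed the platform's logging rather than the user's screen.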

Encryption

As hinted earlier, encryption also exists well beyond the traditional purview of the ESMs. One key aspect of this is pervasive encryption: the ability for critical data on the IBM Z mainframe to be encrypted and decrypted as needed by the platform itself, so applications don’t need to be modified to benefit from it. Of course, everything has a trade-off in terms of resource usage, complexity and even relevance, so even though encryption is now broadly and readily available on IBM Z, it’s still important to choose which things to encrypt.

Anne Dames, Distinguished Engineer at IBM, makes this clear. “One of the things that we think about when we are considering what data it is important to encrypt, we think about the sensitivity of that data. We think about whether or not that data needs to be kept secure for a short time or for a long time.

“So, the kind of information that you want to keep secure are things like personally identifiable information. You want to keep secure health records? You want to keep secure IP (intellectual property). You want to keep secure information that is considered sensitive. So those are some of the kinds of things that you might be storing in a data set that you might want to keep secure. You want to keep secure communication between two parties. So you want to make sure that it also is using algorithms that are secure.”

Quantum Computing

But then along comes quantum computing, and with it the inexorable progress toward being able to decrypt data that has been protected with larger and larger encryption keys. It may soon be practical to factor extremely large products of two prime numbers that traditional computing could not handle in less than millions (or more) of years. Such numbers are at the heart of blockchain, cryptocurrency and PKI.

Ravi Patil answers crucial questions:

What does the government recommend that corporations do now?

“The government is now recommending that all corporations upgrade their encryption algorithms to be quantum resistant by the year 2030.”

What is the imminent threat to encrypted data?

“The attack vector that exists right now is harvest now decrypt later, meaning the cyber gangs are vacuuming information, even though it's encrypted. They can't do anything with it now, but once quantum computers arrive on the scene, they can do brute force attacks, depending on the encryption level, and that data will then be rendered in plain text.”

The date when quantum computing becomes an immediate threat to critical encrypted data is being referred to as “Y2Q,” or years to quantum, which, unlike Y2K before it, is an unknown but imminent date. So using the quantum-safe encryption now available on the IBM Z platform is important today, and it’s not too early to begin converting all critical encrypted data to such algorithms.
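Dames's two questions (how sensitive is the data, and how long must it stay secret) and Patil's harvest-now-decrypt-later warning combine into a single planning rule: ciphertext that can be captured today and must remain confidential past the arrival of a capable quantum computer has to be migrated first. The following is an added example, not IBM's or the article's own tooling, that applies that rule to a crypto inventory. The inventory records, the assumed year a cryptographically relevant quantum computer exists (CRQC_YEAR), the reference year (TODAY) and the sensitivity scale are constructed assumptions; the 2030 deadline is the one the article quotes.

```python
"""Prioritising encrypted assets for quantum-safe migration (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

MIGRATION_DEADLINE = 2030   # from the article: recommended quantum-resistant by 2030
CRQC_YEAR = 2035            # ASSUMPTION: planning year for a capable quantum computer
TODAY = 2024                # ASSUMPTION: reference year for the calculation

# Shor's algorithm breaks these public-key schemes outright; a longer key does not help.
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH"}
# Grover's algorithm roughly halves symmetric strength (AES-128 -> ~64-bit work),
# so this policy requires 256-bit symmetric keys, as CNSA 2.0 does.
SYMMETRIC_MIN_BITS = 256
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}  # constructed scale


@dataclass
class CryptoAsset:
    name: str
    sensitivity: str          # key of SENSITIVITY_RANK
    secrecy_years: int        # how long the data must stay confidential (Dames's 'short or long time')
    algorithm: str            # "RSA", "AES", ...
    key_bits: int
    exposed_in_transit: bool  # ciphertext observable on a network, i.e. harvestable today


def quantum_vulnerable(asset: CryptoAsset) -> bool:
    if asset.algorithm in QUANTUM_BROKEN:
        return True
    return asset.key_bits < SYMMETRIC_MIN_BITS   # symmetric, but too short once Grover applies


def hndl_exposed(asset: CryptoAsset, today: int = TODAY, crqc_year: int = CRQC_YEAR) -> bool:
    """Harvest now, decrypt later: the data must still be secret when a CRQC exists."""
    return quantum_vulnerable(asset) and today + asset.secrecy_years > crqc_year


def assess(asset: CryptoAsset, today: int = TODAY) -> Tuple[int, str]:
    """Return (priority, reason). 0 = no action, 1 = migrate by deadline, 2/3 = migrate first."""
    if not quantum_vulnerable(asset):
        return 0, "algorithm and key size acceptable against known quantum attacks"
    if hndl_exposed(asset, today):
        # Every day of exposure is ciphertext an adversary can store and read later.
        urgent = asset.exposed_in_transit or SENSITIVITY_RANK[asset.sensitivity] >= 2
        return (3 if urgent else 2), (
            f"HNDL exposed: must stay secret until {today + asset.secrecy_years}, "
            f"beyond assumed CRQC year {CRQC_YEAR}")
    return 1, f"quantum-vulnerable; schedule migration before {MIGRATION_DEADLINE}"


def plan(assets: List[CryptoAsset]) -> List[Tuple[str, int, str]]:
    """Highest priority first; stable sort keeps inventory order within a priority."""
    scored = [(a.name, *assess(a)) for a in assets]
    return sorted(scored, key=lambda row: -row[1])


# Constructed inventory for the example.
INVENTORY = [
    CryptoAsset("health records archive", "restricted", 25, "AES", 256, False),
    CryptoAsset("payments link, RSA key exchange", "confidential", 15, "RSA", 2048, True),
    CryptoAsset("batch report signing", "internal", 2, "ECDSA", 256, False),
    CryptoAsset("legacy backup set", "confidential", 20, "AES", 128, False),
    CryptoAsset("public website certificate", "public", 0, "RSA", 2048, True),
]

if __name__ == "__main__":
    for name, priority, reason in plan(INVENTORY):
        print(f"P{priority}  {name:35s} {reason}")
```

Two results are worth noticing. The AES-256-protected archive needs no action even though it is the most sensitive item and has the longest lifetime, which is why pervasive encryption with strong symmetric keys is a good place to already be. The public-key material is where the work is, and the ordering is driven by lifetime and exposure rather than by sensitivity alone: a session key negotiated over a network today, protecting data that must stay secret for fifteen years, is exactly the harvest-now-decrypt-later case Patil describes.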