Mainframe Master Innovations

Chapter 4

Security and the Mainframe 

“The IBM System Integrity Statement represents decades of confidence and commitment in the IBM Z and IBM LinuxONE platforms. System integrity has many facets, including excellence in system security, design and development. These are all intended to prevent unauthorized application programs, subsystems and users from bypassing system security, preventing them from gaining access, circumventing, disabling, altering or obtaining control of key system processes and resources unless allowed by the installation.” – IBM’s System Integrity Statement, first issued in 1973 and updated with each new level of innovation.

As the system of record for the world economy, the IBM mainframe has effectively and uniquely shouldered the mantle of integrity to such an extent that it is normal for applications on other platforms to let the mainframe be the keeper of the most sensitive data they use and serve. 


While the story of this security begins with the earliest days of the mainframe, the key point of inflection was the founding of the SHARE Security Project in 1972 with the publication of the original document describing the requirements for production-quality security, and the subsequent development and refinement of the three distinct External Security Managers (ESMs): IBM’s RACF and Broadcom’s ACF2 and Top Secret Security. These distinct software products, tightly integrated with the operating system through the System Authorization Facility (SAF), provide a uniquely powerful policy-based capacity for authentication, authorization and awareness.

In fact, that tight integration from hardware all the way up and the pervasive integrity are key differentiators of mainframe security. As  chief strategist at Vanguard Integrity Professionals, explains, “Essentially one of the things that the mainframe gives us is the ability to have reliable data, data with integrity, the data availability. So Reliability, Availability and Serviceability: RAS, right? When people talk about security, they very rarely think about RAS.

“But it’s actually important because if your system’s not up and available, security doesn’t matter. Beyond that, we’re talking about, within the system itself, not just the ESMs, but going back to the IBM integrity statement. How important it is that the system itself keeps data and programs separated in memory and from other programs themselves. 


“So, you have integrity of data, you have integrity of programs: it’s not easy to write a program to go run on a mainframe, go read and see everything else that’s happening in memory because you’re denied access to that.”


Of course, security is not a converged destination but an ongoing journey, responding to each emergent threat in order to keep supporting the confidentiality, integrity and availability of critical information and processing. And at the forefront of that journey, the IBM mainframe platform has continued to be a security leader.


In fact, security visionaries see the mainframe’s leading role in security becoming an explicit one: a role it offers as a service to other platforms, as they interact in a zero trust world to maximize the security of corporate and personal data across the board.


As Marshall explains, “We’re actually moving towards allowing all sorts of disparate information to be combined on platform and taken and sent off platform for consumption by either a SIEM or other type of application that’s interested in consuming that data, whether it’s compliance data or security data.


“I’ll even go so far as to say, security rules themselves, we can actually take the entitlement data from the mainframe and make it available off platform and bidirectionally allow the off-platform application to request services to and from the mainframe or allow it to have its two sets of security rules that have been synchronized on platform and off platform and allow the synchronization of the security entitlements bidirectionally.


“We’re going to see more and more of this in the coming years where more and more applications are going to want to take their data and take it off of the mainframe. They’re going to want to take the data and make it available off-platform without losing the security that they have on the platform today because the platform on the mainframe has been created honestly over the last 30 to 40 years and it’s evolved over 30 to 40 years and it’s really hard for anybody to go to a bank and say we want you to take all of your financial information, take this off platform and just believe us when we tell you it’s going to be secured, kind of the same. 


“They go, ‘No, no, no, no, that’s not really good enough for us! If we’re going to do that, we want some method where we can take the entitlements that exist on the mainframe and make them available off the mainframe.’”

Of course, new threats will continue to emerge, new security innovations will both anticipate and respond to such threats, and new regulations and standards will mercilessly pummel the world of IT without surcease. The platform that is known to remain robust under sustained high demand is the one that can handle this ever-increasing load. As  Global VP for Sales Marketing and Business Development for Vanguard Integrity Professionals, puts it, “The mainframe is built to run, it’s happy at 90%. It loves going fast. And you take a lot of this open systems architecture, they’re not real happy at 50.”

Regulations, Reliability, Privacy and the Mainframe

Before the advent of electronic computing, keeping data behind a locked door was a standard way to secure it. But there have always been secret or confidential data that needed to be treated with greater sensitivity, and numerous mechanisms throughout the ages to maintain that status, with varying degrees of effectiveness.


The arrival of the internet was the essential turning point, after which a locked door no longer did much to secure data stored on network-connected computers. Fortunately, the foundational paradigms for computing security had already been established on the IBM mainframe by that time. But the requirements for securing data on and between various platforms necessitated the creation of rules, regulations, laws and principles of confidentiality and privacy that have multiplied over recent decades.


While various industry and professional bodies have had key roles in elaborating on their own standards to meet emergent IT challenges, the majority of new regulations have had politicians among their main enactors. As a consequence, the concerns of the general electorate have played a much greater role in modern privacy legislation than in the past.


Interestingly, many of the rules and regulations make inaccurate assumptions about the nature and capacity of the platforms that are stewards of critical data, because the technical experts brought in to help draft them rarely have mainframe experience. Fortunately, time and again the mainframe ecosystem has risen to the challenge and exceeded all requirements, sometimes simply by proving that they had never been issues on the mainframe to begin with.


Nonetheless, the mainframe is the de facto steward of the majority of the world’s most sensitive business and personal data, so regulatory compliance and privacy of consumer data have become explicit components of the security context on the mainframe. The range, depth and currency of the solutions available for it clearly reflect this.