Security experts explore how and why security has always underpinned the mainframe platform
Part 1
By Reg Harbeck
Since the IBM System/360 was announced, its foundational security innovations have continued to uniquely position the mainframe as the system of record for the world economy.
Over the years between the System/360 and the modern IBM Z, people have struggled and innovated ways to make up for the lack of intrinsic security on other platforms. The mainframe continues to have proven to be the most securable platform by design, even as it adapted and often adopted innovations from other platforms to advance the leading edge of computing security.
Today, IBM Z is already positioned for the quantum and AI era, with integrated end-to-end functionality that allows key players in the global economy to proactively secure the world’s most critical data and processing.
In this Mainframe Master Innovations installment, we come face to face with the vision, the journey and the position that this historically definitive platform has manifested.
We all need to do this together as a community and have better cybersecurity hygiene, better cybersecurity practices, and implement security.
Security is interwoven with the entire journey of humanity, and even of life itself. Predators and prey predate history, as do immune systems and sociological survival mechanisms. The most compelling historical and fictional narratives often include an essential element of security being threatened, either surviving or restored (in happy stories) or giving out (in tragedies).
Yet somehow security has always seemed an afterthought, much like immunity, which only occurs after the arrival of a given disease. Security exposures are theoretically limitless, but practically based on the behaviors of known threats. So it was with computing security that the lack of prior history of threats left the door open to innovations by malefactors to which integrity keepers had to respond.
Yet, somehow, the designers of the System/360 and its accompanying OSes had the intuitive sense of how the platform needed to be designed to enable such security once the need was discovered. Dr. Fred Brooks, who was responsible for its design, pointed out: “For the architecture team, the real System/360 was the Design Concept itself, a Platonic ideal computer.” (Jr. Brooks, Frederick P. Design of Design, The: Essays from a Computer Scientist (p. 24). Pearson Education. Kindle Edition.)
So, when locked doors and passwords were insufficient to prevent early hackers from misusing resources and modifying or deleting important data, new solutions were called for. The answer came forth loud and clear on the IBM mainframe: a fully documented description of what a properly secured computing system would entail. Within a decade, IBM had published its Statement of Integrity, promising the mainframe wouldn’t do anything you didn’t explicitly configure it to do.
The three mainframe external security managers (ESMs) had all arrived on the MVS OS (which evolved into today’s z/OS):
RACF from IBM
ACF2 from Broadcom
Top Secret Security from Broadcom
SPONSORED CONTENT
Performs CIS, NIST and custom compliance checks for internal and external regulations.
Provides continuous enforcement, corrects commands in accordance with corporate policies, while controlling security administrators.
Continuously monitoring system software, file integrity and malware detection while providing real-time insights.
Supplies the most complete range of multifactor Token, Tokenless and PIV/CAC Card Authentication capabilities
As a platform designed from the most basic hardware elements and architecture through the most advanced OS features, the mainframe has many unique characteristics that provide a uniquely secure environment.
Security is, of course, a multidimensional matter that touches every aspect of business and computing. Likewise, the uniquely powerful and positioned security of the IBM mainframe impacts every aspect of business computing.
In their book “Practical UNIX and Internet Security,” Gene Spafford and Simson Garfinkel tell us, “A computer is secure if you can depend on it and its software to behave as you expect.” It’s not about technology: it’s about reliably, consistently, and with integrity, enabling the systems of the world economy to continue functioning the way we expect them to.
Foundationally, there are the identity and access controls that the mainframe ESMs actualized and offer uniquely powerful and granular controls for. Marshall confirms, “Authentication, authorization, and audit are all extremely important on all platforms. And the mainframe actually led the way on this.”
The Promise of Mainframe
The fact that it began as an expression of the best thinking and design is a key part of this. But it has continued to advance, not merely to compete with alternatives, but to respond to the emerging requirements, particularly including security, from the key participants in the world economy.
It has done this while keeping a promise made with the announcement of the original System/360 that any software that would run on one IBM mainframe would run on any of them. IBM has held true to its vow, making it possible for clients to focus on innovation, rather than constantly rewriting functional software merely for new releases of the platform.
Comprehensive auditing and logging
⟶
Comprehensive auditing and logging (including the system management facility or SMF) with real-time monitoring and alerting
Pervasive encryption
⟶
Pervasive encryption is the ability for z/OS to automatically encrypt relevant data in use or at rest
Modern approaches
⟶
Modern approaches learned on other platforms, such as multi-factor authentication (MFA)
One of the things that we think about when we are considering what data is it important to encrypt, we think about the sensitivity of that data.
Anne Dames, Distinguished Engineer at IBM, explains that pervasive encryption is, “one of the things that we think about when we are considering what data is it important to encrypt, we think about the sensitivity of that data. We think about whether that data needs to be kept secure for a short time or for a long time. The kind of information that you want to keep secure are things like personally identifiable information. You want to keep secure health records. You want to keep secure IP - intellectual property. You want to keep secure information that is considered sensitive.
“Those are some of the kinds of things that you might be storing in a data set that you might want to keep secure. You want to keep secure communication between two parties. You want to make sure that that also is using algorithms that are secure.”
One aspect of this comprehensively secure environment is the seamless manner in which every other dimension of its functionality is intertwined with it. So, when the capacity of IBM Z to handle massive data storage, processing and throughput is combined with every kind of virtualization, from hypervisors to containers, all of it is protected in every degree, from memory protection to secure separation of address spaces and OS images to network connections, which are often kept entirely inside the physical mainframe using means such as HiperSockets.
Marshall says, “There's really a set of levels that you have to start from the operating system building your way up to the application, and then building your way up to the users. You've got the network interface, you've got all sorts of pieces that come into play. Security has to be baked into all of them.”
NEXT