When I first started working in mainframe back in the 1990s, I was told that the mainframe was the most secure platform in the world and that it was impossible to hack it. For many years I thought this was true.
Now in 2016, and after working in IT security for several years, I feel sorry for those that still believe in this myth.
Maybe it’s just a matter of semantics, but it’s a very important difference: the mainframe is not the most secure platform in the world; it is the most securable platform in the world.
The mainframe isn’t secure by default. Like any other IT platform it requires attention, expertise, and constant work to make it secure. All this, requires investment; investment of time, energy and of course, money. And this is where everything tends to go wrong.
Most companies who have a mainframe tend to believe in the myth of the mainframe being unhackable and regard the need to invest in security as minor or even unnecessary. It doesn’t help of course, that some decision makers within the company, don’t even know that they have a mainframe, or even fail to understand the importance of this platform to the business. It’s the perfect recipe for disaster.
The mainframe can be hacked and it has been hacked! It’s just not too commonly known. Non-disclosure agreements (NDA) prevent security companies from saying who has been hacked, when, and how; but a quick search on Google for ‘mainframe hacked’ returns some cases that have been made public.
Working in IT security and from my own personal experience, I can say that the hackers are getting ever more interested on the mainframe; the mainframe is seen as the crown jewel, and hackers want to ‘steal’ it.
So, what does the future hold? If companies keep ignoring the fact that securing the mainframe is paramount for their businesses (96 of the world’s top 100 banks, and 9 out of 10 of the world’s largest insurance companies use a mainframe), then we can only expect bad things to happen.
What can we do? Companies need to start taking mainframe security seriously. Regular security audits and penetration tests are very important; these will help identify where the problems are. Security teams need to be trained and be up-to-date to the current security risks and trends. Companies need to hire more people to work in the security team as well. They can’t seriously expect small teams of 2 or 3 members of staff to be able to be on top of things when they have complex mainframe environments.
Decision makers and staff in general need to be security educated; they need to understand the importance of the mainframe in the company and what the risks and business impacts are. In sum, therefore, investment and changes in mentalities are required.
And let’s remember one important thing: the mainframe is not dead and it won’t be for the foreseen coming years (should read decades). Contrary to what some may think, the mainframe has been keeping up with the technological advances and is still THE MOST important IT platform for most big companies and government agencies around the world.