Security Strategy, Plan, Budget

Remember the mainframe

Yet, because of its enormous processing speed and power, the mainframe now runs about 80 percent of the world's mission-critical data and applications, industry experts estimate. Although there was a cost-savings trend about 10 to 12 years ago to move valuable information and applications off the mainframe and onto distributed Linux- or Window-based platforms, the process proved more tedious and expensive than anticipated, and the mainframe — the foundation of computing — endured.

"While the overall number of IBM mainframe customers is declining, as the number of smaller customers migrating off the mainframe each year exceeds the number of first-time customers, most large enterprises have accepted that their legacy application suites ... will need to remain on the mainframe environment," says Rakesh Kumar, a vice president in Gartner Research, specializing in large-scale enterprise computing strategies.

Industry leaders predict about 10,000 and 15,000 mainframes are in use worldwide. While they remain widely deployed, though, mainframes have suffered through a long period of neglect, experts agree. Many IT administrators have almost forgotten about the platform although it provides security and reliability.

"The problem is that the mainframe has effectively become invisible because it has worked so well," says Reg Harbeck, global mainframe solutions manager at Islandia, N.Y.-based CA, a leading provider of mainframe security. "But there's a need for companies to take their mainframes seriously. The mainframe is a powerhouse of business computing, when understood."

Some older mainframe professionals have grown complacent and are overlooking emerging risks, say experts, while the younger set seems more drawn to innovative appliances and obvious network threats than an intricate and mature platform that was developed years before they even were born.

But compliance is changing this stand-offish attitude, industry observers say. Regulations spelled out in federal laws requiring organizations to log and report financial and accounting assets — many of which sit on the mainframe — are changing the way organizations act. And they are being forced to reassess their baseline security controls to determine whether proper protocols are in place.

Combine that with a bevy of new security worries now that the mainframe is connected to the network, and the nearly half-century-old supercomputer is again, dare we say, fashionable.

"Companies are realizing they have a lot of important stuff on there, and compliance isn't going to stand for that," says Lina Liberti, vice president of product marketing for security management at CA. "That is what's creating the vogue. It's not that someone's been called on it. But people are realizing that if we're signing on the dotted line for information security — and some of that information is on the mainframe — I need to be looking at that."

The mainframe has long been valued for its security. Leading producer IBM (Big Blue has about a 90 percent market share) says the security architecture of the mainframe is incomparable — and most experts agree the box was built with safety in mind.

"Designed from the ground up to make intrusion into the system nearly impossible, the IBM mainframe is one of the most secure servers on the market," IBM says in a fact sheet. "The System z's [the latest version] approach to security is integrated and multi-layered." Just last year, IBM announced encryption software for the mainframe that is designed to secure the transport of data tapes.

"Mainframes are the most securable general purpose computing platform available at a company," says Ronn Bailey, founder, CEO and CTO of Vanguard Integrity Professionals, a Las Vegas-based corporate data security firm.

Joanne Kelly, senior information security analyst at Boston University in Massachusetts, says she would not use any other platform to process the college's critical business data, including payroll and human resources information. "With the mainframe, you have one central server," she says. "It's secure. They have it right. For those people running legacy systems, you can't do better."

Plus, the mainframe has "security by obscurity" going for it. Many would-be hackers have little knowledge of the highly customized operating systems run on the mainframe, says Gunter Ollmann, director of X-Force research and development at Atlanta-based Internet Security Systems. Therefore, they tend to focus their attention on platforms of which they have a better grasp, such as Windows.

But during the past 15 years, the mainframe is taking on increasing capabilities, such as hosting Linux and Unix web-based applications. "I think you'll find that they are heavily firewalled internally, and access controls are forced to very high levels," Ollmann says. "That said, all you need is one machine with a connection to the mainframe, for whatever reason, and if you were to compromise that workstation, you'd have much freer reign to hack or play around with the mainframe itself."

Although avenues for attack may be growing, the major threat to the mainframe's integrity is the people responsible for running it, experts say. The system is still the most securable and reliable platform in the world, so responsible management and proper implementation of security controls typically can make all the difference. Instead, many security professionals are focusing their attention on the obvious network threats, not realizing the mainframe could be at risk.

"The biggest threat is not the software, hardware and hackers," Harbeck says. "IT managers don't understand the critical role the mainframe plays in the internet protocol (IP) and business environment. Managers are making decisions without realizing the mainframe often processes their most critical information processing."

What may help the cause are people such as Michael Sullivan, 23, who is seeking a master's degree in computer science at Boston University and is working as an analyst under Kelly. He says he enjoys working with the mainframe, even though he knows others his age are learning more about distributed systems.

Especially in light of compliance, the mainframe provides an organized platform for centralizing data, Sullivan says. "You have everything in one place. It's a lot easier to keep everything accounted for when you have it one place. It's a lot easier to monitor what's going on."

But the mainframe needs protection as it stands at the core of the nation's critical infrastructure, Bailey says. However, the United States is "polarized between two camps, one which thinks in bits and bytes, the other in bullets and bombs."

"I just don't think it's an either/or world," he says. "How many al Qaeda guys have high degrees in information technology? They're very sophisticated and they're very intelligent and they live in a cyberspace world."

He says securing the mainframe, pivotal to preventing more terrorist attacks, should not pose a daunting challenge for organizations and governments. Compliance will help, he adds.

"While the effort to secure these environments is not proportionate to the risk, it's not difficult to fix this," Bailey says. "The mainframe continues to be the most securable and the most robust. It is not difficult to fix these problems if you have the right tools and people. There is a message of hope here that it doesn't take that much time and effort. We just have to take care of it."


Facts and figures


Cost: Rented for $2,700-$115,000 per month
Cost to create: $5 billion ($30 billion in today's dollars)
Sold: 1,000 models per month shipped in 1966
Date shipped: April 7, 1964
Speed: Could process up to 750,000 additions per second
Memory: Could store up to 8,000,000 characters

System z9

Cost: $100,000
Cost to create: $100,000
Sold: N/A
Date shipped: Sept. 16, 2005
Speed: Process 1 billion transactions per day
Memory: Up to 512 GB

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.