Have you ever noticed that technology is the only industry where the term “legacy” carries a negative connotation? In recent months, so-called legacy systems - most notably the mainframe - have drawn much unwarranted ire, particularly in the government sector. Mainframe technologies are outdated, not compatible with modern security approaches and represent a major risk, critics argue.
But the facts tell a different story. Contrary to popular group-think, the widely publicized Office of Personnel Management (OPM) breach did not originate on the mainframe, but within a surrounding distributed infrastructure. Older programming languages that typically run on the mainframe, like COBOL and Fortran - which were designed with “thick walls” to begin with - continue to be updated to support the newest security protocols. The argument that they “can't be modernized” is unsubstantiated nonsense.
The mainframe remains the most intrinsically secure platform on the planet for several additional reasons. First, all of the hardware and software that's needed to complete mainframe transactions resides on a single machine, unlike a distributed environment where there is much network traffic that can be intercepted by an attacker. Second, mainframes' front-end processors often handle the task of interfacing with the rest of the world, freeing up the system to do nothing but what it was expressly designed for - executing transactions. These front-end processors also handle the security aspects, effectively isolating the mainframe from the rest of the world.
Yet according to a recent survey of CIOs worldwide, 70 percent report they have been surprised by the amount of additional work and money required to ensure newer platforms match the mainframe's level of security. In fact, security – along with superior reliability, scalability and sheer strength – are key reasons for the mainframe's longevity, and it stands alone in its ability to handle the massive workload increases brought on by the digital economy.
From a security perspective, however, there is a growing threat that all organizations must keep an eye on, including mainframe users - and that is the insider threat. According to IBM's 2016 Cyber Security Intelligence Index, approximately 60 percent of all cyberattacks are carried out by insiders. The insider role in breaches – whether malicious or inadvertent – is massive and growing, across all types of companies.
Another recent survey of U.S. CIOs at mainframe-based organizations found that a majority of their business-critical information - and customers' personally identifiable information (PII) - continues to reside on mainframes. This makes determining how best to safeguard against inside attacks a critical business decision.
Today's organizations using mainframes must evolve their approaches, moving beyond simply reviewing insufficient log files and SMF data to capturing and analyzing complete start-to-finish user behavior. Some may cringe at this suggestion of “surveillance,” but when you consider what's at stake, surveillance need not be a dirty word. In fact, it is a necessity for any organization that wants to protect itself from breaches (both malicious and unintentional) and their devastating impact, including tarnished brand, lost revenues and non-compliance fines.
So the next time you hear that the mainframe – or any other technology for that matter - is too old, too antiquated and not compatible with modern security approaches, make sure you know the facts before you generalize. While floppy disks certainly have seen their day, as an industry we often fall victim to believing that just because something is new or modern (the cloud, for instance), this somehow automatically translates to “better.” That's not always true, and individual technologies need to be evaluated on a case-by-case basis. Instead of ripping, rewriting and replacing your mainframe code (which we've seen result in many disasters), most mainframe user organizations would be much better served focusing their efforts where they're apt to make a positive difference – protecting against the insider threat.
