The Mainframe vs. Distributed Platforms: 10 Key Security Questions to Help Determine the Most Secure Platform

By Stu Henderson

When you’re allocating resources between the mainframe and distributed platforms, and when deciding which platform to use for new applications, security will be one of several key factors in your evaluation. This article lists 10 key questions to ask about security on any platform, and describes how the mainframe (usually with the z/OS system software) ranks on each one. Because basic management controls of a well-run data center are interrelated, some of the questions will transcend security, addressing areas such as cost reduction, capacity planning, and problem management.

This article will provide a good framework against which to do your evaluation. On most measures, the mainframe offers more security than any other commonly available platform.

Most of these security advantages result from issues of:

• Size, since a larger operation can afford more functions and features, due to economies of scale
• Architecture, since a solid foundation makes it easier to build a secure structure
• Standards, since shortly after Lou Gerstner took over as CEO of IBM, IBM started abiding by all the common standards for security and interconnectivity.

When evaluating the mainframe against other platforms, consider these 10 questions relating to security:

1. How well does it protect sensitive data?

Mainframe computers provide for complete protection of all data from unauthorized reading and writing. If you want a measurable standard of how good the security of a given computer is, you probably want to know how it scores on the Common Criteria, a set of standards supported by the International Standards Organization (ISO). They specify seven levels of security from Evaluation Assurance Level (EAL)-1 up to EAL-7. A computer system is granted an EAL certification only after rigorous independent testing. Levels EAL-1 to EAL-4 apply to commercial installations. Levels EAL-5 and higher are much more formal and are granted only after certification by the National Security Agency (NSA).

Mainframe computers with z/OS system software have been certified at EAL-4+. Mainframes with VM system software have been certified at EAL-3+. With Linux system software, mainframes have been certified at EAL-4+.

Mainframe computers are usually kept behind locked doors in a secure data center. This physical security provides a “secure zone,” and within that zone, the mainframe security software permits only authorized users to access data. Outside the security of the data center, access to data is restricted by means of encryption. Whether the data is sent over a network or shipped on a tape cartridge, encryption can prevent unauthorized data access. You’ve probably read of companies whose computer tapes containing sensitive data were stolen off delivery trucks. In cases where the data on the tapes had been encrypted, the loss was minimal.

Mainframe computer security provides several additional access control functions not commonly found on other types of computers. These include verification of tape access by means of tape labels, access control over printouts before they’re printed, and automated obliteration of data when disk data sets are erased.

Because of its large size and standardized processes, the mainframe can be said to offer more functions and more comprehensive protection of computerized data than most computing platforms.

Windows computers have received a Common Criteria rating of EAL-4+, the same as mainframes with the z/OS operating system. Unix computer ratings vary with the brand of Unix, but mainframes with Linux also have been rated EAL-4+.

Mainframes can provide more security functions than Windows or Unix, such as the tape and printout protection previously described, because of their greater processing power. Unlike mainframes, Windows and Unix systems aren’t always housed in locked data centers with strong physical security.

For any computer system you’re considering, ask how it ranks on the Common Criteria, which provides a consistent, independent evaluation of a given computer’s security. Also, ensure that your staff encrypts all sensitive data leaving your data center.

2. How well does it protect things other than data?

Beyond data sets, mainframe security tools let you restrict access to anything else you want using a single security tool. As computer systems increase in size and complexity, there’s more to protect.

Some computer systems provide this protection via a variety of tools, each operating independently of the others. This makes it difficult for anyone to see and to understand the overall security picture. For example, you might want to control which programs can access the Internet, who can issue what type of commands to the computer, who can cancel programs from executing, and who can access various parts of a database. If each of these resources is protected with a different tool, no one person will be able to tell you whether they’re all adequately protected.

It would be better to have all resources protected by a single tool, which is administered by a single set of security administrators. This is what the mainframe gives you. (Mainframes have one of three possible security tools: IBM’s RACF, or one of two CA offerings, ACF2 or TopSecret.) Any of these will let you protect literally hundreds of types of resources. For example, you can restrict who can execute certain powerful programs, who can use a given workstation, or who can execute specified online transactions. Your data security officer will likely have a list of these resource types, along with an indication of which ones he is using.

Mainframes are configured to protect hundreds of types of resources beyond data sets. Windows and Unix computers also can protect many types of resources. We know of no formal study to determine which type of computer is commonly configured to protect more types of resources. However, mainframes can protect all resource types with a single tool, administered by one security staff member. This makes it possible to have one person responsible for computer security; that person can easily review and understand all security settings.

Consider WebSphere MQ software that runs on mainframes, Windows, Unix, and many other platforms. On the mainframe, the same tool that protects data sets controls access to WebSphere MQ resources (such as commands, queues, and namelists). On other platforms, the tools or control files used to protect these resources often aren’t the standard tools used to protect data sets.

Windows and Unix computers don’t have a single security mechanism you can easily invoke with various software packages and administer with a single person. So it’s harder on these platforms to hold a data security officer accountable for all security settings.

When evaluating the security of any computer platform, don’t just consider controls over who can use the system and who can access data. Ask for a list of what types of resources can be protected, which ones are protected, and how many different tools are used to provide the protection.

Identify what resource types, beyond data sets, you need to protect on the computer, and then evaluate how well each platform matches your requirements.

3. How auditable is it?

The z/OS system software has three major sources of audit records: System Management Facility (SMF) data, the system log (SYSLOG), and the MVS logger. A typical mainframe will record literally millions of audit records daily to these automated data sources. Security staff and auditors can specify exactly which events are to be logged to these sources, and how the resulting audit trail is reported and evaluated. Typical events to be logged include: access to data sets, access to the system, violations (access attempts rejected by the security software), changes to security rules, and any changes to system options. This data is used to report security incidents, to hold people accountable for what they do on the system, to demonstrate that controls are working, for problem management, for chargeback, and for other purposes.

Audit information can be used for cost reduction and security improvement. What do you think it costs your company when you forget your password and have someone reset it? Various sources have estimated the cost to reset a single password at between $50 and $85. Many organizations use audit data to track the number of times this happens. Tracking trends in such events as password resets can help security administration identify where to direct improvement efforts, both to improve security and to cut costs.

Using audit information for chargeback to individual departments helps prevent unauthorized usage. (You will find a fascinating, true description of a major computer crime that was first detected because of a 75 cent discrepancy in the computer chargeback system in The New York Times bestselling book, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll.)

Windows computers support several types of audit log (security, system, application, and so on). Unix computers also support a variety of audit logs. Mainframe computers have significantly greater speed and capacity in terms of processing power, input/output, and storage than Unix and Windows computers. Because of this, mainframes generate and store more log records than the other platforms. This may not be a useful comparison, since a mainframe also supports more users and more work. We know of no practical study comparing the exact logging capabilities of these platforms. However, when deciding which platform to use, you should determine what purposes you want to address with log data (such as security monitoring, cost reduction, problem management, capacity planning, and so on as previously described). Then ask for a comparison of the platforms in terms of how well they will help you meet those purposes. Ask for specific examples of specific logging reports that illustrate the comparison.

Ask your staff what they’re doing to identify trends, outliers, spikes, and patterns in audit data. This is much more likely to pay off than just “reviewing the items in the violations report.” Peter Drucker, the management guru, said you can’t manage something if you can’t measure it. This applies to both the efficiency and quality of your information security.

Ask your staff whether the number of password resets is increasing or decreasing, and how much it costs you. Or ask them what groups of users have the most violations each month. When evaluating different types of computer, ask for a comparison based on the audit data available, the reports produced from it, and specific actions that can be taken based on analysis of the audit data.
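The kind of trend and outlier analysis the two paragraphs above ask for, as an added example that is not code from the article, IBM, or any audit product. The audit extract is constructed (one event per line: date, event, userid, group); real SMF and SYSLOG record layouts are different and are not reproduced here, and the $50 to $85 per-reset cost is the range the article quotes.

```python
"""Trend and outlier analysis over a constructed security audit extract.

Added example, not code from the article or any vendor tool.  The extract
below is constructed (date,event,userid,group); real SMF/SYSLOG layouts
differ and are not reproduced.  $50-$85 per reset is the article's figure.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample: three months of password resets and access violations.
AUDIT_EXTRACT = """\
2009-01-05,PWRESET,U1001,PAYROLL
2009-01-12,VIOLATION,U1001,PAYROLL
2009-01-20,PWRESET,U2001,DEVTEAM
2009-01-22,VIOLATION,U2002,DEVTEAM
2009-02-03,PWRESET,U1002,PAYROLL
2009-02-10,VIOLATION,U1003,PAYROLL
2009-02-11,PWRESET,U2001,DEVTEAM
2009-02-15,VIOLATION,U2001,DEVTEAM
2009-02-25,PWRESET,U2003,DEVTEAM
2009-03-02,PWRESET,U1001,PAYROLL
2009-03-04,VIOLATION,U1002,PAYROLL
2009-03-06,PWRESET,U2001,DEVTEAM
2009-03-09,VIOLATION,U2001,DEVTEAM
2009-03-11,VIOLATION,U2002,DEVTEAM
2009-03-12,PWRESET,U2002,DEVTEAM
2009-03-16,VIOLATION,U2004,DEVTEAM
2009-03-17,PWRESET,U2004,DEVTEAM
2009-03-18,VIOLATION,U2001,DEVTEAM
"""

def parse(text):
    """Turn the extract into dicts keyed by month/event/userid/group."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, event, userid, group = line.split(",")
            records.append({"month": date[:7], "event": event,
                            "userid": userid, "group": group})
    return records

def monthly_counts(records, event):
    """Count one event type per month, month-sorted."""
    counts = Counter(r["month"] for r in records if r["event"] == event)
    return dict(sorted(counts.items()))

def trend(counts, band=0.1):
    """Compare the latest month against the mean of all earlier months."""
    if len(counts) < 2:
        return "insufficient data"
    *earlier, latest = counts.values()
    baseline = mean(earlier)
    if latest > baseline * (1 + band):
        return "increasing"
    if latest < baseline * (1 - band):
        return "decreasing"
    return "flat"

def reset_cost_range(resets, low=50, high=85):
    """Cost of the resets, using the article's $50-$85 per-reset estimate."""
    return resets * low, resets * high

def violations_by_group(records, month):
    """Which groups generated the most violations in a given month."""
    return Counter(r["group"] for r in records
                   if r["event"] == "VIOLATION" and r["month"] == month)

def outlier_groups(records, factor=2.0):
    """Groups whose latest-month violations exceed factor x their earlier mean.
    Months with no violations count as zero so a quiet group's spike shows."""
    months = sorted({r["month"] for r in records})
    per_group = defaultdict(lambda: {m: 0 for m in months})
    for r in records:
        if r["event"] == "VIOLATION":
            per_group[r["group"]][r["month"]] += 1
    flagged = []
    for group, by_month in per_group.items():
        *earlier, latest = (by_month[m] for m in months)
        if earlier and latest > factor * mean(earlier):
            flagged.append((group, latest))
    return sorted(flagged)
```

Running it on the sample shows password resets increasing month over month, a cost range for the quarter, and DEVTEAM as the group whose violations spiked relative to its own baseline.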

4. How well does it let me demonstrate the quality of control it provides (for SOX & other purposes)?

Sarbanes-Oxley and similar regulations are designed to encourage effective management controls. By “control,” auditors mean comparison to a standard. So, if an auditor reviews the list of who is permitted to read the payroll data on your computer system, the auditor needs a standard, a way to determine who should be able to read it. If there’s a written approval signed by the head of the payroll department, the approval is the standard. The auditor can compare the list of who can read the data to the list of who should be able to read the data.

If there’s no written approval, or it’s not signed by the payroll head, or if there’s no automatic enforcement of what’s specified, then control breaks down.

Security tools on the mainframe let you specify standards for security settings, and then automatically enforce those standards. For example, IBM provides the Health Checker software, which periodically compares actual security settings to the standard your information security staff has specified. If you can demonstrate that such automated comparisons are in place, then you can demonstrate that the controls are effective.

Size of organization makes a difference. Demonstrating the quality of security means being able to regularly compare security rules to written standards business managers approve. Almost all computer types can provide for automated comparison to a standard. This is more common with mainframes than with distributed computers since mainframes more often are large enough to support dedicated security staff, and powerful enough to process the large amounts of information to be compared.

When considering any computer system, ask what automated verification of controls is available. In your own installation, ask what automated verification is actually implemented. Ask who approves the security rules, who implements them, and who verifies that the rules match the approvals.
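The "comparison to a standard" described in this section, worked through for the payroll example, as an added example that is not the article's code and not output of Health Checker, RACF, ACF2 or Top Secret. Both the signed approval list and the access-list export are constructed; the level ordering NONE < READ < UPDATE < ALTER follows the usual mainframe convention, but the export format is made up.

```python
"""Reconcile actual data-set access against the written approval standard.

Added example; not the article's code, nor Health Checker or any RACF/
ACF2/Top Secret output.  Both the approval list and the access-list
export are constructed.  The level names NONE < READ < UPDATE < ALTER
follow the usual mainframe ordering; the export format itself is made up.
"""
from dataclasses import dataclass

LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]   # weakest to strongest

def rank(level):
    return LEVELS.index(level)

# Constructed: what the head of payroll signed off on, per data set.
APPROVED = {
    "PAY.MASTER": {"PAYCLERK1": "READ", "PAYCLERK2": "READ",
                   "PAYMGR": "UPDATE", "PAYAUD": "READ"},
}

# Constructed export of the rules actually present in the security tool.
ACTUAL_EXPORT = """\
PAY.MASTER,PAYCLERK1,READ
PAY.MASTER,PAYCLERK2,UPDATE
PAY.MASTER,PAYMGR,UPDATE
PAY.MASTER,PROG7,READ
PAY.HIST,PROG7,ALTER
"""

@dataclass(frozen=True, order=True)
class Finding:
    dataset: str
    userid: str
    kind: str       # UNAPPROVED, EXCESS or MISSING
    approved: str   # level in the written standard
    actual: str     # level found in the security tool

def parse_export(text):
    """dataset -> {userid: level} from the constructed export."""
    rules = {}
    for line in text.splitlines():
        if line.strip():
            dataset, userid, level = line.split(",")
            rules.setdefault(dataset, {})[userid] = level
    return rules

def reconcile(approved, actual):
    """Every way the tool's rules differ from the signed approvals."""
    findings = []
    # Rules with no approval at all, or stronger than approved (the risk side).
    for dataset, rules in actual.items():
        standard = approved.get(dataset, {})
        for userid, level in rules.items():
            if userid not in standard:
                findings.append(Finding(dataset, userid, "UNAPPROVED", "NONE", level))
            elif rank(level) > rank(standard[userid]):
                findings.append(Finding(dataset, userid, "EXCESS", standard[userid], level))
    # Approvals the tool does not implement (control still broken, just inverted).
    for dataset, standard in approved.items():
        rules = actual.get(dataset, {})
        for userid, level in standard.items():
            have = rules.get(userid, "NONE")
            if rank(have) < rank(level):
                findings.append(Finding(dataset, userid, "MISSING", level, have))
    return sorted(findings)

def run_check():
    return reconcile(APPROVED, parse_export(ACTUAL_EXPORT))

if __name__ == "__main__":
    for f in run_check():
        print(f"{f.kind:10} {f.dataset:12} {f.userid:10} "
              f"approved={f.approved} actual={f.actual}")
```

An empty findings list is the evidence the auditor wants; anything else names the exact rule, user and direction of the discrepancy.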

5. How reliable is it (i.e., how long does it keep running without a restart)?

Every computer user has experienced the frustration of having a computer fail in the middle of processing his work. With large computers processing large workloads, the effect of any failure is multiplied. If your company depends on its computers to stay in business, computer failures can be fatal to your organization.

Common ways of measuring reliability include percent of scheduled time that the system is actually operating, Mean Time Between Failure (MTBF), and number of Initial Program Loads (IPLs) or restarts of the computer.

For many years, it was common practice to IPL a mainframe every weekend, whether or not there were system problems. When there were hardware or software problems, there would be additional IPLs.

Some clever manager looking for root causes of system problems recognized that often problems occur immediately after an IPL. He then directed his staff to IPL just once per month. The number of problems significantly decreased, so he declared there would be an IPL just once every two months. And problems decreased even further.

Since then, many mainframe installations IPL their computers just once every three or more months. However, some programmers complained it was difficult to apply maintenance to the system without IPLing the system.

IBM responded by improving both hardware and software so maintenance could be applied without restarting the system. With the development of the z systems, IBM improved the reliability of both hardware and software. IBM now promises 99.999 percent reliability, suggesting that properly configured mainframes will experience no more than five minutes of unscheduled downtime per year. This far exceeds what other platforms can promise. In fact, for a while, Microsoft claimed in ads for the Windows platform that “five nines” (99.999 percent reliability) could be achieved only in a laboratory and would “probably violate some law of nature.”

Because mainframe data centers are large enough to provide economies of scale, they often institute formal problem management programs, which are designed to ensure every problem of every type is identified and resolved in a timely fashion. Such problem management programs can tell you how often a given computer system fails, and what the cause is.

Mainframes fail less often than Windows or Unix computers. Ask how often a computer you’re evaluating can be expected to fail, or what its percent reliability is. After you commit to a given computer system, ask for periodic reports on how its actual reliability compares to this standard.

6. How well does it provide encryption?

The mainframe supports all the standard encryption algorithms, the mathematical formulas to make data unreadable to other people. It also supports all the standard protocols for making use of these algorithms.

IBM initially created a version of each of these protocols for each program that needed to use them. After several false starts, IBM instead put a single copy of each of these protocols in the central system software. IBM made it so that any program could easily request use of these protocols, just by making a request of the central software. From that point on, it became easy for any program to use any of the encryption algorithms and protocols.

To make encryption faster, IBM added specialized hardware processors to the mainframe. It also enhanced the hardware in mainframe tape drives to support tape encryption.

Mainframes, Windows computers, and Unix computers support all the standard encryption algorithms and all the standard protocols. Because of the mainframe’s greater processing power, it can encrypt more data and do so faster than the other platforms.

When evaluating the security of various computer platforms, ask which encryption algorithms and protocols each one supports. Ensure your staff has identified all data that needs to be encrypted, whether it’s on tape, or disk, or in the network. Tapes sent outside the protection of the data center are especially appropriate for encryption. Ensure your staff has configured the system to encrypt all data that needs it.

7. How securely does it connect to other platforms & to the Internet?

IBM has added two key software components to the mainframe that provide the foundation for its connections to other platforms and to the Internet. One of these is a version of the Unix system software built into the mainframe system software. This version of Unix, Unix System Services (USS), has been evaluated and certified as standard Unix. It has better security than most other versions of Unix because it executes as part of the mainframe system software and because its security is integrated with the standard mainframe security tools.

The other key component is called Transmission Control Protocol/Internet Protocol (TCP/IP). This is the standard way for computers to communicate over a network. It started with Unix and spread to the Internet. Microsoft has since adopted it for Windows. Microsoft recommends that anyone who wants to have a secure Windows environment should use only TCP/IP, to the exclusion of other, earlier protocols. Shortly after Lou Gerstner became CEO of IBM, IBM joined the crowd by supporting TCP/IP on all its computer platforms. This means the mainframe easily connects to all the other common types of computers and to the Internet.

When IBM added USS and TCP/IP to the mainframe, it identified all known security vulnerabilities in all versions of them. This was possible because an organization known as Computer Emergency Response Team (CERT) keeps a record of known security exposures in commonly used computers. IBM ensured that every one of these known vulnerabilities was corrected in USS and in TCP/IP on the mainframe. IBM also subjected the mainframe versions of USS and TCP/IP to its internal source code scanners; these programs read other programs to identify possible security flaws in the logic. IBM uses the code scanners to enhance the quality of all its mainframe software security.

IBM enhanced TCP/IP security further by incorporating links to the encryption tools into it and also added a standard security tool for any version of TCP/IP: a program called a firewall. Firewalls provide protection for TCP/IP networks via several techniques, including filtering of messages, address translation, and intrusion detection (recognizing patterns of messages that identify a possible attack). This firewall software, called Policy Agent, is included in mainframe TCP/IP.

All three types of platform can connect securely to the other types, and to the Internet, using the TCP/IP protocol. They all support encryption and firewalls to provide security over such connections. Because of the thoroughness of IBM’s software security cleanup, and the rigor of its original software architecture, and the integration of its TCP/IP security with the system software security, the mainframe version of TCP/IP has no known security vulnerabilities.

You should have your staff evaluate any computer platform you’re considering in terms of known security TCP/IP vulnerabilities as indicated by CERT. For any computer your organization uses, have your staff regularly contact CERT for news of any newly discovered vulnerabilities.

8. What organizational effects does it have for security?

The size of mainframe installations makes it possible to support separation of duties, a key security technique. This works by ensuring that, for example, computer programmers aren’t permitted to execute their programs. Instead, computer operators execute programs that programmers have written. The operators themselves are prevented from accessing the data on tapes in the tape library. This separation provides security by isolating required functions so no one person can perform them all.

On smaller computer systems, separation of duties is difficult to implement since the number of staff is often too small.

The size of mainframe installations also permits separation between security administrators and programmers and business managers who understand the business risk associated with their data. This supports a control structure where, for example, the head of the payroll department specifies in writing who should be allowed to read and who to write payroll data. A separate person, the security administrator, creates rules in the computer based on the written approval from the payroll head. A third party, perhaps the auditor, can compare the actual rules in the computer to what’s specified in the written approvals. This separation of duties is necessary for effective security. It’s only possible when there’s a sufficiently large staff.

Because mainframes support larger workloads, and are more powerful, they’re more likely than Windows or Unix computers to have the staffing to support this separation of duties.

In evaluating various computer platforms, give added value to computers that can support this separation of duties.

9. How does it use virtualization & isolation to provide security?

“Virtualization” means letting a computer pretend to be two or more computers, sometimes even different types. This makes it possible to have one computer pretend to be a test computer and simultaneously a production computer. With one set of hardware, you separate production data and programs from test data and programs.

Isolation is a powerful security tool, and a simple one. By separating production programs and data from test, you prevent accidental access to production data by programmers.

You may be familiar with VMware—software that provides virtualization on PCs. Microsoft is starting to provide its own brand of virtualization for Windows computers, called “Hyper-V.” However, mainframes have provided virtualization in two different ways, for over a decade, long before VMware was born.

The first way is by means of software. On the mainframe, this is accomplished with the VM operating system. The VM software creates “virtual machines,” each of which appears to be its own computer, completely isolated from its brothers. Some data centers run the Linux operating system in one, or several virtual machines. This is an easy way to have several powerful copies of Unix running on one computer, yet completely isolated from each other. Instead of Linux, you also can run the MVS operating system in one or more virtual machines, or even another copy of VM in a virtual machine.

The second method for providing virtual computers is in the hardware. On the mainframe, each such “virtual computer” created by means of the hardware is called a Logical Partition (LPAR). Just as with the VM software, you can have several computer systems running on one set of hardware, with complete isolation.

Mainframes provided virtualization decades before other computer platforms. Virtualization supports security only when it provides the basis for isolation. Mainframes have the size and power to simultaneously support several virtual machines with heavy workloads. Virtualization on a computer such as a Windows or Unix server usually doesn’t have the scale to provide such isolation.

When evaluating various computer platforms, evaluate the possible benefits of virtualization, particularly how it provides “security through isolation.”

10. How does it protect against viruses?

Viruses are almost unheard of on the mainframe. The only one that comes to mind was the “Christmas Tree email virus,” which wasn’t really a virus at all. This email circulated within IBM several years ago. It was not caused by a weakness in the computer security, though. It relied on tricking users into executing a program they thought would just display a pretty Christmas tree. The program actually sent copies of itself to other computer users while it was printing the Christmas tree.

Most people consider this not to be a true virus at all. Real viruses take advantages of weaknesses in a computer’s system software and hardware. Since the ’60s, mainframe computers have been built on an architecture that makes it impossible for unauthorized programs to execute functions that could bypass security. This is why mainframe viruses are almost unheard of.

IBM is so dedicated to this protection that the company has issued an integrity statement, promising that the architecture of the mainframe system will prevent unauthorized programs from obtaining privileges that could disrupt security. In the few instances where someone has found a flaw in this architecture, IBM has immediately developed, tested, and distributed the fix.

Of course, it’s sometimes necessary to permit a program to have such privileges, especially when you install purchased software. IBM provides several ways for you to grant this permission. These ways are collectively known as “back doors.” IBM makes clear that when you open a back door, you’re responsible for maintaining the software integrity. IBM provides classes and manuals on how to install back doors while maintaining system security.

Mainframes have fewer viruses than either Windows or Unix. This can be verified by reviewing records at CERT or by reviewing security fixes from Microsoft. This is the result of IBM’s designing the MVS operating system with a built-in security architecture they’ve maintained and documented over decades.

On the Internet, go to CERT (www.cert.org). In the search field, enter keywords to learn about known security vulnerabilities with different computer systems. For example, for mainframes, you might type “mainframe vulnerabilities,” “MVS vulnerabilities,” or “z/OS vulnerabilities.” For other platforms, enter “Unix vulnerabilities” or “Windows vulnerabilities.” Or you might replace the word “vulnerabilities” with “viruses” or whatever you find interesting.

If you have a mainframe computer, ask your staff how many of these back doors are on it, and how they know that the back doors are “safe.”

Summary & Call to Action

When deciding what computer platform to invest in, or where to process new computer applications, security is a key factor to consider. This article has described 10 important aspects of mainframe security. Whatever computer platform you use, you should apply basic data center management controls. If you aren’t benefiting from these controls now, whatever computer platform you’re using, your security will improve as you pay more atte


4 Responses to “The Mainframe vs. Distributed Platforms: 10 Key Security Questions to Help Determine the Most Secure Platform”

  1. Jack Wittenborn

    Most important,
    There are no monthly security patches because of newly discovered security holes in your operating system.

  2. William Yellin

    In addition to all previously stated advantages, all the mainframe security products can support LDAP access which allows the mainframe to be the enterprise security server, centrally securing resources on all other platforms, including security for resources that the platform does not natively protect.

  3. Andy

    Some of my audience, when I said there is no virus/hacker reported on mainframe, said it was because mainframe generally was not open directly to public, there were layers of servers & network equipment before the flow really got to mainframe.
    I think the challenge is reasonable. And also prove that there are not adequate skills on the market.
    Maybe we may feel better if one day persons begin to hack on mainframe.

  4. Per Rosenquist

    z/VM has now achieved Common Criteria Certification EAL4+
