It’s an ill wind that blows no good, and profits nobody. That old nautical phrase popped into my head when I first heard about the SolarWinds supply chain compromise. We’ll return to that later, and its implications. But first I wanted to take a look at a few of the pressing issues that should be topping the 2021 priorities list of mainframe teams, security experts, CISOs and, indeed, CEOs.
Towards the end of 2020, the BMC Annual Mainframe Survey provided its regular snapshot of the industry – and after a year like no other in recent memory. A major headline was that “the mainframe is here to stay” (no surprise to all of us here). More people are understanding the benefits and the fact it can be an open, API-friendly platform that’s sitting in the heart of your DevOps world, helping you to create and deliver the “intuitive, customer-centric digital experiences” of tomorrow.
The other big headline was that Security is now centre stage: the majority of survey respondents said that security and compliance had become their top mainframe priorities. Indeed, ‘Security’ over-took ‘Cost Optimization’ as the leading mainframe priority for the first time in the survey’s 15-year history.
90% of respondents saw the mainframe as “a platform for growth and long-term applications”. 68% expected MIPS to grow. More than half of respondents (54%) reported an increase in transaction volumes; 47% reported an increase in data volumes. So the mainframe is now consolidated as a core element of the modern digital enterprise. What’s more, it’s being seen as a hub for innovation.
Work in that direction will continue through 2021 and beyond, with a focus on security and automation. Rising digital demands will require new and enhanced processes. With calls to update applications on the mainframe faster and more efficiently, we’ll see further developments in DevOps on the platform. As a colleague wrote recently, “With the right procedures, tooling, education, culture shift and mind set, the business-critical applications that currently run on mainframes can easily be integrated into a DevOps operation.” This reflects the continued prevalence and power of the mainframe: “The mainframe is fast. Very fast. It is also scalable, resilient, secure, flexible and available. It can handle the workload of thousands of x86 servers for a fraction of the TCO and manpower.”
But the usual dark clouds are gathering, too. As more people become interested in mainframe technologies, more stuff is appearing on the web about the platform – and how it can be hacked. The only thing that’s stopping a tsunami of attacks right now is that the platform itself, which is still too pricey and tightly controlled to be accessed, taken apart and reverse engineered by the bad actors. But that will change. This is why 2021 should see CISOs focus on ramping up their defenses, from access rights, password policies and insecure applications to overprivileged users, the threat of unencrypted communications and more.
READ access is so often the norm. In reality, default access should be NONE. It’s commonsense in my view that you shouldn’t automatically trust anyone and anything, inside and outside your perimeters: you need to look to verify everyone and everything. For years, I’ve advocated the principle of least privilege (PoLP). While that may be a big change in mindset for some, the equation for me is simple: authenticating everybody + least privilege for all your data access, systems and applications = Zero Trust security for your mainframe shop. CISOs need to work towards Zero Trust security for their mainframe shop.
As part of the mix, organizations should be looking to ramp up their threat detection and response capabilities. Is an approach that utilizes endpoint detection and response (EDR) and managed detection and response (MDR) still enough in a new landscape of mass home and remote working? Extended Detection and Response (XDR) is coming to the fore. (Back to the Zero Trust point, XDR might as well mean “anywhere, everyone and everything detection response”).
The point is that every system, every user, every drift “from the normal” in behavior counts. The actionable “threat intelligence” provided via XDR could mean the difference between assured security levels or experiencing damaging hacks and data breaches. While security should never sleep, the reality is that there simply aren’t enough talented and skilled mainframe security experts on the planet to constantly monitor all our systems all the time. That’s why harnessing automation, AI and machine learning through XDR are so important. This was another thread picked up by the BMC annual survey: “Mainframe modernization continues to play a key role in priorities among respondents with the need to implement AI and machine learning strategies jumping by 8% year over year. Are you part of that wave or are you lagging behind? The opportunity is being able to pick up on anomalies and exceptions straight away, because you’ve been tracking, learning from, and so better understanding previously undetected patterns.
In general, in support of these and other pressing initiatives, we are seeing increased demand from organizations industry for services, delivered remotely and securely. These include security assessments, pen tests and vulnerability scans. At the height of lockdown, my team planned and implemented an end-to-end Db2 system security project. With the pandemic and home working accelerating digital transformation for many organisations, new processes and security challenges emerged. While we wait for next-gen mainframers to get trained and join us, we’re in the tail-end of the era of an ageing and retiring workforce, with all of those attendant skills shortages. Engaging external experts to deliver reliable mainframe services makes sense, whether that means extra bods for specialist projects, helping to keep the lights on, or ramping up your security posture against cyber-attacks and hacking.
Which brings me back to where we started: the SolarWinds supply chain compromise and the fallout that followed. Bad news for the US federal agencies involved and the estimated 18,000 other SolarWinds customers attacked with malware (initial estimates were as high as 300,000 organizations). But this could actually lead to something positive. That is, shining an even harsher light on the complacency that exists when it comes to security, and particularly on the different security standards applied to development and supplier systems (“not really important or at risk, so why bother?”) compared to in-house production systems (“we must protect our crown jewels”). It’s the realization by many senior IT and security folk that they escaped the toxic impact of SolarWinds’ security failings by the skin of their teeth. This could have happened to anyone including them; they only escaped through the good fortune of not choosing Orion software. That’s a near-hit in my mind rather than a near-miss. For pity’s sake, the US Treasury and its departments of homeland security, state, defence and commerce were all attacked. Systems were monitored, data and IP harvested. And it’s thought the hackers had compromised SolarWinds for eight months prior to detection.
This sorry tale draws together three of my main themes: a huge increased demand to enable employees to work remotely and access their corporate systems; persistent complacency in some quarters that continues to hamper an effective Zero Trust approach to security; and the real threats in today’s connected world that are posed by a supply-chain attack. The bad actors don’t need to get to your production systems, which may indeed be tightly protected. No, they can target the perhaps woefully under-protected dev systems of a supplier, or someone else in your supply chain.
James Stanger of the Computing Technology Industry Association (CompTIA) described the nub of the problem when he wrote that “most organizations continue to pursue traditional measures based on a firewall-first, signature-based, trusted-partner mindset.” Stanger describes this old-school BAU approach as ‘Cowboy IT’, which he defines as “underutilization of modern tools, over-reliance on old ones and a lack of proper monitoring.” I couldn’t agree more.
Securing the supply chain has therefore become a hot topic for 2021. We need to lift our gaze from the threats nearest to us, once they have been mitigated, imagine what else might happen in our extended environment, and then ask searching questions of our partners and suppliers. As an industry, as a whole, we need to better protect ourselves. And the tools are already out there, as I’ve said many times: it’s the mindset that isn’t. All systems have to be treated as production systems, with better monitoring, more threat intelligence, and Zero Trust the order of the day. That, at least, would be an effective starting point. We want better analytics, automation and adaptability, all underpinned by informed governance and the latest policy-based approaches. It’s quite an In-Tray, to be sure. But we can do it. We have to.