Security and Compliance Challenges in Mainframe Support
Date: 18 March 2025

Large enterprises have been relying on mainframe computer systems for over 50 years. Although newer computing architectures such as cloud and distributed systems have emerged, mainframes still run critical workloads in industries such as banking, insurance, transportation, healthcare, and so on.
But supporting and securing complex, business-critical mainframe environments also comes with complexities that technology professionals must learn and prepare for. Security standards and regulations also demand compliance, since mainframes store and process sensitive data on a daily basis.
In this comprehensive guide, we will cover the current mainframe landscape, dive into the particular security and compliance issues that mainframe support teams deal with today, highlight the best practices and technologies in place to minimise security risks, and then predict what the future of this platform will look like. With this information at their disposal, IT leaders will be better equipped to shape their strategies for mainframe support services, security, and compliance.
The Current Mainframe Landscape
Before examining mainframe security issues, it’s important to understand what mainframes are still used for and why they persist across industries despite newer computing options.
Mainframes Remain Critical for Core Business Operations
Forecasters have predicted the death of the mainframe with each wave of distributed computing and, later, cloud adoption, yet 71 percent of Fortune 500 companies still rely on mainframes to carry out core business processes like transactions, batch processing, and essential data services. These large enterprises run very complex, mission-critical programmes that are essential to keeping the trains on time. The processing power, scalability, high availability, and security capabilities that mainframes offer continue to make them well-suited for workloads like:
- Transaction processing systems. Mainframes handle incredibly high volumes of small, simple transactions for use cases like credit card payments and stock trades. They can process billions of transactions per day.
- Batch processing. Batch jobs like billing statements, payroll runs, and ETL data transformation tap into the mainframe’s ability to rapidly process huge amounts of records.
- Legacy applications. Important business applications that have been running for decades live on mainframes. Rewriting or replacing them comes at considerable cost and risk.
- Data serving. With petabytes of business data under their command, mainframes provide analytics and reporting to data consumers across the enterprise.
In these types of workload scenarios, mainframes offer strengths that alternative platforms have difficulty matching:
- Predictable high performance at scale
- Continuous availability with redundant failover capabilities
- Sophisticated security controls and isolation
- Mature operating systems like z/OS
- Billions invested in custom applications over decades
For these reasons, Allied Market Research estimates that the mainframe market continues to grow at about 7.3% annually, with the worldwide install base representing around $2.9 billion in mainframe hardware, software, and services spending.
The Oncoming Mainframe Skills Shortage
While mainframes show no signs of disappearing from large companies, the humans that support them face extinction. Mainframe specialists are rapidly aging out of the workforce, while younger IT professionals gravitate towards “sexier” technologies like cloud, mobile, and AI.
Surveys indicate that most of the current mainframe staff will likely retire in the next few years. Yet fewer university graduates enter the field every year, creating an alarming skills shortage:
- 79% of organisations believe the mainframe skills shortage has affected their business outcomes already
- 20-30% of current mainframe jobs are unfilled due to lack of qualified candidates
- The typical mainframe professional is over 50 years old
As veteran mainframers retire, they take decades of institutional knowledge with them. This can directly impact mainframe security and compliance posture. Younger admins may not understand the nuances of RACF security controls or have experience with audit preparation. Specialized mainframe roles like systems programmers and network architects become harder to fill.
Large enterprises must take action now to address the looming loss of mainframe expertise. Cross-training, documentation, and knowledge transfer will help retain critical information. Strategic hiring and engaging with educational institutions can also help fill the internal mainframe skills gap.
Now let’s explore the specific security and compliance problems this mainframe skills challenge introduces.
Key Mainframe Security Challenges
While mainframes offer sophisticated security capabilities, integrating controls across the entire mainframe environment poses complications, especially for understaffed teams.
Here are 4 of the top mainframe security challenges that enterprises face today:
Consistently Applying Mainframe Security Controls
The mainframe operating system z/OS and its security manager software RACF provide over 150 security controls for access control, encryption, monitoring, and more. However, utilizing these tools to properly secure each mainframe in an enterprise takes significant expertise and effort.
As experienced mainframe security administrators leave, that knowledge disappears, while lean teams scramble to secure hundreds of mainframes. This can lead to security policies being applied inconsistently or to major gaps being overlooked. Critical data and applications are put at risk.
Managing Increasing Mainframe Complexity
In addition to general-purpose mainframes running the core business systems, enterprises are also using mainframes like the zIIP and zAAP to offload certain workloads. Pervasive encryption is one of the new capabilities that the z15 mainframe brings with it.
More types of mainframes and more advanced features add management complexity. They also increase the potential attack surface available to an attacker, and they stress short-staffed security teams trying to apply consistent controls to the various mainframe environments.
Lacking Mainframe Activity Monitoring & Auditing
To comply with regulations like PCI DSS, GDPR, and more, all access to sensitive mainframe data must be logged and audited. However, native mainframe monitoring tools like SMF data provide low-level infrastructure logs not optimised for security monitoring.
These cryptic logs require extensive expertise to decipher and piece together high-level user activity details. With experienced administrators for mainframe security retiring, filling this auditing and monitoring knowledge gap becomes more urgent and challenging.
Integrating Mainframe Security into the Modern IT Stack
Today’s technology environments encompass a broad ecosystem of tools and platforms, with mainframes being just one piece. Ensuring consistent identity and access controls, monitoring, encryption, and other security policies across the entire hybrid IT stack has become crucial.
However, RACF, as a complex mainframe operating concept, does not easily fit with modern IT security tools targeted at distributed systems. This can leave gaps that jeopardize the whole environment.
The path forward for modern enterprises lies in software that bridges the gap between mainframe and distributed security controls and works with middleware tools and platforms. More on specific solutions later. Let’s now shift our focus to mainframe compliance challenges.
Mainframe Compliance Issues
Because of the sensitive data they handle, mainframes have to comply with government and industry regulations such as HIPAA healthcare policies, credit card security standards, financial industry requirements, and so on.
But complex mainframe environments don’t easily map to compliance controls formulated with distributed systems in mind. This introduces several mainframe compliance challenges:
Mapping Unstructured Mainframe Data
Many compliance frameworks, like GDPR and CCPA, now levy data privacy and protection requirements. But mainframes contain unstructured system and application logs not designed to identify personal data fields like credit card numbers or healthcare codes.
Mainframe compliance teams that are understaffed struggle to consistently identify regulated data spread across disparate mainframe systems and log sources. This complicates reporting on total sensitive data exposure for audits.
Centralizing Mainframe Audit Data
To pass external audits and avoid hefty non-compliance fines, mainframe activity logs must feed into centralized monitoring tools like SIEMs. However, each unique mainframe log format, like SMF records, IMS TM logs, RACF SMF logs, and more, requires custom parsing before it can integrate with security analytics tools.
With mainframe experts retiring, keeping up with parsing and feeding all these logs into the central monitoring dashboard becomes challenging. Gaps form in the auditing process.
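To make the custom parsing step concrete, the following added example (not code from the original article or from any vendor tool) decodes the standard SMF record header into SIEM-ready JSON and marks type 80 records, which carry RACF events. It assumes a binary dump with record descriptor words preserved, no block descriptor words and unspanned records; the sample records are constructed for illustration.

```python
import json
import struct
from datetime import datetime, timedelta

# Standard SMF header: RDW (length, segment), flag, record type,
# time in 1/100 s since midnight, packed date 0cyydddF, EBCDIC system ID.
HEADER = struct.Struct(">HHBBI4s4s")  # 18 bytes, big-endian


def packed_date(raw: bytes) -> datetime:
    """Decode packed-decimal 0cyydddF (c=0 means 19yy, c=1 means 20yy)."""
    digits = raw.hex()
    if digits[0] != "0" or digits[7] != "f" or not digits[1:7].isdigit():
        raise ValueError(f"bad SMF date {digits}")
    day = int(digits[4:7])
    if not 1 <= day <= 366:
        raise ValueError(f"bad day of year in {digits}")
    year = 1900 + 100 * int(digits[1]) + int(digits[2:4])
    return datetime(year, 1, 1) + timedelta(days=day - 1)


def parse_smf(stream: bytes):
    """Yield one SIEM-ready dict per record; raise on damaged input."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError(f"partial header at offset {offset}")
        length, seg, _flag, rtype, tme, dte, sid = HEADER.unpack_from(stream, offset)
        if seg != 0 or length < HEADER.size or offset + length > len(stream):
            raise ValueError(f"spanned or truncated record at offset {offset}")
        when = packed_date(dte) + timedelta(milliseconds=tme * 10)
        yield {"timestamp": when.isoformat(),
               "system_id": sid.decode("cp037").strip(),
               "smf_type": rtype,
               "racf_event": rtype == 80,   # type 80 = RACF processing record
               "length": length}
        offset += length


def build_sample(rtype: int, body: bytes) -> bytes:
    """Constructed record: 18 March 2025 (day 077), 09:30:00, system SYS1."""
    tme = (9 * 3600 + 30 * 60) * 100
    return HEADER.pack(HEADER.size + len(body), 0, 0, rtype, tme,
                       bytes.fromhex("0125077f"), "SYS1".encode("cp037")) + body


SAMPLE = build_sample(80, bytes(10)) + build_sample(30, bytes(4))

if __name__ == "__main__":
    for event in parse_smf(SAMPLE):
        print(json.dumps(event))
```

Raising on a truncated or spanned record, rather than skipping it, keeps a damaged transfer from silently becoming a gap in the audit trail.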
Applying Controls & Frameworks Consistently
Many regulations like PCI DSS explicitly reference mainframe considerations. However, overworked staff may overlook the subtleties of mainframes when implementing controls across various environments. For example, mapping PCI DSS’ “least privilege” access tenets to granular mainframe permissions challenges underqualified admins.
Governing compliance across distributed and mainframe platforms consistently demands specialized skills that growing numbers of IT teams lack. This skills gap puts enterprises at risk of failed audits, fines, and reputation damage.
Communicating Control Efficacy
Compliance auditors now expect metrics and reports that demonstrate security control effectiveness beyond just policy documentation. However, complex mainframe data offers little visibility without expertise to enrich and interpret it.
Providing compliance boards with easy-to-understand reports and metrics that prove mainframe control efficacy strains already overloaded teams. However, without this reporting, organisations can fail audits even with foundational security controls in place.
As the shortage of qualified mainframe staff continues, addressing these compliance gaps only becomes more critical and challenging.
Best Practices for Mainframe Security & Compliance
Given the array of escalating threats and compliance obligations targeting mainframe environments, enterprises must take action to fill security gaps exacerbated by the looming skills crisis.
Utilising these best practices can help secure mainframes and meet compliance mandates despite lacking specialised personnel:
Seek Mainframe Security & Compliance Expertise
While hiring initiatives may not completely fill the widening skills gap, bringing on qualified mainframe security consultants can provide interim expertise. Seek external auditors and assessors familiar with mainframe nuances. Augment overstretched internal teams with trusted MSP partners.
Cross-Train Staff on Mainframe Security Concepts
Identify distributed systems admins with infrastructure security experience and aptitude for learning mainframe concepts. Through formal training and mentoring initiatives, equip these junior team members with enough mainframe security skills to share the compliance workload.
Automate Manual Processes that Rely on Specialized Skill
Use intelligent software platforms to automate cumbersome mainframe security and compliance processes that depend on disappearing institutional knowledge. For instance, deploy tools that auto-parse complicated mainframe logs and send them to monitoring systems. Create dashboards that automatically audit user access by comparing it to HR data. Other use cases include sensitive data discovery, access modeling, and control mapping for auditing.
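The access audit against HR data described above can be sketched as follows. This is an added example, not part of the original article or of any product; the CSV column layout, the sample user IDs and the 90-day dormancy threshold are assumptions made for illustration, while SPECIAL, OPERATIONS and AUDITOR are RACF user attributes.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column layout is a simplified assumption,
# not the record format of any RACF unload utility or HR system.
RACF_EXPORT = """userid,attributes,revoked,last_access
JSMITH,,NO,2025-03-10
MBROWN,SPECIAL OPERATIONS,NO,2025-03-01
TLEE,,NO,2024-06-15
OLDSVC,OPERATIONS,NO,
KWONG,AUDITOR,YES,2023-01-05
"""
HR_ROSTER = """userid,status
jsmith,active
mbrown,terminated
tlee,active
kwong,terminated
"""
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # RACF user attributes


def review_access(racf_csv, hr_csv, today, dormant_days=90):
    """Return sorted (userid, finding) pairs for IDs that need review."""
    hr = {r["userid"].upper(): r["status"].lower()
          for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(racf_csv)):
        uid = row["userid"].upper()
        if row["revoked"].upper() == "YES":
            continue  # revoked IDs cannot log on; nothing to reconcile
        status = hr.get(uid)
        if status is None:
            findings.append((uid, "no HR record"))
        elif status != "active":
            findings.append((uid, "HR status is " + status))
        held = PRIVILEGED & set(row["attributes"].split())
        if held and status != "active":
            findings.append(
                (uid, "privileged without active owner: " + " ".join(sorted(held))))
        last = row["last_access"]
        if not last:
            findings.append((uid, "never used"))
        elif (today - date.fromisoformat(last)).days > dormant_days:
            findings.append((uid, "dormant"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(RACF_EXPORT, HR_ROSTER, date(2025, 3, 18)):
        print(*finding, sep=": ")
```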
Bridge Mainframe Security Controls with Modern IT Environments
Establish platforms for centralized identity and access governance, privileged access management, security analytics, and encryption key management that are architected and supported for mainframe environments. This brings disjointed security controls under a single governance strategy for hybrid IT.
Seek Mainframe-Specific Compliance Frameworks
Many established compliance mandates still focus primarily on distributed systems. As mainframe compliance challenges escalate, leverage prescriptive new regulatory frameworks designed specifically for mainframe environments. The FITARA Act for US government agencies, among others, provides mainframe-centric governance checklists.
Look Ahead: The Future of Mainframe Security & Compliance
The oncoming loss of specialised mainframe skills may seem dire, but hope remains for enterprises dependent on these mission-critical platforms. Creative staffing strategies, security automation initiatives, and mainframe-aware compliance frameworks can help fill knowledge gaps.
The platform itself continues to thrive even as veteran mainframers retire. IBM’s security-focused z-Series is still innovating, with capabilities such as pervasive encryption and resistance to quantum computing. Mobile and cloud apps that access data and services on the mainframe are becoming part of the mainframe market.
The platform that the world’s economy runs on won’t disappear overnight. However, mainframe security and compliance still need to be adapted for the modern, skills-scarce enterprise. This guide covers the strategies that allow teams to protect these necessary systems.