Navigating the complexities of security and compliance on the mainframe
As organizations look to modernize IT systems, including the mainframe, there’s a critical need to do so without sacrificing security or falling out of compliance. But that’s a balancing act that is easier said than done, especially as cybersecurity threats grow increasingly sophisticated.
Malicious actors have access to more tools and plans of attack than ever before. They’re also aggressive—in 2023 alone, there were more than 3,200 data compromises in the U.S. that affected over 350 million individuals. As those threats evolve, so too do the regulations and guidelines that are established in response.
These shifts mean that companies have to prioritize a number of critical capabilities like annual or quarterly penetration testing, vulnerability scanning, audit logs, systematic access controls, and much more to remain compliant. Faced with this complex task, IT leaders need to ensure they are equipped to support new technologies while also adapting to an evolving regulatory and threat landscape if they are to keep modernization initiatives moving forward.
Balancing modernization in a complex regulatory landscape
Modernization is essential, and organizations that put off doing so risk getting left behind. Yet, one missed configuration-based vulnerability or data loss during a migration can be catastrophic. A single cybersecurity incident can ruin a company’s reputation with corporate partners and customers. And those incidents can have far-reaching consequences that go beyond the immediate damage to IT systems, data, or operations.
But for mainframe systems, what can these incidents look like? Some of the most common mainframe vulnerabilities are:
- Code-based vulnerabilities. These vulnerabilities account for flaws in existing code (often from third parties) that can be exploited by cybercriminals.
- Configuration-based vulnerabilities. These vulnerabilities stem from improper settings and configurations that can leave systems open to unauthorized access.
- Insider threats. These threats represent employees or contractors who intentionally or unintentionally misuse their access to mainframe systems to harm an organization.
Businesses will need to identify and implement the right strategy to combat those potential vulnerabilities while also accounting for a variety of new regulations, like the EU’s Digital Operational Resilience Act (DORA) or the Payment Card Industry Data Security Standard v4.0 (PCI DSS v4.0). More and updated localized cybersecurity regulations like 23 NYCRR Part 500, created by the New York State Department of Financial Services (NYDFS), require critical consideration, in this case requiring financial services companies operating in New York to conduct annual mainframe risk assessments, perform annual mainframe penetration testing, and have robust mainframe vulnerability management programs in place, to protect customer data and the systems they rely on.
Policies and regulations like these make it more important than ever for organizations to catch vulnerabilities before they become full-fledged cyber attacks. Falling out of compliance could mean risking serious financial and regulatory penalties. With the stakes so high, IT leaders need to ensure their modernization strategies are inclusive of mainframe security.
The keys to mainframe security
With the understanding that mainframe security is integral to broader modernization goals, where should organizations start? There are a few important elements that should make up an effective security strategy. Mainframe security requires a great deal of attention—threats and vulnerabilities are constantly evolving. To that end, one important step organizations can take to improve their mainframe security is to designate a mainframe security architect. This role can help design and maintain a secure environment that is tailored to the business’s specific needs while also helping to identify potential risks.
From a practical standpoint, one of the more important aspects of new regulations, like DORA, is the role of regular testing and scanning for vulnerabilities. Every mainframe security strategy should incorporate capabilities like code-based vulnerability scanning, regular mainframe penetration testing, regular compliance checks, point-in-time data recovery, and widespread, fully deployed, multifactor authentication (MFA).
That’s where working with a trusted partner with deep expertise in mainframe modernization and security can be a game-changer. Take, for example, the security solutions offered by Rocket Software, which deliver capabilities that are tailored to the complex security and regulatory realities facing mainframe systems. Tools like the Rocket z/Assure® Vulnerability Analysis Program automatically scan and pinpoint vulnerabilities in mainframe operating system code, making it easier to keep pace with potential threats as they evolve. Similarly, Rocket® Mainframe Security Services also offers a powerful solution for organizations looking to bolster their security with services like compliance assessments, penetration testing, and conversion services, among others.
For modernization initiatives to be successful, businesses need to ensure they are prioritizing security and compliance as part of that journey. Mainframe systems bring with them a unique set of requirements, but by implementing the right programs, processes, and tools businesses can stay secure, minimize disruption, and adhere to local and international regulations.
Learn more about how Rocket Software can support your modernization journey without sacrificing security or compliance.