The “OS/390 and z/OS Security Technical Implementation Guide” of the U.S. Department of Defense (DOD) only provides a basic approach for a secure z/OS implementation. The guidance of the German Federal Office for Information Security (BSI) is far more comprehensive.
Since 2004 the German Federal Office for Information Security (BSI) has been focusing on necessary security measures for the mainframe platform in its central security guide, the “IT Baseline Protection Manual” (www.bsi.bund.de). Section 6.10 focuses on the z platform and describes the risks and related basic protection measures for a secure z platform.
The German security guide describes today’s demand for real-time monitoring technology to secure the systems against manipulation and the exploitation of possible z/OS-specific weaknesses. According to the IT Baseline Protection Manual, “…such detection measures are practically indispensable if the greater damage is to be expected. …” and the necessary “… use of a real-time security monitor for z/OS systems in determining security infringements faster.…” (both passages are taken from the “Basic IT Security Protection Manual”, 2004 Edition, Section “M6.67 Use of detection measures for security incidents”). Real-time monitoring of only a single isolated security aspect, such as SMF records, is still insufficient. Monitoring the entire z/OS with all its components and their complex relations and details is crucial.
The strict requirements of the BSI demonstrate the high relevance of mainframe security and emphasize the need for additional protection against today’s risks. The z platform has thus become a “conventional” server platform with “conventional” risks, i.e. “less SNA, more TCP/IP” or “not only MVS, but also UNIX System Services”. This means that companies with an increasing demand for security and quality require further technical measures for their z platform that the standard security system does not supply. At this point, it is important to note that a real-time security monitor is not a standard component of z/OS. BSI’s conclusion? Standard z security is not sufficient for companies with an increased need for security.
What types of companies have an increased need for z security and quality?
When you take into account the high investment and operational costs of mainframes, you realize that all mainframe users are affected, especially those in the financial and insurance sectors, commercial IT providers and health insurance companies, among others.
What motivation, or rather, what pressure is there to act now to achieve such increased security measures? Enormous pressure, according to the new legislation and regulations, such as Basel II, the IT Baseline Protection Manual (German Federal Office for Information Security), KonTraG, SOX, U.S. DOD regulations, etc. Such pressure could even result in considerable “trouble” for companies and their management when the damage has already been incurred and any exonerating evidence is missing.
Nevertheless, even before something happens, insufficient security can prove expensive in the long run. This point has been reinforced by legislation such as Basel II and SOX, among others. The key factor is the so-called “rating”, which acts as a consolidated measure of legislative compliance, professionalism, and stability for safeguarding companies and their business processes. As a result, IT becomes burdened with this added responsibility. On the one hand, business processes are based on and dependent on IT; given this relationship, IT becomes a source of risk. On the other hand, IT lets you minimize risks, e.g. through concepts that control, monitor, identify and eventually combat risks. IT security is therefore of central significance for rating agencies and governing bodies. One thing is clear: these organizations possess highly specialized knowledge of all platforms, including the “good old” mainframes.
Rating agencies assess companies by means of a so-called “rating”. A company’s rating can, for example, negatively impact the cost of credit. After all, a few per mille of interest can add up to a large sum of money. The idea is that higher risk must correspond to an “extra charge”. In short, a company with a bad rating will have higher credit costs, much like a higher insurance premium. Conclusion: insufficient security costs more money in the long run.
Don’t you, as someone working in or for the financial IT services sector, feel affected by this? You may ask yourself: how does a bank get rated? Isn’t it only banks that “rate” their customers, and not vice versa? While this may be true in daily business, remember that all companies are subject to a rating. After all, even banks are debtors. Besides the legislation, there are several governing authorities that continuously rate banks. Some are state-controlled, such as the German Federal Financial Supervisory Authority (BaFin).