My “(Blank) Needs a Mainframe” series of posts, such as the most recent AshleyMadison.com Needs a Mainframe entry, is a periodic reminder that there are effective, potent IT solutions that can help prevent catastrophic and costly security breaches: mainframes. Yes, I’m being deliberately provocative, but it’s time to shake some IT people out of complacency and their prejudices. We, the IT community (and its management, including business managers), are failing miserably, repeatedly. We are not protecting our users’ privacy and security. So let’s roll out more mainframes, now, because that’s going to help, a lot.
That said, it’s important to understand that security “magic” isn’t for sale. Most people would agree that mainframes, particularly those with the latest z/OS releases, are the most securable server platforms. They are also often the most secure, but that’s not a given and not automatic. Boeing and Airbus commercial airliners offer the safest mode of passenger transport, but if you’re either determined or careless enough then even those safe airplanes are crashable. Likewise, z/OS is chock full of wonderful security features and securability, but its operators cannot be complacent about security. Achieving and maintaining secure computing requires both the right technologies and talented people, preferably people who are at least slightly paranoid. Often, but not always, so-called “mainframe culture” includes a reasonable, healthy dose of security paranoia.
Another big reason z/OS is so securable is because it’s the only consequential operating system (and probably even the only operating system) that, within a single instance, is inherently multi-tenant and that so smoothly handles mixed workloads with differing SLAs. Other UNIX™ operating systems — yes, z/OS is a certified UNIX operating system — had different development heritages with different demands and development pressures. z/OS evolved in a unique way that’s quite helpful in promoting security. Moreover, because mainframes (and z/OS) are “I/O monsters” supporting mixed workloads, they make it possible to centralize (and recentralize) information, especially personally identifiable information (PII), authorizing (or not) every access, every time. They also uniquely facilitate true continuous business service when suitably configured and operated, and that capability also makes information centralization viable.
Think of it this way. If you’re trying to keep a secret, is it easier to keep a secret if 85 people know the secret or if one person knows the secret? Of course the latter situation is more securable. Likewise, mainframes uniquely facilitate thoroughly centralized information architectures with hundreds or even thousands of authorized application consumers/producers, and they do it with just one (or a couple, for continuous service) z/OS instances. With mainframes you can store, manage, and secure information “once and once well.” You do not have to copy your precious data to 85 (or 855) servers and try to manage that inherently unmanageable security nightmare.
You can design and implement information architectures in highly centralized fashion with mainframes, and many mainframe owners do, with great results. Unfortunately, many do not. “Oh, just copy that data over here…” may be the spark that eventually ignites a security breach. Another problem: “Oh, just give us a RACF server ID that has access to the whole database….” See the problem?
But aren’t those mainframes impossible to work with and develop for? Expensive? No, and no. If there’s a major (or even minor), industry standard application development technology that a mainframe cannot run (and typically well), let me know. It’s at least hard to think of one. And of course it’s possible and highly desirable to authorize (at least) each and every data access request. For example, the base z/OS operating system comes with its own thoroughly standards-compliant, high volume LDAPv3 server (with TLS-encrypted connectivity) at no additional charge. So why aren’t you using it? I can’t think of a good or even mediocre reason why not.
I’m not happy with the wider IT community’s security performance right now, and I hope you’re not either. Let’s get our act together starting today.