It's no longer enough simply to store data. An enterprise must encrypt their data to guard against the threat of loss or theft. Lost tapes and instances of hacking often make the front page of The Wall Street Journal, but proper security measures aren't just a PR move -- regulatory compliance laws prescribe severe penalties if personally identifiable records are not secured properly. And security also involves people, using authentication techniques and identity management tools to ensure that each user has the right permissions and restrictions. To complicate matters further, Web services are gaining ground as more users inside and outside of the company seek to utilize mainframe applications. Let's consider the issues of mainframe security.
Mainframe data encryption
Data is typically secured through encryption which processes data through a mathematical algorithm based on a unique code (or key), leaving the data inaccessible without the corresponding key. There are two areas in the enterprise where encryption can occur; at rest and in flight. Encrypting data at rest protects data that is stored on tape or disk. Encrypting data in flight protects data that is actually transmitted across a LAN or WAN (such as the Internet).
Encrypting data at rest is generally easier. There is less processing overhead because the encryption must only be performed once. Encryption is also available in numerous software tools like Symantec's NetBackup, or directly in tape drive products like Sun Microsystems' T10000 drive. It is common to encrypt backup taped before storing them at an Iron Mountain or other storage facility. Files can also be encrypted to disk, though this is less common.
Encrypting data in flight is a bit more complicated because the processing overhead required for real-time encryption/decryption can impair network performance. Still, encryption can be essential when transferring sensitive data outside of the enterprise. For example, encryption might be entirely appropriate when performing asynchronous remote replication to a backup or DR site. When real-time encryption is required, the work is usually offloaded to a dedicated appliance like a Decru DataFort, or handled within the mainframe itself through a cryptographic coprocessor (CC) such as the PCIXCC or Crypto Express 2 available for IBM's z9 system.
Encryption is not an "all or nothing" decision -- only sensitive data needs to be encrypted, so administrators can select the folders or data types that should be encrypted. This lowers the overall processing overhead, which can sometimes make encryption attractive by omitting the expense of dedicated encryption devices.
Any implementation of encryption should include a consideration of key management. If keys are lost or forgotten, any data encrypted with that key is inaccessible. This can be a devastating loss for an enterprise, so understand how keys are protected and secured by the encryption product, and make sure that policies and procedures are in place to protect keys from loss.
Identity management is about user authentication -- ensuring that only authorized users can access the mainframe with appropriate rights and restrictions. For example, you wouldn't want an ordinary finance user to access information in R&D, and you can't have outside users changing security settings. Identity management has traditionally been a matter of user names and passwords. While this is still a tried and true means of authentication, security concerns are prompting additional precautions. Additional physical security techniques like ID cards and biometric devices (e.g., fingerprint scanners) are being coupled with traditional authentication to tighten security, especially for sensitive tasks like network administration.
There are two persistent problems with identity management; expense and confusion. The issue of expense is often addressed by automating basic tasks with ID management software, eliminating much of the direct intervention that was traditionally required by system administrators. Citrix Password Manager is one popular management product.
However, eliminating the confusion of identity management is more challenging. Every user typically requires unique authentication for each system or network that they access. Just consider the number of user names and passwords that you have to remember even for the services within your own organization. New techniques are evolving to ease this confusion. For example, password synchronization allows a user to access systems across a network with just a single password. The single signon technique builds on this to allow access to applications as well as systems. Emerging standards like the Extensible Name Service (XNS) are evolving to support ID management beyond the enterprise, and the push is on for global identity management.
Web services impact on mainframe security
The introduction of Web services on the mainframe has had a significant impact on security. Although Web services can make applications available to a broader range of users, there are more potential vulnerabilities that a hacker can potentially exploit during their attack. Enterprises have typically protected their data through encryption, secure deletion, archiving, and strong access control. But this is often not enough to secure the mainframe and data. Today, mainframe-based organizations are adopting a service-oriented architecture (SOA) that shifts this paradigm by supporting communication between Web services.
Rather than keeping unauthorized users out, SOA emphasizes appropriate user access while enforcing mainframe security. SOA can define how two programs interact so that one program can perform work on behalf of another program. Interactions are self-contained and defined by a scripting language, so each interaction is independent. For example, placing an order online involves the interaction of several different and independent services. You can use those services to do work (place an order), but you cannot access data or system behaviors at a deeper level -- the mainframe and system remain secure.