
Mainframe applications may not be as secure as you think

Mainframes are well-suited for mobile apps, and though these systems are known to be safe, there are ways to tighten mainframe security.

The mainframe has a reputation for being a data vault, but some enterprises may not know who has the keys.

The growth of mobile applications has changed the way data on mainframes is used, increasing its role and importance in the so-called digital economy for banks and insurance companies, among others.

Many of those businesses have custom applications that are decades old, according to Tim Grieser, a program vice president and analyst at IDC in Framingham, Mass. Mainframes host mission-critical transactional applications for many large enterprises.

"A lot of financial applications are coming out to the end-user level," he said. "Handheld devices to financial applications are an area of workload growth."

The growth of big data platforms, such as Splunk, Spark and Hadoop, and their role in giving companies a business advantage, could mean mainframes will get a renewed purpose.

But many companies don't have a complete picture of all the data on their mainframes and who has access, according to David Hodgson, general manager for mainframe business at CA Technologies in Islandia, N.Y.

"It is a piece of dirty laundry," he said.

A complete picture

CA has released new software designed for some of its largest customers, including financial institutions and insurance companies, to get a complete picture of mainframe data.

CA Data Content Discovery crawls through mainframes to discover data in relational databases, such as IBM's DB2, sorts that data into categories and provides enterprises with a report on the types of data and where they are located. It also spells out who has access and the types of permissions.

"The purpose is to improve your ability to be compliant," Hodgson said. This includes regulations for personally identifiable information (PII) and the Health Insurance Portability and Accountability Act.

Despite the mainframe's reputation for hardened security, many of CA's customers are paying closer attention to the security of their mainframe data, as stories of data hacks continue to make headlines, Hodgson said.

That said, public examples of hacks and data breaches involving mainframes are rare -- a highly publicized hack of a major bank did not get to the mainframe, for example.

But many enterprises lose track of user permissions and who has access to what, which poses a possible insider threat to data security. IT pros may have usernames and data descriptions, but not a complete picture of data on the mainframe.

Government regulations may also have changed since permission was initially granted, Hodgson said. There's often a line between the business departments that set policies and the system administrators, which can create confusion about who is supposed to get access to what.

For example, a company may need to dump data to a vendor, but it doesn't know whether there is any PII in it.

"There are a lot of real issues here," Hodgson said.

The newest CA tool is designed to let an enterprise keep data on its mainframe, where it can determine who has access, rather than taking the data off the mainframe, since almost all mainframe users use it as a platform for the company's systems of record.

"There is often no easy way to move applications off [the mainframe]," Hodgson said.

Similar to CA's offering is DataSniff from Xbridge Systems Inc., in San Jose, Calif., which was released in 2010. It goes through mainframes and finds data that may have been considered untouchable or may have been categorized as exempt from an audit.

Mainframes and mobile apps mix

The increased demand mobile applications put on the mainframe also increases the need to understand the role mainframes play in the performance of mobile apps.

Mainframes are "particularly well-suited" to mobile applications -- or to adding a mobile channel to legacy apps -- because mainframes inherently handle prioritization and scheduling well, according to David Norfolk, an analyst at Bloor Research International Ltd., based in London.

"You can process high-priority transactions, like payments, at higher priority than routine inquiries, without inquiries affecting performance," he said.

To manage mainframe applications as "first-class participants in the whole infrastructure," it is important to know what data is on the mainframe and its characteristics. To make it work, IT pros need discipline and good practice, he said, by separating the presentation layer from the business logic.

"CA has tools to enable this -- but no tools will help if your internal practice is low maturity and chaotic," he said.

CA's Unified Infrastructure Management (UIM) had been used to give Level 1 support monitors in large enterprises an end-to-end look at distributed systems, keeping an eye on networking and storage across multiple platforms. Today, more enterprises want a view from mobile to the mainframe, and UIM supports IBM z System mainframes running z/OS.

"The first-level responder can see it all and start to connect the dots," Hodgson said.

A mobile app may be running slow because a SQL query may be wrong or the transactional server is running slow -- and unified monitoring is watching it all in one place.

In many organizations -- according to CA's numbers, it is about 51% -- management of distributed systems and mainframes is separate. When a single tool helps IT monitor multiple systems, that can help bridge the two teams.

"A tool isn't going to solve it all, it is an organizational thing," Hodgson said.

UIM is used by BHI USA, a commercial bank headquartered in New York, to monitor its mainframe and distributed environments to identify and diagnose poorly performing transactions, according to Scott Brod, the bank's assistant vice president of IT services.

Simplify IT operations

Software such as CA Unified Infrastructure Management for IBM System z helps simplify IT operations by reducing the staff time needed to track and optimize service performance, according to Grieser, the IDC analyst. It helps improve business application performance and availability, and makes the infrastructure where the applications are deployed faster and more reliable.

The newest software offerings focused on the mainframe show its renewed role in the enterprise, driven by the "application economy." At CA World this month, for example, CA doubled the mainframe-oriented sessions, compared to previous years.

"We're investing big on the mainframe," Hodgson said.

Norfolk, who is at CA World, said the dominant theme is about disruption and innovation, with a focus on using APIs to deliver agile services.

"But I'm glad that it still sees the mainframe as part of this, since major companies still use the mainframe for mission-critical data, services and applications," he said.
