The Mainframe vs. Distributed Platforms: 10 Key Security Questions to Help Determine the Most Secure Platform



by Stu Henderson
June 19, 2008

IBM further enhanced TCP/IP security by linking it to the encryption tools, and added a security tool that is standard for any version of TCP/IP: a program called a firewall. Firewalls protect TCP/IP networks through several techniques, including message filtering, address translation, and intrusion detection (recognizing patterns of messages that indicate a possible attack). This firewall software, called Policy Agent, is included in mainframe TCP/IP.

All three types of platform can connect securely to the other types, and to the Internet, using the TCP/IP protocol. They all support encryption and firewalls to provide security over such connections. Because of the thoroughness of IBM’s software security cleanup, the rigor of its original software architecture, and the integration of its TCP/IP security with the system software security, the mainframe version of TCP/IP has no known security vulnerabilities.

You should have your staff evaluate any computer platform you’re considering in terms of known TCP/IP security vulnerabilities as indicated by CERT. For any computer your organization uses, have your staff regularly contact CERT for news of any newly discovered vulnerabilities.

8. What organizational effects does it have for security?

The size of mainframe installations makes it possible to support separation of duties, a key security technique. This works by ensuring that, for example, computer programmers aren’t permitted to execute their programs. Instead, computer operators execute programs that programmers have written. The operators themselves are prevented from accessing the data on tapes in the tape library. This separation provides security by isolating required functions so no one person can perform them all.

On smaller computer systems, separation of duties is difficult to implement since the number of staff is often too small.

The size of mainframe installations also permits separation among security administrators, programmers, and the business managers who understand the business risk associated with their data. This supports a control structure where, for example, the head of the payroll department specifies in writing who should be allowed to read payroll data and who should be allowed to write it. A separate person, the security administrator, creates rules in the computer based on the written approval from the payroll head. A third party, perhaps the auditor, can compare the actual rules in the computer to what’s specified in the written approvals. This separation of duties is necessary for effective security. It’s only possible when there’s a sufficiently large staff.

Because mainframes support larger workloads, and are more powerful, they’re more likely than Windows or Unix computers to have the staffing to support this separation of duties.

In evaluating various computer platforms, give added value to computers that can support this separation of duties.
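The three-party control described above (the payroll head approves in writing, the security administrator enters the rules, the auditor compares the two) can be expressed as a reconciliation check. The following is an added example, not code from the article: the record layouts, finding names, user IDs and sample data are all constructed for illustration, and it assumes WRITE access implies READ.

```python
# Constructed illustration: auditor's comparison of written approvals
# against the access rules that actually exist in the security software.
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:       # written approval signed by the data owner
    owner: str        # e.g. the head of payroll
    user: str
    access: str       # "READ" or "WRITE"

@dataclass(frozen=True)
class Rule:           # rule as entered in the security software
    created_by: str   # security administrator who entered it
    user: str
    access: str

LEVEL = {"READ": 1, "WRITE": 2}   # assumption: WRITE implies READ

def reconcile(approvals, rules):
    """Return a sorted list of (finding, user) tuples for the auditor."""
    approved = {}
    for a in approvals:
        approved[a.user] = max(approved.get(a.user, 0), LEVEL[a.access])
    owners = {a.owner for a in approvals}
    findings, seen = set(), set()
    for r in rules:
        seen.add(r.user)
        if r.user not in approved:
            findings.add(("UNAPPROVED_ACCESS", r.user))
        elif LEVEL[r.access] > approved[r.user]:
            findings.add(("EXCEEDS_APPROVAL", r.user))
        # Separation of duties: the administrator must be neither the
        # approving owner nor the person receiving the access.
        if r.created_by in owners or r.created_by == r.user:
            findings.add(("SOD_VIOLATION", r.user))
    for user in approved.keys() - seen:
        findings.add(("APPROVED_NOT_IMPLEMENTED", user))
    return sorted(findings)

# Constructed sample data
APPROVALS = [Approval("pay_head", "alice", "WRITE"),
             Approval("pay_head", "bob", "READ"),
             Approval("pay_head", "carol", "READ")]
RULES = [Rule("secadmin", "alice", "WRITE"),
         Rule("secadmin", "bob", "WRITE"),       # more than approved
         Rule("secadmin", "dave", "READ"),       # never approved
         Rule("secadmin", "secadmin", "READ")]   # admin granted self access
if __name__ == "__main__":
    for finding, user in reconcile(APPROVALS, RULES):
        print(f"{finding:26} {user}")
```

An empty result means the rules in the computer match the written approvals and each rule was entered by someone other than the approver and the recipient.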