Setting the Stage: Mainframe Data Security



by Joe Sturonas, Jeff Cherrington
February 1, 2010

• Private industry joined the call for higher data protection standards, particularly in the electronic payments arena, consolidating five separate initiatives into the Payment Card Industry Data Security Standard (PCI DSS) in 2004.

• The U.S. Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule became effective in 2003, regulating protection of health information; it has now been updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to require disclosure of data breaches for any organization dealing with any aspect of healthcare.

Consequently, data center managers are compelled to take action both to appropriately protect customer and company data and to avoid the penalties and disruptions to the organization’s business plan that regulators and auditors can impose. This means managers must manage the traditional data center risks—such as environmental (e.g., earthquakes, tornadoes), social/political (e.g., war, riots), and operational (e.g., hardware failures)—while also considering issues of:

• Data integrity (e.g., hacking, disgruntled insiders)

• Data availability (e.g., denial-of-service attacks)

• Data authenticity (e.g., man-in-the-middle attacks)

• User access to resources (e.g., identity management)

• Data confidentiality (e.g., malicious and unintentional data leakage) (see Figure 3).

Managers, then, are compelled to consider a range of responses to these risks that branch far afield from the traditional data security domain for the mainframe (see Figure 4). The traditional disciplines of business continuity planning and testing to counter environmental, political, or operational concerns, and Identity and Access Management (IAM) to restrict rights, are now only the beginning. Encryption for data privacy protection, automated log review for data integrity monitoring, realignment of batch update processes to ensure multiple nines availability, smart Personal Identity Verification (PIV) technology for data and user authentication, and more—all must become part of the mainframe data center manager’s repertoire.

The mainframe has always been considered the heart of the data center and information the lifeblood of an organization. An awareness of today’s data security issues provides a foundation for understanding and reacting to those issues. Following are examples of several issues managers now face:

1. Data privacy is the cornerstone of contemporary compliance. Every connection, every database extract, every write to removable media (including backup tapes), and every transaction represents a risk. After decades of focus on operational excellence and tuning jobs to fit tight batch windows, managers must now maintain those standards while taking new steps to protect data if it’s lost or stolen. Compliance with the regulatory pressures listed earlier requires exploring how risks to the confidentiality of data on the mainframe have changed with the advent of pervasive connectivity and increased integration with partners, customers, and vendors; it also means leveraging the advantages the mainframe offers for mitigating the risk of data breaches.