Why Zero Trust for Mainframes Is a Financial Institution Imperative
Mainframe computers continue to form the backbone of financial service IT operations. According to Constellation Research, 45 of the top 50 banks rely on them for core banking functions. Mainframe systems process approximately $3 trillion in transactions every day, a number that likely understates the impact of mainframes in financial services because it counts only transactions using COBOL.
The need will continue to grow. According to a recent survey by Deloitte, 91% of executives at firms that rely on mainframes identified the expansion of their mainframe footprint as a major priority in the next 12 months.
However, security for mainframes is subject to misconceptions that leave financial institutions exposed. Executives rely too heavily on the idea of “security by obscurity,” which is a way of saying that threat actors avoid attacking mainframes because they are more familiar with Windows or Linux operating systems.
Security by obscurity is inadequate. The reality is that all mainframes today run Unix System Services with the same Linux-based capabilities and tools familiar to hackers. On top of that, mainframes often lack the modern detection and response tools that have become ubiquitous on other parts of the network. This means that attackers who are able to gain access to a mainframe system will be able to maintain persistence and easily expand their initial footprint to gain full control of the platform.
The Risks of Mainframe Trust
To secure their mainframes and remain resilient, financial services firms need to move to a modern Zero Trust architecture, defined by its “Never trust, always verify” mantra. Zero Trust gained popularity as cybersecurity defenders realized they needed more defense in depth. There were too many examples of hackers gaining initial access to an organization through stolen credentials and realizing that they could use those same credentials to gain access to the entire environment. This dramatically reduces the amount of work a hacker must do to steal or destroy sensitive data while limiting the ability of defenders to detect and respond to the breach effectively.
With Zero Trust, you continually assess the user’s identity, the sensitivity of the resources the user interacts with, and the user’s permissions to access those resources. It is designed to prevent privilege escalation and lateral moves within the network that advanced threat actors have so often used successfully. This philosophy, while around for nearly a decade, has gained tremendous momentum in the past year with the U.S. National Security Agency pushing guidance and the White House publishing its own Zero Trust strategy.
Over-reliance on traditional, perimeter-based security models, which bestow an enormous amount of trust on users, exacerbates the weakness of security by obscurity. It is unfortunately still quite common to hear experienced mainframe professionals claim the mainframe is not at risk because it is not internet-facing. Yet they also connect to the mainframe from a typical laptop, which is one targeted phishing attack away from being the entry point to the mainframe with single-factor credential access.
Inside a poorly configured mainframe, users can access files, export data and make lateral moves to gain more privileges. While the mainframe does have identity access management controls from one of the largest External Security Managers, the reality is that these platforms are almost never assessed by an adversarial-based penetration tester, which means most financial institutions operate daily with a significant number of unknown vulnerabilities on their system. The absence of adequate controls makes this type of system extremely vulnerable to insider threats or threats in which an outside actor gains access to compromised credentials.
As an example, one company did not have modern cybersecurity capabilities on the mainframe and was a victim to a ransomware attack. The hacker used a file-less keylogger on a laptop with access to the mainframe. Over time, they gained access to sensitive passwords and were able to extort a multimillion-dollar ransom after encrypting a mainframe computer. It is quite unlikely these hackers took the ransom and simply retired.
At the end of the day, losing the mainframe to ransomware or another cyberattack would be catastrophic for nearly all financial institutions. If you are a bank that cannot process credit card transactions or allow users to look up their accounts because the mainframe is broken, then you will simply not be able to do business. This mandates that the mainframe receives the same security capabilities and focus as every other server in the enterprise, which are all best served by a Zero Trust architecture.
Walking and Running to Zero Trust
For IT administrators, the core components of a Zero Trust policy for mainframes include robust identity management and heightened device security rules. These components need to govern the interaction between your sensitive data and the people, workloads, networks and devices that access it. There is no such thing as perfect in this domain, but as you start your Zero Trust journey, you can execute small and highly effective solutions before advancing to more complex capabilities.
Below are four immediate actions that can be taken to dramatically improve the resilience of the mainframe environment and move you toward a Zero Trust architecture:
Encryption: Workloads between the mainframe and other environments like cloud should be encrypted. This might sound obvious, but many companies are still running 3270 connections without encryption, which leaves username and password in clear text on the network.
Monitoring: IT administrators need robust visibility across the network to enforce and monitor these policies. Ask yourself if your mainframe data is integrated into your real-time security tools like your enterprise security information event monitor (SIEM). If it’s not, you have a significant risk from this blind spot.
Multifactor authentication (MFA): You cannot allow a single mainframe administrator to be the only gateway between an external threat and privileged control to your mainframe. What happens if this administrator is phished? MFA, while not a panacea, has been shown to dramatically reduce the ability for external threats to compromise credentials and conduct masquerading attacks.
Privileged access management: You don’t want to let security controls limit the necessary agility your operations teams need to do their job. Automate the management of privileged access tied to legitimate and approved service work so the mainframe is maintained smoothly while adhering to the least-privilege principle.
While these policies will drastically improve security, the list is by no means complete, and some of these features are easier to achieve than others. The ultimate goal is that your technology enforces the policy that your data is truly only accessed by those who are appropriately authorized to use it.
What is most important is that you decide that Zero Trust is a critical business goal and form an official initiative, as a Zero Trust architecture will not develop by accident. If your enterprise security team under the CISO already has a Zero Trust initiative, then it is not too late to ensure that the mainframe is part of the deliberate scope. If not, this is the perfect time to start that journey while confirming that all servers, from mainframe to cloud, are equally defended.