This content made possible by our sponsor. It is not written by or reflect the views of MSP TechMedia or IBM Systems Magazine.

Ray Overby

Ray Overby


Key Resources, Inc.

Ray Overby is a recognized authority on mainframe security for  IBM Z* environments.


Security analysts often state that in order to effectively safeguard the vast data volumes stored on a mainframe, an organization must establish configuration-based security controls and then continuously monitor these controls to determine effectiveness and compliance to standards. Yet it only takes one zero-day, code-based vulnerability in the OS layer to afford a hacker with the ability to bypass everything that is considered essential and best practice in securing the applications and the source data associated with those applications.

Code-Based Vulnerabilities
Security professionals understand how to mitigate the risks caused by configuration-based vulnerabilities, but a code-based vulnerability assessment will lead you to the realization that you have serious exposures. Code-based vulnerabilities allow hackers (external or internal) to circumvent internal z/OS integrity controls, as well as your External Security Manager (ESM), and in some cases, you will never know they have access to your applications and your data.

In the case of a storage alteration vulnerability, an exploit program will allow a non-authorized user to modify OS memory. These locations would include where the ESM (e.g., RACF) keeps its security credentials. Code-based vulnerabilities are caused by poor design and coding errors in programs that reside in the mainframe’s OS layer.
A comprehensive security compliance review of a mainframe system should always include analysis for configuration-based and code-based vulnerabilities. The balance between protection and vulnerabilities isn't static or even predictable; it's impossible to monitor and comprehend consequences of vendor development and maintenance streams. In the same way that PCs and servers need frequent scans for malware, mainframes need periodic evaluation for exposures created by configuration changes and vendor releases and patches. Failure to do both leaves your mainframe system at risk.
Ensuring System Integrity
Remember, ensuring system integrity is outside the scope of the current ESMs. The ESMs were not designed to enforce your security policy when an OS-layer code vulnerability is exploited and allows unauthorized access to data.
Where does all of this lead? It surely does not undermine the mainframe's well-deserved reputation for integrity; no other platform rivals what its integrated architecture, development and maintenance philosophies, and fundamental reliability mindset provides.

It does, however, recall sage advice: Trust but verify. Mainframes remain the ideal platform for supporting business processes and especially for building future successes (mobile, cloud, payment). Their use must include appropriate verification that the system's architectural foundation—z/OS—provides no "basement kitchen window" vulnerabilities.