Skip to main content

Protecting Mainframe Applications

Secure IBM Z application access with multifactor authentication, endpoint management and more.

Technological security represented as a blueprint.

Organizations with IBM Z* mainframe applications are faced with ever-evolving challenges because business demands continue to change. Some of these demands are regulatory in nature, while others come out of the digital transformation that’s sweeping so many industries. Digital transformation requires connecting existing tenured systems of record and new systems of engagement, which can present unique challenges when your system of record is a mainframe application.

When it comes to modernizing mainframe applications, much of the focus goes to the application code and the infrastructure that those applications run on. While this is massively important, it represents only half of the picture. The other half of the modernization picture is about the ways in which users access and utilize those applications.

Changing Requirements for Mainframe Applications

As part of their digital transformation, organizations are faced with new demands on their IBM Z applications. At a business level, failing to meet these demands means a widening competitive disadvantage, decreased productivity due to multiple systems and the risk of failing a security compliance audit. At a technical level, these demands mean that managing access to mainframe applications has become increasingly complex due to new policies and regulations—even as new and unique user experience demands arise around how the applications need to be consumed. 

New Methods of Application Access

One approach that modern businesses are taking to meet these evolving business and technical requirements is to extend mainframe application access to a broader set of devices and application platforms through web, mobile and API-based technologies. HTML-based (zero footprint) and native mobile terminal emulation clients are providing businesses with the flexibility that modern workers need in order to work at any location, any time. Web- and API-based platforms are enabling terminal-based mainframe applications to participate in new solutions with improved UIs and workflows. 

Organizations, therefore, are taking the necessary steps to ensure that core business systems are accessible and are compatible with modern access methods, which is increasing the demand for solutions that deliver web-based/mobile-enabled access to IBM Z. 

Security, Privacy and Compliance

With these changing methods of access, and mainframe applications being increasingly exposed, security and data privacy have never been more important. Organizations need to be concerned about their mainframe applications. These reliable, high-throughput applications serve as repositories of business logic and data that include personally identifiable information (PII), customer financial details and intellectual property that must be protected and are subject to regulatory security audits. 

Corporations have been mindful of protecting sensitive data across the rest of the enterprise—leveraging modern security approaches that include authentication and authorization technologies connected to an enterprise-wide identity and access management system. In many cases, however, organizations haven't extended those same security controls to the mainframe. IBM Z application security has typically been separate from the rest of the enterprise, because it’s running in a private network, is isolated from the public environment and hasn't been seen as a viable target for attack. In many cases, those in charge of security might not even know how to apply security controls to mainframe applications. 

Because of the private information that’s on mainframe systems, and due to data privacy regulatory compliance such as the Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation, IBM Z application security and data privacy is something that organizations need to consider and strengthen. Companies must meet the standards required to be deemed compliant, to pass an audit as well as prevent breaches and attacks. 

A key approach to modern security comes down to access control. Organizations need to ensure that users who access mainframe applications can prove who they are when logging in through two or more factors tied to something they know (a password), something they have (smartcard/chip) or something they are (biometrics). This is known as multifactor authentication (MFA), which extends well beyond traditional eight-character, case-insensitive passwords. Strong MFA, coupled with a consistent application of the concept of “least privilege” (allowing users to access only the applications and data that they need to do their job), forms the basis for solid access control. 

Modern MFA solutions are being applied to enterprise application access throughout organizations that are leveraging modern identity and access management (IAM) platforms. However, this type of security control is, to a large extent, not being utilized with mainframe applications. This is because the identity source is an isolated, independent user directory that’s separate from the corporate IAM. This can create a gap that the security team doesn’t know how to cross.

Significant data breaches have occurred when bad actors have gained credentialed access to systems of record via passwords compromised through social engineering vectors such as phishing. MFA provides a significant barrier to these attack vectors and is becoming a staple of data security in security policies and regulations. 

Simplified Endpoint Management

Endpoints that connect to mainframe applications must be managed and administered properly. Terminal emulation customers who have not yet implemented strict controls for how the products can be used could quickly face a situation where emulation configuration files (e.g., session and macro files) begin to spread as they are copied among users. This can lead to security risks (think recorded macros that contain a user’s login credentials), along with making the job of upgrading the emulation environment more difficult. These access endpoints must be hardened along with the mainframe itself.

Modern terminal emulation solutions include security controls for various types of frequently accessed data; these solutions should be regularly updated with the latest versions and security patches. However, depending on the size of the organization and how the software is deployed, this can be a labor-intensive and time-consuming task that requires multiple people to perform the required testing and deployment. As a result, many organizations don’t apply needed security patches in a timely manner or are running old versions. 

The Solution

Modern terminal emulation solutions address the need to improve access control. They support MFA frameworks, centralize provisioning to strengthen authorization controls and lock down endpoints with administrative controls that limit user configuration changes and macro execution. HTML5-based emulation solutions reduce the number of devices that need software security patches and limit which users can connect to mainframe applications. 

With the right solution in place, organizations can continue to deliver reliable and convenient access to IBM Z applications, while ensuring security and data privacy and facilitating regulatory compliance. 

IBM Systems Webinar Icon

View upcoming and on-demand (IBM Z, IBM i, AIX, Power Systems) webinars.
Register now →