Cybersecurity, the mainframe and Halloween actually have more in common than one might think. October is National Cybersecurity Awareness month, dedicated to reminding individuals and businesses that we all need to do our part to make sure that our online lives are kept safe and secure. Indeed, the cybersecurity scope is wide, from the pre-teen chatting on their mobile device to the global business processing billions of dollars of customer transactions on their mainframe.
This month also brings Halloween, also known as “Allhallowtide,” “All Hallows’ Eve,” or “All Saints’ Eve” in some countries. It’s about remembering the dead, including saints and the faithful departed. And it’s about ghosts and ghouls and other scary symbols and traditions.
Given what experts see as the top enterprise security concerns, the mainframe’s role in security can seem as scary as Halloween – but it doesn’t need to be. In order to calm the fears that enterprise security can conjure up, organizations need to couple traditional identity-centric approaches with ones that focus more on data centricity to improve their overall security and compliance posture.
Managing Security, Privacy and Compliance Can Be More of a Trick Than a Treat
The Halloween phrase “trick or treat” suggests that if a treat is not given to a child in costume at the front door, the child might play a “trick” on the owner of the house. Likewise, getting an organization’s house in order to head off the implications and costs of compliance failures is far from a treat, often requiring lots of effort, time and money.
The notable shift in privacy laws, such as the EU-US Privacy Shield, and the challenges in proving regulatory compliance for PCI DSS, HIPAA, and Sarbanes Oxley (just to name a few) pose a tricky landscape in which to operate. In fact, some company board members and CIOs see keeping up with regulations and the overhead associated with compliance is now a greater concern than breaches.
In addition, company auditors, as well as external firms, are being encouraged to become more technical. Auditors are now viewing the mainframe as a key element in a platform-agnostic approach to enterprise security.
For years the focus in data security has been on open systems and end points, but that is only part of the equation. At CA, we are investing in a mainframe-focused, data-centric audit and compliance strategy which emphasizes data security policy, activity monitoring and enforcement. It expands from a user-centric view to one that also encompasses the data, to clearly determine what data is residing on a system, and who has access to it.
Protecting Your Company's Data Is Like Protecting Halloween Candy From the Neighborhood Bully
Just this past month, we saw media reports that Yahoo had a “series of embarrassing security failures” which resulted in hundreds of millions of customer accounts being compromised. It reminds us of that neighborhood bully who roams the streets on Halloween and steals candy from the younger kids who fear being beaten up. Just like candy, corporate and sensitive data is a challenge to safely handle and protect.
But whether its candy or data, being aware of potential bullies ahead of time and taking steps to avoid theft is a good place to start.
On the mainframe, the CA Technologies approach to proactive, data-centric security starts with CA Data Content Discovery, which finds sensitive and regulated data on z Systems, classifies the data based on sensitivity level, and provides users with the option to archive or delete the data to prevent its misuse or duplication elsewhere. This solution can also be used to determine who has rights to access the data, and helps security administrators proactively manage those rights accordingly.
We’ve got some exciting news around CA Data Content Discovery that we’ll be sharing at CA World. It’s definitely a treat you will not want to miss, so be on the lookout to hear more about this news.
How Do You Know That the Person Knocking at the Door Is Really Who They Say They Are?
One of the most prevalent requests we hear from our customers is how to help them secure their assets against the internal and external threat. Compromises to the mainframe perimeter are a concern, as is the heightened awareness of the fact that 59 percent of employees steal confidential company information when they quit or are fired. This is coupled with how relatively easy it is to gain the credentials of an employee through social engineering.
So what’s a company to do when it comes to securing the mainframe and keeping data at rest, in use and in motion available for application use yet protected from hackers and employees with nefarious intent?
Starting with advanced authentication measures in place for the mainframe is paramount. The Advanced Authentication Mainframe feature recently added to CA ACF2 and CA Top Secret includes advanced authentication support for all users on the mainframe, including those with privileged access. Supporting both hard and soft tokens, our customers are using this capability to help them ensure that users are who they say they are and that privileged IDs are not compromised.
Properly including the mainframe in your company’s cybersecurity posture is well within your reach, and October is the perfect time to examine your stance. A data-centric approach to security and compliance starts with knowing who’s at the door of your house, keeping your enterprise data “candy” away from the hands of bullies, and making sure that lack-of-compliance ghosts can’t haunt you later on.
To avoid any additional Halloween frights, I encourage you to view the National Cybersecurity Alliance site. The information can help educate, inform and remind us that it’s everyone’s responsibility to be cyber aware – from the mainframe and beyond.