How to Politely Talk Politics When it Comes to Enterprise Security
The other day, I broke a social rule among polite company. I talked politics.
At a speaking gig with a security experts group near our HQ in Milwaukee, one attendee wanted to know the biggest impediment to securing data on their massive hardware systems. Rather than a technical diatribe, I said that misunderstandings about mainframe security typically boil down to a political divide. (A political divide over data centers and mainframes, my kind of soapbox!)
Too often in enterprise IT, the mainframe is separated from the rest of the data center. Many organizations have IT security on one side and mainframe security on the other. There are systems administrators and, for the mainframe/data center, a separate set of systems programmers. We see database administration and mainframe database administration. I think you get the drift. The mainframe is treated as if it were a special entity. (No wonder some folks think it's so simple to lop off from the rest of the enterprise computing world, but that's a rant for another time ...)
However you size up the mainframe, it really amounts to another server on the network. Long ago, the mainframe lived in a glass house of sorts, reachable only through its own dedicated terminals on its own network, but those days are as old as, well, the slew of mainframe experts set to retire over the next few years.
Meanwhile, this separation has created a complicated relationship over responsibility and risk. The governance, risk and compliance (GRC) folks are perplexed when they get pushed away from auditing or testing the mainframe and its connected systems. CISOs and CIOs, operating high above the hum of the data center and hardware, often work from the assumption that the mainframe is implicitly safe from threats.
The mainframe should be treated like any other server on the network, and GRC should not be stumped by the sea of acronyms associated with it. Vulnerabilities are as likely on EBCDIC-based systems as on ASCII-based systems, and the culprits are the same ones that hit websites, smartphones and software: thieves, snoops and idiots. These bad actors are looking for the easiest path to sensitive and valuable data, regardless of the platform, and a server that nobody audits because it is "different" is exactly that path.
Even in a room of security experts, a few lightbulbs were still flickering "on" around concepts of hardware security, and afterward it led to some lively, albeit geeky, chatter. I'm in the process of beefing up a presentation on mainframe and data center security for a national audience. What GRC or scalability issues have you come across? What's the worst misconception you've heard about data protection on computing hardware? How have you rooted out politics as part of your security plans?