Why Zero Trust for Mainframes is a Must for Financial Institutions – The New Stack
Chris Perry is a cybersecurity strategist, for BMC
Mainframes continue to form the backbone of financial services IT operations. According to Constellation Research, 45 of the top 50 banks rely on them for core banking functions. Mainframe systems process approximately $3 trillion in transactions every day, a figure that likely underestimates the impact of mainframes in financial services, as it only counts transactions using COBOL.
The need will continue to grow. According to a recent survey by Deloitte, 91% of business leaders who rely on mainframes identified expanding their mainframe footprint as a top priority over the next 12 months.
However, mainframe security is prone to misconceptions that expose financial institutions. Leaders rely too much on the idea of “security through obscurity,” which is a way of saying that threat actors avoid attacking mainframes because they are more familiar with operating systems Windows or Linux.
Security through obscurity is insufficient. The reality is that today all mainframes run Unix system services with the same Linux-based capabilities and tools hackers are familiar with. On top of that, mainframes often lack the modern detection and response tools that have become ubiquitous on other parts of the network. This means that attackers who are able to access a mainframe system will be able to maintain persistence and easily expand their initial footprint to take full control of the platform.
The Risks of Mainframe Trust
To secure their mainframes and stay resilient, financial services companies must transition to a modern Zero Trust architecture, defined by its mantra “Never trust, always verify”. Zero Trust gained popularity when cybersecurity advocates realized they needed a deeper defense. There were too many examples of hackers gaining initial access to an organization through stolen credentials and realizing they could use those same credentials to gain access to the entire environment. This dramatically reduces the amount of work a hacker must do to steal or destroy sensitive data while limiting the ability of defenders to effectively detect and respond to the breach.
With Zero Trust, you continuously assess the user’s identity, the sensitivity of the resources the user interacts with, and the user’s permissions to access those resources. It is designed to prevent the privilege escalation and lateral movement within the network that advanced threat actors have so often successfully used. This philosophy, which has existed for nearly a decade, has gained tremendous momentum over the past year with the The US National Security Agency is pushing its guidelines and the The White House releases its own Zero Trust strategy.
Exacerbate the risks
The overreliance on traditional perimeter-based security models, which instill enormous trust in users, exacerbates the weakness of security by obscurity. Unfortunately, it is still quite common to hear experienced mainframe professionals claim that the mainframe is not in danger because it is not connected to the Internet. Yet they also log into the mainframe from a typical laptop, which is one targeted phishing attack away from being the mainframe entry point with single-factor credential access.
Inside a misconfigured mainframe, users can access files, export data, and perform lateral moves to gain more privileges. Although the mainframe has identity access management controls from one of the larger external security managers, the reality is that these platforms are almost never evaluated by a penetration tester. adversary-based, which means that most financial institutions operate daily with a significant number of unknown vulnerabilities. on their system. The lack of adequate controls makes this type of system extremely vulnerable to insider threats or threats in which an outside actor gains access to compromised credentials.
For example, a company lacked modern cybersecurity capabilities on the mainframe and fell victim to a ransomware attack. The hacker used a fileless keylogger on a laptop with access to the mainframe. Over time, they gained access to sensitive passwords and were able to extort a multi-million dollar ransom after encrypting a mainframe computer. It is unlikely that these hackers took the ransom and simply retreated.
Ultimately, losing the mainframe to a ransomware or other cyberattack would spell disaster for almost any financial institution. If you’re a bank that can’t process credit card transactions or allow users to view their accounts because the central computer is down, you simply won’t be able to do business. This requires the mainframe to receive the same security capabilities and focus as all other servers in the enterprise, all of which are best served by a Zero Trust architecture.
Walk and Run to Zero Trust
For IT administrators, key components of a Zero Trust policy for mainframes include robust identity management and strong device security policies. These components should govern how your sensitive data interacts with the people, workloads, networks, and devices that access it. Perfection doesn’t exist in this area, but when you begin your Zero Trust journey, you can run small and highly efficient solutions before moving on to more complex capabilities.
Below are four immediate actions that can be taken to significantly improve the resiliency of the mainframe environment and move you towards a Zero Trust architecture:
Encryption: Workloads between the mainframe and other environments like the cloud must be encrypted. It may seem obvious, but many companies still run 3270 connections without encryption, which leaves the user name and password in clear text on the network.
Monitoring: IT admins need solid visibility across the entire network to enforce and monitor these policies. Consider whether your mainframe data is integrated into your real-time security tools like your enterprise security information event monitor (SIEM). If not, you are at significant risk because of this blind spot.
Multi-factor authentication (MFA): You cannot allow a single mainframe administrator to be the sole bridge between an external threat and privileged control of your mainframe. What happens if this admin is a victim of phishing? While not a panacea, MFA authentication has been shown to significantly reduce the ability of external threats to compromise credentials and conduct cloaking attacks.
Privileged access management: You don’t want to let security controls limit the agility your operations teams need to do their jobs. Automate the management of privileged access related to legitimate and trusted service work so that the mainframe is maintained smoothly while adhering to the principle of least privilege.
Although these policies greatly improve security, the list is by no means complete and some of these features are easier to achieve than others. The ultimate goal is for your technology to enforce the policy that your data is only truly accessible to those who are properly authorized to use it.
What’s most important is that you decide that Zero Trust is a core business goal and form an official initiative, because a Zero Trust architecture won’t develop by accident. If your corporate security team under the CISO already has a Zero Trust initiative, it’s not too late to make sure the mainframe is part of the deliberate scope. If not, now is the perfect time to begin that journey while confirming that all servers, from mainframe to cloud, are equally defended.
Image selected via Pixabay.