Securing Legacy Applications the Open Source Way

The mainframe must march to many different beats nowadays, and this poses a particular challenge for security members of Big Iron’s vast maintenance squad. Once upon a time, the steady drumbeat of the mainframe dictated the pace of business — in banks, insurance companies, vehicle manufacturers, retailers, airlines, government branches, and so on. Such regularity and the splendid isolation of the mainframe meant it was bulletproof, security-wise.

Today, the mainframe’s memory and batch processing capacity means that many corporations still rely on it to run their core business applications. But the mainframe now has to co-exist with a distributed computing environment that includes open-source and cloud, which, as platforms go, offer enough flexibility to meet the demands of modern business. Being interconnected creates vulnerabilities, and the inherited perception of the mainframe as a fortress is under scrutiny.

A full 91 percent of organisations with mainframes have experienced a compromise or breach of sensitive data in the last five years, according to a report by Forrester Consulting. A respected security blogger in turn urges IT departments to hire more people: “You can’t seriously expect small teams of 2 or 3 members of staff to be able to be on top of things when they have complex mainframe environments.” Mainframe security is becoming a major headache, but modernising the estate provides an opportunity to reduce security-related risks.

Creating and policing multi-layered security to protect the mainframe is a significant undertaking in the 21st century. Housekeeping includes identifying threats and scanning for holes, adhering to in-house risk policy, governance and industry regulations, threat remediation, and automated security intelligence. Relevant data needs to be protected with encryption and access control according to defined data classification rules. And all of the above, and much more, needs to be applied to legacy operating environments where skills become increasingly scarce.

Modernisation simplifies security

A significant appeal of shifting core legacy applications and data off the mainframe onto open-source platforms, is the simplicity of nailing the security piece. The modernisation journey towards open source is already underway on many IT estates. The key driver is to quickly and affordably scale mainframe applications from the cloud or supercharge them with existing cloud-based tools. Alongside innovation, remediating security is a crucial reason for embarking on the journey.

Mainframe logic can be securely run on Linux platforms because all the security tooling already exists within the operating system – or can easily be downloaded. Security is integrated into Linux and not bolted on, so most generalist Linux engineers have a good handle on this. This talent abundance compares favourably to the mainframe security skills shortage.

Importantly, CIOs tend to trust open source because of the transparency of the code (including its security provision), which brings the backing of the board.

Compliance as a driver

Compliance may prove to be a key driver towards mainframe modernisation because it brings the dual benefits of more straightforward implementation and more significant risk reduction. Specific regulatory standards are more easily implemented on Linux, such as the U.S. Department of Defense’s Security Technical Implementation Guide (STIG), which has its own Linux version. At the same time, it’s easier to make applications’ business logic compliant in one platform, rather than maintaining and tweaking it on the legacy mainframe as well.

The growing regulatory compliance burden within financial services and other sectors constitutes a clear argument in favour of legacy modernisation. Take the Sarbanes-Oxley Act (SOX), for example. SOX mandates practices in financial reporting and record-keeping, but when it comes to procedures and processes, it is not always black or white like any other piece of regulation. Companies must interpret how they apply the rules to their own mainframe environment, then wait and see whether they pass the audit.

LzVault is the security and audit component of LzLabs’ Software Defined Mainframe® (SDM), a software container supporting mainframe applications on commodity hardware and in the cloud. Using this middleware route to modernisation brings the benefit of ease of compliance.

Easier integration of Identity and Access Management

Ensuring user access rights and privileges to mainframe data and applications is a vital component of the security task; unhelpfully, the directory that polices access (IAM) is rarely hosted on the mainframe nowadays, and so integration can be hand-cranked and patchy. And for mainframe modernisation specialists, every time a change is made on the open-source environment, the tweaks must be applied back to the mainframe end.

The software that automates these updates comes with a high price tag, and it’s an area where LzLabs can help. SDM migrates the security settings of the mainframe into LDAP, the open and cross-platform protocol used for directory services authentication that’s ready-to-go on Linux.

Tools that administer the LDAP directory can be downloaded for free, or it’s easy to extract data from the LDAP repository and feed it into another destination directory and do reporting that way. Other more conventional migration methods re-implement all the security settings, which is very expensive and sometimes inaccurate.

De-risking affordably

And the beauty of securing mainframe data through the open-source route is that part of the answer is frequently present in the form of an existing Linux platform. When CIOs talk to their C-suite colleagues about mainframe modernisation, it’s often assumed it comes with a hefty price tag: either through the purchase of a replacement mainframe or an alternative open-source system on which to port the company’s applications.

Securing business-critical mainframe applications and achieving adherence to changing compliance rules needn’t be painstaking or risky, and it doesn’t have to break the bank. With LzLabs, it’s just another application running on Linux – job done.