Secure Access to Sensitive Data in Mainframe Environments

Mainframes are critical IT infrastructure for a majority of large organizations in financial services and other verticals. Despite years of predictions that they would be replaced by modern technologies, mainframes continue to power business-critical applications and host larger volumes of sensitive data than ever.
At the same time, organizations are embracing modern technologies to foster growth and enhance operational efficiency, leveraging cloud platforms and AI capabilities, to name a few. This, coupled with a growing shortage of skills and complex integration, has put mainframe environments behind the rest of the IT infrastructure and security teams.
Securing sensitive data in mainframe infrastructure is more challenging than ever, as data is queried by processing technologies and accessed by many different personas across multiple units and geographical locations.
Secure Privileged User Access to Sensitive Data
The challenge: Access by privileged users and service accounts poses a significant risk to the organization’s data security. Without proper controls, privileged users can easily access sensitive data, compromising critical applications and data. Insiders who misuse privileged access, together with credential theft, pose one of the biggest data security threats to the mainframe.
What should you do? Identify all users with privileged access and regularly review the access rights they have to applications and data. Enforce privileged user brokering (PAB) to ensure access is granted on a ‘need-to-know’ basis. Automate the removal of dormant accounts that are not being used or are not needed. Monitor and audit every data access activity by privileged users, and apply protection mechanisms to sensitive data, such as dynamic encryption and dynamic data masking. Block or limit the ability of privileged users and superusers to alter or reset critical controls by implementing least-privilege access, and ensure proper segregation of duties. Enforce strong authentication, SSO and MFA for all privileged users.

Image: example of dynamic data masking for protecting sensitive customer information by obscuring or replacing certain data fields while preserving the overall data format.
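The masking and auditing steps above, as an added example that is not part of the original article or of any product: a short Python sketch of dynamic data masking applied at read time. The role names, the need-to-know policy, the field names and the sample record are all constructed assumptions.

```python
"""Dynamic data masking at read time (constructed example)."""

# Assumed need-to-know policy: fields each role may see in clear.
CLEAR_FIELDS = {
    "fraud_analyst": {"name", "pan", "ssn"},
    "support_agent": {"name"},
    "dba": set(),  # privileged account with no business need for customer data
}
# Sensitive fields and how many trailing characters stay visible when masked.
MASK_RULES = {"name": 0, "pan": 4, "ssn": 4}

# Constructed sample record; the values are not real customer data.
SAMPLE = {"id": "C-1001", "name": "Jane Doe",
          "pan": "4111-1111-1111-1234", "ssn": "000-12-3456"}


def mask_keep_format(value, keep_last=0):
    """Star out letters and digits, keeping length, separators and the tail."""
    total = sum(c.isalnum() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isalnum():
            seen += 1
            if seen <= total - keep_last:
                c = "*"
        out.append(c)
    return "".join(out)


def read_record(user, role, record, audit_log):
    """Return the view of `record` this role may see and log the access."""
    allowed = CLEAR_FIELDS.get(role, set())  # unknown role: mask everything
    view, masked = {}, []
    for field, value in record.items():
        if field in MASK_RULES and field not in allowed:
            view[field] = mask_keep_format(value, MASK_RULES[field])
            masked.append(field)
        else:
            view[field] = value
    # Every access is recorded, including fully cleared reads by trusted roles.
    audit_log.append({"user": user, "role": role,
                      "record": record["id"], "masked": sorted(masked)})
    return view


if __name__ == "__main__":
    log = []
    for who, role in [("u1", "fraud_analyst"), ("u2", "support_agent"), ("u3", "dba")]:
        print(role, read_record(who, role, SAMPLE, log))
    print(log)
```

The stored record is never modified; only the returned view differs per role, and a role missing from the policy gets every sensitive field masked.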
Apply Strong Access Control Mechanisms
The challenge: Users accessing sensitive data on the mainframe can severely impact the organization’s ability to operate and serve its customers. Access to the mainframe environment, whether directly, via a web interface, through privileged access tools, through applications, or by other means, must be monitored, controlled and restricted.
What should you do? Set clear guidelines on who needs access to your mainframe resources, what they need to access, why and when, and what kind of access they require. Limit the ability to read, update, or delete data, transactions, and databases, or to execute commands, to only those users who require it. Implement strong data-centric access and security controls. Log all activities and apply automated anomaly detection and user behavior analysis to identify behavioral anomalies and security risks in real time.
Automate Mainframe Data Security
The challenge: Distributed workforce, regulatory frameworks, and organizational business processes require access to sensitive data classifications to be granted based on purpose.
What should you do? Classify your data and set clear guidelines on who should see what, and on who can access sensitive data and when. Automate the classification-to-remediation process, ensure consistent enforcement of dynamic access policies, and enforce zero trust across your organization’s data operations.
Summary: Prioritizing Mainframe Data Security is Crucial
Relying exclusively on native mainframe security measures can expose your enterprise to severe financial losses and complicate compliance with essential regulations such as DORA, PCI 4.0, SOX and others. By proactively addressing risks, organizations can strengthen their overall security posture and shield themselves from non-compliance issues and breaches.
It’s vital to recognize that mainframe security (like the security of other platforms) is not a one-time task but rather a continuous process. By thoroughly understanding the potential risks and implementing the right preventive measures, you can protect your enterprise from regulatory fines, reputational damage and sensitive data leakage.