Posted from Santiago de Chile on Dec. 7, 2016, 1:11 p.m.
Banks spent about $188bn on IT last year and that figure is expected to grow at close to 5 per cent a year, taking it above $200bn by next year, according to Celent, the research company.
Many banks, such as RBS, are plagued by computer systems that have been built up over several decades through acquisitions and new product launches to form a costly and complex patchwork of systems. “A lot of these programmes get three-quarters done,” says a senior technology executive at one of the largest US banks. “It’s one of these technical debt problems that builds up over the course of time. If you have one thing happen it might cause the whole thing to fall down.”
The cost of maintaining these often ageing and unwieldy systems eats up three-quarters of banks’ IT spending, according to Celent. That leaves only a quarter to spend on innovations to keep up with the rapidly emerging threat from the many technology groups and start-ups trying to steal market share in areas such as payments.
As many banks struggle in the post-financial-crisis environment to generate returns above their cost of capital, these spiralling costs and inefficiencies are becoming increasingly unacceptable to managers and shareholders. (Source: FT)
Modern mainframe design is generally less defined by single-task computational speed (typically defined as MIPS rate or FLOPS in the case of floating point calculations), and more by:
- Redundant internal engineering resulting in high reliability and security
- Extensive input-output facilities with the ability to offload to separate engines
- Strict backward compatibility with older software
- High hardware and computational utilization rates through virtualization to support massive throughput
Their high stability and reliability enable these machines to run uninterrupted for decades.
Why is such scrutiny of mainframe security controls important?
As regulators make ever growing demands on banks to provide them with vast amounts of data for everything from stress tests to anti-money laundering checks, banks are racing to keep their systems up to speed. Deutsche Bank insiders blamed its failure in this year’s US stress test on years of under-investment in IT that made it unable to meet US regulators’ demands. Concern is growing about cyber security after a string of high profile hacking attacks, such as last year’s theft of data on 76m customers from computer systems at JPMorgan Chase. Executives say this focus on cyber security is a catalyst for change, pushing banks to simplify and upgrade their IT systems. “Making something secure requires it to be consistent and clean and up to date and well managed,” says the US tech executive.
Software upgrades usually require setting up the operating system or portions thereof, and are non-disruptive only when using virtualizing facilities such as IBM's z/OS and Parallel Sysplex, or Unisys's XPCL, which support workload sharing so that one system can take over another's application while it is being refreshed. Mainframes are defined by high availability, one of the main reasons for their longevity, since they are typically used in applications where downtime would be costly or catastrophic. The term reliability, availability and serviceability (RAS) is a defining characteristic of mainframe computers. Proper planning and implementation are required to exploit these features; if they are implemented improperly, they may inhibit the very benefits they are meant to provide. In addition, mainframes are regarded as more secure than other computer types: the NIST vulnerabilities database, US-CERT, rates traditional mainframes such as IBM zSeries, Unisys Dorado and Unisys Libra as among the most secure, with vulnerabilities in the low single digits as compared with thousands for Windows, Unix, and Linux.
The majority of payments today touch or are processed on mainframes, regardless of whether the merchant or service provider is aware of it. The primary focus of the Payment Card Industry Data Security Standard (PCI DSS) is the protection of cardholder data. PCI DSS provides required controls for cardholder data that is stored, processed or transmitted on any platform. Unfortunately, many mainframes are currently not being assessed properly for PCI DSS compliance.
Mainframes use one of three external security managers (ESMs) for data and access protection: IBM's RACF, CA-Top Secret and CA-ACF2. Assessors who are not trained on, or have limited exposure to, these platforms will typically run a RACF DSMON report, a Top Secret TSSAUDIT report or an ACF2 SHOW ALL command. These show the global security options at the operating-system level, but they say nothing about whether the specific datasets and resources holding cardholder data are actually protected.
Since the 1980s, ESMs for mainframes have become feature-rich, robust and expansive. Consequently, many QSAs are less concerned with PCI cardholder data on the mainframe: because they believe the ESM makes the mainframe secure, they would rather focus on the ubiquitous server environment. The server environment certainly requires attention. However, ESM security features are installation-selectable, meaning each installation can choose to activate them -- or not. Security professionals and IT auditors who perform mainframe ESM assessments invariably find these features turned off for performance, cost and convenience reasons. This not only affects PCI compliance, but can also put cardholder data on those systems at risk.
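To illustrate the difference between a global-options report and a resource-level check, here is an added example (not from the original post or any vendor tool) that walks a dataset-profile listing and flags installation-selectable protections that have been left off. The listing is constructed and its layout is only modelled loosely on RACF LISTDSD output; the dataset names, owner and attribute values are invented, and the parser would need adapting to a real listing.

```python
import re

# Constructed sample, loosely modelled on RACF LISTDSD output. Not real assessor data.
SAMPLE_LISTING = """\
INFORMATION FOR DATASET PCI.CARDDATA.** (G)
LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
 00    PCIADM          READ            NO      NO
AUDITING
FAILURES(READ)

INFORMATION FOR DATASET PCI.SETTLE.** (G)
LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
 00    PCIADM          NONE            YES     YES
AUDITING
NONE

INFORMATION FOR DATASET PCI.AUTH.LOG
LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
 00    PCIADM          NONE            NO      YES
AUDITING
ALL(READ)
"""

def parse_profiles(listing):
    """Split a LISTDSD-style listing into one dict per dataset profile."""
    profiles = []
    for block in re.split(r"\n\s*\n", listing.strip()):
        lines = [line.strip() for line in block.splitlines()]
        name = re.match(r"INFORMATION FOR DATASET (\S+)", lines[0]).group(1)
        # The attribute row is the line right after the column header.
        hdr = next(i for i, line in enumerate(lines) if line.startswith("LEVEL"))
        _level, _owner, uacc, warning, erase = lines[hdr + 1].split()
        audit = lines[lines.index("AUDITING") + 1]
        profiles.append({"name": name, "uacc": uacc, "warning": warning == "YES",
                         "erase": erase == "YES", "audit": audit})
    return profiles

def findings(profiles):
    """Return (profile name, issue) pairs for protections a PCI assessor would expect."""
    out = []
    for p in profiles:
        if p["uacc"] != "NONE":          # default access for every user on the system
            out.append((p["name"], f"UACC({p['uacc']}) grants every user default access"))
        if p["warning"]:                 # violations are logged but the access still succeeds
            out.append((p["name"], "WARNING mode: failed checks still allow access"))
        if p["audit"] == "NONE":         # no SMF trail for reads or updates
            out.append((p["name"], "no auditing: access leaves no audit trail"))
        if not p["erase"]:               # released extents are not overwritten
            out.append((p["name"], "ERASE(NO): residual data may survive deletion"))
    return out

if __name__ == "__main__":
    for name, issue in findings(parse_profiles(SAMPLE_LISTING)):
        print(f"{name}: {issue}")
```

A DSMON-style global report would show only whether these attributes are enforceable system-wide; the profile-level pass is what reveals that two of the three cardholder-data profiles above are weaker than the global options suggest.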
Ignorance is not a control.
Not having sufficient understanding of mainframe security constructs is not a valid reason to ignore them, nor does it justify minimizing the risk to cardholder data on insecure mainframes. Assuming that few individuals know how to exploit mainframe vulnerabilities is unwise and portends negative results. Most QSAs and penetration testers don't have a background in mainframes and thus don't know how to exploit even the simplest vulnerability. Remember, however, that attackers only need to be right once.
The protection of cardholder data that PCI DSS requires should not be conditionally excluded because the cardholder data environment is not fully understood. This also applies to issuing and acquiring financial institutions whose payment processing runs predominantly on mainframes -- but that is yet another neglected topic.
LiquidNexxus is the first company to launch a Mainframe Security Training to help banks address existing IT, Compliance and Security issues in Legacy Mainframe systems. For more information visit our website.
Sources: Techtarget, Wikipedia, FT