Will Insider Threats Prey on Data Despite IBM z14 Encryption?
Pervasive encryption is the primary selling point of the new IBM z14 mainframe. The capability prevents the theft of usable sensitive data within the encryption points, keeping data visible yet unintelligible at rest or in flight.
Automagical encryption is a leap forward in data protection, all the more so on a platform that already outshines others in securability. However, it’s inevitable that there will eventually be eyes on that data, and potentially a data predator’s.
For a program or application user to access data, it must be decrypted, making it visible in its true form again. At that point, the mainframe is once again exposed to its greatest vulnerability: insider threats. The new z14 encryption will tighten infrastructure security, but nothing will change for users who can still abuse privileges when viewing decrypted data through applications.
z14 Encryption Good; Complacency Bad
The new z14 encryption capability to improve data protection “on the wire” could cause some mainframe shops to be complacent. If the machine is doing encryption for you, you might be prone to assume security is being handled well enough at all levels. It’s not so.
Despite the z14 encryption capability, mainframe shops that bring the new platform into their datacenters must understand that even if the test data is encrypted in flight and at rest, testers and developers will still view it when they debug and test their changes. It doesn’t matter if that application is a customer-written COBOL program, a utility such as SPUFI, or a batch-oriented program without human eyes on it. If that program abends, the unencrypted sensitive data will be visible in the dump. If a debugger is being used, data will be visible in the program’s storage and on the screen. Anything an application displays will be unencrypted so that users can understand what to do with it.
The bottom line is, with z14 encryption it will be more difficult for individuals to steal data by sniffing the network or doing a low-level read of the disk where the data is encrypted, but the data will otherwise be decrypted for whatever application is being used to read it. That’s why you still need to consider application-level security.
Remember Your Application Level Security
Despite the innovative and useful enhancement of security through z14 encryption, you still need to make sure you’re guarding your applications from insider threats—that’s where your mainframe’s greatest vulnerability is.
From a data privacy standpoint, you still need to privatize data that is visible to debuggers, programs and programmers. From a compliance standpoint, you still need to know who’s looking at sensitive data: if, in the case of a breach, you can see what data someone looked at, you can narrow the scope of which data was taken.
That’s where a mainframe cybersecurity and compliance tool like Compuware Application Audit comes in. It captures data about user access and behavior on the mainframe and automatically delivers that data to SIEM platforms such as Splunk® and QRadar®, either directly or in combination with CorreLog® zDefender™ for z/OS or Syncsort Ironstream®.
These granular intelligence and reporting capabilities help you mitigate cybersecurity risks and comply with regulations such as HIPAA and GDPR as well as security policies. Learn more in our white paper, “Mainframe Security in a Hybrid/Mobile World.”
When the z14 mainframe is made generally available and placed in your datacenter, leverage its encryption capability as extensively as possible—but don’t become complacent and neglect your applications. Insider threats are still a major concern, and they won’t be going away soon. The only way to combat them well is at two levels: the system and the applications.