Zero Trust for Mainframes

As many agencies are amid multi-year IT modernization programs, they often lack the resources to convert applications running on mainframes to modern infrastructure, not to mention the cost and time associated with transitioning a mission-critical application off a mainframe.

A 2020 Deloitte survey of U.S. business and IT leaders revealed some interesting data points indicating that mainframes are not going anywhere soon:

• 74% believe mainframes are a long-term strategic platform for their organizations
• 91% indicate that expanding their mainframe footprint in the next 12 months is a major priority
• 71% say their mainframe team is understaffed
• 54% plan to use external resources to accomplish their mainframe goals over the next three years

Mainframes often lack the ability to use security tools that are present on more modern technologies. This has led some organizations to adopt a “security through obscurity” posture, in which they rely on design or implementation secrecy as the main method of providing security. It’s clear how that approach is insufficient in today’s sophisticated threat environment and would give bad actors the ability to exploit multiple avenues of access to the mainframe.

The most common attack vector tends to be through TN3270, an emulated terminal that is the most typical way to connect to a mainframe using telnet via port 23. When telnet is used over the internet, information is transferred in clear text. This allows for bad actors to eavesdrop on connections and compromise confidential information. Other methods that are used but are not as common are Secure Shell Protocol (SSH) and File Transfer Protocol (FTP).

During a security meeting it is not uncommon for someone to dismiss the risk to mainframes because they are generally not exposed to the internet and typically accessed via a VPN connection by a remote workforce. But, as we know, VPN connections are often fraught with security vulnerabilities, as once a user is authenticated, they likely have access to most of the network.

If you have been in the security space for any amount of time you have most likely heard of Zero Trust and more specifically Zero Trust Access control. Zero Trust is a paradigm shift toward a never trust, always verify mindset—whether a user is privileged or not. Zero Trust never grants any type of access, either at a network or application layer. It requires that trust be earned through proactive device introspection, identity validation and contextual analysis that is continuously re-evaluated during every interaction using a contextual, risk-based approach.

Zero Trust is based on three key security concepts:

• Secure Access: Zero Trust requires an identity-centric approach to authentication. Rather than a simple “yes” or “no” to confirm user access based on whether an IP address has privileges, access is dependent on the contextual variables surrounding a user’s access request—i.e., device, location, user behavior, etc.
• Least Privilege: Once secure access is granted to a user, the scope of that trust will continue to be limited. Users and devices are only permitted to access approved resources while everything else remains invisible and inaccessible.
• Visibility: To arm your security analysts with timely and accurate data, your Zero Trust efforts should include the ability to view access request details for all north-south and east-west network traffic, empowering your security operations center (SOC) to identify blind spots and make quick decisions for faster remediation.

Zero Trust security protection can be evaluated across five typical attack surfaces:

1. People: Users are extensively verified by Zero Trust security policies based on contextual variables, device security posture and multi-factor authentication (MFA), and they are only permitted conditional access to approved resources.
2. Workloads: The Zero Trust model requires making server ports invisible to prying eyes and further unifies privileged access to and between all heterogeneous environments, automating security to scale with workloads.
3. Networks: Zero Trust security can limit access with network segmentation and confines lateral movement, keeping unauthorized resources invisible, across all environments. It ensures all access is trusted by continuously authenticating users and devices.
4. Devices: With a Zero Trust security approach, networks are restricted entry by isolating BYOD and IoT devices to prevent lateral movement. For user devices, it neutralizes attacks and evaluates device security posture as criteria for secure access to workloads and data.
5. Data: Providing encrypted 1:1 tunnels to secure data flows, Zero Trust security limits and controls access to sensitive databases and emulates data exfiltration techniques to unearth vulnerabilities before adversaries can take advantage.

The market today is crowded with vendors promising Zero Trust. I urge you adopt a focused approach to Zero Trust Access where results take precedent over claims. If you have any questions about how you can encrypt your mainframe traffic and leverage modern security protocols such as MFA, please reach out to your Appgate representative or click on the “Talk to an Expert” button at the top of this page, and let us show you how we can help.

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.

Additional Resources:

Visit Appgate at RSA
Blog: Control access with identity-centric micro-perimeters
Ebook: Zero Trust Network Access: Everything you need to know
Blog: The CISA Zero Trust Maturity Model Series – Part 5: Data