Mark Banwell – BMC Software | Blogs

Navigating DORA Regulations: A Guide for Mainframe Operational Resilience
https://s7280.pcdn.co/dora-regulations-mainframe-operational-resilience/
Tue, 12 Mar 2024 11:55:31 +0000

In the bustling realm of finance, mainframe systems stand as silent sentinels, processing transactions and safeguarding sensitive data. Yet, in the face of escalating workloads and looming cyberthreats, traditional operational resilience measures may falter, exposing financial institutions and their data to risk. Enter the European Union’s Digital Operational Resilience Act (DORA), a transformative force reshaping the landscape of operational resilience in finance.

This act, with its comprehensive standards and framework, extends beyond distributed systems to include the mainframe as well, offering a lifeline of regulation and guidance to fortify critical infrastructures against the tides of uncertainty. Strengthening the core of mainframe systems not only ensures regulatory compliance but also bolsters their ability to withstand the dynamic pressures of the modern financial landscape. This article serves as a guide, exploring the essential components and technology considerations that empower financial institutions on their journey towards DORA compliance and, ultimately, resilience.

Reevaluating mainframe operational resilience in the digital age

Operational resilience has resurged as a top priority, reflecting the acknowledgment of its indispensable role in navigating the digital age. This resurgence is particularly pronounced when considering the mainframe systems that serve as the backbone of financial operations, managing vast amounts of sensitive data and transactions. In an era marked by escalating workloads and demands, as well as cyberthreats and potential disruptions, traditional operational approaches fall short, underscoring the necessity for a renewed focus on mainframe operational resilience.

The importance of operational resilience for mainframe systems is not merely theoretical—it’s a strategic imperative for financial institutions. Every transaction, data point, and critical operation relies on the mainframe, making any disruption a significant risk. The repercussions of not embracing new technologies to enhance resilience are multifold—financial organizations risk not only regulatory non-compliance but also jeopardize the integrity of their operations.

Increased mainframe workloads demand a paradigm shift, and without a robust operational resilience framework powered by innovative technologies, institutions risk compromising the very core of their mainframe operations, putting data security and operational stability at stake. Embracing new technologies isn’t just a choice; it’s a necessity for financial organizations aspiring to thrive and remain resilient in the face of the evolving digital landscape.

Embracing DORA: Beyond compliance to mainframe operational resilience

DORA introduces a pivotal shift in the financial sector, expanding beyond traditional compliance into a comprehensive framework that reimagines service awareness, risk management, business continuity, and governance. This evolution in regulation serves as a call to action for financial institutions, urging them to proactively enhance their mainframe infrastructure.

As DORA harmonizes risk management practices and raises the standard for resilience in mainframe systems, it emphasizes not just compliance but a transformation of mainframe operations to meet the challenges of a dynamic digital landscape. This necessitates embracing advanced mainframe technology solutions, crucial for maintaining robustness and agility in response to these evolving demands.

DORA sets a regulatory focus on five key topics impacting mainframe operational resilience

DORA emphasizes the importance of holistic operational resilience principles, urging financial institutions to gain a thorough comprehension of their entire IT infrastructure, discern potential vulnerabilities and risks, and establish resilient automated strategies to safeguard their systems, data, and clientele from cyberthreats and other potential disruptions. Key areas of DORA focus include information and communication technology (ICT) risk management, incident reporting, resilience testing, ICT third-party risk management, and information sharing. Nevertheless, companies utilizing mainframe systems should consider the following:

1. Service awareness and availability

Effective technology for service awareness includes regular health checks, automated maintenance, and predictive alarms based on workload patterns. Log mechanisms aligned with DORA’s transparency requirements offer real-time insights into mainframe activities.

2. Risk management

Beyond standard vulnerability assessments, technology solutions for risk management involve real-time monitoring tools, security patch updates, and dynamic risk mitigation. This approach addresses exposures and vulnerabilities, aligning seamlessly with DORA standards.

3. Business continuity management

Technological considerations for business continuity management include comprehensive recovery plans, failover mechanisms, and automated backup solutions. Integration of cloud storage ensures scalability, meeting DORA expectations for enhanced recovery objectives.

4. Incident management

An effective incident management approach involves the seamless integration of monitoring alerts into an enterprise service console. Automated response playbooks and collaborative incident resolution align with DORA guidelines for efficient incident management.

5. Governance and compliance

Technology for governance and compliance encompasses vulnerability scanning tools specific to mainframe environments. Automated compliance checks, regular audits, and the evolution of governance processes ensure adherence to DORA components.

Operational resilience toolchain: a holistic approach

In navigating the intricacies of DORA compliance, the focus should extend beyond specific solutions to a holistic toolchain approach. Technologies that empower financial institutions share common attributes:

1. Identify

Early detection mechanisms and robust data analysis capabilities are integral. Technologies that offer insights into potential issues and risks provide a proactive foundation for resilience.

2. Protect

Implementation of security measures and safeguards for mainframe systems is crucial. Technologies that fortify defenses, ensuring the integrity of critical data, contribute to DORA-aligned protection.

3. Detect

Real-time monitoring tools equipped with anomaly detection capabilities are essential. Technologies that vigilantly spot threats in vast data landscapes align with DORA’s emphasis on understanding potential impacts.

4. Respond

Incident response protocols and collaborative incident resolution mechanisms are vital. Technologies that facilitate well-defined action plans and coordinated efforts to limit the impact of cybersecurity events meet DORA guidelines effectively.

5. Recover

Swift recovery strategies and post-incident analysis capabilities are key components. Technologies that streamline recovery processes and offer insights for continuous improvements contribute to a resilient mainframe environment.

Summary: A technological compass for mainframe resilience

As financial institutions embark on the journey towards DORA compliance and the intricacies of mainframe operational resilience, this exploration serves as a technological compass, guiding financial institutions towards a fortified future. We’ve underscored the imperative of adopting innovative technologies that align with the key components of DORA. From service awareness to governance and compliance, the compass points towards solutions that offer early detection, robust safeguards, real-time monitoring, efficient incident response, and swift recovery strategies. The essence lies not just in compliance but also in leveraging technology to proactively fortify mainframe systems, ensuring they both meet regulatory standards and stand resilient against the ever-evolving challenges of the digital landscape.

Want more resources to learn about DORA and its impact on mainframe operational resilience? Go to BMC’s DORA Survival Guide and learn how to fortify your mainframe.

Strengthening Mainframe Security: BMC and NetSPI Join Forces
https://www.bmc.com/blogs/strengthening-mainframe-security-bmc-netspi-strategic-collaboration/
Mon, 14 Aug 2023 14:29:30 +0000

Today marks a significant milestone for the world of cybersecurity, as BMC announces a strategic collaboration with NetSPI, the renowned leader in offensive security. The goal? To fortify mainframe security for our valued customers. This partnership is not only a testament to BMC’s unwavering commitment to deliver the best security solutions, but also showcases our dedication to collaborating with industry leaders like NetSPI to create an even more secure digital landscape.

The importance of mainframe security: a shared vision

Mainframes continue to hold critical information and perform essential functions for numerous large enterprises around the globe. Given this, the need for rigorous security testing cannot be overstated. Both BMC and NetSPI understand that it’s imperative to ensure the resiliency of mainframe systems against cyber threats, and this collaboration is driven by a shared vision of enhancing cybersecurity as part of mainframe operations.

NetSPI’s expertise enhances BMC’s security portfolio

BMC customers now have access to NetSPI’s comprehensive mainframe penetration testing (pentesting) solutions, coupled with state-of-the-art delivery platforms, enabling them to evaluate network security from an adversarial perspective. This is a significant leap forward in ensuring the robustness of mainframe systems. In return, NetSPI gains the advantage of utilizing BMC AMI Security automated vulnerability scanning, which will help identify and address potential exploits, further solidifying the security posture of both organizations.

Driving innovation in mainframe vulnerability management

This collaboration isn’t just about the present. NetSPI will also actively contribute to the future development of the BMC AMI security portfolio, fostering innovation in mainframe vulnerability management solutions. The mutual goal is to ensure our customers have the best protection, allowing them to continue innovating with confidence.

A brighter future for mainframe security

Today’s announcement is a win-win for the cybersecurity world. BMC and NetSPI are now better equipped than ever to deliver cutting-edge, robust mainframe security solutions to organizations across the globe. As mainframes continue to be a cornerstone of many enterprises, securing them is paramount, and this collaboration demonstrates the firm commitment of both companies to safeguard digital assets, promote innovation, and empower organizations to navigate the digital realm with confidence.

Learn more in this NetSPI press release.

Automated Certificate Management on the Mainframe
https://www.bmc.com/blogs/enabling-enterprise-mainframe-certificate-management/
Tue, 28 Jun 2022 13:27:13 +0000

Today, enterprise means everything—including the mainframe. Once upon a time, however, the cry of, “We’re struggling to integrate our IBM® Z mainframe with enterprise solution X or Y,” was commonplace. Indeed, “enterprise solution” could be taken to mean “enterprise solution apart from the mainframe.”

Times change. A new breed of BMC integrations is enabling the mainframe to benefit from those nifty enterprise solutions that it was previously difficult—or impossible—to utilize.

The secret of these integrations is to hide the complexity of the mainframe platform from the enterprise software. It can now “speak mainframe”—in other words, issue requests to the mainframe, including IBM RACF® and Top Secret®, as if it were any other server or IT platform, and without needing to understand logical partitions (LPARs), system complexes (sysplexes), multiple mainframe security databases, and so on. This approach can help solve a multitude of issues.

For example, some time ago, a BMC Mainframe Services security consultant was working onsite with a client, where someone was struggling to implement machine identity management on the mainframe. Despite playing a central role in so many organizations, machine identity management protection solutions didn’t yet extend to the platform. However, BMC was already talking to Venafi, the machine identity specialists, and our consultant suggested this person talk to their enterprise Venafi colleagues.

The reason this matters is certificate management. Most of us have tried to access a website and received a warning that advises caution because the site’s trust certificate has expired. In a major enterprise, there can be tens of thousands of servers and endpoints in play. As you can imagine, implementing and managing all those certificates, and ensuring they have not expired, is a serious undertaking. And if certificates aren’t managed properly, you get outages because applications simply stop. Meanwhile, homegrown solutions and manual fixes may not actually ensure application availability, and could even raise potential security risks.

Enter Venafi: its Trust Protection Platform (TPP) manages the creation of certificates to enable the trust of those all-important connections. BMC’s integration with Venafi brings automated certificate management and access control to the mainframe, helping you move closer to enterprise-wide Zero Trust security, support application availability, and avoid error-prone manual processes.

So how did we get to this place?

A couple of years ago, a large Venafi client in financial services wanted to extend its use of Venafi to—you guessed it—automate certificates on the mainframe, where it still had manual checks and balances in place. Three weeks before the certificate’s expiration, the customer would renew it and put it in the vaults. Then, two weeks before expiration and once the application team was ready, they would swap it over at 2 AM with the help of the certificates team. The client was doing this twice a week, if not more frequently. Each time, a member of the certificates team was on call overnight and paid overtime. And all of this was risky, prone to errors and mistakes that could potentially damage the business. There had to be a better way.

Venafi did some research into, “How do you get a Windows machine to talk to the mainframe?” and “What interfaces are there on the mainframes?” There were no easy answers: the TPP simply wasn’t designed to accommodate a mainframe requirement out-of-the-box. Then BMC Mainframe Services experts got involved.

Fast forward to 2022 and we have Venafi for IBM® z/OS®, powered by BMC. You can generate all the certificates you need, load the signed certificates, and execute enterprise security manager (ESM) commands to implement them as and when needed. Automation, control, peace of mind. This capability can also work in tandem with BMC AMI Security as part of a wider mainframe security strategy, automatically detecting and responding to threats and providing continuous protection against malicious actions and data theft. Again, all this contributes to a Zero Trust stance.

The message for mainframe shops that need machine identity management is clear: don’t settle for a suboptimal “solution” that risks expired certificates and might expose the business. If you already have Venafi, integrate it. It’s a faster, lower-cost, proven outcome that removes risk and avoids maintenance headaches. “But every Venafi implementation is different,” you say. Indeed. Talk to your Venafi architect, connect with BMC experts, and together we can define how this valuable integration will adapt and work for you and your mainframe.

To learn more, download our Solution Brief: “BMC AMI Enterprise Connector for Venafi.”

Report: Is Mainframe Security Getting Better—Or Falling Behind?
https://www.bmc.com/blogs/holistic-mainframe-security-forrester-report/
Thu, 12 May 2022 13:31:12 +0000

In spite of the longstanding perception that the mainframe is inherently secure, a full 91 percent of organizations with mainframes have experienced a compromise or breach of sensitive data in the last five years. For more than a quarter of organizations, it’s happened between six and 25 times. That’s according to The Essential Holistic Security Strategy, a recent report by Forrester Consulting, commissioned by BMC.

It’s no surprise that hackers are finding their way into this critical enterprise system; today’s connected mainframe is a long way from the isolated data centers of the past. And with the recent surge in work-from-home, its vulnerability has only increased. When it comes to mainframe security, there’s clearly more work to do. But is it getting done?

The Forrester Consulting report, based on a survey of 310 companies, as well as interviews with security and mainframe decision-makers, examines the current state of mainframe security in the enterprise, how it has changed over the past year, and the characteristics of the most well-prepared organizations. Topics discussed in the report include:

  • The strategies and priorities of security and mainframe decision-makers—and how they differ between “Ready” and “Not Ready” organizations
  • Adoption trends and supporting technologies for Zero Trust
  • Overcoming barriers to security and operations alignment to enable SecOps
  • Recommendations for advancing mainframe security readiness

Ready or not

While many organizations are increasingly aware of the risks facing their mainframe environments, Forrester’s analysis finds that over the past year, “companies overall have decreased their mainframe security readiness.” In fact, while most teams realize that their data isn’t safe, only 29 percent of survey respondents are taking steps to actively secure their mainframes—a decline of 12 percent from a year ago.

To gain insight into trends in security strategy optimization, Forrester categorized respondents according to their readiness to respond to mainframe-related security events. By comparing organizations in the “Ready” and “Not Ready” groups, the firm underscores the measures that define the most effective security teams. For example, “Not Ready” organizations tend to focus narrowly on detection, security monitoring, and threat intelligence, while “Ready” companies are taking a more holistic approach that includes building an internal culture of collaboration between security and operations teams, hiring additional IT security staff, and investing in mainframe security.

Extending Zero Trust to the mainframe

As companies move to close the mainframe security gap, many are emphasizing active security measures. Asked about their top security priorities over the coming year, 81 percent of survey respondents cited security orchestration, automation, and response (SOAR), while 76 percent named extended detection and response (XDR).

Zero Trust was considered a high or critical priority by 71 percent of respondents—and 84 percent of respondents agreed that it is important to include the mainframe in a holistic Zero Trust strategy.

Organizations that have already adopted or plan to adopt a Zero Trust approach for their mainframe name benefits such as the ability to detect breaches, stop malware propagation within the mainframe, and prevent mainframe breaches.

Solving SecOps silos and friction

While Forrester underscores the importance of achieving alignment between mainframe and enterprise security teams, organizational barriers continue to impede progress on SecOps. More than half of respondents report friction between these teams, and a similar number find that their operations are too siloed to work together effectively. Addressing these challenges is high on the agenda for the coming year, with 81 percent of organizations prioritizing the integration of security functions and improving security detection and response. Both measures will help security and operations teams collaborate more successfully while also protecting the mainframe against active threats.

Forrester’s analysis concludes with recommendations that advise mainframe and security leaders to:

  • Work smarter—not harder—to reduce risk
  • Hone their Zero Trust practices
  • Bridge silos between security and operations teams
  • Govern the mainframe as just another internet-connected device

To explore Forrester’s findings in depth, download the full report, The Essential Holistic Security Strategy: Mainframe Security Is Dangerously Absent From Enterprise Strategy.
