Mainframe Blog

How Are You Insuring Against Data Breaches?

3 minute read
Glenn Everitt, Mark Schettenhelm

Overview: Data breaches are inevitable, making protection against outside threats essential. But what if the breach happens internally? Taking the correct measures now can help mitigate the impact of internal breaches and protect for the future. The ability to record network traffic, view how records were accessed and by whom, and produce compliance reports are just a few of the benefits of implementing auditing software.

We buy insurance for protection against the cost of things we hope will never happen. But we know they will happen to someone, at some time, so we purchase protection which is less costly than enduring the loss. Data breaches do happen, and they are expensive and damaging to all involved. Sadly, they happen frequently, and we do have procedures to mitigate the loss. We continue our war against the outside threat of hackers, putting in firewalls and instituting physical security. All of this does a great job of protecting us and more importantly those that have put their trust in us. We should be, and we believe we are, always looking for ways we can do better. As threats evolve, so must our methods.

An area that is not always given enough attention is the insider threat. As we mentioned above, we provide for physical security and training to make sure those dealing with the public don’t fall prey to those using pretexting, but things happen. What can we do to limit our loss when all else has failed and a breach occurs? How can we respond quickly and definitively when confronted with someone inside our perimeter defense that has access and has breached our data and our trust? Any way we can limit our exposure matters. Any way that we can produce a list of only the customer data accessed by this person limits the exposure and increases the trust the public has in the organization.

What is needed is a way to simply and efficiently record the activity on the system of record, the mainframe. A means to be able, if necessary, to start with a breached record and tie it back to anyone who viewed it, or to take the opposite approach and produce actual screens of activities carried out by a suspected person. By having this means we can quickly isolate the damage and begin the repair, allowing us to meet reporting deadlines and have confidence in our investigation. It would provide evidence which would help in prosecution if necessary. These abilities would be the difference between announcing that we know we were breached, sometime, by someone and so we have to assume it could be all records – or – we can state we know who did it, during which timeframe, and which records were accessed. Instead of notifying and entire customer base of the breach, we can notify only those who will have a concern.

Fortunately, this solution exists and is being used by many for the assurance they need. BMC AMI DevX Application Audit can:

  • Efficiently record network traffic and application screens, archiving them for investigation.
  • Provide insight into user behavior, such as which data a particular user viewed and how it was accessed.
  • Leverage SIEM integrations like BMC AMI Datastream for z/OS provide application-level insight for identification and reduction of cybersecurity threats.
  • Provide the intelligence and reporting required for HIPAA, GDPR, and Australian NDB scheme compliance.
  • Eliminate dependency on specialized mainframe knowledge.
  • Maintain Separation of Duties between system administrator and auditor.

Beyond this there is a unique benefit from this form of “insurance.” Once you have implemented the recording and periodic searching of activity you will also put a warning on the screen to inform those who log in that their activities will be recorded and searched. This warning serves as a valuable deterrent to the malicious breach of data by a trusted user. Someone with criminal intent will realize it is not worth the risk of exploiting the data.

Unfortunately, data breaches are bound to happen and can be especially disruptive if they originate internally. The key to minimizing their impact and deterring future malicious activity lies in the ability to identify their origins and scope. With the right tools, your organization can respond to these breaches and implement measures to mitigate future risk, giving your customers, as well as your employees, peace of mind that their data is safe.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing

Business, Faster than Humanly Possible

BMC works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. With our history of innovation, industry-leading automation, operations, and service management solutions, combined with unmatched flexibility, we help organizations free up time and space to become an Autonomous Digital Enterprise that conquers the opportunities ahead.
Learn more about BMC ›

About the author

Glenn Everitt

Glenn Everitt joined BMC as part of the Compuware acquisition and is now working with AI/ML Operations Monitoring Products as a Principal Product Manager. Prior to Compuware he was the Chief Architect of a startup company’s core application acquired by Compuware. Glenn has architected products that run on Mobile, Windows, Linux and Mainframe platforms. He is actively involved in technical due diligence and patent review for BMC.

About the author

Mark Schettenhelm

Mark is a DevOps Evangelist and Lead Product Manager at BMC who has experience working with developers around the world in Source Control Management, Testing, DevOps and Application Portfolio Analysis. He is a frequent conference speaker, webinar presenter, blogger, and columnist, often explaining the benefits of bringing Agile and DevOps to mainframe development and encouraging development teams to adopt new methodologies and continuously improve.

His writing has appeared in Enterprise Executive and Enterprise Tech Journal and he is a frequent contributor to and SHARE Tech Watch. Mark is currently the Lead Product Manager for BMC products in Source Control Management, Deploy, Code and Fault Analysis.