secure the enterprise with confidence using a mainframe infrastructure

7/28/2019 Secure The Enterprise With Confidence Using A Mainframe Infrastructure

http://slidepdf.com/reader/full/secure-the-enterprise-with-confidence-using-a-mainframe-infrastructure 1/16

A Forrester Consulting Thought Leadership Paper Commissioned By IBM

Secure The Enterprise With Confidence Using AMainframe Infrastructure

Firms Looking For A Secure Infrastructure And Application Platform Need To Consider The Mainframe

March 2013



Forrester Consulting

Secure The Enterprise With Confidence Using A Mainframe Infrastructure

Page 1

Table Of Contents

Executive Summary ............................................................................................................................................................................................ 2 Executive Insomnia: Threats Of An Information Security Breach ...................................................................................................... 3 Technical Trends Threaten Information Security ..................................................................................................................................... 5 Complexity Out — Integration In ................................................................................................................................................................. 7 The Modern Mainframe Shines As A Secure Application Platform ................................................................................................... 9 Key Recommendations .................................................................................................................................................................................. 12 Appendix A: Methodology ............................................................................................................................................................................ 13 Appendix B: Demographics/Data ............................................................................................................................................................... 13 Appendix C: Endnotes ................................................................................................................................................................................... 14

© 2013 Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources.

Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total

Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional

information, go to www.forrester.com. [1-KRNWBZ]

About Forrester Consulting

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in

scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply

expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.





Page 2

Ninety-seven percent of executives surveyed saidthat information securityis highly critical to their

company’s ability tocompete in their market

or industry.

Eighty-seven percent of research participants

recognized the mainframeas their most available,

scalable, and secureplatform.

Executive Summary

The explosive increase in cyberthreats poses an increasingly daunting challenge to

the confidentiality, integrity, and availability of intellectual property and other

sensitive information. Conflicting opinions about operational risk, myriad point

solutions for security technology, and dissimilar computing infrastructures create a

puzzling landscape for security and risk professionals. To assess the market,

Forrester Consulting interviewed 225 IT security leaders across North America and

Western Europe about their firm’s information security investments. Roughly 60% of respondents reported revenues

greater than $5 billion per year; 18% of respondents were in banking, 14% in government, 22% in insurance, 20% in

healthcare, 13% in financial services, and 13% in retail (see Appendix B).

Key FindingsSecurity executives need secure, proven solutions across a variety of workloads,

including traditional transaction processing, mobile, social media, and big data,

and they need the security engineered in rather than cobbled together or bolted on.

Security is quickly moving from an afterthought to a business and technology

imperative for all new and existing IT solutions, but there are challenges as

companies struggle to meet complicated security requirements across the

enterprise. Forrester’s study uncovered three key findings:

• Where security, scalability, and availability needs are high, mainframe technology shines. Modern

mainframes are highly secure extensible IT engines capable of running all types of workloads and powering

modern corporations with outstanding availability, scalability, and auditability while maintaining information

integrity and confidentiality. Because it can integrate state-of-the-art hardware and software, effectively protect

mission-critical production systems, and consolidate workloads while reducing costs, the mainframe is the

security platform of choice for cloud, big data, and analytics applications as well as traditional transaction and

batch applications.

• Complexity is a top security management challenge. Complexity introduces unanticipated security

vulnerabilities but also increases the risks and costs associated with implementing new secure solutions. Of all the

challenges that security professionals face, complexity management is No. 1. Today’s security environment is just

too complex — and the situation worsens as new technology is applied to basic compliance, data protection,

access control, system auditing, and secure virtualization. Sixty-five percent of executives surveyed agreed that

they have too many point solutions. Some security departments, for example, have more than 150 different

security tools to address the security needs of their organization.1 This number of technologies is difficult, if not

impossible, to adequately maintain and deploy.

• Pre-engineered integrated security is the preferred option for security managers. Security decision-makers

would prefer an integrated technology stack and platform. More than 90% of those surveyed and interviewed for

this research felt that using a platform that has security natively designed into its architecture made the most

sense.





Page 3

Ninety-one percent of research participants feltthat information security

was an imperative andthat IT must secure

critical information andsupport their company’s

compliance needs.

Executive Insomnia: Threats Of An Information Security Breach

The industrial espionage and economic cyberterrorism epidemic is a huge concern

for business leaders around the world. The costs of a publicized security breach in

financial impact and damage to corporate reputation and brand increasingly make

prevention the best investment any business leader can make.2

The stakes could not be higher. Over the past five years, cyberinsurers paid $3.7

million per cyberbreach claim, with a majority of those funds going to cover legal

defense and settlement costs.3 The costs of lost intellectual property and market and brand dilution have not been

specifically calculated, but estimates put this in the billions of dollars.4 As a result, executives want to be more involved

in information security than ever before. In the course of this research we found that:

• Information security is the new imperative. Ninety-one percent of research participants felt that information

security was an imperative and that IT must secure critical information and support their company’s compliance

needs. As the number of publicized cyberattacks grows, executive awareness grows.

• Information security is core to new products and services. Ninety-one percent of research participants felt that

the mismanagement of information security would severely damage their firm’s brand. Sixty-one percent of

respondents felt that information security was core to their product and services offerings, and 67% percent felt

information security was highly critical to the company’s ability to compete, and (see Figure 1). 5

• Social media and mobile applications change the information security landscape. Social and mobile

technologies enable mobile workforces to more effectively understand customer wants and needs and deliver

products and services more flexibly and efficiently. Yesterday’s methods of protecting information assets behindan electronic perimeter based on first-generation firewalls are no longer effective.6 More than 90% of the security

leaders surveyed felt that social media and mobile devices increase the risk of an information security breach (see

Figure 2).

• Regulatory compliance requirements are growing in number and complexity. Eighty-eight percent of

respondents felt that regulatory authorities are increasing the information security requirements for these

companies’ applications and infrastructure and that stiff penalties would result if these companies failed to meet

necessary requirements (see Figure 3).





Page 4

Figure 1

Information Security Is Core To New Products And Services

Base: 225 global enterprise security professionals

(percentages will not add up to 100% because answers for “Strongly disagree,” “Disagree,” and “Neutral” have been removed)

Source: A commissioned study conducted by Forrester Consulting on behalf of IBM, January 2013

Figure 2

New Solution Types Such As Social Media And Mobile Devices Have A High Impact On Information Security


(percentages will not add up to 100% because answers for “Don’t know,” “Not important,” and “Somewhat important” have been removed)


27%

34%

30%

64%

60%

67%

We run the risk of damaging our brand if we insecurely handleclient and partner data

Information security is core to our offerings; we need to ensurethat information is kept confidential, available, with integrity intact,

meeting all necessary privacy and compliance rules

Information security is highly critical to our ability to compete in our market/industry

Agree Strongly agree

“How important are the following services and support functions for the

success of your IT management solution?”

15%

12%

29%

34%

48%

45%

The use of social media greatly increases the riskof information security breaches

Mobile devices greatly increase the risk of theloss of valuable information

Important Very important Essential

“Please answer each statement as it best describes the security requirements for applications and infrastructure confidentiality.”





Page 5

Social media, cloud,and compliance

present big informationsecurity challenges.

Keeping up with thesechanges requires a

secure platform as afoundation for new

technology solutions.

Figure 3

Complex Audit Requirements Drive Need For Improved Security Controls


(percentages will not add up to 100% because answers for “Strongly disagree,” “Disagree,” and “Neutral” have been removed)


Technical Trends Threaten Information Security

New technology trends and business models are changing the methods by which

employees access information — this makes confidentiality, availability, and

integrity much more important. To mount a credible response requires the use of

proven technologies that have security engineered into their DNA. Security

professionals have to move beyond simple network operations and look at their IT

infrastructure as a secure and integrated ecosystem. All of these platform

capabilities need to be strong and robust. The shift drives complex technical

requirements for security. For example, respondents articulated the following

necessary requirements for secure application and infrastructure solutions (see Figure 4):

• Access control (93%). Poorly implemented access control to sensitive information is one of the leading causes of

breach. Secure solutions need to authenticate and control the access of system users and then assist in the

identification, classification, and protection of system resources. Access control should allow users to use specific

system resources and log unauthorized system access attempts.

• Auditing and compliance (84%). The ability for a system to provide a detailed audit trail for threat detection and

compliance reporting is critical. Log management and archival of system events is an essential capability for

organizations needing to address compliance requirements such as PCI and HIPAA. Log management is also an

important method for detecting breach activity. Systems that have this as a capability engineered in are better

positioned to deal with these different types of security challenges and are easier to audit and provide security

assurance to regulators and auditors.

36% 52%

Regulatory authorities are increasing the informationsecurity requirements for our applications and

infrastructure, with stiff penalties if we don’t meetnecessary information security requirements


“Please evaluate the following statements about the importance of

information security to your organization.”





Page 6

• Data protection (95%). A company’s lifeblood is the information it manages about its products and services.

Secure platforms should use techniques such as end-to-end encryption from endpoint to server to make sureinformation is kept safe and away from unauthorized use. Data access should be controlled by and linked to

policy management.

• Network security (94%). The use of encryption and other techniques to protect data in motion is necessary for

secure workloads. The network, as opposed to the endpoint or host platform, has become an important

battleground for dealing with security threats, especially as more workers use mobile technology and more

workloads move to the cloud.

• Secure virtualization (86%). Secure virtualization is an essential security need in the virtualized data centers

deployed today. Secure virtualization allows a system to run, Microsoft Windows® or Linux, as virtual machines

in their own secure environments or containers on an application service platform. The value to security is thateach virtual machine can run in its own secure container, isolating different workloads from one another.

• System memory protection (87%). Memory protection, although a very technical issue, is important for secure

applications since it’s possible for hackers to use system memory as an attack vector. Systems that have strong

memory protection engineered into their architectures are resistant to these types of attacks.

• Workload isolation (74%). Workload isolation, another technical issue, is an important security requirement.

This capability is especially important in multitenant applications such as those used in private and public clouds.

Workload isolation protects applications running alongside each other from hacking and other types of data and

process corruption.





Page 7

Multiple point solutionsare costly, technicallydifficult to integrate,

offer less control oversecurity features andfunctions, and don’t

stand up to a changingthreat landscape andregulatory compliance

regime.

Figure 4

Critical Requirements For Secure Applications And Infrastructure


(percentages will not add up to 100% because answers for “Not important” and “Somewhat important” have been removed)


Complexity Out — Integration In

Should your firm integrate point solutions to provide a security applications

infrastructure or use a pre-integrated application platform that has information

security engineered into its underlying architecture? The issue has been complex

because there has been an incorrect assumption that mainframe technology is more

expensive to implement and operate than other types of point solutions. In this

study, executives were asked how they have met information security requirements

in the past and how they plan to address these requirements in the future. Consider

the following information (see Figure 5):

• Multiple point solutions are more complex. A clear majority of our survey respondents (65%) felt that

integrating point solutions increases complexity, making the infrastructure more difficult to manage.

• Multiple point solutions are more difficult to implement. Sixty-one percent noted that point solutions are

more difficult to implement, increasing complexity and risk. Technical implementation challenges increase the

41%

39%

40%

36%

43%

38%

30%

31%

39%

33%

45%

46%

51%

46%

54%

63%

63%

56%

Workload isolation

Auditing and Compliance

Secure Virtualization

System memory protection

Secure Interoperability with other Applications

Storage security

Access Control (Identity & Access ManagementIntegration)

Network Security

Data Protection and Encryption of Data

Very Important Essential

“When considering the security requirements for new applications and

infrastructure, how important are the following aspects of security?”





Page 8

risk of implementing a secure system. Integrating point solution systems and data is not only technically

challenging but it lengthens the time solutions can be put into production to meet real business needs.

• Multiple point solutions are more expensive. Complexity drives cost — 57% of survey respondents felt that

implementing a series of point solutions was more expensive that using a comparable mainframe or similarly

integrated platform.

• Integrating point solutions is technically difficult and often leads to gaps and interoperability issues. As

noted, many organizations have many security tools, network, platform, and application technologies.

Engineering security into these solutions is technically difficult. Also, because security is a constantly changing

discipline with new attacks and compliance requirements, keeping up with this change is a real challenge.

• Multiple point solutions offer less control over features and functions. Complex solutions require finer-

grained controls, yet 52% of respondents indicated that integrating point solutions provided less control over the

features and functions.

Figure 5

Implementing Secure Solutions Is Risky


(percentages will not add up to 100% because answers for “Don’t know”, “Strongly disagree”, “Disagree”, “Neutral” have been removed)


41%

44%

40%

43%

41%

24%

17%

17%

13%

11%

Too many point solutions increases the complexity of our IT infrastructure and makes it hard to manage

Integrating point solutions increases complexity and risk

Implementing a secure solution on a distributed platformusing multiple point solutions is more expensive than

using a mainframe or similarly integrated platform

Integrating point solutions is technically difficult andoften leads to gaps and interoperability issues

Integrating point solutions allows less control over features and functionality


“Please evaluate each statement about your experiences with implementing

secure applications and infrastructure.”





Page 9

The Modern Mainframe Shines As A Secure Application Platform

The rumors of the death of the mainframe have been greatly exaggerated — and chiefly by its competitors. 7 Participants

in this research painted a very robust picture. For example, one systems manager viewed the mainframe as his most

secure platform and would deploy new solutions on the platform “without hesitation.” Another felt that because the

platform was so difficult to hack it was “the only platform that made sense” to use for the most sensitive high-volume

workloads. Why do modern mainframe architectures shine and outperform other platforms for security applications?

• Security is engineered into the platform, not cobbled together or bolted on. Seventy-six percent of

organizations surveyed designate mainframe technology as a valid/preferred platform to deploy secure

applications and infrastructures. Why? Perhaps because the modern mainframe supports all of the features

needed for secure applications. Encryption with key management for example, is one of the most, if not most,

effective means for securing data in motion and data at rest. Mainframe technology really excels in this area. Themodern mainframe has the necessary security controls engineered into its foundation for secure applications,

including: network security, access control, data protection and encryption with key management, storage

protection, memory protection, secure virtualization, secure interoperability, auditing and compliance, and

workload isolation (see Figure 6).

• Mainframes provide extensive security logs and audit reporting to address industry standards and

regulations. Mainframe logging provides the in-depth security controls and audit information required for

industry compliance and regulations. Eighty-four percent of organizations surveyed ranked auditing and

compliance as a very important or essential security requirement for new applications and infrastructure.

• Mainframes are the secure, high-availability, multi-workload platform of choice for big data. Survey

respondents note that mainframe applications are the most secure for processing big data (78%), have a lower

total cost of ownership for some applications (76%), and are the most available, scalable, and secure platform

(87%). At the same time, many organizations have additional mainframe capacity available to run new workloads

(77%) (see Figure 7). Mainframes provide secure workload isolation, with data protection and privacy making

them the ideal platform for system consolidations, big data analytics, and private cloud implementations.

• The number of hacked mainframes is very low.8 In fact, most attacks on these platforms come from

compromised system administrators. Tooling in mainframe technology helps prevent erroneous or problematic

security commands from entering the system. Mainframe technology now even addresses this scenario by

providing administrative security features. For example, if for any reason logging is terminated, modern

mainframe technology will not allow processing to continue. Mainframe technology is hardened by design and

may be the best choice for a security platform.





Page 10

Figure 6

Mainframe Standard Security Features


(percentages will not add up to 100% because answers for “Not important” and “Somewhat important” have been removed)


6%

7%

4%

6%

9%

12%

10%

16%

18%

31%

30%

39%

38%

36%

40%

43%

39%

41%

63%

63%

56%

54%

51%

46%

46%

45%

33%

Network security

Access control (identity and access managementintegration)

Data protection and encryption of data

Storage security

System memory protection

Secure virtualization

Secure in teroperability with other applications

Auditing and compliance

Workload isolation

Importan t Very importan t Essential

“When considering the security requirements for new applications and infrastructure,

how important are the following aspects of security?”





Page 11

Figure 7

Mainframe Technology — A Secure And Capable Platform


(percentages will not add up to 100% because answers for “Don’t know,” “Strongly disagree,” “Disagree,” and “Neutral” have been removed)


38%

43%

34%

39%

29%

44%

48%

44%

44%

38%

38%

33%

It houses most of our important data

It is our most available, scalable, and secure platform

Provides the most secure platforms for processing big

data and analytical applicationsProvides a lower total cost of ownership for some types

of analytic workloads

Our mainframe skills are much better than on other platforms

We have available/underutilized mainframe storage andprocessor capacity


“How strongly do you agree with the following statements about your mainframe(s)?”





Page 12

KEY RECOMMENDATIONS

The survey data shows that business and security leaders are very concerned about information security. They see

cybercrime as a major threat to their businesses, with security breaches strongly affecting their company’s brand,

competitiveness, and long-term viability. They want their IT departments to deploy solutions that confidently protect the

company and at the same time support new technology such as social media and big data. Effectiveness is the real issue for

business leaders, and anything that is too complex or doesn’t have the ability to secure valuable data won’t cut it today.

Therefore, as IT security leaders, you should:

• Consider all of your platform options. Mainframe technology presents a very capable and robust platform that is

tough to hack and has security engineered into its foundation. These systems have nearly 50 years of security

hardening engineered into their designs. They have great availability, ability to support encrypted workloads

natively, superb memory and process protection, and some of the most advanced audit and reporting features of

any platform operating.

• Choose a proven platform. It’s just not about data in motion but also about data at rest. The mainframe as the

repository of some of the most s ensitive data in your organization offers performance, confidentiality, availability,

and integrity that other platforms may struggle to deliver. Secure applications not only require transaction security

but also storage security. Big data, for example, represents some of the biggest security risks for companies today,

and the mainframe and associated storage technology is more than up to the task of running these applications

and securing this information. Mainframe technology, quite simply, is one of the best options for these secure

workloads.

• Consider all the costs associated with the security requirements for your applications and infrastructure.

Mainframes have a reputation for being expensive. That’s only when companies don’t consider all the costs and

risks of using and integrating point solutions. Using a series of point solutions implemented on less integrated

platforms could actually make your organization less secure. As you think about platform selection, the mainframe

is one very viable choice for applications with strong security requirements. Remember, the cleanup of a serious

breach is always more expensive than engineering a solution that will actually protect against the breach.





Page 13

Appendix A: Methodology

In this study, Forrester conducted an online survey of 225 organizations in Brazil, Germany, the US, and the UK to test

their attitudes, perceptions, needs, and plans for investing in security applications and infrastructure. Survey

participants included business and security decision-makers. Questions provided to the participants included “How

critical is information security to your ability to compete in your market or industry?” “Are you an advocate for

information security as it relates to IT applications and infrastructure” and “What are your perceptions about the

mainframe as a secure application platform?” The study began in November 2012 and completed in January 2013.

Appendix B: Demographics/Data

Figure 8

Survey Demographics: Geography And Industry



Brazil27%

Germany26%

US23%

UK24%

“In what country are you based?”

Banking18%

Government14%

Healthcare20%

Insurance22%

Financialservices

13%

Retail13%

“Which of the following best describes your industry?”





Page 14

Figure 9

Company Profiles

Base: 225 global enterprise data analytics professionals


Appendix C: Endnotes

1 Forrester does an ongoing survey of its clients’ use of tools through a continuous interview process. Forrester obtained

this information during a recent interview conducted concurrently with this research. Source: Forrsights Security

Survey, Q2 2012, Forrester Research, Inc.

2 Source: “Determine The Business Value Of An Effective Security Program — Information Security Economics 101,”

Forrester Research, October 2, 2012.

3 Cyberinsurance premiums and claim payments are just one indicator of the costs of cyberbreach. The data cited here

comes from NetDiligence’s 2012 Cyber Risk and Privacy Liability Forum in Philadelphia. Source: Gresinger, Marc;

Parisi, Robert. “NetDiligence Cyber Breach Claims Filing.” In NetDiligence® 2012 Cyber Risk & Privacy Liability

Forum. Philadelphia, Pennsylvania, USA: HB Litigation Conferences, 2012.

4 By 2015 the impact of digital piracy alone will reach $240 billion to the world economy. Source: “Estimating the global

economic and social impacts of counterfeiting and piracy: An executive summary commissioned by business action to

stop counterfeiting and piracy (BASCAP),” Frontier Economics. February

2011(http://www.conimit.de/fileadmin/files/Fakten_und_Statistiken/Studien/Global_Impacts_-

_Executive_Summary.pdf).

7%

34%

59%

$500 million to $999 million

$1 billion to $4.99 billion

$5 billion or more

“Which of the following most closely describes

your company’s total annual revenue?”

63%

71%

77%

80%

Midrange

Mainframe

Unix/Linux

VMware with Windows or Linux

“Does your firm employ these platforms when

implementing applications?”(Select all that apply)





Page 15

5 Forrester’s yearly Forrsights information security survey validates this information — it showed that 63% of

respondents “raised executive awareness and increased attention on the security of our intellectual property and

corporate secrets.” Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.

6 Source: “Build Security Into Your Network’s DNA: The Zero Trust Network Architecture,” Forrester Research,

November 15, 2012.

7 Paraphrased from a quote attributed to Mark Twain “The rumors of my death are greatly exaggerated.”

8 Mainframe hacking is a lost art if it ever really existed. These systems designed with military grade security are a

hacker’s nightmare.

ZSL03233-USEN-00

secure the enterprise with confidence using a mainframe infrastructure

Documents