Sponsored Content by Broadcom
Jigsaw puzzles come in many shapes, sizes, and complexities. But they are all completed in a similar way: viewing the end goal, determining a strategy, and implementing piece by piece. Similarly, IT environments come in varied architectures, sizes, and complexities and may seem just as daunting as the most complex jigsaw puzzle at first glance. Does anyone in an organization really understand how all the pieces of the security puzzle fit together? Not how general security models are implemented, but how all the pieces of the entire enterprise security puzzle fit together. What is this puzzle supposed to look like when finished?
IT operating models, architecture models, platforms, hardware, software, employees, and outsourcers all come together to form the full picture of effective security. An organization can never reach zero risk of a security incident, but by implementing the Zero Trust security model it can put in place a layered series of controls that give some peace of mind amid the complexity of the IT environment. The Zero Trust model lets an organization manage all the pieces of the puzzle with the least risk, and it is imperative in today’s IT environments.
A Model Designed to Calm the Storm
The Zero Trust security model can give us peace of mind even if we are not aware of every piece in our IT environment. At its most basic, never trust, always verify, the model advises IT professionals to prepare their environments on the assumption that they will be breached. Making this assumption forces us to be proactive, much as we proactively safeguard our homes before going on vacation. Before we leave, we lock up valuables, stop the newspaper and mail, automate lights, alert the neighbors, and lock the doors. All of these are mitigations that discourage burglars from targeting us and that reduce our exposure should they get into the house despite our best efforts. We can do the same with our IT environments.
The Zero Trust model also drives the principle that trust is neither automatic nor assumed. Trust is gained at the entry point and reevaluated at each step on every journey. Resources are doled out in a granular fashion and only to those authorized. The trust level is commensurate with the task and not granted in excess. The Zero Trust model gives layers of protection and constantly verifies and validates. In total, it gives reassurance of security within the most complex of IT environments.
Where Can Zero Trust Help?
Implementing a new security model by resetting every security control just isn’t an option our businesses can entertain. Security models and infrastructure are years in the making or, for the mainframe, decades in the making!
But we don’t need to start from scratch to create a Zero Trust model that will lower our risk. More reassuring still, it is not necessary to conduct a massive evaluation of, and make sweeping changes to, existing Identity and Access Management (IAM) content. Instead, it is perfectly acceptable to augment existing IAM defenses with additional layers to arrive at a model aligned with Zero Trust. As always, “rings of security” and layered defenses are important in security architecture, and the same holds for the implementation of Zero Trust: advanced authentication at boundary or entry points, followed by contextual, granular, just-in-time authorization, yields a series of layered security checks. Zero Trust is implemented with a combination of additional tools and of best practices applied to existing tools. Multi-Factor Authentication, which is often easily adapted to (or already present in) existing architectures, together with practices such as more granular controls, separation of duties, and stringent adherence to least-privilege standards, all lead to a model of access driven by the goals of Zero Trust.
Analysis of a few well-known data breaches illustrates where implementing the Zero Trust model, even incrementally, might have reduced the success and impact of the breach, perhaps to the point of the attackers abandoning their efforts:
1. In March 2020, Marriott disclosed that credentials from two employees were used to access a large amount of guest information. A Zero Trust model could have reduced risk by:
- Requiring Multi-Factor Authentication to confirm the individual’s identity. A stolen or phished password is far less useful to an attacker when additional authentication factors are required.
- Using views or stored procedures to restrict access to data on a need-to-know basis, and validating the business justification for each grant of access.
- Continuous monitoring that alerts on the egress of sensitive data and on abnormal behavior from otherwise steady, predictable employee accounts.
2. The credit union Desjardins Group suffered an attack from a malicious insider. Under the Zero Trust model, where a breach is assumed from internal or external sources, additional preventive or deterrent controls could have been implemented:
- Granular business-justified access: 17 people were questioned on suspicion of involvement in this incident. That large number of potential attackers suggests that need-to-know, granular access, and business-justified access were likely not followed.
- Physical and/or data segregation: This would have allowed for granular access controls and required a business need to gain access to data stores containing personal information.
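As an added illustration of the monitoring point in the Marriott case (abnormal volume from an otherwise steady account) and of the need-to-know point in the Desjardins case (reads against data an account has no business reason to touch), the following Python is example code written for this page, not Broadcom’s or any vendor’s product code. The audit-line format, account names, business units, and thresholds are all constructed assumptions; a real deployment would feed the same logic from the platform’s own audit records (on z/OS, typically SMF data) and tune the baseline window and factors to the population being watched.

```python
import re
from statistics import median

# Constructed sample audit lines (not real Marriott or Desjardins data). The
# field names are an assumption for this illustration: "unit" is the business
# unit an account is assigned to, "scope" is the business unit whose data was
# read, and "rows" is how many records the query returned.
SAMPLE_LOG = """\
2020-01-06 09:12:03 user=hotel_ops_01 unit=franchise-east scope=franchise-east resource=guest_profile rows=120
2020-01-07 09:05:41 user=hotel_ops_01 unit=franchise-east scope=franchise-east resource=guest_profile rows=98
2020-01-08 08:57:10 user=hotel_ops_01 unit=franchise-east scope=franchise-east resource=guest_profile rows=134
2020-01-09 09:20:22 user=hotel_ops_01 unit=franchise-east scope=franchise-east resource=guest_profile rows=110
2020-01-10 02:14:55 user=hotel_ops_01 unit=franchise-east scope=franchise-east resource=guest_profile rows=5200000
2020-01-06 10:01:00 user=analyst_07 unit=marketing scope=marketing resource=member_record rows=300
2020-01-07 10:03:12 user=analyst_07 unit=marketing scope=marketing resource=member_record rows=280
2020-01-08 10:00:45 user=analyst_07 unit=marketing scope=marketing resource=member_record rows=310
2020-01-09 10:02:30 user=analyst_07 unit=marketing scope=marketing resource=member_record rows=295
2020-01-10 10:04:01 user=analyst_07 unit=marketing scope=lending-personal resource=member_record rows=290
"""

LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<kv>.+)$")


def parse_line(line):
    """Parse one audit line into a dict; raises ValueError on malformed input."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {
        "day": m.group("day"),
        "user": fields["user"],
        "unit": fields["unit"],
        "scope": fields["scope"],
        "resource": fields["resource"],
        "rows": int(fields["rows"]),
    }


def parse_log(text):
    """Parse a whole audit extract, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def daily_volumes(events):
    """Map each account to {day: total rows read that day}."""
    per_user = {}
    for e in events:
        days = per_user.setdefault(e["user"], {})
        days[e["day"]] = days.get(e["day"], 0) + e["rows"]
    return per_user


def detect_anomalies(events, baseline_days=4, volume_factor=5.0, min_rows=1000):
    """Return a list of (kind, user, day, detail) alerts.

    'volume': a day's total exceeds volume_factor times the account's median
              daily volume over its first baseline_days days (and min_rows,
              so that tiny baselines do not generate noise).
    'scope':  a read against a business unit the account is not assigned to,
              a need-to-know violation regardless of volume.
    """
    alerts = []
    for user, per_day in daily_volumes(events).items():
        days = sorted(per_day)
        baseline = [per_day[d] for d in days[:baseline_days]]
        if not baseline:
            continue
        threshold = max(min_rows, volume_factor * median(baseline))
        for day in days[baseline_days:]:
            if per_day[day] > threshold:
                alerts.append(("volume", user, day, per_day[day]))
    for e in events:
        if e["scope"] != e["unit"]:
            alerts.append(("scope", e["user"], e["day"], e["scope"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the check raises two alerts: a volume alert for hotel_ops_01 on 2020-01-10, whose 5.2 million rows dwarf a baseline of roughly 115 rows a day, and a scope alert for analyst_07, whose volume is perfectly normal but who read lending data outside the marketing unit. The second case is the one a volume-only detector misses, which is why the need-to-know comparison is a separate rule rather than a tweak to the threshold.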
The illustrations above describe incremental changes that, added to a layered series of security controls, could have reduced these companies’ risk of a breach. Incremental changes are manageable and often simpler. It is just a matter of committing to and implementing the next step toward completing the puzzle.
Using Incremental Steps to Grow Your Achievement of Zero Trust
Many Zero Trust efforts focus on specific challenges, such as controlling access to cloud resources. But security objectives are rarely achieved by a single-point fix or even a tool deployment. Zero Trust requires giving attention to all aspects of every platform. While ignoring some platforms or focusing only on specific business units might lead to quickly achieving a “check box” result for the security and IT team, it often does little to deliver on actual improvement in security posture. This consistently applies to the mainframe, where there is a common belief that it is secure, simply because it is a mainframe. However, just as with any platform, the mainframe is only as secure as people and policies make it. Much new thinking in security has led to changes in policies, procedures, and practices across many platforms, but often, mainframers do not participate in these new practices, despite the critical nature of the platform in running most businesses.
We’ll continue with a series of posts, videos, how-to content and more on Broadcom’s Zero Trust web page. The goal is to provide pragmatic practices that can be adopted by any mainframe team, allowing them to leverage the benefits of Zero Trust sweeping the security community.
Admittedly, enterprise IT environments are large and complex. This applies to the mainframe as well, but don’t be overwhelmed. On our Zero Trust web page, we will discuss how to implement a Zero Trust model with the mainframe in mind. Note this won’t be and can’t be exclusive to the mainframe, as it is part of a larger hybrid environment delivering applications that span cloud, on premise, and mainframe assets to deliver value to customers. But it is time that mainframers adopted critical security models such as Zero Trust. In order to do so, we will approach the topic in several segments:
- What makes the Zero Trust model difficult to implement in the mainframe environment?
- How to adopt Zero Trust on the mainframe
- Developing deeper trust in the identity of those accessing the mainframe
- Authentication verification
- Who and what are privileged accounts on the mainframe?
- Where does continuous monitoring factor into Zero Trust?
- Zero Trust and Hybrid IT
In summary, the bad news is that mainframers need to assume and prepare for the worst-case scenarios. The good news is that security efforts are layered and can be implemented incrementally. Risk reduction is gained at each step.
Learn more about what Broadcom is doing to implement Zero Trust on the mainframe with the Broadcom Mainframe Security Suite. Also, learn more about phishing resilience and how to avoid “the hook”.