Covered by Kelly Mantick, SHARE'd Intelligence Editor
SHARE in San Antonio brought together a group of talented professionals to discuss new industry standards and regulatory compliance in the panel discussion, “Potpourri of New Industry Standards and Regulatory Compliance.” Facilitated by Brian Marshall, Vanguard Integrity Professionals, the panel featured Carla Flores, CA Technologies; Charles Mills, CorreLog; Peter Roberts, Vanguard Integrity Professionals; Patrick Gray, IT Security Consultant; Chad Rikansrud, Wells Fargo; and Mark Conroy, Xbridge Systems. SHARE’d Intelligence has put together a snapshot of the conversations that took place around these standards.
Q: In the argument between the FBI and Apple, in terms of providing a method to unlock and decrypt the contents of the iPhone, who do you side with, how much real damage can be done by providing a backdoor to ONE phone and why?
In a four-to-two vote, the panelists sided with Apple. In defense of the FBI, former FBI Special Agent Gray explained that unlocking the phone is about protecting American citizens, and creating a backdoor to one phone would not damage anyone else’s privacy. On the other side, Roberts explained that it might be one phone now for this terrorist activity, but more than seven other requests have since been submitted by the FBI. If Apple acquiesced once, where would it stop? Rikansrud said this issue hinted at the elephant in the room: the weakening of encryption. And while Apple could have handled this quickly and quietly, making the next version of iOS something that could not be broken into, now it would become a precedent, and we can’t afford to weaken our encryption.
Q: Does being compliant mean you are secure? In your own words please differentiate the two.
“The issue is that you can be compliant and not secure. The compliant standards are always going to be behind,” Roberts said. For example, you can be compliant if you are running SSL, but you aren’t necessarily secure. Mills likened compliance to “teaching to the test”; you end up studying for that test and forgetting everything afterward. Compliance can also give organizations a false sense of security, as those who boast about their compliance usually aren’t secure, said Rikansrud. Gray summarized the conversation by explaining that it’s great to be compliant, but when it comes to protecting your data and your organization from invaders, you need to go further.
Q: From the perspective of compliance, should the mainframe be considered out of scope? In other words, should CIOs and CISOs be worried about the mainframe?
Rikansrud started off the conversation by saying that following regulations is not enough. When Microsoft releases an operating system, people break it, either purposefully or by accident, and the product gets better by going through this process. In contrast, Rikansrud likened the mainframe to a Ferrari; no one takes it out on a Sunday, pokes around under its hood, takes it apart and sees how it ticks. Yet other countries, such as Russia and China, are taking mainframes apart and learning about them that way. If we aren’t doing aggressive testing, he said, we are behind the eight ball.
Roberts added that the attitude toward mainframes focuses on its security, as z/OS is the most securable commercial system, and for this reason, many upper-level management people ignore it. But he reminded everyone that it’s not inherently secure — it requires us to keep on top of it. People also forget that attacks often come from within, from someone who already has a high level of security, and it’s important to secure first from within, then from the outside.
While everyone who works on the mainframe probably would like it to be more secure, Mills said, the reality is that would require having an auditor come in and ask those difficult questions. We have to rethink mainframe security, looking at it in an adversarial way. Rikansrud agreed, saying that if you don’t have someone on your team who understands the adversary, you are behind. To know your enemy and what’s going on, Gray advised keeping up to date on the hacks that have occurred; he has 106 RSS feeds that he pulls information from each day. Talk to CISOs and professionals, he urged, and be aware.
Q: After the OPM breach, the head of OPM stated that the dated COBOL system was the problem. Is COBOL the problem? Can companies with mainframes simply replace their COBOL apps and be secure?
“COBOL is not the problem,” Gray stated, “the mainframe is the problem.” Rikansrud elaborated that the biggest problem is the lack of people who understand how to secure COBOL, especially with the aging workforce and so many more people at the end of their careers rather than at the beginning. Flores added that if COBOL was indeed implemented at an organization 25 years ago, it’s the security process that needs to be updated, not necessarily COBOL itself.
Q: What do you consider to be the most robust industry standard for security? Can it be implemented on mainframe?
In one word: encryption. “If it’s encrypted it’s safe, unless there’s a back door,” said Gray. Rikansrud added that if you are going to encrypt data, you have to do it the right way; the encryption should not be readable by administrators, DBAs, etc. A broad encryption or self-encrypting drive is not going to protect you from all risk. He added that, while this is expensive and hard to do, you need to hire developers who understand how to properly encrypt data. He also emphasized that you need two-factor authentication for everyone. “There is no downside!” Mills added to the argument by stating that one of the first principles of encryption is that you have to keep the keys secure.
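The point Rikansrud and Mills make above, that encryption only helps when the data is unreadable to the people who administer the datastore and the key is kept apart from it, is the difference between disk or volume encryption and application-level field encryption. The following is an added illustration, not code from the panel or from any of the panelists’ products: a Go program that encrypts a sensitive field with AES-GCM inside the application before it is written to a store, so a DBA who dumps the table sees only ciphertext, and binds each ciphertext to its record identifier so it cannot simply be copied into another row. The `Vault`, `Table`, record identifiers and the card-number-shaped sample value are all constructed for the example; the key is generated at startup as a stand-in for a key held in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Vault holds the data-encryption key on the application side. In a real
// deployment the key would come from a KMS/HSM; the datastore never sees it.
type Vault struct {
	aead cipher.AEAD
}

// NewVault wraps a 16-, 24- or 32-byte AES key in an AES-GCM AEAD.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one field value. The record identifier is passed as
// associated data, so a ciphertext moved to a different record will not
// authenticate. Output is hex(nonce || ciphertext || tag).
func (v *Vault) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return hex.EncodeToString(ct), nil
}

// Open reverses Seal; it fails on a wrong key, a tampered value or a
// ciphertext that belongs to another record.
func (v *Vault) Open(recordID, stored string) (string, error) {
	ct, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("stored value too short to contain a nonce")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Table stands in for the database table: it contains exactly what an
// administrator with full read access on the store can see.
type Table map[string]string

func main() {
	key := make([]byte, 32) // constructed: stand-in for a KMS-held key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	vault, err := NewVault(key)
	if err != nil {
		panic(err)
	}

	customers := Table{}
	stored, err := vault.Seal("cust-1001", "4111111111111111") // constructed sample value
	if err != nil {
		panic(err)
	}
	customers["cust-1001"] = stored

	// What the DBA sees when dumping the table.
	fmt.Println("DBA view  :", customers["cust-1001"])

	// What the application sees with the key.
	pt, err := vault.Open("cust-1001", customers["cust-1001"])
	fmt.Println("App view  :", pt, err)

	// Copying the ciphertext into another record is rejected.
	_, err = vault.Open("cust-2002", customers["cust-1001"])
	fmt.Println("Moved row :", err)
}
```

The design choice worth noting is the associated data: without it, an administrator who cannot read a value could still swap encrypted values between rows, which for some fields is as damaging as reading them. Key rotation, per-tenant keys and searchable encryption are the next problems this approach raises, and they are precisely the things the panel meant by hiring developers who understand how to encrypt data properly.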
This panel discussion was part of SHARE Live! To watch this panel — and other educational sessions from SHARE in San Antonio 2016 — take a look at the event recordings available in the SHARE store.