Survey uncovers mainframe vulnerabilities
ITWeb, in partnership with Micro Focus South Africa, conducted a Mainframe Access and Security Survey to examine the state of enterprise-level mainframe security in South Africa.
The survey ran online for three weeks during November/December 2020 and asked, among other things:
- What regulatory compliance requirements are currently impacting your organisation?
- Is there centralised management of distributed mainframe access systems and applications?
- What authentication methods are required to access the mainframe?
A total of 95 responses were captured. Of the respondents, 53% were at executive or middle management level; they worked in a range of industries, with 61% coming from the IT, financial and public sectors.
Here are some of the key findings:
Fifty-six percent of respondents believe that increased vulnerability of the mainframe to attacks owing to the lack of enterprise-level modern security is a real concern, and say they have addressed this completely. Twenty-one percent say they are concerned but plan to address it within the next six months to a year. Kevin Kemp, Business Development Manager: Application Modernisation at Micro Focus South Africa, says: “Just under half believe that there’s a lack of enterprise-level modern security on the mainframe, making it vulnerable to attack.”
Asked to list the regulatory requirements currently impacting the organisation, 66% of respondents cited GDPR; 54% cited POPIA; a quarter (25%) cited PCI DSS compliance (credit card transactions); and 20% cited the Payment Services Directive (PSD2). Kemp says: “Organisations are struggling to juggle multiple compliance requirements, with many having to allocate resources and funds to more than two or three initiatives. Prioritising is a challenge.”
A third (33%) of respondents said they were in the process of handling the adoption of the TLS 1.3 cryptographic protocol and the SHA-2 cryptographic hash functions. Almost a quarter (22%) said adoption was complete and a further 22% said it was on the cards for the next six months. Kemp says: “Only 22% have managed to adopt the new standards, but all respondents plan to conclude in the next year, as most want to benefit from the improved speed, security and browser support.”
This adoption was primarily driven by GDPR (57%) and internal requirement or mandate (56%). Thirty-seven percent said it was an internal partner, customer or vendor requirement, and 36% said it was driven by POPIA. “The improved security to support multiple compliance requirements is paramount, but 56% of respondents also want the speed and flexibility to more effectively support business.”
Asked about centralised management of distributed mainframe access systems and applications, 41% said they already managed these centrally, 17% said they would like to be able to do this and planned to address it within the next six months and 14% said they’d address it within the next 12 months. Fifteen percent felt it wasn’t a concern for them. “Only 41% have central management of applications and mainframe access systems. There is a realisation that a centrally managed platform can save time, cost and vastly assist in improving customer experience,” says Kemp.
Usernames and passwords were the authentication methods required for mainframe access by nearly half (43%) of respondents. “Twenty percent of respondents are already using Micro Focus technology, with a large portion (43%) using only username and password.”
Almost all of the survey respondents (93%) agreed that they’re concerned about high levels of user frustration owing to lack of operational efficiency, as users demand faster and more modern applications for accessing mainframe applications. Kemp agrees: “Customer experience is a big challenge that needs addressing. There’s a large concern over operational efficiency, with more than 60% citing this as either critical or very important.”
A large proportion – 85% of respondents – is concerned about the lack of integration of terminal-based host applications with mainframe tasks and systems. “Integration with mainframe operational systems remains a top priority, with the majority of respondents seeing this as requiring action.”
For half (49%) of respondents, the distributed management of terminal-based applications is a concern owing to a greater chance of attacks due to lack of access control; 47% are concerned about increased administrator overheads; and 44% are concerned about weak passwords and access management. “Managing terminal-based desktop applications centrally is now becoming a big priority as overhead costs increase and the risk of managing security challenges increases.”
Finally, 67% of respondents have embarked on their POPIA journey, whereas 20% plan to within the next six to 12 months. Kemp finds it concerning that only 32% of respondents have POPIA compliance in place.
Micro Focus offers solutions to help secure your mainframe, ensure your organisation complies with regulations and avoids breaches, working to ensure your mainframe remains protected and connected, the company says. Read more about securing your mainframe and preventing breaches in this Micro Focus blog post, Prevent Mainframe Breaches with Multi-Factor Authentication.