IBM rightly boasts that the System z is the most secure commercial computing platform available and few quibble with that claim. It has rock solid authentication and seems impervious to viruses and hacking attacks.
I myself have researched claims of security flaws in the System z and reported the results on this blog [see Hacking the Mainframe, Mar. 29] and come up with little of substance. But is it really secure?
The problem is that System z is only as secure as its weakest link, and one link in particular presents a glaring weakness: the people who work with the System z and use its systems. A study by Insight Express, funded by Cisco, showed that people produce a gaping security hole. Long before you get to hackers, System z security gets compromised every day by the behavior of IT staff and users, the very people who depend on it for their livelihood.
Insight Express identifies the 10 most dangerous behaviors from the system security standpoint:
- Changing security settings on computers
- Use of unauthorized applications
- Unauthorized network/facility access
- Sharing sensitive corporate information
- Sharing corporate devices
- Blurring of work and personal devices, communications
- Unprotected devices, computers left logged on and/or unlocked
- Storing logins and passwords on the computer or in obvious places
- Losing portable devices containing data
- Allowing unsupervised roaming around offices by non-employees
OK, I’ve been guilty of more than a few of these sins at various times. I’m sure you have too. And the best System z security architecture and technologies won’t help much if you leave your cell phone containing confidential CICS data on the seat of a taxi. Oops.
A recent study from Ponemon Institute, Traverse City, MI, quantifies how often people commit risky behaviors:
- 61% download data onto unsecured mobile devices
- 47% share passwords
- 43% lose data-bearing devices
- 21% turn off their mobile devices’ security tools
- 52% use web-based personal email in the office
- 53% download Internet software onto the organization’s devices
- 31% engage in online social networking while in the workplace
I know of one company that furloughed each of its employees for a week to conserve cash and avoid layoffs. While on furlough, however, the employee could have absolutely no contact with the company, not by phone, not by email, none, nothing, nada. If they did, it would violate some labor regulations and nullify the whole thing. That’s when the company realized how many of its people regularly use the company email for personal email. There were a lot of unhappy campers and not just because they were doing without a paycheck that week.
So, what’s the solution? It’s definitely not more tools and technologies. Part of it entails creating, communicating, and enforcing security policies, but given human nature, that’s not a sure bet. In the end, it really comes down to calculated risk management. You do the most you can with security tools, rigorous policy enforcement, and ongoing refresher training. Then keep your fingers crossed.