DevOps Impact on Mainframe Security
January 25, 2024

Phil Buckellew
Rocket Software

For years, mainframe systems have served as the bedrock of enterprise networks, standing unmatched in terms of reliability, scalability, and data protection. But with emerging practices like DevOps, the rise of open source, and the move to hybrid cloud models, security risks have become a pressing concern. With constantly changing rules and shifts in how software is developed and used, it's more important than ever to focus on mainframe security. With over 70% of Fortune 500 companies still relying on mainframe infrastructure, mainframe security has never been more critical.

According to Rocket Software's latest research report, only 28% of IT leaders are extremely confident in their ability to proactively respond to mainframe security vulnerabilities — despite agreeing that mainframe security is a top priority for their organization. This is thanks in large part to the complexity of solutions like DevOps. While DevOps tools increase an organization's ability to deliver applications and services at a faster pace than ever before, security must remain a priority.

Risks of Open-Source Tools

While open-source DevOps tools pave the way for myriad benefits, they still come with a fair share of risks. These tools allow for community collaboration and transparency, but that also means that potential attackers can examine the code for vulnerabilities. A predominant concern centers around the security and integrity of open-source components embedded within mainframe applications.

The good news is that organizations are taking open source and mainframe security seriously. The report found proactive measures dominate the landscape, with 62% of organizations routinely conducting vulnerability assessments and security audits.

Additionally, 58% of respondents noted they engage in continuous monitoring and updating of open source to address security patches promptly, and 54% noted they are training developers on best practices for secure coding and proper usage of open-source components.

Incorporating security best practices into the DevOps toolchain — also known as DevSecOps — helps ensure security remains a consistent, shared responsibility throughout the software development life cycles and that security updates are added quickly and smoothly. This reduces the chance of threats within the mainframe and ensures companies get the most out of their DevOps investments.

Compliance and Third-Party Security

While many organizations (about 68%, according to the report) take mainframe security seriously, compliance can unfortunately fall by the wayside. Only 27% of survey participants are highly confident in their organization's mainframe security compliance effectiveness. Compliance regulations provide guidelines for how businesses should be protecting critical customer data. Due to the sensitive nature of this data — and the potential harm to customers if it is not protected — the penalties for organizations that fail to comply with security regulations are quite considerable.

The large fines given to businesses that fail to comply can cause irrevocable damage, both financially and to the organization's reputation. Following relevant security compliance regulations will help maintain the security and integrity of sensitive data stored on mainframe systems. Organizations that implement security-focused tools on the mainframe will be in a better position to meet their compliance requirements.

Compliance isn't just an internal endeavor. Businesses must also keep an eye on their third-party suppliers. Making sure suppliers meet quality assurance (QA) standards is as important as internal compliance, especially for heavily regulated industries like banking and healthcare. Yet only 31% of respondents are fully convinced of their organization's effectiveness in making certain that vendors stick to these rigorous QA benchmarks. Organizations should maintain ambitious standards for vetting third-party vendors, ensuring the rights of individuals and their data are at the forefront of each digital interaction within the vendor. These evolving regulations underscore the need for businesses to be transparent, accountable, and proactive in safeguarding user data in an increasingly interconnected world.

Taking an Integrated Approach

Resilient mainframe security programs do not rely on a singular strategy — instead, business leaders should modernize their infrastructure and take a holistic approach. Integrating security best practices into the DevOps toolchain and mainframe ensures that security remains an unwavering, collective responsibility throughout software development life cycles. This integration promotes swift and efficient security updates, diminishing potential threats.

Rocket Software found that many organizations already take an integrated approach — 44% of organizations implement DevSecOps, 56% implement encryption of data, and 57% implement user authentication access controls. This is the most effective way to buffer against both internal and external threats and make sure any threats are identified quickly and efficiently. Upgrading security measures to be more integrated empowers organizations to keep their mainframe secure while opening the door for the level of growth and innovation necessary for modern business success. By taking a holistic approach, organizations can take proactive steps to protect the mainframe and its assets.

In this age of rapid technological change, mainframe systems remain a cornerstone for businesses. With digital transformation projects well underway and the introduction of DevOps tools in every enterprise, modernizing mainframe systems and security approaches will enable businesses to better adapt to new risks and data management needs. Organizations must consider solutions that leverage the security and reliability of the mainframe. A resilient defense mechanism for mainframes is not a singular strategy, but instead, an integrated approach.

Phil Buckellew is President, Infrastructure Modernization, at Rocket Software