Until recently, mainframe penetration testing was performed onsite for no other reason than “it’s a mainframe.” Yet the majority of non-mainframe pen tests have always been carried out remotely.
I visited a bank in North America shortly before the pandemic. The bank’s pen testing lab had a long bench with 10 laptops and five servers, all lined up. This was the bank’s service partners remotely connecting into its systems to carry out their work: quick, simple and secure. But my team was onsite, at the client’s request. I’d flown half-way around the world.
It had always been that way because of sensitivities among mainframe managers and systems programmers that led to the reflex reaction, “Thanks but no thanks, if you’re testing our mainframe systems we want you here while you’re doing it.” In a pre-coronavirus world, we’d performed quite a few mainframe security assessments remotely, but remote pen tests were few and far between.
This sensitivity was a cultural hangover from the old days of big iron. For many years the mainframe had too often been given a “pass” when it came to pen tests. The system programmers, mainframe managers and other platform custodians didn’t want us touching their systems because they didn’t really think the mainframe needed it. Safe in the heart of the data center, they believed they were secure by default.
Those days are gone. The world has changed. One catalyst pre-dates the pandemic and was more of a slow burn: a gradual understanding that mainframes are no longer “special” or “unique” when it comes to hacking and data breaches. To the bad folks, it’s just another computer. Even then, as we engaged with clients for mainframe pen tests and security assessments, conversations were invariably all “onsite, onsite, onsite.” Then COVID-19 and the lockdowns came: the big catalyst for change and more of a shock to the system. But even then, at the start, we had clients saying “We’ve decided not to do tests at this time because you can’t come onsite.” But the clock was ticking.
With the situation persisting for so long and clients needing their systems testing, they’ve changed how they think about it. The security people and mainframe people came together, with the security side convincing the mainframers that we can do this remotely—if you have the right processes, procedures and controls. And guess what? Those processes and controls are already in place.
Mainframers have pivoted to a position in which their systems are regarded in much the same ways as how their wider enterprise security colleagues work. The situation has changed to such a degree that in the summer, we built and delivered a laptop for a longstanding client, a major insurer, as would any other non-mainframe service provider. We shipped it to their data center, we connected securely to it, and reached into their mainframes to work. That was a first for us. But definitely not the last.
In addition to helping client sites to stay COVID-secure, it’s lower-cost to do a mainframe pen test remotely because we can price the work more attractively, and there are no travel and expenses. It’s also a more carbon-friendly way to work, which is increasingly important as calls for ‘Net Zero’ operations continue rising in volume. On the delivery side, we can work more efficiently, using our time even more productively. We can be more responsive, delivering tests faster and extending our professional reach to an even wider client base in any location worldwide, and all from our central service center. And we do so securely.
We reach into client systems in exactly the same way as they provide remote access to their own home workers and support staff: via a VPN over encrypted links and typically using multi-factor authentication (MFA). We’re not asking the client to do anything they don’t already do. We don’t need any special treatment or procedures in terms of access and privileges. Of course, we undergo all the proper onboarding you would expect, the identity and verification (ID&V) and background checks that a client needs to do.
Back to my earlier point: there was no real business or technical reason that required us to be onsite. It was a culture, a mindset, and that has now changed. And our customers love it. Both customers and security teams believe it’s a positive change as we enter an era of “mainframe as innovation hub” that will feature ever-greater security, resilience, adaptability and automation.
Mark Wilson, senior director, consulting services, BMC Mainframe Services