Cyber Resiliency on the Mainframe: Protecting against Ransomware
Ransomware is a pernicious form of malware that encrypts important files on business systems. The attacker then demands a ransom, paid in cryptocurrency, in return for the decryption key. However, paying the ransom doesn’t guarantee the attacker will follow through (they are criminals, after all) – and even worse, paying the ransom may be illegal.
Ransomware can target any type of system, and attackers certainly favor the easier ones. One might wonder, therefore, whether they would ever attack a mainframe. Mainframes, after all, are well-protected, more isolated than distributed systems, and leverage proprietary protocols and relatively obscure languages and procedures.
Why, then, would an attacker ever want to target a mainframe? To paraphrase bank robber Willie Sutton: because that’s where the data are.
Understanding the Risk
Today, many mainframe users – even privileged ones – use Windows machines (or other phishing-susceptible computers) to access their mainframe accounts. All it takes is one privileged mainframe user to click on a malicious link and download a keylogger. The next time they log into the mainframe, BAM! The attacker is in.
Attackers will then use any available file transfer protocol to upload their malware to the mainframe and compile it in place. The malware’s next step: encrypt as many files as it can – and most importantly, encrypt as many backups as possible as well. Any backup connected to the network is fair game.
Mitigating Mainframe Ransomware Risk with the Cloud
Taking steps to prevent or disrupt the sequence of events I described above is a must. For example, every organization should institute multifactor authentication for all mainframe access. But in spite of such measures, security teams can never be entirely sure an attack won’t slip through.
Therefore, protecting mainframe data from ransomware attacks is absolutely essential. Two mandatory components of this effort are an immutable copy of transactional data that you keep disconnected from the network, and a third copy of the data in air gapped mode.
Existing mainframe backup technologies aren’t up to the task. While there are air gapping point solutions for the mainframe on the market, finding a combination of immutability, real-time access, and air gapping is a stretch for the venerable platform – and in any case, even if an organization could implement this third copy protocol on the host, the mainframe processing costs would be prohibitive.
For these reasons (as well as many others), leveraging the cloud to back up and protect mainframe data is the fastest, most cost-effective solution to the ransomware risk mitigation problem.
Using technology from a company like Model9, a mainframe organization can implement primary ‘hot’ backup in the cloud. In many cases, such hot backup requires two identical instances of the data, ideally in different clouds, configured in a hot-hot architecture in order to avoid any loss of transaction data in the event of disruption.
In addition, such organizations should implement their immutable third copy, in a location suitable for air gapping – typically in the cloud or in on-premises object storage in a private cloud deployed for that purpose.
With this configuration, in the event of ransomware compromise of the hot-hot high availability backups, the organization can restore data from the air gapped, immutable store. Of course, the security team must remove the malware first to avoid recontamination, even though the malware cannot reach the air gapped third copy.
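The three-copy arrangement described above (two hot copies plus an immutable, air gapped third copy) is easier to reason about with a concrete model of what each copy must enforce and how a restore should verify what it reads. The following Python simulation is an added example for this article; it is not Model9 code and does not model any real product or cloud API. The store classes, the dataset names and the data are all constructed for illustration. The key points it shows: the third copy is write-once (a second write to the same key is rejected), every copy is checked against a SHA-256 manifest before it is trusted, and the restore falls through to the first copy that verifies.

```python
import hashlib
import os
import zlib


class HotStore:
    """Ordinary read-write object store, standing in for one of the
    hot-hot backup copies. Anything that can reach it can overwrite it."""

    def __init__(self):
        self._objects = {}

    def put(self, key, data):
        self._objects[key] = bytes(data)

    def get(self, key):
        return self._objects[key]


class ImmutableStore:
    """Write-once store standing in for the air gapped, immutable third copy.
    Assumed behaviour (like an object lock): an existing key can never be
    overwritten or deleted, only read."""

    def __init__(self):
        self._objects = {}

    def put(self, key, data):
        if key in self._objects:
            raise PermissionError(f"object lock: {key!r} is immutable")
        self._objects[key] = bytes(data)

    def get(self, key):
        return self._objects[key]

    def delete(self, key):
        raise PermissionError(f"object lock: {key!r} cannot be deleted")


def backup(dataset_name, raw, stores):
    """Compress the data set in its original form, digest the compressed blob,
    and write the same blob to every store. Returns the manifest entry.
    (In practice the manifest itself must live in the immutable store too.)"""
    blob = zlib.compress(raw)
    digest = hashlib.sha256(blob).hexdigest()
    key = f"{dataset_name}/{digest[:12]}"  # content-addressed object key
    for store in stores:
        store.put(key, blob)
    return {"dataset": dataset_name, "key": key, "sha256": digest}


def verify(store, entry):
    """True only if the store holds the object and its digest matches the manifest."""
    try:
        blob = store.get(entry["key"])
    except KeyError:
        return False
    return hashlib.sha256(blob).hexdigest() == entry["sha256"]


def restore(manifest, stores):
    """Restore each data set from the first copy that verifies; never trust a
    copy that fails the manifest check. Assumes the malware has already been
    removed from the environment the data is restored into."""
    recovered = {}
    for entry in manifest:
        for store in stores:
            if verify(store, entry):
                recovered[entry["dataset"]] = zlib.decompress(store.get(entry["key"]))
                break
        else:
            raise RuntimeError(f"no intact copy of {entry['dataset']}")
    return recovered


def simulate_corruption(store, manifest):
    """Stand-in for ransomware reaching a copy: every backup object it can
    write is replaced with junk. No real encryption is involved."""
    for entry in manifest:
        try:
            store.put(entry["key"], os.urandom(32))
        except PermissionError:
            pass  # the immutable copy rejects the write


def run_scenario():
    """Constructed data sets; returns (which copies are intact, restore succeeded)."""
    datasets = {
        "PROD.TXN.DAILY": b"txn-0001,ACCT-17,credit,120.00\ntxn-0002,ACCT-42,debit,35.10\n",
        "PROD.CLAIMS.OPEN": b"claim-9001,open,2024-01-03\n",
    }
    hot_a, hot_b, vault = HotStore(), HotStore(), ImmutableStore()
    manifest = [backup(name, raw, [hot_a, hot_b, vault]) for name, raw in datasets.items()]

    # Compromise: both hot copies are reachable and get overwritten; the
    # third copy rejects the same writes.
    for store in (hot_a, hot_b, vault):
        simulate_corruption(store, manifest)

    intact = {
        "hot_a": all(verify(hot_a, e) for e in manifest),
        "hot_b": all(verify(hot_b, e) for e in manifest),
        "vault": all(verify(vault, e) for e in manifest),
    }
    recovered = restore(manifest, [hot_a, hot_b, vault])
    return intact, recovered == datasets


if __name__ == "__main__":
    print(run_scenario())
```

The detail that matters for a defender is the order of operations in `restore`: a copy is read only after it verifies against a manifest that the attacker could not alter, so a corrupted hot copy is skipped rather than restored, and the air gapped third copy is only as useful as the integrity record that lets you trust it.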
How Model9 Facilitates Mainframe Data Protection
Setting up mainframe data backups in the cloud requires careful consideration of the technical details – data formats, data structure, transfer protocols, and encryption, to name some of the most important.
With Model9, the mainframe’s System z Integrated Information Processor (zIIP) engine extracts both hot data (transactional data in data sets and databases) as well as cold data (tape and virtual tape-based data) faster and far less expensively than traditional mainframe data migration would normally entail.
Model9 then compresses and encrypts all the mainframe data in their original format for transport (again using zIIP and IBM Z compression engines), lightening the load on the network and improving the performance of the transfer.
Model9 transfers the compressed mainframe data to cloud-based object storage and then, without involving the mainframe at all, transforms them into open formats in the cloud for use in cloud applications, including cloud-based cyber forensics (rather than transforming the data on the mainframe).
Model9 can also retain the mainframe data in their original format, should the organization require a restore to the mainframe environment, as might be the case as part of a mainframe ransomware mitigation.
Model9 thus establishes a bidirectional flow of data between the mainframe and the cloud, eliminating the need for legacy data management solutions, so organizations can back up, archive, and recover data directly in the cloud.
Finally, Model9 can transfer mainframe data (either in their original or transformed state) to or from air gapped object storage, either in the cloud or on-premises.
The Intellyx Take
While ransomware attacks on the mainframe are arguably less likely than many other types of cyberattacks, the fact that the targeted data are so mission critical to the organization requires careful planning and mitigation of such risks.
Imagine if a bank were to lose access to all its recent transaction data. Or an insurance company unable to access claims in progress. Or yet another instance of an airline’s reservation system going down – as if we didn’t have enough of those already.
Make no mistake: mainframes keep the economy up and running, and the data they process every day are critical to this vitally important responsibility.
The attackers know how important such information is – and they’re working day and night to compromise it. Don’t let them succeed.
Copyright © Intellyx LLC. Model9 is an Intellyx customer. Intellyx has final editorial control of this article.