Cyber Security for Mainframe Using Secure Snapshots to Create an Air Gap

Mainframe computing continues to run the world’s most mission critical environments. While considered highly secure, mainframe apps can be attractive targets for cyber threats. IT organizations are deploying “air gap” solutions via vaulting to better secure their Mainframes and enable fast recoveries if an app is compromised. Dell’s Cyber Security for Mainframe delivers advanced virtual and physical vaulting solutions. Implementing Dell’s air gap solutions has proven to be successful for many clients in securing their Mainframes.

Today’s Cyber Threats Reality

The threat of a Cyber Attack is a top on mind concern for every organization. The increased frequency of these attacks has many IT organizations developing security strategies not based on “if”, but “when” an attack occurs. Research shows that a cyber or ransomware attack occur every 11 seconds. Almost all are financially motivated and can cost tens of millions of dollars in damages. Businesses of all sizes can be targets, but large organizations are often attractive targets and represent a significant percentage of breaches. Many large organizations have a range of computing platforms, including mainframes that very often handle their core business applications and must also be secured.

Reports of the Death of the Mainframe Have Been Greatly Exaggerated

The saying “reports of my death have been greatly exaggerated” is a famous quotation of Mark Twain, who many people believed to be dead, when in fact he was merely abroad. And while for years many IT pundits have predicted its death, the mainframe is very much alive and well. The global Mainframe market was valued at $4.9 Billion USD in 2020 is expected to reach $5.9 Billion USD by the end of 2026, growing at a CAGR of 2.6%. Mainframes continues to be computing “work horses” that run many of the applications we use every day. They are used by 71 percent of Fortune 500 companies, process 90 percent of all credit card transactions, and handle 68 percent of the world’s production IT workloads yet they account for only 6 percent of IT costs.

From a cyber threat perspective, Mainframes are recognized as one of the most secure platforms available today. But they are not immune from attackers. Studies show that while most threats come from external entities, about a third of all cyber-attacks involve hackers with insider access credentials. Security strategies must not only include how to keep the bad actors out, but also being able to recover in the event a bad actor is able to get in.

Air Gap’s to secure the apps and keep the bad guys out

An air-gapped environment is a network security measure employed to ensure a computer or computer network is secure by isolating it from unsecured networks, such as the public Internet or an unsecured local area network. For high-assurance organizations like utilities, critical infrastructure, banks, government agencies and other heavily regulated companies, air-gapped devices can be a key solution to today’s complex data security challenges.

The idea behind air gap technology is simple: leave no doors or windows open, and criminals will have no way in and data no way out. There are very few ways to infiltrate air-gapped computers because data can only be shared to and from the machine via a controlled connection such as a network port.

Air gaps can be either virtual or physical. A virtual air gap is intended to achieve the same level of separation as a physical air gap. Instead of using separate physical infrastructure dedicated for recovery, a virtual air gap uses shared physical infrastructure with the controls to deliver the same level of separation as a physical air gap.

Recovery to restart the apps and keep the business running 

IT teams have learned firsthand in recent years air-gapped devices aren’t immune to insider threats, zero-day attacks, or the risk of coming into physical contact with infected peripherals such as a malicious USB. Air gaps can help increase security by assuring data that has not been compromised and can be recovered. Breaches can sometimes take a week or longer to recover critical data. Even worse, ransomware spreads quickly and often require organizations to pay to recover their data. Dell’s Cyber Recovery for Mainframe was developed to ensure copies of data that have not been compromised and can be used to quickly recover an application after an attack.

There are several requirements that must be addressed to ensure the apps can be recovered. This includes a surgical recovery capability that provides the ability to selectively restore a portion of data as needed to repair only what was corrupted. In addition to a granular level a recovery, a catastrophic recovery capability is required to provide a valid recovery point after an attack in the event 100% of the data needs to be recovered. There also needs to be a forensic analysis capability to allow inspection and determination to find a “known good state of data”. Data validation is also required to provide a methodology for restoring data to the desired known good state.

Dell Cyber Recovery Solutions for Mainframe

Dell offers a comprehensive suite of mainframe solutions and services to provide cyber resiliency, data protection, and automated recovery backed by over 30 years of expertise. PowerMax storage arrays continue the mainframe legacy of Symmetrix, DMX, and VMAX arrays that have come before it. It reduces risk while delivering mission-critical mainframe storage with scale, performance, availability, and security that IT organizations have relied on for years.

PowerMax includes several key built in security capabilities. It includes features like SnapVX and zDP to create virtual and physical air gaps by creating copies of an applications via Snapshots. Organizations use Snapshots to create and manage highly scalable and space efficient copies that can be used to restore mainframe applications in the event of a cyber-attack. Snapshots provide granular recovery points (RPO’s), from minutes to hours, and are highly scalable. For example, PowerMax can support up to 32 million snaps of mainframe CKD devices within a single array. Snapshots can also persist indefinitely, although retention policies usually last several days to weeks. Snapshots are pointer-based copies and only consume capacity as new data is written making them highly space efficient.

In addition to granular RPO’s, Snapshots can also significantly reduce recovery times (RTO’s). They eliminate the need to move data to recover and provide immediate application access without time-consuming background copy operations. Data synchronization between snaps and source volumes happens in the background to maintain both data consistency and protection while the process occurs.

PowerMax also supports the ability to create “Secure Snapshots” that expire when an expiration date is reached. Secure Snaps are an optional way to create copies and cannot be terminated by an admin. It provides an added level of security to prevent snaps from being deleted accidently or by a rogue authorized admin with malicious intents.

PowerMax also provides Mainframe admins with the ability to create a Two-Actor Security policy. The policy requires two people to execute certain critical Mainframe commands or alter the existing policies and definitions. Once the policy is enabled by Dell Support, it cannot be disabled by customer systems support personnel. Think of it as the “Missile Keys” approach to protect from a single malicious privileged insider attacker.

Creating virtual air gaps using Snapshots is a common use case. Snapshots are also used to create physical air gaps using a backup “vault” array. The vault array is ideally physically isolated – a locked cage or room – and is always logically isolated via an operational air gap. The vault array’s components are never accessible from the source side, and access to the vault array when the air gap is unlocked is extremely limited. The array vault is not always an extra data center. It is often located at the same data center as the source array, and more frequently now, with a third party hosting provider.

Critical applications are synced through the air gap, which is unlocked by the management server into the vault array and replicated into the vault array’s storage. The air gap is then re-locked. Next, a snapshot of that data is made as a recovery point. The snapshot retention is configurable, but most keep about a month’s worth of recovery points. Then the application’s snapshot retention locked using Secure Snaps to protect it from accidental or intentional deletion.

Historically, mainframe recovery had a DR focus, to minimize downtime and unavailability due to a system failure or site disaster. Today’s threats now also include intentional compromising of applications, data corruption and even data destruction. Often these threats are not immediately identified or understood. Having a Cyber Recovery strategy protects data and but also provides for recovery from an attack is critical. That’s why organizations continue to rely on Dell’s comprehensive suite of mainframe solutions and services to provide cyber resiliency, data protection, and automated recovery backed by over 30 years of proven mainframe expertise.

For more technical details and geeky goodness, check out this video from the latest Share Mainframe user conference. This features Dell’s Carol Elstien, Principal Solutions Partner (consulting in the area of distributed and mainframe Cyber Protection) and Brett Quinn, Distinguished Member of Technical Staff, Mainframe Storage Engineering.

One thought on “Cyber Security for Mainframe Using Secure Snapshots to Create an Air Gap

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s