You might think a mature industry like mainframes means low growth, but IBM is still selling mainframes like hotcakes. IBM said its mainframe business rose 32% in the second quarter compared to overall sales growth of 13%. How many 1960s technologies are putting up these numbers in 2008? The reality is that what mainframes do, they do well. While some companies invest 8 figures in moving to a supposed latest and greatest ERP or CRM solution, many would be better served by putting a Web services gateway in front of the mainframe to address the mainframe's chief weakness - distribution.
From a security point of view, mainframes are interesting because they were designed for a closed environment. Their advocates generally talk about the beauty of RACF and so on, and that is all well and good until people go and put them on the web! Approaches vary, but it usually amounts to MQ Series with not authentication, sitting in front of the mainframe with a J2EE server talking to the queues. What happens then is a major shift, because the mainframe security model is designed (rightly for its time) to be focused on the resource owner (remember the R in RACF). There is a minimal effort on securing the subject, the claim and so on.
Again the mindset is fine when its your own employees in a room using a terminal, but its another thing altogether when you are integrating with a distributed system. This is where we need more focus on securing the subject and the claim, not just the resource. This is of course where new standards and technologies such as SAML and Information Cards come in. Its not enough to protect the object resource and assume a benign controlled (or controllable) subject and claim, you have to add layers of protection to the subject and claim as well.
Comments