Implementing the foundational elements of Zero Trust on the mainframe is a huge accomplishment, but your journey doesn’t end there. Instead, think of your Zero Trust strategy as an iterative process, one that you continuously refine based on your evolving technological and threat landscapes. Essentially, start small, start somewhere, and scale gradually.
To guide you on this journey, we’ve broken down our Zero Trust Deep Dive series into digestible installments, including:
- Establishing the mainframe’s need for Zero Trust (Part 1)
- Outlining the necessary steps to set your implementation up for success (Part 2)
- Detailing the key components of a Zero Trust strategy (Part 3)
So, what’s next?
In our opinion, simply allowing a security-based mindset to guide strategy will serve your Zero Trust implementation — and your overall security and compliance posture — better than any single, prescriptive recommendation. But we want to leave you with more actionable takeaways.
After you’ve shifted your mindset around mainframe security, done the prep work, and rolled out your initial security enhancements, use the following recommendations to determine your immediate priorities and long-term security goals.
Non-Negotiable Factors that Influence Your Security Priorities
The process of determining security priorities and resource allocation is very subjective. But no matter where you are on your Zero Trust journey, there are some events and circumstances that demand your immediate attention.
Whether a governing body is pushing your organization to act or there is internal pressure to address something — often, it’s both at the same time — these elements will impact and sometimes compete for the top slots on your To-Do list.
From there, risk level, potential fiscal impact, your organization’s risk appetite, and deadlines guide your short- and long-term goals.
Non-negotiable factors may include:
- Industry, business model, and business size
- Region(s) in which the business operates
- Business goals (e.g., pursuing a new certification or improving business continuity by integrating certain operations with the cloud)
- Regulatory updates and deadlines
- Recent findings from an internal or external audit
- Discovery of a new high-risk threat (e.g., evidence of threat actors using quantum computing capabilities)
- Notification of a third-party vulnerability or exposure
- Recent security event or exposure
While it would be great to have the best encryption tool, the cleanest identity database, and the perfect security controls, it isn’t possible to do everything at once. Often, your business priorities or regulatory deadlines will drive prioritization. Regardless of what prompts the next step, you need to know where you are.
Understanding Your Baseline — Where Are You Now?
Once you determine the internal and external factors that may add specific requirements or time restrictions to your mainframe risk and compliance strategy, it’s time to assess your current risk posture.
It is important to always know your current state, which includes these steps:
- Inventory your assets: Know your systems, applications, users, data and implemented policies
- Map data flows: Discover where and how your systems interface with each other, how data moves between them, and which authorized parties access the above
- Perform risk assessment: Identify high-value assets, sensitive data, and privileged identities, both human and non-human (e.g., service accounts)
These tasks might not be quick or easy to complete, but they will give you the visibility needed to set clear and accurate priorities.
Measuring Progress Through Desired State and KPIs
Defining a desired state for your mainframe security strategy is a critical part of the goal setting process. Not only does this ensure all stakeholders are aligned with your proposed destination, but it also helps you visualize the gaps between that destination and your current baseline.
Intentionally select key performance indicators (KPIs) that can both quantify these gaps and enable you to measure the effectiveness of the changes you go on to make. Your security team should develop a strategy that drives progress toward each individual KPI, monitors your ongoing progress, and uses this data to adjust your course as needed.
Consider the real-world examples below.
Example #1: MFA Coverage
Current Status: Only highly privileged accounts, such as mainframe systems programmers and database administrators, have MFA enabled.
Goal: Implement MFA across all users who access sensitive data or systems on the mainframe to enhance overall security posture and comply with relevant regulations, like PCI DSS 4.0.
Suggested KPI: Use “MFA Coverage,” which describes the percentage of user accounts that are currently protected with MFA.
Safeguarding users with the ability to modify mainframe infrastructure is an excellent first step. Despite being a small percentage of your overall user database, these are valuable targets for phishing or brute force attacks because of their extensive privileges. Once this is accomplished, it’s time to expand your MFA coverage to other users with elevated access.
Next Steps: Define small, manageable wins for your team, such as increasing MFA coverage by 30% over the next 3 months, aiming to achieve 90% over the course of the next year.
Example #2: Privilege Elevation Utilization
Current Status: You’ve identified instances where users were able to access critical resources, such as z/OS configuration datasets, outside of your privileged access management (PAM) system.
Goal: Ensure all access to critical resources is subject to and compliant with your organization’s PAM policies and security controls.
Suggested KPI: "Privilege Elevation Utilization" highlights the percentage of access elevation that is being granted via business validation processes.
If you’ve discovered that there are instances in which critical assets are being accessed outside of your PAM procedures, you should be concerned about insider threat activity. Flag these as high-risk for immediate remediation.
Next Steps: First, determine if the user or users are authorized to access said critical resources. If not, this warrants immediate investigation. If yes, determine where the authorized user is intentionally or accidentally bypassing your PAM procedures. Modify these processes and controls to ensure comprehensive and dynamic, just-in-time privileged access.
Example #3: Event Detection Rate
Current Status: Security events are logged on the mainframe, but detection is mostly reactive. Critical activity, like unauthorized access attempts, misuse of privileges, or configuration changes, is often discovered after the fact, during audits or manual reviews.
Goal: Move from reactive discovery to real-time awareness. A mature Zero Trust strategy depends on quickly detecting and responding to critical security events before they escalate into incidents.
Suggested KPI: Event Detection Rate measures the percentage of critical security events detected and flagged in real time (or near real time), rather than uncovered after impact. Essentially, this metric answers the simple question: How quickly are you made aware if something goes wrong on the mainframe?
A strong Event Detection Rate reflects effective monitoring of high-risk activity, including unauthorized access attempts, privilege escalations outside PAM controls, security configuration changes, and anomalous behavior.
Next Steps: First, define what constitutes a critical event, focusing on events that are linked to sensitive data or privileged access. Stream mainframe security events to centralized monitoring tools in near real time, prioritize high-risk alerts to reduce noise, and set clear expectations for rapid detection and response. As maturity grows, refine detection logic and expand coverage to catch issues earlier — before they become incidents.
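The three KPIs above (MFA Coverage, Privilege Elevation Utilization, and Event Detection Rate) are each a ratio over an inventory or event feed, and the useful part is the classification that decides what counts: which accounts are in scope, which critical-resource accesses had a valid PAM ticket at the time, and which critical events were detected inside the near-real-time window. The script below is an added example, not Broadcom's code; the record layouts, field names, the set of critical datasets and event kinds, the 15-minute detection window, and all sample data are constructed assumptions for illustration, not a real SMF or RACF format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2025, 1, 6, 9, 0)  # constructed reference time for the sample data

# ---- Example #1: MFA Coverage --------------------------------------------
# Constructed user inventory; "sensitive_access" marks accounts that touch
# sensitive data or systems and are therefore in scope for the KPI.
USERS = [
    {"id": "SYSPROG1", "sensitive_access": True,  "mfa": True},
    {"id": "DBA01",    "sensitive_access": True,  "mfa": True},
    {"id": "APPDEV1",  "sensitive_access": True,  "mfa": False},
    {"id": "OPER02",   "sensitive_access": True,  "mfa": False},
    {"id": "GUEST9",   "sensitive_access": False, "mfa": False},
]

def mfa_coverage(users, in_scope_only=True):
    """Percentage of in-scope accounts (or all accounts) protected with MFA."""
    scope = [u for u in users if u["sensitive_access"] or not in_scope_only]
    if not scope:
        return 0.0
    return round(100.0 * sum(u["mfa"] for u in scope) / len(scope), 1)

# ---- Example #2: Privilege Elevation Utilization -------------------------
@dataclass
class AccessEvent:
    when: datetime
    user: str
    resource: str
    ticket: Optional[str]   # PAM ticket reference carried with the request, if any

@dataclass
class PamTicket:
    user: str
    resource: str
    valid_from: datetime
    valid_to: datetime

# Assumed set of critical configuration datasets for this illustration.
CRITICAL_RESOURCES = {"SYS1.PARMLIB", "SYS1.PROCLIB"}

PAM_TICKETS = {  # constructed tickets issued through the business validation process
    "PAM-1001": PamTicket("SYSPROG1", "SYS1.PARMLIB", T0, T0 + timedelta(hours=2)),
    "PAM-1002": PamTicket("DBA01", "SYS1.PROCLIB", T0, T0 + timedelta(hours=1)),
}
ACCESS_EVENTS = [  # constructed access records
    AccessEvent(T0 + timedelta(minutes=10), "SYSPROG1", "SYS1.PARMLIB", "PAM-1001"),  # covered
    AccessEvent(T0 + timedelta(hours=3),    "SYSPROG1", "SYS1.PARMLIB", "PAM-1001"),  # ticket expired
    AccessEvent(T0 + timedelta(minutes=30), "DBA01",    "SYS1.PROCLIB", None),        # no ticket
    AccessEvent(T0 + timedelta(minutes=5),  "APPDEV1",  "APPDEV.SOURCE", None),       # not critical
]

def is_covered(ev, tickets):
    """True only if the referenced ticket matches user, resource and time window."""
    t = tickets.get(ev.ticket)
    return (t is not None and t.user == ev.user and t.resource == ev.resource
            and t.valid_from <= ev.when <= t.valid_to)

def privilege_elevation_utilization(events, tickets, critical):
    """Return (percent of critical accesses covered by a valid PAM ticket, list of bypasses)."""
    crit = [e for e in events if e.resource in critical]
    bypasses = [e for e in crit if not is_covered(e, tickets)]
    pct = round(100.0 * (len(crit) - len(bypasses)) / len(crit), 1) if crit else 100.0
    return pct, bypasses

# ---- Example #3: Event Detection Rate ------------------------------------
@dataclass
class SecurityEvent:
    kind: str
    occurred_at: datetime
    detected_at: Optional[datetime]  # None means never flagged by monitoring

# Assumed definition of "critical" for this illustration.
CRITICAL_KINDS = {"unauthorized_access", "pam_bypass", "config_change", "privilege_escalation"}

SECURITY_EVENTS = [  # constructed event records
    SecurityEvent("unauthorized_access",  T0, T0 + timedelta(minutes=2)),                    # timely
    SecurityEvent("config_change",        T0 + timedelta(hours=1), T0 + timedelta(days=30)), # found at audit
    SecurityEvent("pam_bypass",           T0 + timedelta(hours=2), None),                    # never detected
    SecurityEvent("privilege_escalation", T0 + timedelta(hours=4), T0 + timedelta(hours=4, minutes=5)),  # timely
    SecurityEvent("logon_success",        T0, T0),                                           # not critical
]

def event_detection_rate(events, critical_kinds, window=timedelta(minutes=15)):
    """Percentage of critical events detected within the near-real-time window."""
    crit = [e for e in events if e.kind in critical_kinds]
    timely = [e for e in crit
              if e.detected_at is not None and e.detected_at - e.occurred_at <= window]
    return round(100.0 * len(timely) / len(crit), 1) if crit else 100.0

if __name__ == "__main__":
    print("MFA Coverage:", mfa_coverage(USERS), "%")
    pct, bypasses = privilege_elevation_utilization(ACCESS_EVENTS, PAM_TICKETS, CRITICAL_RESOURCES)
    print("Privilege Elevation Utilization:", pct, "%")
    for e in bypasses:
        print("  bypass to review:", e.user, e.resource, e.when.isoformat())
    print("Event Detection Rate:", event_detection_rate(SECURITY_EVENTS, CRITICAL_KINDS), "%")
```

Note that the PAM check treats an expired ticket the same as a missing one, so the second SYSPROG1 access counts as a bypass even though a ticket reference was supplied; that is the kind of "authorized user, wrong procedure" case the Next Steps for Example #2 say to investigate and fix in the process rather than in the user.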
Empowering Your Employees to be Part of the Solution
So far, this series has focused primarily on high-level security mindset, technology, and process, but we can’t forget the people portion of this complex equation. Every employee across your enterprise can — and should — play a role in safeguarding the organization’s critical systems and assets. This starts with leadership and trickles down by baking Zero Trust into the company’s culture.
All users must be educated on common threats and trained in safe access practices. Examples include recognizing phishing attacks, identifying newer AI-infused attack methods, and understanding the dangers of sharing login credentials. Promote individual accountability by monitoring and logging actions, especially for roles that access critical data or systems, and ensure privilege escalations are based on business need.
Arming employees with the necessary information to be part of the security solution serves another purpose. When users understand why they’re being asked to complete additional verification steps or to submit a ticket before privilege escalation, they’re more likely to comply with and uphold these standards rather than looking for workarounds.
Ultimately, collaboration between security, IT, and business units is key to a more effective and smoother Zero Trust implementation.
Progress Over Perfection
No matter where you are in your mainframe Zero Trust journey, the most important thing is to take the next step. Set your sights on the next hurdle and get to work — we’re settling in for the long haul!
Follow the path of the KPIs you've established and adjust as you go. Zero Trust cannot be achieved overnight, and every time you delay implementation, you allow unchecked potential risk into your environment. These delays can also represent the potential for brand damage, financial penalties, lawsuits, and more.
It is progress, not perfection, that builds resilience and ensures you continue to strengthen your mainframe’s security posture.
To help you make the most of the security features built into your mainframe, Broadcom offers:
- Workshops to help you define your priorities and develop a custom action plan that’s informed by security best practices.
- Self-paced and instructor-led training to facilitate building your internal mainframe expertise.
- Hands-on support through migration and upgrade services, health checks, and more to increase and accelerate your return on investment.
This blog post is provided to you by Broadcom as a courtesy and is for your informational purposes only. This blog post is intended to provide preliminary guidance in forming your plans and policies. You should consult your own legal, regulatory, and security advisors to confirm that the information in this blog post is correct and applies to your specific circumstances. Any reliance you place on the information in this blog post is solely at your own risk.