According to Verizon’s 2025 Data Breach Investigations Report, credential abuse is the number one attack vector used in data breaches. That means that minimizing identity and access management (IAM) risk is one of the most effective ways to reduce your attack surface — and the mainframe is not exempt.
Consider the fact that it takes an average of 276 days to identify and contain a breach of data that’s stored across multiple environments. What could a threat actor do with nine months of undetected, unauthorized access?
If your mind jumps to the worst case scenario, like stealing sensitive data, implanting ransomware, or exposing intellectual property, we’re on the same page. Threat actors know that the mainframe houses mission-critical data and processes. In fact, these platforms handle 70% of the world's production customer transaction workloads.
Security teams that rely on perimeter-based security strategies for the mainframe should be concerned. The modern IT ecosystem has become an intricate web of interconnected platforms, applications, and data storage, each with its own vulnerabilities and dependencies. And the mainframe rests at the center of it all, serving as the core of our most valuable operations. This requires a modern approach to security.
Adopting a new approach to security for the mainframe that has historically relied on perimeter-based methods may seem like a daunting task. Where should an organization even begin?
Here at Broadcom, we encourage our clients to start with Zero Trust, a foundational security model geared toward reducing identity and access related risk.
This blog is the first in our 4-part Zero Trust Deep Dive series. These blogs will break down:
- What Zero Trust is and why it’s fundamental to mainframe security
- What you need to set your implementation up for success
- How to implement a Zero Trust model
- How to prioritize and improve your Zero Trust architecture, once the basics are in place
For this blog, we’ll cover the foundations of Zero Trust and why you and your teams should care.
What is Zero Trust?
Zero Trust is a data-centric security model centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and must assume they will be breached.
We’ve all heard the refrain, “never trust, always verify,” but what does that look like in practice?
Essentially, the model drives home the principle that trust is not automatic, nor is it assumed. Trust must be earned before entry, reevaluated at every step, and consistently validated. Resources should be shared intentionally and individually, not opened up to everyone by default. Access should be granted to authorized individuals based on their specific need for that access; nothing more.
We recommend starting with Zero Trust for two reasons:
- It effectively enables multiple layers of protection.
- It also allows your security team to improve your security posture, even if you’re not (yet) able to see every component that integrates with your mainframe.
Zero Trust as a Mindset Shift
Think of Zero Trust as both a mindset and a tactical approach to security. The model suggests that we should always be prepared for breaches; if you assume there will be a breach, you can plan for it, work to avoid it, and minimize its impact when it happens. That’s the mindset portion. But if you expect that a breach will never happen to you, it’s very likely that you’re in for an unpleasant surprise.
The most secure organizations live every day assuming they have been or will be breached. They also assume that their current security controls are not good enough and are in need of continuous improvement. Preparation is the foundation for a Zero Trust strategy. And, as the name suggests, it creates a shift from the old school “trust but verify” methodology, to a modern “verify before you trust” model.
Does the Mainframe Need Zero Trust?
When the mainframe was first developed, it operated in a closed, siloed environment—physically and logically protected by four walls. Access was tightly controlled and largely limited to a small number of experts. Over time, as connectivity expanded and the mainframe became integrated into broader enterprise and hybrid cloud infrastructures, those walls came down—and the security model had to evolve.
Access control solutions like ACF2™ and Top Secret® were early responses to that need. ACF2™ introduced a model that began with no access and required explicit authorization for every system and resource, while Top Secret® strengthened identity protection and streamlined how that access was managed. Together, they embodied many of the same principles that define Zero Trust today—well before it became a guiding framework for enterprise security.
Today, most mainframe systems have hundreds of thousands of IDs, including human users, applications, and other entities that need access to the mainframe, as well as the associated entitlements that have been defined over the years. These entitlements are central to operations on the mainframe, as they grant access to mainframe resources. Without these entitlements, our businesses would grind to a halt.
Since this access to the mainframe is needed from a business perspective, how can we deploy the Zero Trust model?
Using Incremental Steps to Establish Zero Trust for the Mainframe
When nearly a third of data breaches occur via valid credentials, it’s clear that our approach to identity authentication and authorization must be safeguarded with granular security controls. But an all-or-nothing approach to implementing a new security model today isn’t an option. Security models and infrastructure are years in the making or, for the mainframe, decades in the making. Starting over by resetting every security control simply isn’t realistic.
Instead, it is perfectly acceptable to augment existing identity and access management (IAM) defenses with additional layers to provide a Zero Trust compliant model. As always, ‘rings of security’ and layered defenses are important in security architecture, and the same applies to implementing Zero Trust.
Nearly a third of data breaches occur via valid credentials, but you don’t have to do everything at once to make your mainframe more secure.
The first step is to understand which users have which entitlements and which of those are necessary for their job. That is often done at an annual review, where attestation is used to ask users whether they still need the permissions currently granted. It’s also important to check that attestation against actual usage, confirming the need (or lack of need) for each entitlement.
By using “clean up” tools, you can analyze your external security manager (ESM) database for entitlements and determine which entitlements are being used and by which IDs. This can even be automated, eliminating any entitlements that have not been used in the last year. The practice of assuming users don’t need entitlements they aren’t using and automatically removing them is a solid step toward Zero Trust.
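As an added illustration (not Broadcom’s tooling and not code from this post), the Python below applies the review rule just described to constructed entitlement, usage, and attestation records: keep what has been exercised within the window, remove what is idle and not attested as needed, and flag for verification where an attestation contradicts actual usage. The user IDs, resource names, dates, and the 365-day idle window are all assumed sample values.

```python
from datetime import date

# Constructed sample data; not taken from a real ESM database or audit trail.
ENTITLEMENTS = [  # (user id, resource, access level granted)
    ("USR001", "PROD.PAYROLL.DATA", "READ"),
    ("USR001", "PROD.PAYROLL.DATA", "UPDATE"),
    ("USR002", "PROD.PAYROLL.DATA", "READ"),
    ("BATCH01", "PROD.GL.LOAD", "UPDATE"),
    ("USR003", "TEST.CUST.DATA", "READ"),
    ("USR004", "PROD.CUST.DATA", "ALTER"),
]
USAGE = [  # constructed access events: (user id, resource, level exercised, date)
    ("USR001", "PROD.PAYROLL.DATA", "READ", date(2025, 5, 2)),
    ("USR002", "PROD.PAYROLL.DATA", "READ", date(2024, 1, 15)),
    ("BATCH01", "PROD.GL.LOAD", "UPDATE", date(2025, 5, 30)),
]
ATTESTED = {  # constructed annual-review answers: True = user says still needed
    ("USR001", "PROD.PAYROLL.DATA", "UPDATE"): True,
    ("USR002", "PROD.PAYROLL.DATA", "READ"): True,
    ("USR003", "TEST.CUST.DATA", "READ"): False,
}
AS_OF = date(2025, 6, 1)  # constructed date on which the review is run

def last_use(usage):
    """Most recent date each (user, resource, level) was actually exercised.
    Matching is exact: a READ event does not justify keeping an UPDATE grant."""
    latest = {}
    for user, resource, level, when in usage:
        key = (user, resource, level)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest

def review_entitlements(entitlements, usage, attested, as_of, max_idle_days=365):
    """Compare attestation against real usage and classify each entitlement:
    'keep'   - exercised within the idle window;
    'verify' - idle, but attested as needed (a contradiction to confirm first);
    'remove' - idle and not attested as needed, or never attested at all."""
    latest = last_use(usage)
    verdicts = {}
    for key in entitlements:
        used = latest.get(key)
        if used is not None and (as_of - used).days <= max_idle_days:
            verdicts[key] = "keep"
        elif attested.get(key, False):
            verdicts[key] = "verify"
        else:
            verdicts[key] = "remove"
    return verdicts
```

Running `review_entitlements(ENTITLEMENTS, USAGE, ATTESTED, AS_OF)` flags USR001’s unused UPDATE grant and USR002’s stale READ for verification, keeps the two recently exercised grants, and marks USR003 and USR004 for removal.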
What’s Next?
The mainframe, like any other platform, is only as secure as people and processes make it. We should assume that a breach will happen; it’s not a matter of if, but when. Everything should be verified and validated at every stage. Never trust, always verify.
In our next post, we’ll dive deeper into this concept of cleaning your security database and exploring what you need to set up to enable your Zero Trust implementation to be a success.
This blog post is provided to you by Broadcom as a courtesy and is for your informational purposes only. This blog post is intended to provide preliminary guidance in forming your plans and policies. You should consult your own legal, regulatory, and security advisors to confirm that the information in this blog post is correct and applies to your specific circumstances. Any reliance you place on the information in this blog post is solely at your own risk.

