
Zero Trust Deep Dive, Part 2: So, You’re Ready for Zero Trust — But Is Your Mainframe?  

Chip Mason

Today’s threat landscape leaves little room for assumptions. Attackers are faster, regulations are stricter, and IT environments are more complex than ever. For mainframe teams, maintaining the same level of trust and access that once kept systems running smoothly can now expose significant risk.  

The good news? The mainframe is highly secure when the right controls are in place. Establishing those controls begins long before deploying new tools or technologies. It starts with preparation.  

Here at Broadcom, we recommend taking a few deliberate steps before implementing a Zero Trust model. Part 1 of our Zero Trust Deep Dive series covered why Zero Trust is imperative for mainframe security. Now, in Part 2, we’ll explore how the right tools and buy-in can set up Zero Trust implementation for success. By aligning leadership, cleaning up your environment, and understanding your data, you’ll set the stage for a smoother, more effective rollout of Zero Trust across your mainframe ecosystem.  

#1 Gain Stakeholder Buy-In  

Zero Trust requires sustained commitment. Without executive sponsorship, even the best-planned security initiatives can stall.  

Security is often viewed as a cost center, and proving its value can be challenging. It’s not always possible to quantify the value of breaches you’ve prevented or the ROI on eliminated and avoided risk. But when you frame Zero Trust as a safeguard against unplanned costs and compliance exposure, leadership begins to see it differently.  

A proactive investment in Zero Trust is always cheaper — and safer — than a reactive scramble after a breach.  
 

Executives respond to two motivators: cost and compliance. To gain executive buy-in, it’s important to highlight how audit findings can force immediate remediation — often within 90 days — and how regulatory bodies are tightening expectations around identity controls. You should also position Zero Trust as a tool to build trust and a cost-control strategy, not just a compliance afterthought.  

Lastly, tie your proposal to tangible business risks:  

  • Financial: Unplanned breach response and recovery costs
  • Operational: Unexpected downtime, staff diversion, reputational damage
  • Regulatory: Audit findings, fines, or loss of processing ability

A well-informed leadership team will allocate the resources and risk tolerance needed to support sustained progress. This will transform Zero Trust from a security aspiration into a business-backed mandate. 

#2 Run Cleanup™ Early — and Keep It Evergreen

Once leadership is on board, the next priority is accuracy. Zero Trust depends on knowing who has access, what they can do, and whether that access is still valid.  

Over time, mainframe security databases accumulate unused or outdated IDs and entitlements — accounts that may still exist but no longer match a person’s current role. That clutter doesn’t just slow performance; it introduces uncertainty and risk. Broadcom Cleanup™ helps you regain control by continuously monitoring, identifying, and removing what no longer belongs.  

 
Don’t spend time researching who owns an ID that hasn’t been used in 10 years — Cleanup™ does it for you.  

Why it matters:  
Cleanup™ simplifies and automates what was once a tedious, error-prone task. It tracks which entitlements are actually used, flags what’s inactive, and eliminates redundancy, reducing administrative overhead while tightening your security posture. The result is a cleaner, more efficient, and more compliant environment.  

By maintaining an always-on, 24x7 view of access activity, Cleanup™ also supports ongoing security recertification and regulatory due diligence.  

Here’s how to make the most of it:  

  • Start early: Run Cleanup™ well before implementing Zero Trust.
  • Collect history: Let it run continuously for at least 15 months to capture a full activity cycle.
  • Operationalize it: Schedule monthly scans and unneeded entitlement and ID removal to prevent future buildup.

This “evergreen” cadence means Cleanup™ never really stops — it becomes part of your daily operations rather than an occasional project. By keeping it on a monthly cadence, you avoid the six- or 12-month “big bang” sweeps that tie up teams; instead, administrators maintain accuracy in smaller, more manageable increments, keeping entitlements up to date and an always-current view of who uses what without major effort.  

This steady-state model pays off in three ways:  

  1. It saves time.
  2. It keeps data reliable.
  3. It ensures the organization is always audit-ready.

Operationalizing Cleanup™ gives teams ongoing visibility into access activity, helps catch structural inconsistencies early, and strengthens the foundation for every Zero Trust control that follows.  

#3 Discover and Classify Sensitive Data  

The final step before implementation is visibility — understanding who owns your data and how access is managed across teams. Over decades of mainframe operation, ownership lines can blur, especially when applications and datasets have changed hands multiple times.  

A Configuration Management Database (CMDB) can help answer the two questions that stall security work: who owns this and who approves access? You typically won’t run a CMDB on z/OS itself; instead, most enterprises already maintain one at the enterprise level. Extending that inventory to include mainframe applications, datasets, and dependencies ensures that owners and approvers are clearly identified before changes are made.  

With a complete picture, security teams stop chasing down contacts and can align decisions across business, application, and infrastructure teams.  

Zero Trust isn’t a one-time project — it’s a continuous practice of knowing and protecting what matters most.  
 

To make this effective:  

  • Define ownership: Every dataset and application should have a named owner.
  • Refresh regularly: Review and update ownership as people change roles or retire.
  • Collaborate cross-functionally: Align security, operations, and business units on access decisions.

When combined with Cleanup™, this process gives you a full picture of your environment — clean, validated access data and clearly mapped ownership. Together, they form the groundwork for a Zero Trust rollout that’s informed, transparent, and built to last.  

Start Small. Build Momentum. Stay Consistent.  

Implementing Zero Trust doesn’t require a full overhaul from Day One. Start with the basics to set yourself up for success. Get leadership on board, run Cleanup™ to make sure your data’s right, and use your CMDB to clarify who owns what.  

With the right preparation, you can move into Zero Trust implementation with confidence, and your mainframe can evolve into a model of Zero Trust maturity — secure, efficient, and built for the long term.  

In our next post, we’ll show you how to move from planning to execution with practical steps for implementing Zero Trust.  


This blog post is provided to you by Broadcom as a courtesy and is for your informational purposes only. This blog post is intended to provide preliminary guidance in forming your plans and policies. You should consult your own legal, regulatory, and security advisors to confirm that the information in this blog post is correct and applies to your specific circumstances. Any reliance you place on the information in this blog post is solely at your own risk.