Leveraging Model9 and the Power of AWS to Protect Mainframes from Cyber Threats
By Eddy Ciliendo, Chief Strategy Officer – Model9
By Dinesh Raveendran, Sr. Partner Solution Architect – AWS
Mission-critical data for bank transactions, travel bookings, billing systems, and more are often kept on mainframes by Global 2000 companies. These organizations once sought mainframes as their hosting venue because they were perceived as less susceptible to cyber attacks, but this viewpoint has changed over the past decade.
The institute for Security and Technology’s Ransomware Task Force reported that in 2021, ransomware payments by victims increased by 70% compared to the previous year. This was across multiple sectors including, but not limited to, financial firms, healthcare, and education. The impact affects supply chains, the environment, and the economy.
Mainframes are well-protected against unplanned outages and events such as a storage outage or data center power loss. One mechanism that’s employed by mainframes is a sophisticated means of synchronous data replication and shared clustering.
However, it’s the same continuous availability technologies that made mainframes a synonym for zero downtime computing that also make it more susceptible to logical corruption events such as ransomware. Data corrupted on one mainframe partition gets shared within milliseconds with all other shared databases and cluster (aka Parallel Sysplex) members.
Since mainframe data is mission-critical to many organizations, a single mainframe vulnerability can lead to a major breach, significant financial losses, painful reputational damage, and a more challenging recovery. Many mainframe shops have started looking into third-data copy solutions that create asynchronous data copies at defined intervals which can be isolated to reduce the risk of data contamination.
All existing solutions in this space are based on proprietary FICON storage technology that’s costly and complex to manage. Lack of access to a second data center, along with a skills storage of staff capable of maintaining the virtual tape library (VTL) and physical robot, are barriers limiting the ability for organizations to adequately protect themselves.
With the advent of cloud computing, companies are no longer constrained to these legacy data solutions, but instead have access to simpler and cheaper managed services. Often times, organizations leveraging Amazon Web Services (AWS) for data storage services also utilize artificial intelligence (AI) and machine learning (ML) services to extract business insights that lead to potential increases in revenue.
In a survey conducted by Known and AWS, it was identified that 65% of enterprises adopted managed data and found that lower costs led to an increase in storage utilization, and that increased business agility led to an increase in organizational revenue.
Model9 Shield takes advantage of Amazon Simple Storage Service (Amazon S3) to create multiple copies of mainframe data and inherently ensure all copies are protected. Data is compressed and encrypted end-to-end before the first byte is transmitted over the wire. When sent to Amazon S3, the data can also be air-gapped, which means an additional copy is isolated from the network and completely protected from any malicious attack.
Model 9 is an AWS Migration and Modernization Competency Partner and AWS Marketplace Seller that helps enterprises benefit from cloud economics while accelerating digital transformation and adoption of hybrid cloud architectures.
Data Ingestion: How Model9 Shield Moves Data to AWS
The graphic in Figure 1 illustrates an architectural view of the solution where we see an agent running in one or multiple logical partitions (LPAR) on a mainframe running z/OS. This agent collects individual datasets or full volume dumps from applications, databases, direct-access-storage-devices (DASD), and tape/VTL backups for transfer to Amazon S3.
The solution supports various mainframe source formats, which can either be stored in the source format or optionally transformed from EBCDIC into ASCII and formats like JSON or CSV for consumption in AI/ML analytics applications.
Data is encrypted by the Model9 agent in flight using transport layer security (TLS) with an encryption algorithm of the user’s choice and decrypted by the Model9 Management Server after landing in the S3 bucket.
Figure 1 – Data ingestion architecture.
The data ingestion process is running mainly on zIIP engines on the mainframe and causes little overhead on the mainframe which, in turn, results in lower cost. The mainframe data is read in parallel from mainframe disk or tape subsystems and moved in large, highly parallelized chunks over TCP/IP to AWS.
Figure 2 – Model9 parallel processing.
During the ingestion process, Model9 analyzes the logical structure of the mainframe data and alerts the user in case the data structure has been corrupted. While the mainframe data is securely stored in the cloud, customers have the flexibility to copy the entire backup data into additional object storage buckets to allow for cyber forensics on said data.
Once on AWS, the data at rest can be encrypted using any of the S3-specific encryption mechanisms. In order to make mainframe data immutable, Model9 Shield utilizes Amazon S3 Object Lock, which prevents an object version from being deleted or overwritten for a fixed amount of time or indefinitely, so that retention policies can be enforced as an added layer of data protection and for regulatory compliance.
Amazon S3 Object Lock can be configured at the object- and bucket-level to prevent object version deletions. Its protection is maintained regardless of which storage class the object version resides in and throughout S3 lifecycle transitions between storage classes.
Every Model9 management task—such as backup or restore policy definition, checking for errors, information gathering on compression, and throughput performance—can be easily managed via the Model9 Management Server which is a containerized application running in an Amazon Elastic Compute Cloud (Amazon EC2) instance.
Detection of Logical Corruption and Cyber Forensics
The logical data structure of the mainframe-specific datasets being sent to the cloud for protection can be analyzed for logical corruption. This approach is fundamentally different from storage-based data protection solutions that rely on flash copy technology which will copy any data, regardless of whether it is corrupted or not.
In contrast, the Model9 agent analyzes the data structure of a mainframe dataset. During the ingestion process, the agent reads mainframe data according to predefined data structures. If a dataset no longer conforms to the standard data structure for a specific data type such as VSAM or PDS/E because of a logical corruption, then the Model9 agent will stop the upload operation.
The same inherent understanding of the proprietary mainframe data can also be used to enable cyber forensics once the data is in AWS. Model9 can transform the mainframe data into cloud-native formats such as JSON in order to make mainframe data accessible by cyber forensic tools hosted on AWS.
Finally, periodical recoverability checks are performed to verify that backups in the cloud can indeed be recovered. This is essential as an increasing number of cyber attacks target backup data first.
Clean-Room and Bare-Metal Recovery
Once the mainframe data is protected in Amazon S3, the flexible nature of the cloud can be used to recover an entire mainframe installation from virtually anywhere in the world, provided there is a fast-enough IP connection available.
Typically, organizations building this type of third-copy solution would have an optimized route to the S3 bucket, such as AWS Direct Connect.
Below, Figure 3 describes the recovery architecture in three steps:
- Starting the initial program load (IPL) or booting via the mainframe’s hardware management console (HMC) of a one-pack system.
- Once the recovery system has been IPLed connect to S3 via the Model9 agent for data recovery from the cloud.
- Recovering all mainframe data from the cloud leveraging the parallel architecture of Model9 data transfer outlined in Figure 3.
Figure 3 – Data recovery architecture.
AWS and Model9 present a best practice-based approach to secure mainframe data from ransomware attacks or any other source of logical data corruption. Leveraging the scale, performance, and innovation of AWS allows mainframe customers to achieve cyber resiliency faster and more efficiently than with an on-premises solution.
Software-defined cloud solutions are inherently more flexible than on-premises hardware that needs to be procured and installed, and which requires regular maintenance and eventually replacement. A cloud-based object storage solution, on the other hand, can be scaled up or down in a matter of minutes; tiering can be adjusted on the fly, and complex maintenance becomes a remnant of the past.
Having a distinct infrastructure for the enterprise’s cyber solution also reduces the likelihood of attacks by adversaries who are familiar with common vulnerabilities, design flaws, and misconfigurations of mainframe-based solutions.
A third-data copy is a tool of last resort, and does not eliminate the need to have a solid cybersecurity solution in place, based on a holistic zero-trust concept. Model9 Shield and AWS can extend an on-premises cybersecurity architecture into a hybrid-cloud model that offers the enterprise better and faster protection, as well as more flexibility at a lower total cost of ownership (TCO) than other solutions on the market.
Model9 – AWS Partner Spotlight
Model 9 is an AWS Migration and Modernization Competency Partner that helps enterprises benefit from cloud economics while accelerating digital transformation and adoption of hybrid cloud architectures.