Iron Giant: Q&A with the Father of Mainframe Security

Barry Schrager, the original architect of mainframe security, hasn't lost faith that his approach to securing the enterprise is the superior approach. And he believes the future of security can be found in the past.

October 17, 2007 — CSO — The whole idea that data needs to be protected, and that users need to convince a computer that they're worthy of seeing the data on that computer—in other words, the entire information security industry—exists because of some punk undergraduates at the University of Illinois.

It was the early 1970s and, as Barry Schrager remembers it, the undergrads were accessing the mainframe in order to trash graduate students' research data. But why? "Just for fun," says Schrager, who at the time was assistant director at Illinois' computer center. Schrager realized that the mainframe, the data on it, needed protection from a perpetual threat that one should never underestimate: typical undergraduate behavior.

By 1972, IBM had learned of Schrager's security efforts and asked him to create a security project for its flagship mainframes. The foundation of this work with IBM, called the Share project, was based on the concept of system integrity, meaning a normal user must be incapable of bypassing the formal interfaces of an operating system to gain access. It seems obvious now, but back then, with a bunch of researchers sharing a few big computers in a collegial atmosphere, it was a fresh, even daring idea. To look at data, you had to have permission. Later in the '70s, Schrager would develop ACF2, a mainframe authentication mechanism that succeeded IBM's own software, RACF. ACF2 and its descendants are still used today.

Fast-forward three-plus decades and Schrager, like everyone, sees an entirely different computing landscape. Yet when he thinks about how to secure it, he keeps coming back to the original tenets that came out of 1972. He keeps returning to centralized authentication, to simplification, to shared services, to default protection. He keeps coming back to mainframes. CSO Executive Editor Scott Berinato spoke with Schrager, who now works with software and services provider Vanguard Integrity Professionals, still preaching the mainframe-centric security gospel. Schrager spoke about his faith in the mainframe security model, the challenges he sees in securing today's enterprise and how information security problems that we think are new are nothing of the sort.

CSO: What was the primary concept behind the Share project that you still find so appealing?

Schrager: The concept here was that the application and delivery system shouldn't do their own security. They should be calling a central service. The idea was to specifically take security out of the application. Then, if you have two different ways you're updating payroll, the security will be consistent. If security is not centralized, each payroll is doing its own, you have inconsistency. The idea was to share security. And, beyond the technical, the Share project was the ability for people to get together and work together. Still, it took five or 10 years for applications or vendors to follow suit and externalize security.