Iron Giant: Q&A with the Father of Mainframe Security

Barry Schrager, the original architect of mainframe security, hasn't lost faith that his approach to securing the enterprise is the superior approach. And he believes the future of security can be found in the past.

October 17, 2007 — CSO — The whole idea that data needs to be protected, and that users need to convince a computer that they're worthy of seeing the data on that computer—in other words, the entire information security industry—exists because of some punk undergraduates at the University of Illinois.

It was the early 1970s and, as Barry Schrager remembers it, the undergrads were accessing the mainframe in order to trash graduate students' research data. But why? "Just for fun," says Schrager, who at the time was assistant director at Illinois' computer center. Schrager realized that the mainframe, the data on it, needed protection from a perpetual threat that one should never underestimate: typical undergraduate behavior.

By 1972, IBM had learned of Schrager's security efforts and asked him to create a security project for its flagship mainframes. The foundation of this work with IBM, called the Share project, was based on the concept of system integrity, meaning a normal user must be incapable of bypassing the formal interfaces of an operating system to gain access. It seems obvious now, but back then, with a bunch of researchers sharing a few big computers in a collegial atmosphere, it was a fresh, even daring idea. To look at data, you had to have permission. Later in the '70s, Schrager would develop ACF2, a mainframe authentication mechanism that succeeded IBM's own software, RACF. ACF2 and its descendants are still used today.

Fast-forward three-plus decades and Schrager, like everyone, sees an entirely different computing landscape. Yet when he thinks about how to secure it, he keeps coming back to the original tenets that came out of 1972. He keeps returning to centralized authentication, to simplification, to shared services, to default protection. He keeps coming back to mainframes. CSO Executive Editor Scott Berinato spoke with Schrager, who now works with software and services provider Vanguard Integrity Professionals, still preaching the mainframe-centric security gospel. Schrager spoke about his faith in the mainframe security model, the challenges he sees in securing today's enterprise and how information security problems that we think are new are nothing of the sort.

CSO: What was the primary concept behind the Share project that you still find so appealing?

Schrager: The concept here was that the application and delivery system shouldn't do their own security. They should be calling a central service. The idea was to specifically take security out of the application. Then, if you have two different ways you're updating payroll, the security will be consistent. If security is not centralized, each payroll is doing its own, you have inconsistency. The idea was to share security. And, beyond the technical, the Share project was the ability for people to get together and work together. Still, it took five or 10 years for applications or vendors to follow suit and externalize security.

1 2 3 »

Barry Schrager

RESOURCE CENTER

buy a link »

E-GUIDE

Log Management in a Cyber World

With so many potential cyber villains poking around the gates, enterprises must have strong protections and pristine visibility into what's happening on the network. Explore the increasing importance of log management as cybercrime and other malicious threats grow.

» Read this eGuide

WHITE PAPER

Comparing Research in Motion and Microsoft Mobile Solutions

Organizations must look carefully at the requirements of mobile devices and accompanying middleware that can increase cost, complexity and administrative overhead. This white paper provides an independent analysis and detailed comparison of RIM and Microsoft's mobile solution.