Q&A

Iron Giant: Q&A with the Father of Mainframe Security

Barry Schrager, the original architect of mainframe security, hasn't lost faith that his approach to securing the enterprise is the superior approach. And he believes the future of security can be found in the past.

By Scott Berinato

CSO: Five or 10 years?

Schrager: Yes. In the early '70s, the computing industry was a bunch of odd ducks. It was anyone with a computer center that wasn't closed. It was universities, service bureaus and the Department of Defense. I didn't get input from private industry or from financial institutions at all, even though they used mainframes. Then in '77, the Foreign Corrupt Practices Act dictated that companies had to prove they were securing international transactions. Suddenly, everyone got on board.

CSO: Radically insecure private sector, followed by legislation that forces companies to adopt more secure practices. That sounds awfully familiar.

Schrager: Yes. What you're seeing now with Sarbox, HIPAA and other things. I've seen this before.

CSO: We tend to characterize the current security landscape as new and uncharted territory. You're saying it's not?

Schrager: Not at all. Take identification. How many do you have? Too many, right? One of the biggest concerns as mainframes took off was identities. All these mainframe guys were complaining they had too many and it was hard to manage them all. That was a huge problem on the mainframes! We talked authorization, about logical security and journaling capabilities. Now they call it authentication, authorization and accounting, AAA, but it's the same concepts that we were talking about in 1974.

CSO: Of the security concepts from the mainframe that you believe can help improve enterprise security today—including making data protection default on, simplifying enterprise architecture and centralizing security—which is most important?

Schrager: The most important lesson we should have is to have a conceptually centralized security approach. Nowadays we have SAP, Oracle and everyone else having their own security. What we really need to create is a framework for a single security approach. We also really need a centralized place that recognizes an attack in progress on a computer. If you have to look at billions of log entries stored all over the place to find unusual events in your enterprise, it's too late.

CSO: It sounds like you're saying we need more architects and fewer engineers.

Schrager: Yes. We need a lot more architects. And a lot more cooperation between the people designing products. Cooperation with other people designing products around their products. How do I provide better enterprisewide security? I get Oracle and SAP to provide a common interface that allows me to manage and use one security product regardless of the applications I'm using.

CSO: And to do this you say we should rely on mainframes for security.
