Q&A

Iron Giant: Q&A with the Father of Mainframe Security

Barry Schrager, the original architect of mainframe security, hasn't lost faith that his approach to securing the enterprise is the superior approach. And he believes the future of security can be found in the past.

By Scott Berinato


Schrager: It's a great option. For some reason people keep thinking that the mainframe is dying. It's actually enjoying growth. But there are ways to adapt the ideas to nonmainframe environments.

CSO: Which era appreciates security more, the current one or the 1970s mainframe era?

Schrager: Right now, it's the same as the early 1980s. People found out you could do these things with security we developed in the 1970s and they jumped on the bandwagon. People are jumping on the bandwagon again, but it's so complex now. And the thing to do is to try and simplify the enterprise.

CSO: But often people will say that to achieve simplicity you must give up flexibility or functionality.

Schrager: If you look at the mainframe, from an application point of view, it's pretty simple but highly functional. Yes, there's complexity behind it. But the point is just because there's a lot going on underneath doesn't mean it has to be complex for the administrator.

CSO: In other words, the current generation hasn't done a good job keeping the complexity under the hood?

Schrager: Right. Take SOA, for example. You have one delivery system passing data through 12 layers of transformation.

CSO: But enterprise computing is so complex now, it seems a little quixotic to think you can simplify.

Schrager: That's why the role-based stuff is coming. I put a person in a role, then create groups of people in similar roles, and I reduce complexity. I categorize the data. Once you start talking about that, you have a better chance. The only way you can deal with it is at the architectural level.

CSO: So the barrier to your vision of simplicity is the up-front cost of transforming the enterprise. Of creating roles and groups and categorizing data and so forth.

Schrager: Yes. You read the discussion lists, and that's a huge problem when you're trying to move over to the simpler approach. One company, it took them a year. It's hard.

CSO: Hard, but you still believe inevitable.

Schrager: It is. Otherwise you are exposed to the atrophy effect. You won't be able to keep up. Systems fail over time, and the more places you have the data, the more rules you have in more places, the worse the problem. Eventually it's not even that you can't keep up, it's that you can't grasp what's going on in the enterprise from a security perspective. Total atrophy.
