
Mainframe State of the Platform: 2025 Security Assessment
Over the past four years, NetSPI has established itself as a leader in mainframe penetration testing, conducting dozens of comprehensive security assessments across multiple industries. This extensive hands-on experience, spanning financial services, healthcare, government, and other sectors, provides us with unique insight into the current cybersecurity landscape facing enterprise mainframe environments.
Despite decades of evolution in enterprise computing, mainframe systems continue to serve as the backbone of critical business operations across industries worldwide. These systems process trillions of dollars in transactions daily, manage sensitive customer data, and support essential infrastructure that modern businesses depend upon. But the very characteristics that make mainframes indispensable—their longevity, stability, and deep integration into business processes—also bring forward unique cybersecurity challenges that require special expertise and attention.
We’ve observed that the security posture of these critical systems varies dramatically across organizations, with some implementing robust, defense-in-depth strategies, while others maintain configurations that would be considered inadequate for far less critical infrastructure. This is particularly concerning given the sensitive nature of data and processes these systems typically handle.
This analysis presents our findings on prevailing security trends, common implementation gaps, and emerging challenges observed across enterprise mainframe deployments. Our goal is to provide security professionals and business leaders with actionable intelligence to better understand and improve their mainframe security posture.
Current Market Landscape
Many businesses remain heavily dependent on mainframe technology, with over 71% of Fortune 500 financial institutions relying on mainframes for mission-critical workloads¹. Our assessments across multiple financial institutions reveal several key security trends driving investment priorities:
- Multi-Factor Authentication Implementation: While adoption remains limited, financial institutions are increasingly implementing multi-factor authentication for mainframe access, with deployment rates growing year over year.
- Cryptographic Modernization: The industry is transitioning from legacy DES password hashing algorithms to more robust AES implementations, reflecting a broader commitment to modern cryptographic standards.
- Network Architecture Challenges: Network segregation between mainframe infrastructure and corporate environments remains quite rare. Among dozens of client engagements, only one organization had effectively segregated their mainframe environment.
- Security Analytics Integration: While most organizations successfully transmit SMF records from z/OS to SIEM environments, the analysis and response to generated alerts often falls short when compared to other technologies.
- Regulatory Compliance Pressure: Requirements from PCI-DSS, SOX, GDPR, and emerging standards such as the EU’s Digital Operational Resilience Act (DORA) are driving enhanced mainframe security controls, though adoption rates remain slower than anticipated.
Organizational Alignment
IT and Cybersecurity Communication – A major organizational challenge we see across most client environments is the disconnect between mainframe IT teams and cybersecurity organizations. In most of our assessments, CISO offices and cybersecurity teams have limited visibility into their mainframe security posture, often due to historical organizational silos and communication barriers between teams. This gap frequently results in cybersecurity policies that don’t translate well to mainframe environments or security requirements that aren’t properly implemented on the mainframe side. The specialized nature of mainframe technology, combined with the critical operational requirements these systems support, creates a situation where mainframe teams operate with significant independence while cybersecurity teams lack clear insight into actual security controls and risk exposure.
Security Capability Assessment
Our pentests over the years reveal significant variations in cybersecurity control implementation across the industry. The table below presents an assessment of capabilities, overall observations, and commentary based on penetration testing findings across multiple mainframe environments observed during various security assessments.
Capability | Implementation Level² | NetSPI Observations |
---|---|---|
Multi-Factor Authentication | Limited Implementation | The organic growth of mainframe environments over decades has created complex authentication pathways that are difficult to map. Organizations wish to avoid implementing changes that could inadvertently cause service disruptions, resulting in slower multi-factor authentication deployment than we see on other platforms. |
Increased Maximum Password Length | Limited Implementation | Due to past design decisions, the maximum length of a RACF password was 8 characters. This was rectified decades ago, allowing passwords of up to 100 characters. However, for the same reasons multi-factor authentication is not widely implemented, we’ve rarely come across a site that has implemented long passwords (called passphrases) in z/OS. |
TSO User Enumeration Prevention | Infrequent Implementation | Despite IBM introducing the TSO option TSOPASSWORDPREPROMPT a decade ago, implementation remains uncommon due to similar operational concerns regarding system stability and availability. |
Dataset Access Controls³ | Limited Implementation | Multiple tools enable attackers to map datasets and their access permissions effectively. The vast number of datasets combined with data availability concerns creates challenges for appropriate access control implementation. Overprivileged dataset access remains a consistent finding across virtually all of our assessments. |
APF Authorized Dataset Protection | Wide Implementation | Allowing access to APF authorized datasets essentially provides administrative privileges, making their protection critical for system integrity, confidentiality, and availability. Most organizations have done a good job implementing appropriate controls for these high-risk datasets, though we have seen this ineffectively implemented in development environments and in some production environments. |
Job Output Security | Infrequent Implementation | Assessments frequently reveal job output containing sensitive client or system information. Only a small number of organizations have implemented access restrictions limiting visibility to job owners or groups. Most organizations should be implementing robust job output protection. |
Pervasive Encryption | Rarely Implemented | While pervasive encryption represents one of the most advanced data-at-rest encryption implementations available at the file system level, we haven’t encountered it at any client sites to date. This technology enhances dataset protection by decoupling file system access rights from data access rights and is strongly recommended for highly confidential datasets. |
MVS Command Authorization | Mixed Implementation | While most enterprises appropriately restrict MVS commands that enable administrative functions, many organizations still permit unrestricted access to DISPLAY commands. These commands provide system configuration information that can help attackers understand and navigate the environment. |
TSO Authorized Command Security | Wide Implementation | Most clients have properly secured TSO authorized command tables, though we still occasionally find unexpected programs in these critical tables. |
CICS Default User Access | Rarely Implemented | CICS default configuration allows users to exit the signon screen while maintaining their connection, enabling transaction access without authentication. IBM recommends configuring GMTRAN to DISCONNECT rather than the default EXIT setting. We’ve only observed this recommended security configuration implemented at one of our clients. |
CICS Transaction Security | Wide Implementation | External security managers (RACF, ACF2, TopSecret) enable effective restriction of CICS transaction access, particularly for high-risk transactions such as CECI and CEMT. Production environments typically implement appropriate access controls, though non-production environments often have more relaxed protections, sometimes enabling unauthorized activities through default CICS users. |
Secure Communication (TN3270) | Generally Well Implemented | Most organizations have implemented TLS security for web, TN3270, and other connections, though we occasionally see multiple TN3270 servers without consistent TLS implementation across all instances and sometimes no TLS implementation. |
Secure Communication (FTP) | Rarely Implemented | Despite FTP’s capability to encrypt both authentication and data transmission, most of our assessments still find unencrypted FTP servers, representing a gap that’s often easy to address. |
Network Segmentation | Rarely Implemented | Effective network segmentation has been observed at only one client organization. Most enterprises allow direct access to mainframe systems from corporate networks, often with broad connectivity. In some cases, we’ve even discovered mainframe systems allowing direct access from the internet. |
Egress Filtering | Mixed Implementation | While corporate network egress filtering is commonly implemented, mainframe-specific egress controls are often overlooked. We’ve successfully demonstrated direct connections from mainframe environments to cloud-hosted systems on multiple engagements, allowing us to exfiltrate sensitive information without generating any alerts. |
z/OS UNIX Filesystem Permissions | Rarely Implemented | Limited Unix expertise among mainframe system programmers can result in misconfigured z/OS Unix file permissions, creating situations where critical files become world-writable or sensitive information becomes world-readable. |
z/OS UNIX Privileged Command Protection | Generally Well Implemented | Organizations have largely implemented appropriate access controls for dangerous z/OS Unix commands, particularly extattr, which enables users to grant APF authorization to Unix executables. |
SMF Logging | Well Implemented | Most organizations have implemented solid SMF logging capabilities within z/OS environments. |
Syslog Logging | Rarely Implemented | While SMF record implementation is generally good, we’ve observed that syslog logging implementation remains less consistent. |
Log Centralization | Rarely Implemented | Although z/OS logging enablement is well understood by system programmers, log transmission to enterprise SIEM systems for correlation isn’t as common as we’d expect. Despite the availability of multiple commercial products enabling mainframe log integration with SIEM platforms such as BMC AMI and Splunk, deployment remains limited. |
Real-Time Security Monitoring | Rarely Implemented | Organizations that successfully centralize SMF and Unix syslog records often don’t fully leverage this data for analysis and response capabilities. Many organizations don’t generate alerts for obvious indicators of compromise, which limits the security value of their logging investments. |
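The monitoring gap described in the SMF, syslog and Real-Time Security Monitoring rows is often closable with simple detection logic over records that are already being collected. The following Python is an added example, not NetSPI's code or tooling: it runs over constructed, one-line-per-event samples loosely modelled on RACF ICH408I messages (real ICH408I output is multi-line and SMF type 80 records have their own layout), and the APF dataset list and the failure threshold are assumed values.

```python
import re
from collections import Counter

# Constructed sample events, loosely modelled on RACF ICH408I syslog messages and
# simplified to one line per event (real ICH408I output spans several lines).
SAMPLE_LOG = """\
ICH408I USER(TSTUSR1 ) GROUP(DEVGRP  ) NAME(TEST USER 1) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
ICH408I USER(TSTUSR1 ) GROUP(DEVGRP  ) NAME(TEST USER 1) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
ICH408I USER(TSTUSR1 ) GROUP(DEVGRP  ) NAME(TEST USER 1) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
ICH408I USER(TSTUSR1 ) GROUP(DEVGRP  ) NAME(TEST USER 1) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
ICH408I USER(TSTUSR1 ) GROUP(DEVGRP  ) NAME(TEST USER 1) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
ICH408I USER(OPS01   ) GROUP(OPSGRP  ) NAME(OPERATOR) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
ICH408I USER(DEVUSR2 ) GROUP(DEVGRP  ) NAME(DEV USER 2) SYS1.LINKLIB CL(DATASET ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
ICH408I USER(DEVUSR2 ) GROUP(DEVGRP  ) NAME(DEV USER 2) DEV.TEST.DATA CL(DATASET ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

INVALID_PW = re.compile(r"ICH408I USER\((\S+)\s*\).*INVALID PASSWORD ENTERED")
DS_VIOLATION = re.compile(
    r"ICH408I USER\((\S+)\s*\).*?(\S+) CL\(DATASET \).*?"
    r"ACCESS INTENT\((\w+)\s*\) ACCESS ALLOWED\((\w+)\s*\)"
)

# Assumed site-specific values; in practice take these from the system's APF list.
APF_DATASETS = {"SYS1.LINKLIB", "SYS1.LPALIB", "PROD.APF.LOADLIB"}
SENSITIVE_PREFIXES = ("SYS1.",)
WRITE_INTENTS = {"UPDATE", "CONTROL", "ALTER"}


def analyze(log_text, pw_threshold=5):
    """Return alerts for password guessing and write attempts on sensitive datasets."""
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = INVALID_PW.search(line)
        if m:
            failures[m.group(1)] += 1  # invalid passwords per userid
            continue
        m = DS_VIOLATION.search(line)
        if m:
            user, dsn, intent, allowed = m.groups()
            sensitive = dsn in APF_DATASETS or dsn.startswith(SENSITIVE_PREFIXES)
            # A denied READ on a test dataset is noise; a denied UPDATE/ALTER on an
            # APF or SYS1 library is a strong signal worth a real-time alert.
            if sensitive and intent in WRITE_INTENTS:
                alerts.append(f"ALERT dataset: {user} attempted {intent} on {dsn} (allowed {allowed})")
    for user, count in sorted(failures.items()):
        if count >= pw_threshold:
            alerts.append(f"ALERT logon: {user} had {count} invalid password attempts")
    return alerts
```

On the sample above the function raises two alerts: the denied UPDATE on SYS1.LINKLIB and the five invalid passwords for TSTUSR1, while the single failure for OPS01 and the denied READ on a test dataset stay below the alert line.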
What You Can Do About It
As a cybersecurity professional, it’s important to ensure your critical systems are following appropriate security guidelines and configuration standards. For z/OS, fortunately, there are several excellent resources available:
- NIST Recommended Security Checklist: https://ncp.nist.gov/checklist/55
- Broadcom ACF2 and TopSecret Security Guidelines: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/using-stig-articles.html and https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/using-stig-articles.html
- CIS Benchmark for RACF: https://www.cisecurity.org/benchmark/ibm_z
These guides should be reviewed and used for gap analysis against your current implementation to understand where your mainframe sits relative to industry standards. They’ll also help you identify which controls may not be appropriate for your specific environment.
Additionally, mainframe systems and their applications should be treated just like any other critical system in your environment. They should be scanned by vulnerability scanners on a regular basis and have regular penetration tests covering network components, the operating system, databases such as DB2, and the CICS and IMS applications you’re likely running. For more information about NetSPI’s offerings in these areas visit https://www.netspi.com/netspi-ptaas/network-penetration-testing/mainframe/
The Bottom Line
If you ask other mainframe cybersecurity researchers, they’ll tell you that z/OS is the most securable platform available. And they’re absolutely right—almost everything we find in our testing is preventable through proper configuration and management. The question is really about how much effort and attention organizations want to dedicate to securing these critical environments.
While these observations might not shock experienced mainframe professionals, for such critical infrastructure, we hope these findings encourage organizations to take a fresh look at their mainframe security investments and priorities. The good news is that most of these issues are entirely solvable with the right focus and resources.
Sources
1. https://planetmainframe.com/2022/12/relevance-of-mainframe/
2. These observations are based on NetSPI experience at multiple client sites running z/OS and one of RACF, ACF2 or TopSecret.
3. Dataset access evaluation specifically examines excessive read, update, control, or alter permissions to sensitive system datasets.