Organizations in sectors like financial services and telecommunications often rely on mainframes to store vast quantities of historical customer data. While this data is critical, it frequently resides in cleartext, posing a significant security risk.
The inherent complexity and age of mainframe application code (e.g. COBOL) and legacy database structures make modifications high-risk, expensive, and time-consuming. Adding to this issue is the scarcity of skilled mainframe developers.
A key concern is that organizations typically want to avoid installing agents directly on mainframes because doing so can impact performance, introduce operational risks, and is often unsupported or restricted. Furthermore, sensitive data is often replicated from the mainframe to other systems.
This replication increases the attack surface, particularly when data traverses trust boundaries or different security zones. These downstream systems may also incorporate external enrichment data, such as geolocation or behavioural information, which must be protected with the same rigour as the original mainframe data.
Accessing data on mainframes introduces unique security challenges due to legacy protocols like TN3270, which are still widely used for terminal-based sessions.
Supporting TN3270 terminal sessions is a critical yet complex requirement for protecting data on mainframes. These legacy access methods allow users to interact directly with sensitive data, often out of reach of modern security controls. Because TN3270 transmits data in real time to user screens, protecting information at the point of display becomes essential.
This requires dynamic masking enforced according to the user's role, and the ability to apply policies inline, all without disrupting the user experience. The broader challenge lies in achieving unified visibility and control across both database replication and terminal access, so that consistent, robust data protection can be enforced at every point where data leaves the mainframe.
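The role-based dynamic masking described above, as an added illustration that is not code from the original article or from any vendor product: a small policy engine that rewrites terminal screen fields before they are displayed. The screen-field representation, the policy table, the role names and the field names are all hypothetical; real 3270 screens carry their fields in a binary data stream, but the two properties a practitioner would check are the same ones this example enforces: masks preserve field length so fixed-width screen layouts are not disturbed, and any field or role with no explicit policy is fully masked rather than shown in the clear.

```python
"""Role-based dynamic masking applied inline to terminal screen fields.

Hypothetical example. Real TN3270 screens are a binary field stream; here a
screen is modelled as a list of named, positioned text fields so the policy
logic can be shown on its own.
"""
from dataclasses import dataclass

# Hypothetical policy table: role -> field name -> masking strategy.
#   "clear"   show the value unchanged
#   "partial" keep only the last four characters
#   "full"    replace every character
POLICY = {
    "fraud_analyst": {"account": "clear", "ssn": "partial", "balance": "clear"},
    "call_centre":   {"account": "partial", "ssn": "full", "balance": "clear"},
}

# Deny by default: a field or role missing from the table is fully masked.
DEFAULT_STRATEGY = "full"


@dataclass
class ScreenField:
    row: int   # screen row the field is rendered at
    col: int   # screen column the field is rendered at
    name: str  # logical field name the policy is keyed on
    value: str


def apply_mask(value: str, strategy: str) -> str:
    """Return the masked value; the result always has the same length as the input."""
    if strategy == "clear":
        return value
    if strategy == "partial":
        keep = value[-4:] if len(value) > 4 else ""
        return "*" * (len(value) - len(keep)) + keep
    if strategy == "full":
        return "*" * len(value)
    raise ValueError(f"unknown masking strategy {strategy!r}")


def mask_screen(fields, role):
    """Apply the role's policy to every field on the screen.

    Returns the rewritten fields plus an audit list of (field, strategy) for
    each field that was actually altered, suitable for logging who saw what.
    """
    role_policy = POLICY.get(role, {})
    masked, audit = [], []
    for f in fields:
        strategy = role_policy.get(f.name, DEFAULT_STRATEGY)
        new_value = apply_mask(f.value, strategy)
        if new_value != f.value:
            audit.append((f.name, strategy))
        masked.append(ScreenField(f.row, f.col, f.name, new_value))
    return masked, audit


# Constructed sample screen (not real customer data).
SAMPLE_SCREEN = [
    ScreenField(3, 10, "account", "4000123456789012"),
    ScreenField(4, 10, "ssn", "123-45-6789"),
    ScreenField(5, 10, "balance", "10250.00"),
    ScreenField(6, 10, "note", "VIP customer"),  # no policy entry -> fully masked
]


def layout_preserved(original, masked):
    """Check that masking changed no field's position or width."""
    return all(
        (o.row, o.col, len(o.value)) == (m.row, m.col, len(m.value))
        for o, m in zip(original, masked)
    )


if __name__ == "__main__":
    for role in ("fraud_analyst", "call_centre", "unknown_role"):
        screen, audit = mask_screen(SAMPLE_SCREEN, role)
        print(f"--- role: {role}")
        for f in screen:
            print(f"  r{f.row:02d}c{f.col:02d} {f.name:<8} {f.value}")
        print(f"  masked fields: {audit}")
```

Running the script prints each role's view of the same screen. The audit list is what a monitoring pipeline would want: it records, per session, which sensitive fields were masked and by which rule, giving the unified visibility across terminal access that the text calls for without ever logging the cleartext values themselves.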