Hi, this is your host Swapnil Bhartiya, and welcome to a brand new episode of T3M, or Topic of This Month. And the topic of this month is security and compliance, and today we have with us April Hickel, Vice President of Product Management at BMC Software. April, it's good to have you on the show.

Hi, thank you for having me.

When we talk about security, we can look at it from so many different lenses. If you look at traditional IT, security was someone else's problem. Software used to be shipped and, you know, it was run by someone else. But when we, you know, fast forward all the way to the cloud-native, containerized world, security is moving into the developer's pipeline. We talk about shift left, we talk about zero trust. There are so many cultural and technological changes happening. But I want to hear from your perspective, from the perspective of kind of the mainframe community as well: how have you seen the evolution of security?

Well, I think, really just to start out, the mainframe has always had a reputation as being a very secure platform. And I think that over the years, one of the most interesting things that speaks directly to the importance of security is the mainframe survey that we do annually. It was about four years ago that security became the number one priority for our mainframe ecosystem, and that is in both our technical and our business respondents. And since those four years, as we watch it pass, it continues to pull away from priority two and priority three. So I think I would describe it, Swapnil, as: the mainframe is a secure platform with security as the number one priority.

When we look at the modern world, we are living in the multi-cloud, hybrid cloud world. And then we are talking about multi-cloud: it involves mainframe, it involves public cloud, it involves a lot of on-prem as well, which also means we are mixing a lot of workloads, mixing a lot of environments. Mainframe is extremely secure, on-prem can also be secure, but then we move to cloud. So when your customers or users, they do
this multi-cloud, have you seen where there are folks who are still trying to figure security out?

Yes, I would say everybody's still trying to figure out security. Just think about your own experience. You know, every time you log on to an application, you're looking at, oh, what password was that, and a new password, and passwords are getting longer and more complicated. And, you know, this affects all people, right? The end user of a mainframe is the same person who's using an iPhone. So they have to have user credentials. They are on LinkedIn. They are on other social media platforms. They're prone to the same level of security threats, phishing, as everybody else. And I think that the mainframe security posture has been: look, we have a very good security platform, we secure our users. But they're starting to realize that the same types of threats that are being seen everywhere are risks for the mainframe. So we see adoption of enterprise-wide strategy. So, versus trying to secure my data center assets one way and my cloud assets another way, we see customers saying, look, I need to apply the same principles and techniques, the same frameworks, whether it's the MITRE ATT&CK framework, whether it's zero trust, whether it's any of the other security approaches that you're looking at, and you're probably looking at all of them across, uniformly. So at BMC, one of the things that we've done to help clients is we've connected and brought the mainframe into that. So if you're thinking about how do I do secure
certificate management in exactly the hybrid environment that you described, you can do that now in a single way, using a single vendor across your entire set of infrastructure. If you're thinking about micro-segmentation, this is to prevent lateral movement, right? So a bad guy gets in; you know, have them stay contained and not be able to laterally move across your environment. You know, let's do that the same way on the mainframe as we do everywhere else. So we're very focused, I think, in security, on building all of these partnerships so that the customer has an end-to-end solution which can be managed a single way, which can function a single way, which is inclusive from the cloud all the way through their infrastructure, as you've described it.

And when I was listening to you, of course technological solutions are there, but it also needs a lot of cultural change within organizations. So from a cultural perspective, how different is the mainframe ecosystem from the cloud-centric, cloud-native, containerized ecosystem? Because when we are talking to teams and we're asking them to embrace things like shift left, we talk about zero trust, we talk about DevSecOps. I mean, the thing is, there will always be people who are specializing in security, but we are expecting developers to do a lot of those things. So from a cultural perspective, what are you seeing there?

Security is a learning journey for everybody. So let's take a developer. You know, in years past, it was expected that developers use secure coding practices, perhaps, but they weren't being held accountable for also understanding how code scanning worked and understanding the details of SBOMs, where you have a secure bill of materials that's being digitally signed, so you know what's in your package.
So I think that role, all the way through to administrator on the mainframe: you used to be responsible for administering the security credentials of somebody, and now not only that, but you're looking for all privilege escalation, file, you know, file access, file integrity monitoring, all these different things. So everybody's security knowledge is being forced to elevate. It's like everybody has to know about security. Before, when you were a developer, you didn't have to know about some of the things you do now. And I think this forces a cultural change in that security is starting to come forward in everybody's position. You're no longer just an administrator of infrastructure; you're the guardian of that infrastructure, and you've got to think about security in your role. And it's forcing a lot of collaboration. It's not just that the security operation center sits, you know, as an overseer of security and it's their job. That has really come down into being everybody's job, and then even from administrators, as you rightly pointed out, it's shift left into development. So I think security awareness in culture is important. I think really an understanding of the implication of security tools and how they work is important. And it's important that administrators, developers, and the security operation center have a holistic approach to how they're going to secure from delivery of the software all the way through implementation in their own systems.

When we do look at organizations, what are they doing realistically? Because security, you know, once again, it should become part of their processes. That's what we expect there, but should there be specific teams
besides security who are responsible for security, like DevSecOps we talk about? What I'm trying to understand is that in the traditional world there used to be silos, right? Networking folks and storage folks, you know, security folks. But now those silos are breaking, but there are still folks who specialize in security, and security is not enough folks; we just, you know, they love security. There are people who love networking. So what I'm trying to understand is that, as much as we like to talk about it, what is happening in reality?

So I would say that there's a security consolidator. So if you think about an organization, right, I would argue that there are probably still network specialists, Linux specialists, CICS specialists, and mainframe. So you're always going to have people that specialize in a function. Today in security in the mainframe, there are still people who specialize in the access control technology that all customers run, whether it's RACF or ACF2 or Top Secret. Those people know how to administer those user profiles and those tools. However, there's a consolidator. So what you really need is a system to detect anomalies and threats into that, and you need to elevate the information about those anomalies and threats, and you probably need automation. And that's probably going to elevate to a centralized group. The security operation center still has a key role in really consolidating all the threat vectors that are out there and then making sure they have an automated response or a runbook or playbook, or however they call it, to quickly respond. Now, one of the, you know, the cautions I give customers is, especially as mainframe becomes more and more integrated into your standard enterprise approach to security, you also have to bring some of that specialty knowledge, either directly or through some sort of tooling. Because, you know, somebody copies your security database from the mainframe and you send notification to the security operations center
and nobody in there knows what that type of file or database is, unique because it has all the user IDs and passwords in it. You know, that's different. So, you know, you have to blend it. But I would say, our customers, the thing I hear from more and more customers is: we want a single approach to doing something, certificate management a perfect example, and we want it connected to the expertise we have in the security operations center, where they're really good at handling incident response.

Can you also talk about, you know, BMC solutions? How do you folks help customers, irrespective of whether they are pure mainframers or they also have a mix of, you know, other technologies, so that they can improve their security?

Two things that I think that we do really well to help customers. The first thing that we do is we've built a detection solution based on years and years of doing penetration testing in customers' environments. So we've taken all of the knowledge from our penetration testing practices, from the individuals who hack into mainframe systems, and we've built that into threat intelligence, and we've embedded that in a system which allows us to quickly recognize if one of those security access points exists in your environment. And with that, we can provide notification to a security operation center with the enrichment about that so that they know what to do. We can also automate response. So if we see something, as an example, like a user with a privilege doing something that they don't normally do, we can withdraw those privileges from the user to prevent anything.
So that's sort of one thing; I would call it detect, respond, and integrate with the SOC. Then the second thing we've done is we've built specific mainframe connectors for the mainstream enterprise products that the security operations teams are already familiar with. So if you're doing certificate management and you're securing your connections, it is likely that you're using Venafi, and we have built a mainframe connector to Venafi so you can use the same administrative team that you have, the same people that look after it, the same people that configure it, the same people that respond to it, and that now covers your mainframe. Similarly, we've built and delivered a connector for Illumio, who specializes in network segmentation. So I think, you know, along those two vectors: really understanding, based on lots and lots of very specific and detailed mainframe knowledge, our protection intelligence, and then combining that with connections to these, what I'll call, mainstream specific security use cases, making sure they cover the mainframe.

As you earlier also talked about, when it comes to mainframe, security is one of the strengths. But, you know, the ecosystem is changing; folks are leveraging all these technologies. What can the distributed or cloud-native world learn from the mainframe security approach? Are you seeing that, no, they are moving in the right direction, or do you have some advice for them:
hey, this is how they should approach security, whether it comes to solutions or it comes to, you know, just practices?

My recommendation is that there's always been a great deal of discipline around the mainframe, and that has been really driven from the high standards of resilience, reliability, performance that have been expected. And so I would say, you know, the disciplined approach to understanding and configuring your security profiles is a discipline that's strong on the mainframe. However, I feel the mainframe has a lot to learn from the distributed side, as the attack surfaces and sort of the experience in the public-facing systems has really created a lot of lessons learned, so whether it be, you know, poor configurations in a cloud system which allow a user to get in. So, you know, applying the discipline of the mainframe to the, really to the frameworks which have come out from incident management on the distributed side, you know, bringing those together would be my advice. Discipline. Pick a framework. Look at zero trust. Look at the DISA STIGs. Look at the MITRE ATT&CK framework. And make sure you're taking that really intentional approach to your configuration, to your code testing, to your detection, notification, and response process.

April, thank you so much for taking time out today to talk about security, mainframe security, actually, in general, multi-cloud security. I really appreciate your insights and I would love to talk to you again soon.

Thank you. Thank you so much.