Mainframe Security in a Changing Regulatory Landscape: Aligning with NYDFS, DORA, and Beyond
Regulatory Pressure Mounts for Mainframe Security
Organizations reliant on mainframes for critical business processes are facing increasing regulatory pressure to modernize their security and identity frameworks. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation and Europe’s Digital Operational Resilience Act (DORA) are expanding expectations for resilience, access control, and proof of security effectiveness, regardless of the system handling sensitive data.
Mainframes Pose Unique Challenges
Mainframes, often in use for decades, pose unique challenges due to their siloed identity and access models, which can make it difficult to implement modern security controls. The skills required to operate mainframes are rare, and changes to these systems can be risky. However, regulatory mandates are clear: if regulated data touches a legacy system, it is in scope.
“The mandates don’t care what system handles the data; they care about protecting personally identifiable data, credit card data, and other sensitive information.” – Barbara Ballard, Rocket Software Principal Product Manager
The compliance challenge is not about the platform label, but about data flows and business impact. As Ballard notes, “Nobody said what system had to be protected; they said what data had to be protected and how.” This creates a challenge for global businesses, which must map overlapping requirements, normalize controls, and determine what auditors should expect to find in environments they may not understand well.
Mainframes Remain Widely Used
Mainframes remain widely used in finance, travel, retail, and other industries because of their stability, performance, and long security track record. However, their distinctive security model can leave them behind modern expectations. Mainframe identity and access tend to be siloed: enterprise credentials do not automatically extend to the mainframe, and common web-era standards such as SAML or OIDC do not apply.
Improving Mainframe Compliance
To improve mainframe compliance, organizations can take practical steps, including mapping regulated data flows, prioritizing access controls, and implementing compensating controls where needed. This may involve adopting measures such as role-based data masking/redaction at the terminal layer, encryption in transit, and hardened client configurations.
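As an added illustration of the role-based masking/redaction mentioned above, the following Python example is constructed for this page and is not Rocket Software's product code or any mainframe's own logic. It models a fixed-width terminal screen (3270-style), a field map giving where each regulated field sits, and a per-role policy that decides whether a field is shown in full, with only its last four characters, or fully masked. The screen layout, field positions, role names, and sample values are all assumptions; the point is that redaction is applied by position and policy before the screen reaches the user, and that an unknown role gets nothing in clear text.

```python
import re
from dataclasses import dataclass

# Constructed screen width; classic terminal screens are fixed-width rows.
SCREEN_WIDTH = 40
MASK_CHAR = "*"


@dataclass(frozen=True)
class Field:
    name: str     # logical field name referenced by the policy
    row: int      # zero-based row on the screen
    col: int      # zero-based starting column
    length: int   # field width in characters


# Assumed field map for a hypothetical "customer inquiry" screen.
FIELD_MAP = (
    Field("name", 0, 6, 20),
    Field("account", 1, 6, 12),
    Field("ssn", 2, 6, 11),
)

# Hypothetical role policy. Per field: "full" (clear text), "last4"
# (all but the final four characters masked) or "none" (fully masked).
# A field absent from a role's entry is fully masked: deny by default.
ROLE_POLICY = {
    "teller": {"name": "full", "account": "last4"},
    "fraud_analyst": {"name": "full", "account": "full", "ssn": "last4"},
    "auditor": {"name": "full"},
}


def mask_value(value: str, mode: str) -> str:
    """Mask a fixed-width field value, preserving its length and layout.

    Separators (dashes, spaces) are kept so the screen stays readable;
    every other character is replaced. Values of four characters or fewer
    are fully masked even in "last4" mode, so nothing leaks whole.
    """
    if mode == "full":
        return value
    data = value.rstrip()          # trailing spaces are padding, not data
    pad = value[len(data):]
    if mode == "last4" and len(data) > 4:
        return re.sub(r"[^\s-]", MASK_CHAR, data[:-4]) + data[-4:] + pad
    return re.sub(r"[^\s-]", MASK_CHAR, data) + pad


def redact_screen(lines, role, field_map=FIELD_MAP, policy=ROLE_POLICY):
    """Return a redacted copy of the screen for the given role.

    Rows are padded to SCREEN_WIDTH so field slicing is position-stable.
    Unknown roles fall through to an empty policy and see every mapped
    field fully masked.
    """
    allowed = policy.get(role, {})
    out = [line.ljust(SCREEN_WIDTH) for line in lines]
    for f in field_map:
        line = out[f.row]
        value = line[f.col:f.col + f.length]
        mode = allowed.get(f.name, "none")
        out[f.row] = line[:f.col] + mask_value(value, mode) + line[f.col + f.length:]
    return out


# Constructed sample screen; the values are fictitious.
SCREEN = [
    "NAME: JANE Q PUBLIC",
    "ACCT: 123456789012",
    "SSN:  123-45-6789",
]

if __name__ == "__main__":
    for role in ("teller", "fraud_analyst", "auditor", "intern"):
        print(f"--- as {role} ---")
        for row in redact_screen(SCREEN, role):
            print(row.rstrip())
```

The policy is deliberately deny-by-default: a field that is not listed for a role is masked, and a role that is not listed at all sees only masked fields. In a real deployment the field map would be generated from the screen definitions and the policy would be tied to the same identity source used for the mainframe logon, so that the redaction decision and the access decision agree.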
Modernization Must Balance Security with Usability
Ultimately, modernization must balance security with usability. Long-time users may be productive on traditional interfaces, while newer users require more modern-looking interfaces. The goal is to increase security using multifactor authentication, encryption, and redaction without disrupting operations.
Conclusion
As regulatory pressure continues to mount, organizations must adapt their mainframe security strategies to meet the evolving expectations of NYDFS, DORA, and other regulatory frameworks. By taking a proactive approach to mainframe security, organizations can ensure the protection of sensitive data and maintain compliance with regulatory mandates.
