Approximately 9 in 10 IT executives surveyed indicated that their organization promotes hybrid architectures, according to the most recent report by the IBM Institute for Business Value (IBV). Companies in highly regulated industries such as financial services are steadfast on maintaining a robust on-prem mainframe infrastructure to keep their mission-critical operations and data highly available, resilient and protected. But many of their noncritical services have moved or are moving to a hybrid cloud architecture, which is flexible yet highly complex. Applications, workloads and data can be dispersed across multicloud, mainframe and edge environments, and there is inherent complexity in such a highly distributed architecture.
IBM’s client engagements have shown that many enterprises have the added complexity of having built their hybrid architectures in a piecemeal fashion—as specific needs arose. Organizations that have adopted cloud in pursuit of “quick wins” have seen technology applied inconsistently across the business. These inconsistencies create heterogeneous and siloed environments that drive up complexity and costs, in addition to inhibiting the ability to transform the more critical workloads and meet ongoing business demands. This hybrid-by-default approach has left IT dictating business limitations rather than creating the flexibility and scalability needed to address current and future business demands.
Common byproducts of a hybrid-by-default approach include a lack of integration, data that’s siloed within applications and cloud sprawl. A hybrid-by-default approach often results in fragmentation, high costs and limited opportunities for innovation, according to the IBV report, Mainframes as mainstays of digital transformation. The IT teams that support these applications and environments too often find themselves siloed and honing different and incompatible skill sets.
There’s a better way—one that has “three-quarters of executives reporting positive results” in key areas, including operations, security and compliance, according to the IBV report. It’s known as hybrid by design and is an approach to building a cloud architecture that’s intentional and business-first focused. According to the IBV report, 88% of executives say that modernizing mainframe applications in a hybrid-by-design environment is a crucial step in their digital transformation journey. Among the key priorities underpinning successful hybrid-by-design initiatives is the “[creation] of a consistent development and operational experience across platforms.” This cross-platform consistency paves the way for consolidation, which can significantly reduce complexity. And complexity in the design of your IT architecture can increase risk and make complying with the various regulations difficult.
Building hybrid enterprise cloud architectures that address a key challenge—compliance—is increasingly important. To help ensure that sensitive business and individual data is protected, industries and government agencies continually introduce regulations requiring mandatory compliance. The increase in laws and regulations to reduce risk and preserve privacy, security, safety and ethical standards makes compliance a priority for many industry leaders as costly fines loom over them.
The IBV survey indicates that a hybrid-by-design approach “improves consistency in sharing skills and data across platforms, as well as consolidating operations and unifying security and compliance policies.” Taken together, this is a critical benefit because compliance touches all aspects of an organization’s technology environment and all industries.
Hybrid by design provides simplification and standardization around IT security tools and processes, bringing higher-standard cloud security measures and consistent tooling for cost-reduction opportunities. A 2024 paper from IBM Consulting® on how to maximize the value of hybrid cloud in the era of AI asserts, “Hybrid by design can increase the speed of detecting and addressing cyberattacks and is secured by design—no matter where the workload runs.” Greater consistency of data and processes can leave organizations better equipped to meet business regulations.
The Mainframes as mainstays of digital transformation report concludes that “a hybrid by design approach recognizes the central role of mainframes in storing and sharing critical data.” It can be argued that the mainframe is also the platform best suited to the consolidation of highly distributed IT assets.
This platform can help organizations eliminate complexity and lay the groundwork for simplifying and ensuring regulatory compliance. When organizations keep the mainframe at the center of their hybrid cloud architecture—and build it intentionally—regulatory compliance becomes far less of a reason for IT leaders to fear the audit process.
There’s an important role for mainframe hybrid cloud capabilities and built-in compliance and security controls, which enable organizations to quickly prepare for dynamic regulatory changes.
The mainframe platform is built to help your organization address regulatory standards in several ways. The most advanced mainframe systems boast various certifications, including Federal Information Processing Standards (FIPS) 140-2, Level 4, and Common Criteria for Information Technology Security Evaluation. Such advanced systems are designed to deliver insights into your organization’s compliance status to help you address potential risks associated with noncompliance by providing vital information before an audit.
The Digital Operational Resilience Act (DORA), European Union Artificial Intelligence (EU AI) Act and Payment Card Industry Data Security Standard (PCI DSS) are regulations some organizations must comply with. Equally important are compliance with and attainment of Common Criteria Evaluation Assurance Levels (EAL), PCI PIN and Hardware Security Module (HSM) certifications.
Taking advantage of our IBM Z® Security and Compliance Center (zSCC) and IBM Z Multi-Factor Authentication (IBM Z MFA) software solutions can help you prepare for compliance.
IBM Z Security and Compliance Center (zSCC) software is an integrated set of microservices that collects evidence data from participating IBM software components and products. It works with your IBM Z platform, whether you’re running IBM® z/OS®, Linux® or Red Hat® OpenShift® on IBM Z. This approach is designed to address the complexity and ambiguity associated with compliance audits by providing automated fact collection and clear one-to-one mappings of regulations.
The zSCC software automates assessments, monitoring and reporting for IBM Z systems and supports your adherence to regulatory standards as it collects and validates this data against the expected compliance controls. In addition, CISOs receive current views of their compliance posture to help facilitate and accelerate the remediation process.
The zSCC has many predefined profiles to support various compliance requirements and cybersecurity standards, and recently a DORA predefined profile was added. Predefined profiles do the heavy lifting of mapping the compliance regulations to the relevant controls on the mainframe. Done manually, this mapping consumes human, capital and energy resources that could be used to greater effect elsewhere.
Key capabilities of zSCC include monitoring, automation and visibility, process standardization and auditor collaboration. Integrated encryption and streamlined policy management round out its capabilities. The offering features dashboard-style visualizations that track compliance drift against historical compliance scores, while automated data validation helps increase visibility into potential compliance oversights.
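To make the evidence-to-control flow described above concrete, here is an added illustrative example of the underlying idea: a predefined profile maps a regulation to a set of controls, each collected piece of evidence is validated against its control, the pass rate becomes a compliance score, and the score is compared with earlier scores to expose drift. This is not zSCC code and does not reflect its internal design; the control identifiers, profile mappings, evidence keys and sample evidence values are all constructed for the example.

```python
"""Illustrative compliance-evidence evaluation.

Constructed example only: control IDs, profile mappings and evidence keys are
hypothetical and do not correspond to zSCC's real profiles or data model.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str          # hypothetical identifier
    description: str
    evidence_key: str        # name of the collected fact this control inspects
    check: Callable[[Any], bool]


# Constructed control catalogue (identifiers are hypothetical).
CONTROLS: Dict[str, Control] = {
    "ENC-01": Control("ENC-01", "Data sets at rest are encrypted",
                      "dataset_encryption_enabled", lambda v: v is True),
    "AUTH-01": Control("AUTH-01", "MFA enforced for privileged users",
                       "mfa_enforced_privileged", lambda v: v is True),
    "PWD-01": Control("PWD-01", "Password lifetime is at most 90 days",
                      "password_max_days",
                      lambda v: isinstance(v, int) and 0 < v <= 90),
    "LOG-01": Control("LOG-01", "Audit logging is active",
                      "audit_logging_active", lambda v: v is True),
}

# Constructed "predefined profiles": regulation name -> controls it requires.
# The mapping is illustrative, not the real control set of either regulation.
PROFILES: Dict[str, List[str]] = {
    "PCI-DSS-sample": ["ENC-01", "AUTH-01", "PWD-01", "LOG-01"],
    "DORA-sample": ["ENC-01", "LOG-01"],
}

# Constructed evidence snapshot, as a collector might report it.
SAMPLE_EVIDENCE: Dict[str, Any] = {
    "dataset_encryption_enabled": True,
    "mfa_enforced_privileged": False,   # control will fail
    "password_max_days": 120,           # control will fail
    "audit_logging_active": True,
}


def evaluate_profile(profile_name: str, evidence: Dict[str, Any],
                     controls: Dict[str, Control] = CONTROLS,
                     profiles: Dict[str, List[str]] = PROFILES
                     ) -> Tuple[float, List[str]]:
    """Validate evidence against every control in a profile.

    Returns (score as a percentage, sorted list of failing control IDs).
    Missing evidence counts as a failure: an unknown state cannot be
    presented to an auditor as compliant.
    """
    results: Dict[str, bool] = {}
    for cid in profiles[profile_name]:
        ctl = controls[cid]
        value = evidence.get(ctl.evidence_key)
        results[cid] = value is not None and bool(ctl.check(value))
    passed = sum(1 for ok in results.values() if ok)
    score = round(100.0 * passed / len(results), 1)
    failures = sorted(cid for cid, ok in results.items() if not ok)
    return score, failures


def compliance_drift(history: List[float], current_score: float) -> float:
    """Change from the most recent historical score.

    A negative value means the posture drifted toward noncompliance since
    the last assessment; with no history there is nothing to drift from.
    """
    if not history:
        return 0.0
    return round(current_score - history[-1], 1)


if __name__ == "__main__":
    for name in PROFILES:
        score, failing = evaluate_profile(name, SAMPLE_EVIDENCE)
        print(f"{name}: {score}% compliant, failing controls: {failing}")
    # Constructed history of earlier PCI-DSS-sample scores.
    print("drift:", compliance_drift([100.0, 75.0],
                                     evaluate_profile("PCI-DSS-sample",
                                                      SAMPLE_EVIDENCE)[0]))
```

The point a practitioner should take from this is the separation of concerns: the regulation-to-control mapping lives in the profile, the technical check lives in the control, and the collector only has to supply facts. Adding a new regulation is then a new profile over existing controls rather than a new round of manual interpretation, which is the work the predefined profiles are meant to remove.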
In addition, the IBM Z Multi-Factor Authentication (IBM Z MFA) offering helps ease compliance with regulatory requirements. Designed specifically for z/OS, IBM z/VM® and Linux on IBM Z systems, IBM Z MFA uses multiple authentication factors to enhance the security of user logins to critical applications and data. In addition to helping secure logins against cyberthreats, IBM Z MFA can help you address the compliance requirements of numerous regulations, including PCI DSS*, NIST, GDPR, PSD2, CCPA and LGPD.
*PCI DSS 4.0 requires multifactor authentication.
The opportunity for new technologies to be built on the mainframe platform is expansive. By using mainframe platform-specific security capabilities together with IBM Z security software, regulated industries can deploy workloads in a manner that’s more outcome-oriented, securable and compliant.