Regulatory pressure is mounting for organizations such as banks, airlines and hotel chains that depend on mainframes to run many of their critical business processes. But how can you shoehorn mainframes, some of which have been running for decades, into modern security and identity frameworks?
"I wouldn't say that the mainframe is something that people were to adopt today, but most of the large industries that have been with the mainframe for a long time stick with them because it works," said Rocket Software Principal Product Manager of Host Connectivity Barbara Ballard in a recent CRA webcast.
The skills to run a mainframe are rare, the documentation can be sparse, and changes to a mainframe system can be risky when their applications may be ancient and the humans operating them even older. Yet legal frameworks such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation and Europe's Digital Operational Resilience Act (DORA) are expanding expectations for resilience, access control, and proof of security effectiveness, no matter what kind of system handles the data.
"The mandates don't care," Ballard added. "What they're protecting is personally identifiable data, credit card data, some form of sensitive data that shouldn't be shared with people that don't have a need to access it."
That principle reshapes how organizations should view "legacy" environments like mainframes under modern regulations: if regulated data touches a legacy system, it's in scope.
Finally, modernization must balance security with usability. Some longtime users will be maximally productive on green screens, while newer users need more approachable, modern-looking interfaces. The goal is to increase security using MFA, encryption and redaction without disrupting operations.
How new mandates change expectations of mainframe
Security and GRC teams increasingly face a reality that didn't exist decades ago when many still-running mainframes were first switched on: regulatory mandates and updates arrive constantly.
"It seems like we see a new one, or talk of a new one, or new requirements for an existing regulatory standard every week," noted Rocket Software Principal Product Manager Kris Lall on the same webcast.
NYDFS requirements and other state-level rules emphasize demonstrable controls such as multifactor authentication (MFA), while DORA focuses on operational resilience for financial services. Broader mandates such as PCI DSS, HIPAA, and GDPR raise the bar for access controls, auditability, encryption, and timely patching. The compliance challenge is less about the platform label and more about data flows and business impact.
"Nobody said what system had to be protected," Ballard said. "They said what data had to be protected and how."
Colliding regulations create "crosswalking" work for global businesses that must map overlapping requirements, normalize controls, and determine what auditors should expect to find in environments they may not understand well. As webcast host Adrian Sanabria observed, auditors sometimes ask for controls that don't translate cleanly to mainframes, forcing regulated organizations to justify compensating controls.
"What do you typically see folks doing when the auditor asks them to do X, but you have to do Y or Z instead, because X just isn't possible there?" Sanabria asked his guests.
"They just ask for an exception because there's no tools to be able to do that on the mainframe," Ballard replied.
Why mainframes are uniquely challenging — and uniquely risky
Mainframes remain widely used in finance, travel, retail, and other industries that computerized early because the systems are stable, highly performant, and historically secure. But that "different" security model is also why they can fall behind modern expectations.
Ballard emphasized that mainframes tend to be siloed in identity and access, but in a good way. Enterprise credentials don't automatically extend to the mainframe, and common web-era standards don't apply.
"When you have a mainframe, you log into the enterprise [systems] with some credentials," she explained. "You log into the mainframe with different credentials. They're not the same. … The mainframe doesn't support SAML or OIDC."
Yet modern regulations increasingly lean on strong authentication, passwordless strategies, and centralized IAM governance. Much of this is difficult to graft onto a mainframe, but Rocket Security sees it as a challenge.
"We're finally getting to the point where you can protect your host systems just like you do your other enterprise systems," Lall said.
"We're also open to the fact that if we don't have a solution for your problem, we'd love to hear the problem, because you're not the only one," Ballard added. "If we don't have a solution today, we'll figure out how to, even if it's not about buying and selling software."
Practical approaches to improve mainframe compliance
The most manageable solution is to treat mainframe environments as part of the enterprise control fabric rather than an exception zone. Practical steps include:
- Map regulated data flows: Determine whether PII, payment data, or other regulated data is stored, displayed, or transits mainframe applications.
- Prioritize access controls: Implement MFA on mainframe access and reduce reliance on passwords using available capabilities (e.g., Kerberos) or layered controls in front of host access.
- Use compensating controls where needed: You don't want to rewrite legacy applications, so instead adopt measures such as role-based data masking/redaction at the terminal layer, encryption in transit, and hardened client configurations.
- Improve audit readiness: Document how each mandated control's intent is met, especially where a specified control might not be possible, but another method might achieve an equivalent outcome.
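The steps above fit together into one control at the terminal layer: classify what a screen is about to display, apply a need-to-know policy per role, and record the decision for the auditor. The Python below is an added example of that pattern; it is not Rocket Software or IBM code, and the screen layout, field labels, role names, user ids and the policy table are all constructed for illustration. It detects payment card numbers by digit pattern plus the Luhn check and SSNs by pattern, masks everything but the last four digits for roles without clearance, treats an unknown role as least privilege, and emits one audit event per regulated field so the "masked" or "revealed" decision can be shown during an audit.

```python
"""Role-based redaction of regulated data at the terminal (emulator/proxy) layer.

Added example. The roles, policy, field labels and sample values below are
constructed for illustration and are not taken from any vendor product.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: the data classes each role may see in the clear.
ROLE_CLEARANCE = {
    "fraud_analyst": {"PAN", "SSN"},  # documented need-to-know for both
    "call_center_agent": set(),       # sees only masked values
    "auditor": set(),                 # verifies the control, not the data
}

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")
# 13-19 digits, optionally separated by single spaces or dashes (typical PAN widths)
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> Optional[str]:
    """Classify a field value as 'PAN', 'SSN' or None (not regulated)."""
    v = value.strip()
    if SSN_RE.fullmatch(v):
        return "SSN"
    # Luhn filters out reference numbers that merely look like card numbers.
    if PAN_RE.fullmatch(v) and luhn_ok(re.sub(r"\D", "", v)):
        return "PAN"
    return None


def mask(value: str) -> str:
    """Mask all but the last four digits; separators are kept so the field width is unchanged."""
    total_digits = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class Field:
    label: str
    value: str


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    label: str
    data_class: str
    action: str  # "masked" or "revealed"


def redact_screen(fields: List[Field], user: str, role: str) -> Tuple[List[Field], List[AuditEvent]]:
    """Apply the role policy to every field; return the redacted screen and its audit trail."""
    clearance = ROLE_CLEARANCE.get(role, set())  # unknown role -> least privilege
    redacted, events = [], []
    for f in fields:
        cls = classify(f.value)
        if cls is None:
            redacted.append(f)
        elif cls in clearance:
            redacted.append(f)
            events.append(AuditEvent(user, role, f.label, cls, "revealed"))
        else:
            redacted.append(Field(f.label, mask(f.value)))
            events.append(AuditEvent(user, role, f.label, cls, "masked"))
    return redacted, events


# Constructed sample of a host screen as the emulator would present it.
SAMPLE_SCREEN = [
    Field("CUSTOMER", "J. DOE"),
    Field("CARD NO", "4111 1111 1111 1111"),   # Luhn-valid test PAN
    Field("ACCT REF", "4111111111111112"),     # 16 digits but fails Luhn: not a PAN
    Field("SSN", "123-45-6789"),               # constructed value
    Field("BALANCE", "1,204.55"),
]


def render(fields: List[Field]) -> str:
    return "\n".join(f"{f.label:<10}{f.value}" for f in fields)


if __name__ == "__main__":
    for role in ("call_center_agent", "fraud_analyst"):
        screen, trail = redact_screen(SAMPLE_SCREEN, "user-0001", role)
        print(f"--- view as {role} ---")
        print(render(screen))
        for ev in trail:
            print("AUDIT", ev)
```

The Luhn check is what keeps an ordinary 16-digit reference number from being masked as a card number; which fields actually carry regulated data should still come from the data-flow mapping in the first step rather than from pattern matching alone, and the audit events are what the fourth step asks for: evidence that the redaction control fired for each user and role.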