Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Mainframe security and EDR mandates: where do federal controls fail?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Federal agencies are being pushed to meet EDR requirements on mainframes that cannot support endpoint agents, creating a compensating-control problem rather than a tooling problem, according to Illumio. The practical issue is how to secure mission-critical legacy workloads without forcing unsupported architecture changes that weaken Zero Trust outcomes.

NHIMG editorial — based on content published by Illumio: How Illumio Helps Federal Agencies Secure Mainframes

By the numbers:

  • Illumio supports a wide range of older and uncommon operating systems, including IBM Z, iSeries, Solaris, AIX, Oracle Linux, Windows Server 2003 and 2008, Citrix, F5, and BMC.

Questions worth separating out

Q: What breaks when EDR is required on systems that cannot support it?

A: The control model breaks because compliance assumes a deployable agent, while some legacy systems cannot host one without destabilising operations.

Q: Why do mainframes complicate Zero Trust programmes?

A: Mainframes complicate Zero Trust because they are often essential, long-lived, and technically incompatible with the same agent-based controls used on modern endpoints.

Q: How do security teams know if compensating controls are actually working?

A: They should test whether segmentation, privilege reduction, and monitoring can stop movement before the vulnerable path reaches critical assets.

Practitioner guidance

  • Define compensating controls for unsupported workloads Build a formal exception path for mainframes and other systems that cannot host EDR, including the control objective, the accepted alternative, and the evidence required for audit.
  • Map legacy workloads to Zero Trust objectives Document how each mainframe or older operating system enforces continuous verification, segmentation, and constrained communication even without endpoint telemetry.
  • Use flow data to prove segmentation boundaries Capture permitted communication paths and reduce east-west exposure so reviewers can see how lateral movement is limited across IBM Z, iSeries, and similar environments.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • How the platform classifies mainframe and legacy workloads using flow data and context rather than endpoint telemetry.
  • Which unsupported operating systems and platform families the article says can still be governed under the same policy approach.
  • Why the article frames segmentation as a compensating control for federal validation and Zero Trust requirements.
  • How the source positions the approach across IBM Z, iSeries, and other legacy environments.

👉 Read Illumio's analysis of mainframe security and federal EDR mandates →

Mainframe security and EDR mandates: where do federal controls fail?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Mainframe security has become a compensating-control problem, not a retirement problem. The article shows that federal agencies are still operating mission-critical systems that cannot support standard endpoint tooling. That makes the control question more important than the age of the platform. If the workload remains in production, the security model has to be designed around its constraints, not around a replacement timeline that may never materialise.

A question worth separating out:

Q: Who is accountable when a legacy system cannot meet a mandated control?

A: Accountability sits with the control owner, the security programme, and the approving authority for the exception. The key question is whether the alternative control was formally defined, tested, and mapped to the original objective. Frameworks such as NIST SP 800-53 and Zero Trust guidance expect evidence of equivalent protection, not a blanket waiver.

👉 Read our full editorial: Mainframe security exposes the gap in federal EDR mandates



   
ReplyQuote
Share: