Several new cybersecurity regulations that focus on establishing precise control of access to sensitive information will enter the playing field in 2018. While this is all well and good, fraudsters can easily bypass this approach. How? By stealing user identities.
Security leaders must ask themselves some tough questions if they hope to achieve compliance before these regulations kick in: Does the organization properly govern access to critical systems? Does it adequately protect the credentials of those who manage cardholder data to prevent man-in-the-middle (MitM) attacks? What other identity protection strategies must be applied to the organization’s security infrastructure?
Where Basic Identity Protection Methods Fall Short
It’s no surprise that many organizations — across all sectors — still use basic authentication based on username and password combinations. This method is simple for security teams to manage and convenient for users to perform when logging in. However, these credentials are also easy for identity thieves to steal.
On the mainframe, malicious actors often take the form of privileged users rather than external attackers. In large environments that house greater volumes of data, the number of critical users who need to access that data increases accordingly. This further complicates the task of protecting user identities.
Multifactor Authentication: A Smarter Solution to Secure User Identities
A strong multifactor authentication (MFA) solution, such as IBM Multi-Factor Authentication for z/OS, can help organizations reduce the risk of identity theft. With the easy-to-implement in-band technique, multifactor credentials flow on a unique authorization channel that is based on the connection between the login application panel and MFA server. Users enter their assigned personal identification number (PIN), as well as the value generated by the SW/HW token. The MFA server then evaluates the credentials and sends feedback to the security server to allow or deny access.
In some cases, it is necessary to use an external server that manages the token life cycle and communicates with the MFA server to verify identities. This is a good solution, but the use of an external server introduces a potential point of failure that can compromise the authentication process.
Applications like IBM TouchToken, which works on iOS and Android operating systems, allow devices to be registered directly on the MFA server via a web interface. The app can then receive tokens for users to enter in the login application panel. IBM MFA V1.3 also introduces compound in-band authentication, which enables users to couple a Resource Access Control Facility (RACF) password with a token code.
Go Beyond Bare-Minimum Compliance With MFA
IBM MFA for z/OS supports myriad types of factors, including RSA SecurID, one-time passwords, TouchToken, Remote Authentication Dial-In User Service (RADIUS), Gemalto’s SafeNet, as well as smart cards like common access cards (CACs) and personal identity verification (PIV) cards. Additional enhancements enable users to log into applications using multiple authentication factors and organizations to exempt users from MFA processes for specific applications.
Most importantly: Out-of-band support bolsters identity protection because the authentication occurs over two separate channels. The first channel is used to authenticate users on the MFA web server after the device is registered and validated. Then, upon the user’s request, the solution generates a token to be used on the second channel where the application receives the credentials.
This token, called CacheTokenCredential (CTC), is stored in the MFA server to be used later in the credential verification phase. The implementation of two authentication paths makes it extremely difficult for attackers to compromise user identities.
As the age-old adage goes, compliance does not equal security. As regulations ramp up in the coming months, security teams must consider replacing basic, bare-minimum security controls with more advanced solutions that do more than simply check compliance boxes. Implementing a multifactor authentication solution that executes verification processes over multiple channels is a step in the right direction.
Senior Security Specialist, IBM