Several new cybersecurity regulations that focus on establishing precise control of access to sensitive information will enter the playing field in 2018. While this is all well and good, fraudsters can easily bypass this approach. How? By stealing user identities.

Security leaders must ask themselves some tough questions if they hope to achieve compliance before these regulations kick in: Does the organization properly govern access to critical systems? Does it adequately protect the credentials of those who manage cardholder data to prevent man-in-the-middle (MitM) attacks? What other identity protection strategies must be applied to the organization’s security infrastructure?

Where Basic Identity Protection Methods Fall Short

It’s no surprise that many organizations — across all sectors — still use basic authentication based on username and password combinations. This method is simple for security teams to manage and convenient for users to perform when logging in. However, these credentials are also easy for identity thieves to steal.

On the mainframe, malicious actors often take the form of privileged users rather than external attackers. In large environments that house greater volumes of data, the number of critical users who need to access that data increases accordingly. This further complicates the task of protecting user identities.

Multifactor Authentication: A Smarter Solution to Secure User Identities

A strong multifactor authentication (MFA) solution, such as IBM Multi-Factor Authentication for z/OS, can help organizations reduce the risk of identity theft. With the easy-to-implement in-band technique, multifactor credentials flow on a unique authorization channel that is based on the connection between the login application panel and MFA server. Users enter their assigned personal identification number (PIN), as well as the value generated by the SW/HW token. The MFA server then evaluates the credentials and sends feedback to the security server to allow or deny access.

In some cases, it is necessary to use an external server that manages the token life cycle and communicates with the MFA server to verify identities. This is a good solution, but the use of an external server introduces a potential point of failure that can compromise the authentication process.

Applications like IBM TouchToken, which works on iOS and Android operating systems, allow devices to be registered directly on the MFA server via a web interface. The app can then receive tokens for users to enter in the login application panel. IBM MFA V1.3 also introduces compound in-band authentication, which enables users to couple a Resource Access Control Facility (RACF) password with a token code.

Go Beyond Bare-Minimum Compliance With MFA

IBM MFA for z/OS supports myriad types of factors, including RSA SecurID, one-time passwords, TouchToken, Remote Authentication Dial-In User Service (RADIUS), Gemalto’s SafeNet, as well as smart cards like common access cards (CACs) and personal identity verification (PIV) cards. Additional enhancements enable users to log into applications using multiple authentication factors and organizations to exempt users from MFA processes for specific applications.

Most importantly: Out-of-band support bolsters identity protection because the authentication occurs over two separate channels. The first channel is used to authenticate users on the MFA web server after the device is registered and validated. Then, upon the user’s request, the solution generates a token to be used on the second channel where the application receives the credentials.

This token, called CacheTokenCredential (CTC), is stored in the MFA server to be used later in the credential verification phase. The implementation of two authentication paths makes it extremely difficult for attackers to compromise user identities.

As the age-old adage goes, compliance does not equal security. As regulations ramp up in the coming months, security teams must consider replacing basic, bare-minimum security controls with more advanced solutions that do more than simply check compliance boxes. Implementing a multifactor authentication solution that executes verification processes over multiple channels is a step in the right direction.

More from Identity & Access

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today