Mainframes are built to be far more reliable and scalable than common endpoints and systems. However, the security guarding the valuable data they hold may not always meet the same standard.

But what can be done to strengthen mainframe security?

Today’s most advanced mainframes can process billions of high-value transactions per day — and if you’re authenticating users with passwords alone, it may be time to go multifactor.

What Is Multifactor Authentication?

Multifactor authentication (MFA) is an increasingly important tool for validating the identity of users accessing everything from desktops to cloud-based resources. MFA creates friction for attackers with minimal disruption to legitimate users.

How does it do this? MFA inspects multiple identifying factors associated with a specific user account. These factors can range from physical tokens to a user’s biometric and behavioral traits. Whatever the details, MFA throws a wrench into attackers’ plans by raising the authentication assurance level that the system can demand of a specific user.

Don’t Leave the Mainframe Key Under the Doormat

Mainframe infrastructure is different from most user-facing elements of an enterprise’s IT environment — and MFA may not be top of mind as an element of mainframe security.

Mainframes hold more mission-critical and sensitive data than any other platform. They also typically sit in a physically secured data center. Since only a small number of expert users work in these facilities, it’s tempting to think of mainframes as secure by default. However, these are not isolated systems — to achieve their high return on investment (ROI), mainframes must still connect to myriad systems and people outside of the data center.

The problem of password insecurity that affects smartphones, cloud-based systems and more also applies to mainframes. In fact, the stakes are much higher because mainframes store some of the enterprise’s most sensitive assets. Besides the threat of data theft, other risks include costly fines for regulatory noncompliance.

Attackers know mainframes hold vital data, and they do their best to steal the passwords that get them past the gate. No matter how physically secure they are, mainframes are typically accessed by network connections, which are often protected by passwords alone. If a threat actor gains the privileges of an authorized user, he or she may be able to bypass other security features of the mainframe itself.

Not even pervasive encryption can prevent data loss on its own if it’s transparent to a legitimate login that has been stolen. Every security administrator knows passwords can be compromised — whether through malicious or negligent insider behavior or brute-force guessing. Trusted and honest users also share passwords innocently for convenience, potentially exposing their credentials to interception.

A Layered, Flexible Approach to Mainframe Security

Strong security systems are all about reducing risk and closing the gaps that intruders can sneak through, but their value is greatly diminished if they interrupt or delay users or require complex changes to the security infrastructure. Mainframe users must carefully steward the resources they have access to — and every minute counts.

By adopting an MFA solution for mainframe security, administrators can present a layered defense without requiring any third-party software or hardware between a user’s remote system and the mainframe itself. Depending on the authorization method chosen, the solution can be hosted entirely on the mainframe.

Because risks vary, this MFA approach is flexible. The security administrator defines which authentication factors are appropriate and determines which users must supply additional factors. IBM MFA for z/OS, for example, is designed to centralize the valid factors within the context of the IBM Resource Access Control Facility (RACF), as well as CA Top Secret and CA Access Control Facility 2 (ACF2).

These factors can include:

  • Passwords and passphrases;
  • Cryptographic token devices, including both hardware and software-based tokens like RSA SecurID and Gemalto’s SafeNet Authentication Service tokens;
  • Entry of a time-based one-time password (TOTP) generated from a variety of sources, including IBM TouchToken, IBM Verify and any RADIUS-based server; and
  • Certificate-based authentication, including smart cards, personal identity verification (PIV) cards and common access cards (CACs).
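
The password-plus-TOTP combination from the list above, as an added example (not code from IBM MFA for z/OS or from this article): RFC 6238 code verification with a per-user factor policy and rejection of replayed codes. The `Verifier` class, the `make_user` helper and the sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

ITERATIONS = 100_000  # PBKDF2 work factor for this sample only

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the number of elapsed steps."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def make_user(password: str, totp_secret=None) -> dict:
    """Constructed sample record; totp_secret=None means password-only."""
    salt = b"constructed-salt"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}

class Verifier:
    """Hypothetical policy store: the administrator decides who needs TOTP."""

    def __init__(self, users: dict):
        self.users = users
        self.last_step = {}  # user -> last accepted time step (replay guard)

    def login(self, user, password, code, now, step=30, window=1) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        if not hmac.compare_digest(pw, rec["pw_hash"]):
            return False
        if rec["totp_secret"] is None:
            return True  # no second factor required for this account
        if code is None:
            return False  # a stolen password alone is not enough
        current = now // step
        for s in range(current - window, current + window + 1):
            if s <= self.last_step.get(user, -1):
                continue  # step already consumed: reject replayed codes
            expected = totp(rec["totp_secret"], s * step, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[user] = s
                return True
        return False
```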

Although mainframe security tends to fall off organizations’ radar, IT leaders should implement at least as much protection on these systems as they would on any mobile device, application or cloud-based service. After all, mainframes typically hold the enterprise’s crown jewels, making them prime targets for attackers. Given these high stakes, MFA is a must-have for any mainframe system administrator.
