Mainframes are built to be far more reliable and scalable than common endpoints and systems. However, the security guarding the valuable data they hold may not always meet the same standard.

But what can be done to strengthen mainframe security?

Today’s most advanced mainframes can process billions of high-value transactions per day — and if you’re authenticating users with passwords alone, it may be time to go multifactor.

What Is Multifactor Authentication?

Multifactor authentication (MFA) is an increasingly important tool for validating the identity of users accessing everything from desktops to cloud-based resources. MFA creates friction for attackers with minimal disruption to legitimate users.

How does it do this? MFA inspects multiple identifying factors associated with a specific user account. These factors can range from physical tokens to a user’s biometric and behavioral traits. Whatever the details, MFA throws a wrench into attackers’ plans by raising the authentication assurance level that the system can demand of a specific user.

Don’t Leave the Mainframe Key Under the Doormat

Mainframe infrastructure is different from most user-facing elements of an enterprise’s IT environment — and MFA may not be top of mind as an element of mainframe security.

Mainframes hold more mission-critical and sensitive data than any other platform. They also typically sit in a physically secured data center. Since only a small number of expert users work in these facilities, it’s tempting to think of mainframes as secure by default. However, these are not isolated systems — to achieve their high return on investment (ROI), mainframes must still connect to myriad systems and people outside of the data center.

The problem of password insecurity that affects smartphones, cloud-based systems and more also applies to mainframes. In fact, the stakes are much higher because mainframes store some of the enterprise’s most sensitive assets. Besides the threat of data theft, other risks include costly fines for regulatory noncompliance.

Attackers know mainframes hold vital data, and they do their best to steal the passwords that get them past the gate. No matter how physically secure they are, mainframes are typically accessed by network connections, which are often protected by passwords alone. If a threat actor gains the privileges of an authorized user, he or she may be able to bypass other security features of the mainframe itself.

Not even pervasive encryption can prevent data loss on its own if it’s transparent to a legitimate login that has been stolen. Every security administrator knows passwords can be compromised — whether through malicious or negligent insider behavior or brute-force guessing. Trusted and honest users also share passwords innocently for convenience, potentially exposing their credentials to interception.

A Layered, Flexible Approach to Mainframe Security

Strong security systems are all about reducing risk and closing the gaps that intruders can sneak through, but their value is greatly diminished if they interrupt or delay users or require complex changes to the security infrastructure. Mainframe users must carefully steward the resources they have access to — and every minute counts.

By adopting an MFA solution for mainframe security, administrators can present a layered defense without requiring any third-party software or hardware between a user’s remote system and the mainframe itself. Depending on the authorization method chosen, the solution can be hosted entirely on the mainframe.

Because risks vary, this MFA approach is flexible. The security administrator defines which authentication factors are appropriate and determines which users must supply additional factors. IBM MFA for z/OS, for example, is designed to centralize the valid factors within the context of the IBM Resource Access Control Facility (RACF), as well as CA Top Secret and CA Access Control Facility 2 (ACF2).

These factors can include:

  • Passwords and passphrases;
  • Cryptographic token devices, including both hardware and software-based tokens like RSA SecurID and Gemalto’s SafeNet Authentication Service tokens;
  • The entry of a timed one-time use password (TOTP) generated from a variety of sources, including IBM TouchToken, IBM Verify and any RADIUS-based server; and
  • Certificate-based authentication, including smart cards, personal identity verification (PIV) cards and common access cards (CACs).

Although mainframe security tends to fall off organizations’ radar, IT leaders should implement at least as much protection on these systems as they would on any mobile device, application or cloud-based service. After all, mainframes typically hold the enterprise’s crown jewels — making them prime targets for attackers. Given these high stakes, MFA is must-have for any mainframe system administrator.

Learn more about IBM Multi-Factor Authentication for z/OS

More from Identity & Access

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

What is the Future of Password Managers?

In November 2022, LastPass had its second security breach in four months. Although company CEO Karim Toubba assured customers they had nothing to worry about, the incident didn’t inspire confidence in the world’s leading password manager application. Password managers have one vital job: keep your sensitive login credentials secret, so your accounts remain secure. When hackers compromise these software applications, the entire industry of identity and access management (IAM) takes notice. As an alliance of tech giants leads a global push…

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…