Mainframes are built to be far more reliable and scalable than common endpoints and systems. However, the security guarding the valuable data they hold may not always meet the same standard.
But what can be done to strengthen mainframe security?
Today’s most advanced mainframes can process billions of high-value transactions per day — and if you’re authenticating users with passwords alone, it may be time to go multifactor.
What Is Multifactor Authentication?
Multifactor authentication (MFA) is an increasingly important tool for validating the identity of users accessing everything from desktops to cloud-based resources. MFA creates friction for attackers with minimal disruption to legitimate users.
How does it do this? MFA inspects multiple identifying factors associated with a specific user account. These factors can range from physical tokens to a user’s biometric and behavioral traits. Whatever the details, MFA throws a wrench into attackers’ plans by raising the authentication assurance level that the system can demand of a specific user.
Don’t Leave the Mainframe Key Under the Doormat
Mainframe infrastructure is different from most user-facing elements of an enterprise’s IT environment — and MFA may not be top of mind as an element of mainframe security.
Mainframes hold more mission-critical and sensitive data than any other platform. They also typically sit in a physically secured data center. Since only a small number of expert users work in these facilities, it’s tempting to think of mainframes as secure by default. However, these are not isolated systems — to achieve their high return on investment (ROI), mainframes must still connect to myriad systems and people outside of the data center.
The problem of password insecurity that affects smartphones, cloud-based systems and more also applies to mainframes. In fact, the stakes are much higher because mainframes store some of the enterprise’s most sensitive assets. Besides the threat of data theft, other risks include costly fines for regulatory noncompliance.
Attackers know mainframes hold vital data, and they do their best to steal the passwords that get them past the gate. No matter how physically secure they are, mainframes are typically accessed by network connections, which are often protected by passwords alone. If a threat actor gains the privileges of an authorized user, he or she may be able to bypass other security features of the mainframe itself.
Not even pervasive encryption can prevent data loss on its own if it’s transparent to a legitimate login that has been stolen. Every security administrator knows passwords can be compromised — whether through malicious or negligent insider behavior or brute-force guessing. Trusted and honest users also share passwords innocently for convenience, potentially exposing their credentials to interception.
A Layered, Flexible Approach to Mainframe Security
Strong security systems are all about reducing risk and closing the gaps that intruders can sneak through, but their value is greatly diminished if they interrupt or delay users or require complex changes to the security infrastructure. Mainframe users must carefully steward the resources they have access to — and every minute counts.
By adopting an MFA solution for mainframe security, administrators can present a layered defense without requiring any third-party software or hardware between a user’s remote system and the mainframe itself. Depending on the authorization method chosen, the solution can be hosted entirely on the mainframe.
Because risks vary, this MFA approach is flexible. The security administrator defines which authentication factors are appropriate and determines which users must supply additional factors. IBM MFA for z/OS, for example, is designed to centralize the valid factors within the context of the IBM Resource Access Control Facility (RACF), as well as CA Top Secret and CA Access Control Facility 2 (ACF2).
These factors can include:
- Passwords and passphrases;
- Cryptographic token devices, including both hardware and software-based tokens like RSA SecurID and Gemalto’s SafeNet Authentication Service tokens;
- The entry of a timed one-time use password (TOTP) generated from a variety of sources, including IBM TouchToken, IBM Verify and any RADIUS-based server; and
- Certificate-based authentication, including smart cards, personal identity verification (PIV) cards and common access cards (CACs).
Although mainframe security tends to fall off organizations’ radar, IT leaders should implement at least as much protection on these systems as they would on any mobile device, application or cloud-based service. After all, mainframes typically hold the enterprise’s crown jewels — making them prime targets for attackers. Given these high stakes, MFA is must-have for any mainframe system administrator.
Learn more about IBM Multi-Factor Authentication for z/OS
Offering Manager, IBM
Mike Zagorski has over 20 years’ experience with IBM and is currently an Offering Manager in IBM Security division with a focus on IBM Z. He is responsible...