Sunday, 20th September 2020

Mainframe Security: Why Authentication is the Elephant in the Room

By Keith Banham, mainframe R&D manager at Macro 4, a division of UNICOM Global.

IBM continues to spend millions on bringing new security and compliance advances to the mainframe, making it extremely attractive to banks, government departments and the military – or indeed any organisation seeking watertight security and privacy. The latest z15 mainframe, for example, combines pervasive encryption with new data privacy passport technology which lets enterprises protect and control access to data both on the mainframe and across hybrid cloud environments.

Any platform, however, is only as secure as its weakest link, and for the mainframe that link is authentication. Perhaps surprisingly, while mainframes are renowned for being highly secure in other ways, the elephant in the room is that they still depend largely on passwords for access control, even though it is widely accepted that a password on its own offers insufficient protection.

79 per cent of mainframe professionals who took part in a Macro 4 survey at the last GSE UK mainframe user conference said relying on password authentication alone poses a security risk. Nearly three-quarters (74 per cent) want stronger protection such as multi-factor authentication (MFA), which requires two or more independent checks or ‘factors’, for example a one-time code from a token or app, or a fingerprint scan, in addition to something the user knows.

Despite the widespread recognition of its benefits, adoption of MFA on the mainframe has been slow, with just 27 per cent of respondents in the same survey saying that their organisation had implemented it.

MFA technology is already proven. It has been both available and widely used in the open systems environment for many years. MFA for the mainframe has also been around for a while; IBM launched its z/OS MFA solution, which works closely with its RACF security manager, back in 2016, and subsequently introduced a more complete MFA solution in 2017. Other non-IBM MFA and security managers have also been available for some time.


What has held back MFA adoption?

Given that organisations understand the need for MFA, and the technology is available, the big question is: why hasn’t it been more widely adopted in the mainframe world?

There are a number of underlying issues. Like any new technology rollout, deploying and supporting MFA will incur costs, and there are the usual challenges of getting new projects agreed and budgeted ahead of other, competing, priorities. It is also a relatively new technology to many IT staff on the mainframe side, who may not have experience of working with MFA or confidence in how to implement it.

There might also be an element of complacency. The mainframe is one of the most secure platforms in IT history and IBM is continually introducing new security features. This might lead some IT teams to treat MFA as a low priority, but inertia like this brings real security risks. Using passwords alone for user authentication effectively leaves the door open to increasingly sophisticated cyber criminals. They know that mainframes contain a treasure trove of business-critical and sensitive information and that passwords are relatively simple to steal, phish or crack, making them a hugely attractive target. Credential misuse is rife: the 2020 Verizon Data Breach Investigations Report found that over 80 per cent of breaches involving hacking used brute force or lost or stolen credentials.


The disconnect between mainframe and non-mainframe authentication

One other, less frequently discussed issue might explain the slow adoption of MFA by the mainframe community: the disconnect between authentication in the mainframe and non-mainframe worlds. For example, very few enterprises are using a single, cross-platform authentication mechanism (single sign-on) which can authenticate users to access both mainframe and non-mainframe applications.

Connecting the two separate worlds has a number of benefits, particularly around costs and user experience. Deploying one single sign-on system costs less, and takes less time to implement, than running and supporting a separate authentication system for each environment. It also increases productivity. Users can switch seamlessly between mainframe and non-mainframe systems throughout the working day without wasting time going through separate login routines, and without the hassle of having to remember multiple login credentials.

These benefits explain why 39 per cent of survey respondents said MFA is more likely to be deployed if the same system could be used for both mainframe and non-mainframe environments. 63 per cent also pointed to the fact that supporting multiple authentication systems ties up IT resources.


Creating a single cross-platform authentication system

Deploying the same authentication method across different platforms, all of which have their own underlying security processes, is not a common practice. However, the benefits (and reduction in risk), especially for the mainframe, should make it a priority.

Cross-platform MFA can be successfully implemented in-house if the skills are at hand. Alternatively it is possible to use an off-the-shelf solution. A good starting point is to implement single sign-on, along with MFA, at the Windows login level, as this is where most users commonly access enterprise IT. Authentication can be synchronised between Windows and the mainframe so that a user's Windows login is accepted by the mainframe security manager, usually RACF, without a second password prompt. After signing on once, users can access and switch between their authorised applications, whether on Windows or the mainframe. The security gain only holds if the mainframe enforces the same policy on every entry point: if TN3270, FTP, SSH or batch sessions can still be opened with a RACF password alone, the MFA performed at the Windows desktop protects nothing behind it.

This approach simplifies the user experience and reduces the overall IT workload. It also enables the mainframe to benefit from the latest identity management and access technology available on Windows – such as advanced geolocation – without needing these capabilities to be implemented on the mainframe platform itself.
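Whichever front end performs the initial login, the factor has to be enforced where the mainframe accepts the credential. The following is an added example, not code from the article or from Macro 4, showing a RACF-side configuration for IBM Z Multi-Factor Authentication submitted as a TSO batch job. The user ID JSMITH, the policy name TOTPONLY and the JOB card values are constructed; the factor name AZFTOTP1, the MFADEF class and the MFA segment keywords are assumed from the IBM MFA documentation as I recall it and should be checked against the release in use. The point of the example is the last ALTUSER: with MFA(PWFALLBACK), the default many sites leave in place during enrolment, the user can still log on with a password alone, which is exactly the gap the article describes.

```jcl
//RACFMFA  JOB (ACCT),'ENABLE MFA',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*  Added example (not from the article): enable IBM MFA for one
//*  RACF user under a TOTP-only policy.  JSMITH, TOTPONLY and the
//*  JOB card are constructed; AZFTOTP1 and the MFADEF/MFA keywords
//*  are assumed from the IBM MFA documentation - verify on your release.
//*
//*  Order matters: activate the class, define the factor and policy,
//*  enrol the user, then switch off password fallback.  Until
//*  NOPWFALLBACK is set, MFA(PWFALLBACK) lets JSMITH log on to TSO,
//*  TN3270, FTP or batch with a RACF password only.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(MFADEF) RACLIST(MFADEF)
  RDEFINE MFADEF FACTOR.AZFTOTP1
  RDEFINE MFADEF POLICY.TOTPONLY +
    MFPOLICY(FACTORS(AZFTOTP1) TOKENTIMEOUT(300) REUSE(NO))
  ALTUSER JSMITH MFA(FACTOR(AZFTOTP1) ACTIVE TAGS(REGSTATE:OPEN))
  ALTUSER JSMITH MFA(POLICY(TOTPONLY))
  ALTUSER JSMITH MFA(NOPWFALLBACK)
  SETROPTS RACLIST(MFADEF) REFRESH
  LISTUSER JSMITH MFA NORACF
/*
```

The job needs RACF SPECIAL (or equivalent class authority) to run. Read the LISTUSER output in SYSTSPRT to confirm the factor shows as ACTIVE and that password fallback is off, and repeat that check for every ID that can reach TN3270, FTP or batch: an ID left in fallback is a password-only door regardless of what the Windows login enforces.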

The mainframe is lauded for its security, yet password-only authentication is no longer fit for purpose. While the large majority of mainframe customers acknowledge the need for multi-factor authentication and the benefits it brings, they are wary of the cost and potential implementation challenges. Adopting a cross-platform approach that integrates the same authentication solution, for example across Windows and mainframe environments, simplifies the implementation process, reduces costs and delivers a better user experience.
