In my last article I outlined why, for a number of reasons, mainframe shops are growing increasingly aware of the importance of bolstering security on their ‘Big Iron’ box. Despite that, in this piece I want to discuss why some organizations are procrastinating over introducing important technology that’s now available to help them strengthen mainframe security: multi-factor authentication (MFA), available from IBM and other vendors.
MFA works with IBM’s Resource Access Control Facility (RACF) to improve security surrounding application access. It goes beyond the traditional mainframe password verification system, introducing a more rigorous approach that involves authentication using multiple steps or factors. For example, through MFA you can require users to enter a time-restricted randomized PIN generated by an external device, such as a mobile app or pin-pad, which in turn may have required biometric verification such as a fingerprint scan.
In a Macro 4 poll conducted last year, 67 per cent of mainframe executives agreed that multi-factor authentication is a more secure way to control access to the mainframe, when compared with relying solely on passwords. Nevertheless, conversations we’re now having with our partners and others within the mainframe community indicate there is a hesitation about implementing MFA. Why?
One of the biggest barriers is ‘push-back’ from end users who are unhappy about being forced to learn and embrace new and unfamiliar authentication systems that aren’t as convenient or simple as typing in a user ID and password. This kind of end-user resistance is not unique to the mainframe, however. In a recent survey, 63 per cent of decision makers in large enterprises said they experienced a backlash from employees who did not want to use multi-factor authentication.
In the case of the mainframe, perhaps there’s also a hint of complacency. Some mainframers may still hark back to the old days when the platform was immune to many security risks – the era when it was essentially a closed-off system that was only accessible to specialist users within the confines of the data center.
But we need to recognize that the modern connected mainframe is now a different beast altogether, vulnerable to most of the same risks as any other enterprise IT platform. Today, core business applications and databases running on the mainframe are often integrated with web and mobile applications, for example. Large numbers of customer-facing employees – and even customers themselves – interact with the platform, either knowingly or unknowingly; at the same time, IT support teams might be using web and mobile interfaces to support z/OS applications remotely from home or on the move. All this means the mainframe is now more open to hackers and malicious attacks and therefore requires a greater focus on security.
So what can be done to address these end-user issues and encourage faster uptake of MFA?
Obviously there is a need to support any roll-out of MFA with a training program that educates users about the importance of good security on the mainframe, and the risks of relying solely on password authentication. Importantly, to reduce end-user resistance, MFA must be seen to have the full and firm backing of senior leadership across the enterprise – not just IT management and security experts.
Reducing friction with a session manager
At the same time, you need to make MFA as easy and frictionless as possible for the end user and this is where modern mainframe session management software can help.
For example, most mainframe users will be accessing multiple applications every day. That means it’s going to be particularly frustrating if MFA forces them to re-authenticate by generating a new time-restricted PIN via an external device every time they log on to a different application. Especially if they have to go through the same authentication routine every time their application locks them out due to inactivity, or they log out of the application while they take a break or go home at the end of the day, or when they are forced to restart their machine due to a Windows security update, and so on.
Session managers can drastically reduce the friction that MFA can create because they are designed to provide end users with streamlined, single sign-on access to all their applications. If you install MFA directly on a session manager instead of implementing it at the individual application level, end users will only need to log in once using the designated authentication factors. Accessing their applications can either be made automatic, by utilizing PassTicket technology, or they can just use their existing user ID and password, knowing that they have already been authenticated using MFA credentials. If they log out of their session manager to take a break or they are locked out of their session manager due to inactivity then they only have to use their MFA credentials once to log on again and their other applications are immediately available. If they log out of an application or an application times out due to inactivity then they can restart it using the PassTicket technology or just enter their user ID and password again. There is no need to log on to each individual mainframe application using MFA credentials multiple times during the day.
Session managers can provide additional capabilities to make the introduction of MFA a more user-friendly experience, too. For example, if your compliance policies allow it, a session manager can be configured to incorporate help and guidance messages – or reminders about the new authentication process – on the session manager login screen. Doing this can help to reduce end-user teething problems and wasted time, as well as potentially reducing calls to the helpdesk.
Easing the implementation challenge
While multi-factor authentication has been around for many years, it is still relatively new to the mainframe – and is something mainframe development teams will need to invest some time in understanding and rolling out. This is another reason for delays in MFA implementations.
Here again a session manager can provide some relief by cutting down the effort required. For example, if you rely on a session manager to control end-user access, then you will only need to configure the new MFA system in one place – on the session manager – and the job’s done. Compare that to implementing MFA on each application individually – separately configuring and testing every one. A session manager can deliver a significant time saving in this way, particularly for the many organizations running dozens or even hundreds of applications on the mainframe.
Moreover, some older applications may not support MFA at all, so additional systems changes would be needed to make them compatible. In those cases the enterprise might be understandably wary of touching the old systems – especially if they are running important business processes – so a session manager provides a low-risk alternative.
Don’t wait too long
Security measures such as MFA are in danger of being among the IT projects left on the ‘back burner’ due to inertia and the perceived hurdles to overcome. However, with security increasingly becoming a priority on the mainframe – as evidenced by the new security features that IBM has built into the Z14 box – and regulations, such as The Payment Card Industry (PCI) Data Security Standard v3.2.1 (May 2018), which requires MFA as standard, you would be wise not to put your MFA roll-out off for too long. And now that there are ways and means to address end-user resistance and to make implementing MFA a relatively pain-free task, there has never been a better time to get started.