Thwarted by IBM Z! - Episode 4

  

IBM Z solutions can process billions of high-value transactions per day.  The platform is built to be reliable, scalable, and securable for the enterprise’s most critical data.  “Securable” includes choices: business decisions related to mitigating risk - and if you’re authenticating users with passwords alone, it may be time to go multi-factor.
 
What Is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is a technology that provides more than the secret knowledge of a password or passphrase to complete a user’s authentication to the system.

How does it do this?
MFA inspects multiple identifying factors associated with a specific user account. These factors can range from physical tokens to a user’s biometric and behavioral traits.   Whatever the details, MFA throws a wrench into attackers’ plans by raising the authentication assurance level that the system can demand of a specific user.


Mitigate Against Malicious Login
IBM Z holds mission-critical and sensitive data, and often sits in a physically secured data center.  Since only a small number of expert users work in these facilities, it may be tempting to think of them as secure by default. However, these are not isolated systems — to achieve their high return on investment (ROI), IBM Z systems often connect to a myriad of systems and people outside of the data center.

The risks of password insecurity that apply to smartphones, cloud-based systems and more also apply to the data center.  In fact, the stakes can be considered higher, because that is where the enterprise’s most sensitive assets are stored.  In particular, users with a high level of privilege or greater access to that data present a greater risk, should their credentials be compromised.

Security guidelines and compliance regulations are increasingly recommending, or even requiring, MFA.  Consider, for example, the Payment Card Industry Data Security Standard (PCI DSS) in the financial industry.  Specifically, PCI DSS 8.3 states, “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.”  Besides the threat of data theft and supply chain attacks, other risks can include costly fines for regulatory noncompliance.

A Layered, Flexible Approach to Mainframe Security
Strong security systems are all about reducing risk and closing gaps of previously accepted business risk, but their value is greatly diminished if they interrupt or delay users or require complex changes to the security infrastructure.  IBM Z security architects must carefully steward the resources they protect.

By adopting an MFA solution for mainframe security, administrators can present a layered defense without requiring any third-party software or hardware between a user’s remote system and the mainframe itself. Depending on the authentication method chosen, the solution can be hosted entirely on the mainframe.

This MFA approach is flexible. The security administrator defines which authentication factors are appropriate and determines which users must supply additional factors. IBM Z Multi-Factor Authentication, for example, is available on supported levels of z/VM and z/OS, and is designed to centralize the valid factors within the context of the IBM Resource Access Control Facility (RACF), as well as Broadcom Top Secret and Broadcom Access Control Facility 2 (ACF2).

These factors can include:
  • Passwords and passphrases
  • Cryptographic token devices, including both hardware and software-based tokens like RSA SecurID, Yubico’s Yubikey and Gemalto’s SafeNet Authentication Service tokens
  • Any RADIUS based solution
  • The entry of a time-based one-time password (TOTP) generated from a variety of sources, including IBM Verify
  • Certificate-based authentication, including smart cards, personal identity verification (PIV) cards and common access cards (CACs)

Authentication on these systems should be at least as strong as, if not stronger than, the mechanisms used on any mobile device, application, or cloud-based service leveraged by your enterprise. After all, IBM Z typically holds the enterprise’s crown jewels, and that data is worth protecting more strongly than ever before.  MFA provides an essential element in that defense-in-depth strategy.
