Multifactor authentication (MFA) and data encryption are the best means of reducing the risk that an attack on a platform succeeds. However, it's critically important to understand that an MFA solution targeted at one platform, say a mobile device or desktop as the system of engagement, is probably insufficient to address the security needs of another platform that gets accessed later, such as a system of record.
IBM Z systems are considered the most secure enterprise platforms in the world. That's the myth. The reality is that they are the most securable. They are just as vulnerable as any other platform when critical vulnerabilities are left unaddressed. Good mainframe security is a triumvirate of people, processes and technology. Unfortunately, because of the mainframe's reputation, many customers are not leveraging the best processes available to them. According to the 2019 Verizon Data Breach Incident Report, human error continues to be one of the top causes of data breaches.
Let's take a look at two common, dangerous situations and how to address them.
First, consider the business that adopts MFA for access to its desktops and mobile devices. This is a smart, proactive step to reduce the risk of unauthorized access to those devices. The user subsequently uses the internet to access mail, follow web links, download files, or do any number of other things through which a virus or trojan horse can infect the desktop. With the mistaken belief that the desktop MFA makes all subsequent system accesses secure, they then log on to another system, like IBM Z, using a traditional password or passphrase. Unfortunately, their internet behavior may have installed a keystroke logger, or, in the case of an insider attack, allowed someone else in the organization to observe the password, and now that back-end system is at risk. In other environments, a business may use a third-party tool to request a temporary password for access to a back-end system. Again, a keylogger could be in place that allows that service to be subverted for malicious purposes.
To defeat these problems, ALL systems should have MFA deployed.
Second, many businesses believe that only privileged users (e.g. system programmers, database administrators) need MFA. Again, this is a mistaken and perilous belief. Any system access on IBM Z by a business usually includes access to personally identifiable information, money management, intellectual property or other valuable assets that the business believes should be protected. As a result, all IBM Z users, regardless of role, should use MFA to sign on directly to the mainframe. The good news is that the same MFA logon processes used on the desktop can be used on many of the back-end systems, such as IBM Z, because of the open way in which the IBM Z Multi-Factor Authentication product has been developed. While it doesn't provide a single-sign-on solution (and I don't believe there is any product that meets that goal), it can provide a consistent sign-on with a wide variety of third-party MFA solutions.
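The two gaps described above (desktop MFA followed by a password-only logon to a system of record, and MFA limited to privileged roles) are both visible in authentication logs if you look for them. The following is an added audit example, not code from the original article or from the IBM Z Multi-Factor Authentication product. It assumes a constructed, simplified log format (timestamp, user, system, tier, method, result) and a constructed role table; real mainframe audit records such as SMF or RACF output would need their own parser.

```python
"""Audit authentication events for MFA coverage gaps.

Added example with a constructed log format; it is not the article's
or any product's code. Each line is:
    <timestamp> <user> <system> <tier> <method> <result>
where tier is "engagement" (desktop/mobile) or "record" (back end)
and method is "mfa", "password" or "temp-password".
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events for one morning (hypothetical systems and users).
SAMPLE_LOG = """\
2024-01-15T08:01:10Z alice workstation-17 engagement mfa success
2024-01-15T08:03:42Z alice zos-prod record password success
2024-01-15T08:05:00Z bob workstation-22 engagement mfa success
2024-01-15T08:06:30Z bob zos-prod record mfa success
2024-01-15T09:12:03Z carol workstation-09 engagement mfa success
2024-01-15T09:14:51Z carol db2-prod record temp-password success
2024-01-15T10:00:00Z dave zos-prod record password failure
"""

# Constructed role table; alice is deliberately a non-privileged user.
ROLES = {
    "alice": "claims-clerk",
    "bob": "system-programmer",
    "carol": "dba",
    "dave": "contractor",
}

# Only a real second factor counts as strong; a temporary password handed
# out by a helper tool is still a single, keyloggable secret.
STRONG_METHODS = {"mfa"}


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    system: str
    tier: str
    method: str
    result: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed whitespace-separated format, skipping blank lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 6:
            raise ValueError(f"malformed event: {line!r}")
        events.append(AuthEvent(*parts))
    return events


def mfa_gaps(events: list[AuthEvent]) -> list[tuple[str, str, str, str]]:
    """Successful back-end logons that did not use MFA, with the user's role.

    Returns (user, role, system, method), sorted. Failed attempts are excluded
    because the gap is about sessions that actually opened."""
    gaps = [
        (e.user, ROLES.get(e.user, "unknown"), e.system, e.method)
        for e in events
        if e.tier == "record" and e.result == "success"
        and e.method not in STRONG_METHODS
    ]
    return sorted(gaps)


def coverage_by_system(events: list[AuthEvent]) -> dict[str, float]:
    """Fraction of successful logons per system that used a strong method."""
    total: dict[str, int] = defaultdict(int)
    strong: dict[str, int] = defaultdict(int)
    for e in events:
        if e.result != "success":
            continue
        total[e.system] += 1
        if e.method in STRONG_METHODS:
            strong[e.system] += 1
    return {s: strong[s] / total[s] for s in total}


def split_posture_users(events: list[AuthEvent]) -> list[str]:
    """Users who passed MFA on an engagement system and then opened a
    back-end session with a weak method: the false-confidence scenario."""
    seen = defaultdict(lambda: {"engagement_mfa": False, "record_weak": False})
    for e in events:
        if e.result != "success":
            continue
        if e.tier == "engagement" and e.method in STRONG_METHODS:
            seen[e.user]["engagement_mfa"] = True
        if e.tier == "record" and e.method not in STRONG_METHODS:
            seen[e.user]["record_weak"] = True
    return sorted(u for u, f in seen.items() if f["engagement_mfa"] and f["record_weak"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for system, frac in sorted(coverage_by_system(evs).items()):
        print(f"{system:16s} MFA coverage {frac:.0%}")
    for user, role, system, method in mfa_gaps(evs):
        print(f"GAP  {user} ({role}) -> {system} via {method}")
    print("desktop-MFA-only users:", ", ".join(split_posture_users(evs)))
```

Running the script on the constructed log shows the two points of the article in one report: `zos-prod` sits at 50% MFA coverage and `db2-prod` at 0%, and the users exposed are the clerk and the DBA, not the system programmer, which is why a role-based MFA rollout leaves the gaps that matter. Treat `temp-password` as weak on purpose; whether a given temporary-password tool counts as a second factor is a decision to make explicitly, not by default.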
Don't leave your IBM Z system at risk. More importantly, don't leave your critical business processes at risk. Protect your business and your users with IBM Z Multi-Factor Authentication to align your people, process and technology.