There was a time when mainframes were in a world of their own, separated from other computing platforms. A world where even the mainframe staff seldom mixed with the distributed people, and managers had no idea what the mainframe did or how it did it. People who worked on green screens with things like IMS, CICS, and Db2 were in a different universe.
And that security by obscurity meant that the mainframe was pretty much immune from attack. But those days are long gone. CICS can connect to IoT (Internet of Things) devices. JSON and RESTless connections that once only existed on distributed systems are now commonplace on mainframes. And mainframes can connect to phones, tablets, the cloud – everything. It’s no longer a separate island. And that means the same tools that can be used to hack other devices can be used to attack mainframes.
The biggest problem with security is always people. Generally, people can remember one password and like to use it everywhere. It’s their Google password so they can use their phone. It’s their password for online banking, and it’s the same eight characters they use to access the mainframe. And it’s the one they used for that site where they once bought something and haven’t visited since. Or else they have two passwords – but that leads to the issue of not remembering which one goes with which site and so they have to write it down (probably on a sticky note on their computer, or all the different devices they use!!).
According to password security company SplashData, the top ten passwords for 2018 were: 123456, password, 123456789, 12345678, 12345, 111111, 1234567, sunshine, qwerty, and iloveyou. Not mainframe passwords, but it does show the lack of seriousness that ordinary people treat the use of passwords. And I know a number of people who use a word and simply change the digit at the end every time their password needs updating.
So, people and passwords are not the most secure way of protecting anything. Multi-Factor Authentication is the way forward. If your site has people using Office 365, they are probably used to using MFA. On mainframes, full-blown MFA has been available since the launch of IBM Multi-Factor Authentication for z/OS towards the end of 2017. MFA works by inspecting multiple identifying elements associated with a particular user account, which raises the authentication assurance level that a system requires from a specific user. IBM Multi-Factor Authentication for z/OS is integrated with RACF, and RACF has an MFA API set available for other vendors to use. Other options include OTP (One-Time Password) generators to create a password only valid for a short time, perhaps no more than 60 seconds.
IBM mainframe users need to authenticate using multiple factors, ie something they know (a password or security question), something they have (an ID badge or cryptographic token device), and something they are (eg a fingerprint or other biometric). Just having MFA may make the mainframe more secure, but does make it harder for people to use. Perhaps the best way to enjoy the benefits of MFA and provide a user experience that is acceptable to all is to use a Session Manager (eg Tubes for z/OS from Macro 4).
What most sites are coming to realize is that not only do they need to be secure, they also need to be compliant with all the regulations that apply to them. Failure to comply with GDPR can lead to fines up to €20 million, or 4% annual global turnover – whichever is higher. And the Payment Card Industry Data Security Standard (PCI DSS) requires MFA to be implemented.
So, if MFA makes your mainframe more secure in world where mainframes are more open and connected to the wider world; and in a world where compliance with regulations is so important to avoid very high fines, why aren’t people making MFA their top priority? There seems to be a mixture of reasons. Some people seem to be unaware that MFA is now available to control access to mainframe applications. And some people are unaware that MFA is a key component of compliance with regulations.
Some sites seem to be worried about changing application code in order to support MFA. Other sites claim to be worried about the skills shortage and not having anyone available to implement MFA. This is both lack of mainframe skills and lack of security skills. Other sites are worried about the cost of implementing MFA. And some people are worried about resistance to MFA from end users.
It seems strange that Office 365 sites are adopting a technology and mainframe sites are hanging back. It’s traditionally been the other way round. It’s most likely that the need to be compliant will be the biggest driver for sites adopting MFA because it is something that management will understand. And it seems there are ways to make the end user experience better. And there are third-party organizations that can help a site implement MFA.
I’m sure more sites will have MFA as we go through 2019 into 2020.
Regular Planet Mainframe Blog Contributor
Trevor Eddolls is CEO at iTech-Ed Ltd, and an IBM Champion since 2009. He is probably best known for chairing the Virtual IMS, Virtual CICS, and Virtual Db2 user groups, and is featured in many blogs. He has been editorial director for the Arcati Mainframe Yearbook for many years.