Hackers are now very adept at misleading people into revealing their passwords. And they are able to use clever technology to crack, steal or bypass passwords altogether. No hardware platform is immune. So why are IBM’s mainframe customers seemingly reluctant to upgrade their security by incorporating multi-factor authentication? What are the hurdles they face and how can they overcome them?
The state of mainframe security
Research tells us that only one in five mainframe customers are already using –
or planning to introduce – multi-factor authentication (MFA) to protect access to data and applications. MFA involves using an extra authentication step or ‘factor’ that is much harder to crack than a password, such as a physical token, a biometric identifier or a time-sensitive single-use PIN generated by a pin-pad or mobile phone.
Low take-up of MFA means the vast majority of mainframe users are still relying on password protection alone. This shocking statistic is one of the key findings of a poll of 81 mainframe users conducted by Macro 4 at the end of last year.
Let’s just stop and think about the implications of that. Mainframe systems are used by many of the world’s biggest enterprises – including the ten top insurers, 44 of the top 50 banks, 18 of the top 25 retailers and 90 per cent of the largest airlines – to run their business. If these systems were undermined by hackers, revenue and reputation would be at risk. The organisations could also face heavy fines for breaching compliance regulations such as GDPR.
The problems with passwords are not all down to hackers, either. There are risks from within the enterprise, too. Users don’t always follow best practice around protecting their passwords. They write them down and don’t update them regularly, or they share them with work colleagues, for example. Like ‘hiding’ your front door key under a stone, a casual attitude to password protection effectively leaves the door open for a current or ex-employee with malicious intent to infiltrate your company’s core business systems.
All this means that, in 2019, relying exclusively on passwords can expose business-critical applications to unacceptable risk.
Multi-factor authentication on the mainframe: awareness is not the problem
Multi-factor authentication (MFA) technology has been around and widely used outside of the mainframe environment for many years. IBM introduced their z/OS MFA solution, which works closely with IBM’s RACF security manager, back in 2016. But it was only in November 2017 that IBM introduced a more complete MFA solution. And there are of course other non-IBM MFA and security managers available.
As part of our research we wanted to gauge awareness of MFA amongst the mainframe community. When questioned, 64 per cent of mainframe users in our survey sample said they are aware that MFA is now available to control access to mainframe applications.
And 59 per cent were aware that MFA is a key component of compliance with regulations – such as the GDPR and the Payment Card Industry Data Security Standard (PCI DSS) – which require enterprises to take effective measures to control and protect access to personal information.
So we can conclude that the low adoption of MFA is not simply due to a lack of awareness.
The number one challenge: changing old code
When asked what they felt were the barriers to implementing MFA, the biggest concern of mainframe users – raised by 28 per cent of our survey sample – was the risk of changing application code in order to support it.
That is not surprising when you consider that mainframe systems have been around for a very long time – having been introduced as far back as the 60s and 70s as a reliable platform to host business-critical applications. Many mainframe applications are old, bespoke, and extend to millions of lines of code that companies are wary of changing due to a lack of people within the business with the right knowledge and skills to do so.
Changing code in an application that is not well understood or perhaps even well documented could have unpredictable results, so many companies would understandably prefer to leave well alone.
The impact of skills shortages
A lack of skills was in fact among the other barriers highlighted. 25 per cent of the sample said they felt MFA was not being adopted by the mainframe community due to a lack of mainframe skills. A further 22 per cent mentioned the lack of IT security skills.
On top of this, 22 per cent of the mainframe users we surveyed cited the challenges and cost of installing MFA hardware and a further 17 per cent mentioned the challenges and cost of installing MFA software as barriers to implementation.
Expect end-user resistance
Another barrier to MFA adoption is resistance from end users, highlighted by 21 per cent of the sample. It is common to experience ‘push-back’ from colleagues who are unhappy about being forced to learn and embrace new and unfamiliar authentication systems that aren’t as convenient as just typing in a user ID and password.
This kind of end-user resistance is even higher outside of the mainframe world. In a separate survey of large enterprises, 63 per cent of decision makers said they experienced a backlash from employees who did not want to use multi-factor authentication.
User resistance is therefore to be expected, but should not deter companies from adopting MFA. Instead they need to put measures in place to make the authentication process easier for users.
So what can be done to reassure enterprises that introducing MFA on the mainframe is viable? And what options are available to help them take on the perceived challenges?
1 Minimising application disruption
First let’s address the concerns around disruption. The truth is that introducing MFA does not always require changes to be made to the mainframe application itself.
This is the case, for example, if you are using modern mainframe session management software to provide end users with ‘single sign-on’ access to their mainframe applications.
Many z/OS customers already use mainframe session managers. They require users to go through the login process only once – at the start of the day – after which they can access all their applications without having to log in to each one separately. Users can also switch between their applications throughout the working day without having to re-authenticate each time.
By choosing to introduce MFA on the session manager, you don’t actually touch the underlying applications themselves, so there are no risky changes to worry about. Some older mainframe applications may not even be compatible with MFA, so using a session manager avoids additional coding, testing and deployment to support MFA.
2 Getting users on side
Next let’s tackle the challenge of end-user resistance. First, make sure any roll-out of MFA is underpinned with a training programme that educates users about the importance of strengthened security on the mainframe, and the risks of relying solely on password authentication.
Second, get executive sponsorship. MFA must be seen by everyone to have the full and firm backing of senior leadership across the enterprise – not just IT management and security experts. It should be explained that improving security is not just an IT initiative: it is an important business priority that reduces risk to the whole organisation.
Third, make MFA as easy and frictionless as possible for users. For example, when logging on, users could be shown help and guidance messages – or reminders about the new authentication process – to minimise any initial confusion and to help make the introduction of MFA a user-friendly experience. Displaying this kind of on-screen guidance is simple and easy to do on a session manager login screen, for instance.
3 Mainframe skills shortages
One way to minimise the impact of skills shortages is to limit the need for mainframe specialists when installing and supporting MFA on IBM Z. Once again it’s session management software that comes to the rescue. By introducing your MFA system on a session manager you save time and effort and minimise the amount of application coding, testing and deployment required. It means MFA only has to be implemented in one place – the session manager – rather than on the many individual applications that are typically hosted on a mainframe.
Similarly, once you have implemented MFA on a session manager, there is a limited requirement for mainframe skills for ongoing administration and support. If you want to change something, such as introducing new MFA hardware – different key fobs, for instance – or just roll out software updates, then this can all be implemented and tested against the session manager rather than against the multitude of underlying mainframe applications.
4 Managing MFA costs and complexity
Mainframe IT teams that do not have experience of MFA should consider involving a specialist security consultancy – both when selecting the appropriate software and hardware options and to help with the overall complexity of creating an effective, secure, long-term solution for the organisation. Any solution has to be easy to use and support, while providing a high level of protection. All without breaking the bank.
A consultant can help you save money by providing advice on hidden costs such as the end-user training required for different authentication options and the ease of administration of those options. Should you use a mobile app or a separate pin pad that users carry with them, for example? And what is the backup plan if a user loses their phone or hardware device?
Considering these issues at the outset, avoids problems later. I have come across mainframe users who have tried to implement MFA without either recruiting people with the right specialist skills or involving a third party, and their plans have dragged on with recurring delays. In the long run, if you want to limit the cost and ensure a successful and timely implementation, it makes sense to invest in the right skills to help you make the right technology decisions.
Any new technology roll-out will bring challenges, whether they are technical hurdles, concerns over resources or reluctance from those who aren’t comfortable with having to change. However, there are ways and means to address these issues and limit the costs. Adopting MFA is something mainframe shops simply must find a way to do, and the good news is that there are options available to make the whole process easier.
Keith Banham, mainframe research and development manager, Macro 4
Image source: Shutterstock/scyther5