Why Multi-Factor Authentication Has Never Been More Important
Over the past few years, mainframe security breaches have been in the news with increasing frequency. The recent SolarWinds breach highlighted the vulnerability of information systems, even including government systems and mainframes that must adhere to very high standards for security. For many, it served as a wake-up call and underscored the importance of multi-factor authentication as a critical tool in the fight against malicious attacks.
What is multi-factor authentication?
Simply put, multi-factor authentication (MFA) is a process in which a user’s identity is verified using more than one means. MFA dictates that the user must provide proof of their identity using at least two of the following:
- Something you know, such as a password, PIN, or private personal information
- Something you have in your possession, such as a smartphone, badge, or token device
- Something you “are”, in other words, something that is tied to physical attributes such as fingerprints, voice, or facial features
For example, when a user is asked to enter a username and password, they are providing something from the first item on this list, that is, something they know. Experience has shown us that this kind of information is easily compromised, though. As users struggle with an ever-increasing number of passwords, the likelihood of compromising any of these passwords increases dramatically.
With multi-factor authentication, that same user would also be asked to provide validation using one of the two other items from the list above.
Many of us are using MFA already, without necessarily having identified it as such. When you log into your bank’s website to pay bills online, for example, you may be prompted for a one-time access code that is sent to you by e-mail, text message, or phone call. Although there are some risks associated with that approach (because e-mails and SMS text messages can be compromised), it still provides substantially greater protection than a simple combination of login and password.
Much greater levels of mainframe security can be achieved using biometric or secure token devices. An example of the latter is the RSA SecurID token, a small electronic device that can be carried in one’s pocket or on a keychain.
Many companies have implemented MFA using mobile devices. Google Authenticator and Microsoft Authenticator are apps that can be installed on a mobile phone and function in very much the same way that a secure token device would. Every 30 seconds, the app generates a new code. Banks and websites can offer MFA authentication using the Google and Microsoft apps, without the need to provide electronic token devices to each of their users.
It is important to note that systems requiring two or more instances of the same authentication factor do not constitute multi-factor authentication. For example, if a login requires a valid combination of username and password, but also requires the user to answer a question about their Social Security number, that is not MFA, because it is limited to only one of the three factors. In this case, it is asking for multiple items from the “something you know” category.
Why MFA is especially important for mainframe security
Multi-factor authentication is especially important today because of the proliferation of devices and the dramatic increase in remote access scenarios. Most organizations have shifted to a hybrid on-site and remote workforce, resulting in more remote connections. In addition, many have instituted “bring your own device” (BYOD) policies that present new challenges in terms of mainframe security.
At the same time, organizations must comply with an increasingly long list of standards to improve the security of critical information, including protected health information (HIPAA), credit card transactions (PCI-DSS 3.2), financial data (23 NYCRR 500), and more.
Multi-factor authentication has the benefit of being easy for end-users as well as simple and cost-effective to customize and administer, while remaining very effective as a means of authenticating users’ identities.
The world is moving toward ever-greater adoption of multi-factor authentication as a standard in the fight against cyber criminals.
Advanced applications for MFA
Advanced applications for MFA may include conditional rules-based scenarios in which multiple factors are required only under certain circumstances. Imagine, for example, that John Smith is an employee who normally logs into the system from home every weekday around 9 AM. We can easily identify the IP address from which his login originates, so when we combine that information with the timing and compare it to existing patterns, we can be reasonably confident that the attempted access is legitimate. In this case, we might configure our MFA rules to allow access with a simple username and password combination.
If, on the other hand, we notice that John Smith is trying to access the system at 4 AM from an IP address based in eastern Europe, it should prompt us to take additional care in authenticating his identity. With the right solution, MFA rules can be configured to require multi-factor authentication under those circumstances.
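The conditional rule described in the two paragraphs above can be expressed as a small policy check. This is an added sketch, not the logic of any product mentioned on this page. It also enforces the earlier point that two items from the same category do not count as two factors. The user name `jsmith`, the baseline values, the factor names and the documentation-range IP addresses are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Factor categories from the list earlier on this page (names are hypothetical).
CATEGORY = {"password": "know", "pin": "know", "security_question": "know",
            "totp_app": "have", "hardware_token": "have",
            "fingerprint": "are", "face": "are"}

# Constructed baseline for one user: usual source network, weekdays
# (0 = Monday) and login hours observed in past sessions.
BASELINE = {"jsmith": {"networks": [ip_network("203.0.113.0/24")],
                       "weekdays": range(0, 5), "hours": range(8, 11)}}

def categories(factors):
    """Distinct categories presented; password + security question is one."""
    return {CATEGORY[f] for f in factors}

def required_categories(user, source_ip, weekday, hour):
    """Return 1 when the login matches the known pattern, otherwise 2."""
    base = BASELINE.get(user)
    if base is None:
        return 2  # no history for this user: always step up
    addr = ip_address(source_ip)
    known_net = any(addr in net for net in base["networks"])
    usual_time = weekday in base["weekdays"] and hour in base["hours"]
    return 1 if known_net and usual_time else 2

def allow(user, source_ip, weekday, hour, factors):
    """Grant access only if enough distinct factor categories were presented."""
    needed = required_categories(user, source_ip, weekday, hour)
    return len(categories(factors)) >= needed

if __name__ == "__main__":
    # Tuesday 9 AM from the usual network: password alone is accepted.
    print(allow("jsmith", "203.0.113.20", 1, 9, ["password"]))
    # 4 AM from an unfamiliar address: two knowledge items are still one factor.
    print(allow("jsmith", "198.51.100.7", 1, 4, ["password", "security_question"]))
    # Same context with a possession factor added: accepted.
    print(allow("jsmith", "198.51.100.7", 1, 4, ["password", "totp_app"]))
```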
MFA can also be used to provide additional security in a “four eyes” scenario where highly sensitive information requires two authorized people to participate in the login process together, both using multi-factor authentication.
What to look for in an IBM i MFA solution
If you are considering an MFA solution for your IBM i systems, it is important to look for products that can integrate with the IBM i signon screen, as well as with other IBM i applications or processes. Any process that accesses the mainframe data, including external databases or cloud-based applications, should be securable using the MFA solution.
You should also look for an MFA solution that works with existing authentication solutions already in use by your organization.
Finally, seek out solutions that are certified by a widely recognized standards body such as RSA or NIST.
Precisely’s Assure Security provides a complete suite of security and access control capabilities for IBM i Series environments. We have years of experience with IBM systems, and can provide custom risk assessment services along with a range of product capabilities to enhance mainframe security. We offer flexible buying options, enabling customers to choose between our entire Assure Security product, selected feature bundles, or specific capabilities.
To learn more about multi-factor authentication for IBM i Series mainframes, check out our on-demand webcast Best Practices for Multi-Factor Authentication on IBM i.