
IBM Multi-Factor Authentication for z/OS Helps Maintain a Secure Infrastructure

IBM Multi-Factor Authentication for z/OS

Applications can support MFA as part of their existing RACF authentication process. MFA is integrated with the System Authorization Facility (SAF) and RACF. When a user authenticates through MFA with a hard or soft token, the RSA Authentication Manager determines whether the user’s credentials are valid. If they are, MFA returns control to RACF to resume the authentication and authorization process. The solution is extensible: as new authentication factors become available, they can be added without requiring changes to the base infrastructure.

MFA support introduces extensions to a variety of components in RACF. For instance, it stores MFA fields in user and resource profiles managed by new RACF commands and callable services. The RACF database serves as the data repository for MFA data for auditing and reporting purposes. Simple user commands allow the provisioning and definition of the acceptable tokens for a user. Tokens can be specified during user authentication requests, enabling MFA-aware applications to allow for factors in addition to RACF passwords. Auditing extensions track which factors were actually used during the authentication process.

Phased Approach

IBM delivered MFA enhancements in phases, beginning in February. The first MFA solution involved the use of RSA SecurID tokens (hardware or software), which require an RSA SecurID server configured to the MFA server. SecurID software tokens use the same algorithm as the popular RSA SecurID hardware tokens. (Many companies may find software tokens preferable to key fobs, however, as there are fewer physical assets to manage, and it’s easier to provision or de-provision users with software tokens.) The RSA SecurID solution requires the licensing of the RSA Secured Server, which can run on an x86-based platform. RSA tokens are available for a number of mobile platforms as well.

In addition to the RSA support, IBM issued a statement of direction for future authentication factors and additional ecosystem support¹:

1. The IBM TouchToken authentication, a Timed One Time use Password (TOTP) generator that enables strong authentication for iOS environments. The TOTP is evaluated on z/OS directly to ensure two-factor authentication is enforced.
2. Personal Identity Verification/Common Access Cards frequently used in government applications will be included.
3. zSecure support is intended to simplify administration by helping to enforce authentication policy, providing alert notifications and reporting on authentication audit events and compliance.

Protection Today and Tomorrow

IBM offers a highly flexible solution with RSA soft and hard token support. Multiple authentication methods are designed to be supported, and tight integration with RACF provides a consistent, policy-based, auditable approach.

IBM MFA for z/OS can help clients accelerate deployment, simplify management and more easily address regulatory compliance.

It can be used to secure mission-critical applications today as well as provide needed authentication to protect new mobile and cloud applications going forward.

¹ IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Barbara Sannerud is responsible for z Systems Enablement and has 25 years of industry experience in servers, software and services, with a focus on risk and security management.

John Petreshock, project management professional, is z Systems security offering manager with 19 years of experience covering development, test and product management focusing on z Systems security.
