Passwords Won’t Cut It in Enterprise Security

Multifactor Authentication


Lessons of bitter experience explain why access to computing resources has grown more onerous to users, albeit much more secure. Enterprise security teams know that protecting any IT resource with only one method is an invitation to trouble. Malicious attackers are on the prowl for inadequately secured systems, especially ones that can yield up juicy personal data or financial details.

That means that passwords—and any other authentication methods based purely on knowledge held by the user—aren’t enough to protect your IT resources. Passwords can be compromised through loss or theft, or can simply be too weak to face sophisticated software designed to crack them. From cloud-based services (such as webmail services or remote banking applications) to end-user devices, user access is increasingly reliant on multifactor authentication, whether mandated or as a smart security upgrade.

The Problem With Passwords

While passwords in an enterprise are typically created to be strong and are regularly changed to meet security policies, this simply isn’t enough. Enterprise systems are probed constantly by bad actors for vulnerabilities, including weak passwords.

Considering these threats, protecting your systems with additional safeguards is a must. When a system is protected only by passwords, a password breach can mean a halt to system operations until the system is scanned for data loss or other evidence of intrusion and new passwords can be issued. Multifactor authentication is a tested, user-friendly upgrade to a password-only system.

Multifactor Authentication Explained

Put simply, multifactor authentication ensures that no single factor—such as possession of a login/password pair—is enough to establish access to a computing or data resource. Instead, multifactor authentication allows users access only in the presence of more than one security identifier.

Passwords can be guessed or coaxed from unwary users through fraud or social engineering, or simply stolen. Requiring more than one factor means that criminals have to work harder to break in. Beyond that, multifactor authentication best practices dictate using factors that can’t be readily stolen at all, such as biometric identifiers and one-time tokens.

The identifiers that a multifactor authentication system makes use of are often grouped into three categories:

  1. Something you know: This includes passwords, password phrases, security questions and personal identification numbers.
  2. Something you have: This could include an electronic key from providers such as RSA, software-generated tokens from Gemalto SafeNet Authentication Service, a smart security badge or a device such as a mobile phone or tablet that can be used to receive out-of-band communications.
  3. Something you are: Factors that distinguish one person from another, from fingerprints to voice texture to typing speed and rhythm. All of these factors serve to establish identity.

A multifactor authentication system requires that factors be chosen from more than one of these categories. In the event that an attacker is able to fake or bypass a particular biometric identifier, for instance, that attacker might be stymied by the lack of an additional factor such as an electronic token. By specifying identifying factors with different qualities, multifactor authentication systems implement a central idea of modern security: overlapping defenses arrayed against malicious entry.

Given attackers’ persistence in obtaining security credentials, one key advantage that multifactor authentication provides to security administrators is time. If any one factor is compromised, as might occur if a password list leaks or an employee’s badge is stolen, administrators can replace or repair the damage without suspending all user access to a system.

Multifactor Authentication Matters on the Mainframe

Users are increasingly familiar and comfortable with multifactor authentication as a security measure when it comes to typical end-user applications such as mobile banking or logging in to a cloud-based system from a new location. But one non-intuitive fact about multifactor authentication is that the same advantages that make multifactor security valuable in protecting local systems or cloud resources apply just as much to mainframe data, despite the mainframe’s different scale and applications. Enterprises have long turned to the mainframe for its high performance and reliability along with its industry-leading encryption and security.

IBM offers a mainframe-specific solution in IBM Multi-Factor Authentication for z/OS. The mainframe may be physically segregated from the bulk of your information infrastructure and most users, but it’s the cornerstone of many high-value transactions that involve multiple systems, making it an excellent candidate for multilayer security implementation.

Mike Zagorski is an offering manager in IBM Security with a focus on IBM Z.

