
Four Layers of Mainframe Defense–Is MFA Enough?

by   in Application Modernization

The mainframe can be vulnerable

The mainframe continues to be essential for many organizations, and the way it is used continues to evolve as part of the connected, hybrid IT world. Because of this, the mainframe can be vulnerable to attack. A recent IDC whitepaper found that, “there are still significant numbers of mainframe users who use nothing more than an eight-character, case-insensitive password to access their organization's mainframe.” This type of authentication does not provide the protection that an organization needs. In fact, the Verizon 2022 Data Breach Investigations Report shows that 63% of breaches involved leveraged credentials. Organizations need a better way to protect their systems and data, and should adopt modern security tools for the entire enterprise, including the mainframe.

There are four layers of defense that your organization needs to reduce the impact of a breach. These layers include:

  • Strong authentication such as Multi-Factor Authentication (MFA)
  • Strong access control
  • Data encryption and redaction
  • Endpoint hardening

Multi-Factor Authentication

Using strong authentication reduces the likelihood of a bad actor getting into your system, and MFA is one of the strongest authentication controls available. MFA requires a user to present two or more factors (something they know, something they have, something they are) to prove they are who they say they are, and only then grants access to systems or data, which decreases the likelihood of a breach.

Mainframe organizations typically authenticate in multiple places: via the corporate identity and access management (IAM) tool, which protects most of the organization's systems and data, and again on the mainframe itself, where RACF, ACF2, or Top Secret validates the user as a defined mainframe user. What if you could use the same enterprise MFA on the mainframe as you do in the rest of the organization, rather than running two disparate systems? You can. This provides consistent protection for the entire organization with one solution. And with fewer systems to maintain and oversee, there is less complexity, lower cost, and less that can go wrong, which leads to better security.

Learn more about using MFA with your mainframe in the whitepaper “Using Multifactor Authentication to Authorize Mainframe Access.”

MFA may not be enough

Recently, a breach at Twilio showed us that MFA is not a silver bullet. Their widely used two-factor authentication service was compromised in August 2022 after multiple employees were duped into providing their credentials to threat actors. While having any form of MFA is better than no MFA, the most commonly used factors rely on human behavior, which opens organizations to multiple paths for attack. SMS codes, emailed codes, and one-time passwords are susceptible to phishing and adversary-in-the-middle attacks: a proxy site collects the code from the user and replays it to the real login within the validity window, bypassing MFA entirely. Phishing-resistant factors such as FIDO2/WebAuthn security keys bind the authentication response to the site's origin, so a response captured on a look-alike domain does not verify on the real one.

When choosing and deploying an MFA solution, consider your organizational use cases before selecting authentication factors. To reduce risk, the MFA product should also be role based, requiring stronger authentication for those who need more privileged access to an organization's data and applications. For example, a system administrator should need a more stringent set of factors to access systems and data than a common user, because a system administrator has more privileges on the system than other users.
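The relay attack described above, as an added example that is not part of the original post: a server-side TOTP check (RFC 6238, HMAC-SHA1, 30-second step) accepts a live code no matter where the user typed it, so a phishing proxy that forwards it within the drift window succeeds. A simplified origin-bound challenge, loosely modelled on the WebAuthn assertion flow but using an HMAC stand-in for the real key pair, fails when the user was on the wrong origin. The seed, origins, nonce and timestamps are all constructed for the example.

```python
"""Added example (not from the original post): a relayed one-time password
passes verification, an origin-bound challenge does not."""
import hashlib
import hmac
import struct
import time

SHARED_SECRET = b"constructed-totp-seed-0123"   # constructed enrolment seed
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def server_verify_totp(submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock drift.
    Nothing in the code ties it to the page the user typed it into."""
    for drift in range(-window, window + 1):
        expected = totp(SHARED_SECRET, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def aitm_relay_of_otp_succeeds(now: int) -> bool:
    """Adversary-in-the-middle: the user types a live code into a phishing
    page; the proxy forwards it to the real server a few seconds later."""
    code_typed_into_phish = totp(SHARED_SECRET, now)      # user's authenticator app
    return server_verify_totp(code_typed_into_phish, now + 5)


# --- origin-bound challenge (simplified WebAuthn-style assertion) ---
AUTHENTICATOR_KEY = b"constructed-per-site-credential-key"  # HMAC stand-in for a key pair
REAL_ORIGIN = "https://mainframe-gw.example.com"            # constructed origins
PHISH_ORIGIN = "https://mainframe-gw.example.com.evil.test"


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """The browser supplies the page origin and it is covered by the signature."""
    return hmac.new(AUTHENTICATOR_KEY, challenge + origin_seen_by_browser.encode(),
                    hashlib.sha256).digest()


def server_verify_assertion(challenge: bytes, signature: bytes) -> bool:
    """The relying party checks the signature against ITS OWN origin."""
    expected = authenticator_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)


def aitm_relay_of_assertion_succeeds(challenge: bytes = b"constructed-nonce") -> bool:
    """Same relay, but the user is on the phishing origin, so the signed
    origin is wrong and the real server rejects the relayed assertion."""
    relayed = authenticator_sign(challenge, PHISH_ORIGIN)
    return server_verify_assertion(challenge, relayed)


if __name__ == "__main__":
    now = int(time.time())
    print("relayed OTP accepted:", aitm_relay_of_otp_succeeds(now))
    print("relayed origin-bound assertion accepted:", aitm_relay_of_assertion_succeeds())
```

The TOTP routine matches the RFC 4226/6238 test vectors (seed `12345678901234567890`, T=59 gives `287082`), so the accepted relay is not an artefact of a broken implementation; it is the protocol behaving as designed.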

You need defense in depth

MFA is a great control.  However, it does not solve every security issue. So what is needed as best practice? How can you be protected? The answer is defense in depth. Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.

Applying this to mainframe security means you must implement multiple security controls. These controls include:

  • Strong authentication, such as MFA (as mentioned above).
  • Access control: Access should be based on the principle of least privilege. There must be a legitimate, role-based need to access data before access is granted. Start by giving users little or no access, then grant access only to the systems and data that are critical to their job function. Do not give wide, unrestricted access to all users.

    –What if you could restrict access to the users before they get to the mainframe login screen? And what if you could use your existing directory structure to control access to that mainframe connection? With this type of granular control, your mainframe can be more secure, and only authorized users would be granted access to it.
  • Encryption and Redaction/Tokenization - To protect sensitive data only allow users to access the sensitive information that is required to do their job—nothing more (see access control). Next, ensure that sensitive data is protected—both at rest and in transit—using encryption, redaction, and tokenization.
    • Encryption encodes data in transit and at rest so that only parties holding the key can decode it. Typical technologies for protecting mainframe data in transit include TLS (for example, TN3270 sessions over TLS) and SSH. Deprecated protocol versions such as SSL 3.0, TLS 1.0, and TLS 1.1 should be disabled, and cipher suites reviewed, since older configurations carry known weaknesses.
    • Redaction is the process of masking or obscuring of data and should be role-based, according to the principle of least privilege.
    • Tokenization is the process of replacing a sensitive value with a surrogate token that preserves the format and any characteristics applications need (for example, the last four digits of a card number) while carrying no exploitable information itself; only a protected vault holds the mapping back to the original value. Examples of sensitive data include credit card numbers, social security numbers, account numbers, birthdates, or other personally identifiable information.

      Redaction and tokenization can be used together or separately to protect sensitive data in transit and at rest, including at the presentation level. In today's cybersecurity climate, it is time to ask whether everyone who has mainframe access needs to see credit card information, account data, or other sensitive information.
  • Endpoint hardening - Endpoint hardening is the process of securing a system by reducing its attack surface; for this discussion, that means any endpoint with access to the mainframe. This requires installing the latest security patches and configuring operating systems and applications according to the principle of least privilege. In mainframe organizations, the key application for accessing the host is the terminal emulator. So the terminal emulator should have the latest security patches applied and be locked down using the principle of least privilege. Again, ask the hard question: not all users should be able to create new sessions, edit macros, or change security configurations.
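The redaction and tokenization controls described in the list above, as an added example that is not part of the original post: a role-based redaction policy applied to a customer record before it reaches the presentation layer, plus an in-memory token vault that replaces a card number with a random format-preserving token and only detokenizes for roles that are allowed to see the value. The roles, field names and sample record are constructed; a real vault would be an access-controlled, audited store rather than a dictionary.

```python
"""Added example (not from the original post): role-based redaction and
vault-backed tokenization of sensitive fields."""
import re
import secrets
from typing import Any, Optional

# Which roles may see which sensitive fields in the clear (constructed policy).
VIEW_POLICY = {
    "fraud-analyst": {"card_number", "ssn"},
    "customer-service": set(),
    "sysprog": set(),   # a system programmer has no business need for customer PII
}
SENSITIVE_FIELDS = {"card_number", "ssn"}

# Patterns for sensitive values that leak into free text (e.g. a notes field).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12}(\d{4})\b")   # 16-digit PAN, keep last four
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

SAMPLE_RECORD = {   # constructed customer record
    "name": "A. Customer",
    "card_number": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
    "notes": "Called about charge on 4111 1111 1111 1111, SSN 123-45-6789 verified",
}


def mask_card(pan: str) -> str:
    """Show only the last four digits of a primary account number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_free_text(text: str) -> str:
    """Mask card numbers and SSNs wherever they appear in unstructured text."""
    text = CARD_RE.sub(lambda m: "*" * 12 + m.group(1), text)
    return SSN_RE.sub("***-**-****", text)


def redact_record(record: dict[str, Any], role: str) -> dict[str, Any]:
    """Return a copy of `record` with every field the role may not see masked."""
    allowed = VIEW_POLICY.get(role, set())   # unknown role -> sees nothing sensitive
    out = dict(record)
    if "card_number" not in allowed:
        out["card_number"] = mask_card(record["card_number"])
    if "ssn" not in allowed:
        out["ssn"] = "***-**-" + record["ssn"][-4:]
    if not SENSITIVE_FIELDS <= allowed:      # free text is masked unless the role sees it all
        out["notes"] = redact_free_text(record["notes"])
    return out


class TokenVault:
    """Maps random, format-preserving tokens back to the original value.
    The mapping exists only here; downstream systems store and process the token."""

    def __init__(self) -> None:
        self._to_value: dict[str, str] = {}
        self._to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:          # same value -> same token, so joins still work
            return self._to_token[value]
        digits = re.sub(r"\D", "", value)
        while True:
            # random leading digits, last four preserved so staff can confirm a card
            token = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4)) + digits[-4:]
            if token != digits and token not in self._to_value:
                break
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only roles cleared to see card numbers may recover the real value."""
        if "card_number" not in VIEW_POLICY.get(role, set()):
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._to_value[token]


def try_detokenize(vault: TokenVault, token: str, role: str) -> Optional[str]:
    """Helper for callers that treat a denied lookup as 'no value'."""
    try:
        return vault.detokenize(token, role)
    except PermissionError:
        return None


if __name__ == "__main__":
    print(redact_record(SAMPLE_RECORD, "customer-service"))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_RECORD["card_number"])
    print("token:", tok, "| sysprog sees:", try_detokenize(vault, tok, "sysprog"))
```

The detokenize check reuses the same view policy as redaction, so there is one place to answer the question the post poses: does this role actually need to see the real value?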

Using these controls together provides multiple layers of protection that reduce the attack surface and help ensure that your data and systems stay secure.

For more information about these controls, see the blog post, Secure Mainframe Access—What Has Changed in the Last Year?


Every organization is vulnerable – there have been countless breaches over the past few years that have shown this. Because of this, you need a strategy to ensure that your systems—including the mainframe—stay secure. Defense in depth, or a multi-layered approach to security is the best way to reduce the likelihood of a breach.
