
Secure Mainframe Access—What Has Changed in the Last Year?

by   in Application Modernization

More breaches than ever before

Threats are on the rise. Credentials are the primary means by which a bad actor hacks into an organization, with 61 percent of breaches attributed to leveraged credentials (Verizon 2021 Data Breach Investigations Report). Additionally, global ransomware attack volume increased by 151 percent for the first six months of 2021 as compared with the previous half year. And the costs just keep going up! The global average cost of a data breach in 2021 was $4.24 million, and the average cost of a data breach in the United States has hit an all-time high of $9.05 million. Your organization is at risk—and the potential costs of a breach are higher than ever.

What is happening?

This past year has seen an increase in breaches—more than we have ever witnessed before. In my last blog, I referenced the Colonial Pipeline ransomware attack, the JBS Meats ransomware attack, and the Nobelium attacks. These attacks cost the organizations money and resulted in shortages and downtime. But those weren’t the only ones. In May 2021, Brenntag, a world-leading chemical distribution company, suffered a ransomware attack by a DarkSide affiliate (the same group responsible for the Colonial Pipeline attack). In this attack, the threat actors encrypted devices on the network and stole unencrypted files. To recover the files and to prevent the data from being leaked publicly, Brenntag paid $4.4 million in ransom. The DarkSide affiliate claims to have gained access to the network after purchasing stolen credentials.

And it’s not just Colonial Pipeline, JBS, and Brenntag. HubSpot, the Red Cross, and Kaseya have all suffered breaches recently. These examples are not specific to the mainframe. However, the mainframe is vulnerable and needs to remain secure, as shown in the 2021 BMC Mainframe Survey. This survey found that for the second consecutive year security was considered a top priority for mainframe organizations.

But wait—there’s more

The statistics show that breaches are on the rise across the board. But there is more: there are regulations with which your organization must comply. These regulations are designed to help. However, if you are out of compliance, you could face fines—in addition to any money you may lose from a breach itself. These regulations include the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Homeland Security Presidential Directive 12 (HSPD 12).

These regulations protect individuals and their data. For example, PCI DSS mandates multi-factor authentication (MFA) in certain scenarios involving cardholder data, along with encryption and data masking, and gives specifics on applying security patches. GDPR requires securing data in transit and at rest, and at its core requires that personally identifiable information is accessible only to those with a legitimate reason to access it. CCPA shares much of the same foundation as GDPR. HSPD 12 is the start of the push for multi-factor authentication in government agencies.

But recently, HSPD 12 was not enough. In response to the high-profile attacks of 2021, the US president issued the Executive Order on Cybersecurity. The order mandates that US federal agencies develop a plan for how they will implement zero trust architecture, deploy MFA, and implement encryption for data at rest and in motion. Additionally, in November 2021 the IRS released Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies. This publication sets guidelines to ensure that government agencies and their employees use policies, practices, and controls (including MFA) to protect the confidentiality of that tax information.

This is not a comprehensive list. There are other regional and local regulations as well. Your organization needs to be aware of all of these regulations—and comply with them—to help ensure that data remains secure (regardless of the system that holds it) and to avoid non-compliance penalties.

What can you do?

There are controls that you can put in place today to help ensure that your organization is secure—and these controls are essential for mainframe access security. Here is a list of some of the available controls.

  • Strong authentication
    • Using strong authentication helps reduce the likelihood of a bad actor getting into your system, and MFA is the best authentication control all around. Imagine if MFA had been in use at Colonial or JBS Meats.
    • In mainframe organizations, authentication is typically done in multiple places. The corporate identity and access management (IAM) controls protect the majority of systems and data, while on the mainframe, RACF, ACF2, or Top Secret controls access to mainframe apps and data.
    • Many mainframe organizations still use eight-character, case insensitive passwords to access mainframe data. Not because they think it is secure—but because they think the mainframe is impenetrable. However, the mainframe can be breached, and it needs to be protected. Organizations should consider an MFA platform that delivers MFA across the enterprise, including the mainframe.
  • Authorized access
    • Authorization should be based on the principle of least privilege. One must have a legitimate need to access data based on their role in the organization before access to data and/or systems is granted. This means that there must be a check before a user gets to the mainframe to ensure that they have authorized access, instead of depending solely on mainframe safeguards. Organizations should be protecting these valuable resources by leveraging their existing corporate directory services.
  • Data encryption and protecting sensitive data
    • Sensitive data must be protected at all times. This applies whether that data is at rest or in motion (moving into and out of your network). Organizations must also consider protecting data at the presentation layer. Encryption, redaction, and tokenization are all controls for keeping sensitive data secure. Organizations also need to be on the latest TLS encryption protocol, TLS 1.3, to ensure the greatest protection. Used together, these controls can minimize the sensitive information a bad actor can access, even if they breach the system.
  • Endpoint hardening
    • Endpoint hardening means strengthening security at the endpoints (devices) that access the mainframe to help prevent attacks. It secures systems by reducing the surface of vulnerability. This relies on installing the latest security patches and configuring operating systems and applications according to least privilege principles, policies, and standards.
    • In mainframe organizations, the key application requiring endpoint hardening is the terminal emulator, or other host access software. Owners must lock down terminal emulation, as not all users need to create new sessions, edit macros, or connect to unauthorized systems.

These controls work better together. Implementing one or more of these controls will help ensure that your data and systems are secure.

OpenText can help!

OpenText offers solutions that use the controls mentioned above to help protect your systems—including the mainframe. The solutions include NetIQ™ Advanced Authentication, the Advanced Authentication Connector for z/OS, and Host Access Management and Security Server (MSS).

OpenText Advanced Authentication framework uses two-factor or MFA to strengthen authentication levels. OpenText Multi-Factor Advanced Authentication can provide MFA throughout the organization, while the Advanced Authentication Connector for z/OS extends that MFA to the mainframe, ensuring MFA protection for every IBM z/OS endpoint.

MSS enables centrally managed, secure terminal emulation, while the advanced authentication add-on leverages the same level of MFA and authorized access to valuable host systems. This ensures that only individuals who have proven their identity can access them.

Parting words

Your organization is at risk. The cost and frequency of attacks continue to increase. Don’t be the next JBS Meats, Colonial Pipeline, or Brenntag. Make a plan, implement the plan, and let OpenText help you with that plan!
