How to Extend Enterprise IT Security to the Mainframe

While organizations with mainframes aim to establish consistency throughout the enterprise via modernization technologies, the challenge often faced is the tools used are not suitable…

Que Mangus profile picture
Que Mangus

November 17, 20237 minute read

While organizations with mainframes aim to establish consistency throughout the enterprise via modernization technologies, the challenge often faced is the tools used are not suitable for both mainframe and enterprise environments. This results in disparate solutions, training methods, and user experiences – highlighting the urgent need for greater uniformity across the entire enterprise. 

Security and Mainframe Access 

Mainframe access must meet modern security standards. This means that organizations must know who is connecting to the network and ensure they are authorized to access sensitive data, typically done on an identity and access management (IAM) system.  

However, for most mainframe organizations the IAM system used in the enterprise is not used for authentication to the host. To ensure complete protection and consistency across the organization, the same IAM should be used on the host as is used on the enterprise. This will help create secure host application access, enabling regulatory compliance and helping to prevent cyberattacks. 

What is the Right Authentication Experience? 

When considering any authentication experience, convenience with risk must be balanced. To maximize value from investment, organizations should make it easy for users to access information and services, while ensuring that the right security measures are in place to help prevent a breach.  

To further increase security for host access, organizations can implement multi-factor authentication (MFA). In today’s threat landscape, having any form of multi-factor authentication (MFA) is better than none – but the most broadly adopted systems of MFA rely on human behavior, which opens organizations to multiple paths for attack. A recent example is the cyberattack on US company Twilio, compromising its widely-used two-factor authentication service after multiple employees were duped into providing their credentials to threat actors.  

Increasing Threats and Higher Stakes  

As cyberattacks and breaches increase, mainframe organizations face two major challenges: Many users are accessing the mainframe using an eight-character, case insensitive password; and organizations often struggle with having separate MFA appliances – one for the mainframe and one for the enterprise.  

Text messages, email and one-time passwords are susceptible to attacks, allowing threat actors to bypass MFA. When choosing and deploying an MFA solution, it is important that authenticating factors fit the organization’s use cases. The MFA product should also be role-based to ensure roles that require more secure access to an organization’s data and applications provide stronger authentication to prevent breaches.    

Let’s explore how OpenText’s Application Modernization solutions can support mainframe access security consistency across the enterprise, while providing an improved user experience: 

Centrally Managed Host Access 

Consider how users access the host today. In most cases they use a terminal emulator configured with an IP address, a port and encryption level, and they land at a mainframe login screen. In many cases, the only thing a user needs to provide to access the applications and data is an eight-character case in sensitive password.    

The solution is to eliminate eight-character passwords through strong access controls and unify authentication by extending the same MFA to the host as is used in the enterprise. OpenText’s Host Access Management and Security Server provides the ability to control access to the host though the enterprise’s IAM.  

With OpenText Host Access Management and Security Server, users are required to provide their enterprise credentials – Security Assertion Markup Language (SAML) or Active Directory – and are authorized via the organization’s directory services before getting access to the host. Unless access is granted, users won’t be able to connect to the mainframe.   

To make authentication stronger, the IAM can be the OpenText Advanced Authentication Server or another trusted MFA solution. Now, not only can MFA be used throughout the organization. but that proven identity can be leveraged to authorize access to those critical mainframe applications and data.  

Another feature of OpenText’s Host Access Management and Security Server is Automated Sign-On for Mainframe. Once authenticated and authorized via Managed Security Services (MSS), the server gets a one-time pass ticket from The Digital Certificate Access Server located on the mainframe and passes it programmatically to the end user. This allows the user to automatically sign in – and eliminates the need to remember a different password for the mainframe.   

This process adds layers of security to ensure that only authenticated and authorized users get to the mainframe.   

Secure and Zero Footprint Host Access 

Host Access for the Cloud: no desktop installation, managed deployment, and scalable access. This newly introduced product is a centrally managed zero footprint emulator. It includes OpenText’s Host Access Management and Security Server and is the administrative console of this HTML based emulator.

Accessing the mainframe from the cloud

Looking at the above image, devices on the left have a modern browser – desktops, laptops, mobile devices. These connect to the Session Server in the center, managed by OpenText’s Host Access Management and Security Server. A user’s authentication is required; authorization is checked; and then a host connection is displayed via HTML5 in the browser. OpenText Host Access for the Cloud connects to all major host systems and Micro Focus Enterprise Server, as well.   

Key benefits from a security perspective:  

  • Control who can access your host applications and data, using your organization’s IAM and user directory 
  • Manage the change at the emulator from a centralized console  
  • Lockdown the emulator to only the features and functionality required for the end user 
  • Encryption to ensure all communications are secure from the client to the host 
  • Ease of applying security patches at the server versus each desktop  
  • Combined with the ability to scale, support high availability, and designed to be deployed in the cloud, this product it is revolutionary compared to other terminal emulators in the market   

Advanced Authentication Supports Mainframe Users 

OpenText’s solution for MFA is OpenText Advanced Authentication, which offers multifactor authentication to enterprises around the world – and can now extend MFA authentication to mainframe users. This means that organizations can use the same MFA product for their enterprise authentication and mainframe authentication.  

The range of authentication factors supported by this platform is its greatest advantage. When planning multi factor authentication you need the right factors for the right use cases. Consider the privileged users – they may need to use more advanced authentication factors, but not all users can be required to have biometric support. Consider users who may require access, but control of their hardware is not needed – what type of factors will work for them? Organizations can then extend this type of authentication to the mainframe and use the same resources across the organization.  

The Modern Mainframe – Automated, Protected, Connected 

In this complex market, solutions need to address both legacy challenges and modern expectations while preserving existing advantages. Competition, including from the platform provider, exists, but there’s a shared belief that enhancing the mainframe benefits the entire ecosystem. 

To get full value from mainframe systems and data, organizations must integrate the host with modern systems. However, integration has challenges – the greatest being security.  

To learn more, download and read the IDC white paper commissioned by OpenText: The Modern Mainframe – Automated, Protected, Connected. 

Further information:  

Share this post

Share this post to x. Share to linkedin. Mail to
Que Mangus avatar image

Que Mangus

Que Mangus manages the product marketing for OpenText host connectivity solutions. Que has 14+ years of experience in software solutions marketing and received ITIL version 3 Foundation Certification in 2010. Que graduated from Utah Valley University located in Orem, UT, USA with a Bachelor’s Degree in Business Management.

See all posts

More from the author

The Mainframe Turns 60: A Milestone in Computing History  

The Mainframe Turns 60: A Milestone in Computing History  

Time Flies: Celebrating 60 Years of the Mainframe

6 minute read

OpenText Introduces New ‘COBOL Webinar Wednesdays’ Series 

OpenText Introduces New ‘COBOL Webinar Wednesdays’ Series 

If mainframe and COBOL are at the heart of your operations, breaking the bounds of mainframe architecture to scale and innovate at speed can seem…

4 minute read

Mainframe Modernization: Should I Stay, or Should I Go?

Mainframe Modernization: Should I Stay, or Should I Go?

Mainframes still matter today. According to IBM, 45 of the world’s top 50 banks run on IBM zSystems. Furthermore, mainframes are used by 71% of…

4 minute read

Stay in the loop!

Get our most popular content delivered monthly to your inbox.