While organizations with mainframes aim to establish consistency throughout the enterprise via modernization technologies, the challenge often faced is the tools used are not suitable for both mainframe and enterprise environments. This results in disparate solutions, training methods, and user experiences – highlighting the urgent need for greater uniformity across the entire enterprise.
Security and Mainframe Access
Mainframe access must meet modern security standards. This means that organizations must know who is connecting to the network and ensure they are authorized to access sensitive data, which is typically done through an identity and access management (IAM) system.
However, in most mainframe organizations the IAM system used in the enterprise is not used for authentication to the host. To ensure complete protection and consistency across the organization, the same IAM should be used on the host as is used in the enterprise. This will help create secure host application access, enabling regulatory compliance and helping to prevent cyberattacks.
What is the Right Authentication Experience?
When considering any authentication experience, convenience must be balanced against risk. To maximize value from investment, organizations should make it easy for users to access information and services, while ensuring that the right security measures are in place to help prevent a breach.
To further increase security for host access, organizations can implement multi-factor authentication (MFA). In today’s threat landscape, having any form of MFA is better than none – but the most broadly adopted forms of MFA rely on human behavior, which opens organizations to multiple paths for attack. A recent example is the cyberattack on US company Twilio, compromising its widely-used two-factor authentication service after multiple employees were duped into providing their credentials to threat actors.
Increasing Threats and Higher Stakes
As cyberattacks and breaches increase, mainframe organizations face two major challenges: many users are accessing the mainframe using an eight-character, case-insensitive password; and organizations often struggle with having separate MFA appliances – one for the mainframe and one for the enterprise.
Text messages, email and one-time passwords are susceptible to attacks, allowing threat actors to bypass MFA. When choosing and deploying an MFA solution, it is important that authenticating factors fit the organization’s use cases. The MFA product should also be role-based to ensure roles that require more secure access to an organization’s data and applications provide stronger authentication to prevent breaches.
Let’s explore how OpenText’s Application Modernization solutions can support mainframe access security consistency across the enterprise, while providing an improved user experience:
Centrally Managed Host Access
Consider how users access the host today. In most cases they use a terminal emulator configured with an IP address, a port and an encryption level, and they land at a mainframe login screen. In many cases, the only thing a user needs to provide to access the applications and data is an eight-character, case-insensitive password.
The solution is to eliminate eight-character passwords through strong access controls and unify authentication by extending the same MFA to the host as is used in the enterprise. OpenText’s Host Access Management and Security Server provides the ability to control access to the host through the enterprise’s IAM.
With OpenText Host Access Management and Security Server, users are required to provide their enterprise credentials – Security Assertion Markup Language (SAML) or Active Directory – and are authorized via the organization’s directory services before getting access to the host. Unless access is granted, users won’t be able to connect to the mainframe.
To make authentication stronger, the IAM can be the OpenText Advanced Authentication Server or another trusted MFA solution. Now, not only can MFA be used throughout the organization, but that proven identity can be leveraged to authorize access to those critical mainframe applications and data.
Another feature of OpenText’s Host Access Management and Security Server is Automated Sign-On for Mainframe. Once the user is authenticated and authorized via Managed Security Services (MSS), the server gets a one-time pass ticket from the Digital Certificate Access Server located on the mainframe and passes it programmatically to the end user. This allows the user to sign in automatically – and eliminates the need to remember a different password for the mainframe.
This process adds layers of security to ensure that only authenticated and authorized users get to the mainframe.
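The following is an added example that models the automated sign-on flow just described, not OpenText's or IBM's code: a broker issues a short-lived, single-use ticket only after enterprise authentication, directory authorization and the role-based factor policy have all passed, and the host side rejects any replayed, expired or tampered ticket. The directory entries, role policies, TTL and the HMAC-based ticket format are constructed for illustration; the real pass ticket is generated on the mainframe by the Digital Certificate Access Server.

```python
import hmac, hashlib, secrets, time

# Constructed sample directory (stands in for the enterprise user directory).
DIRECTORY = {
    "alice": {"role": "privileged", "host_access": True},
    "bob":   {"role": "standard",   "host_access": True},
    "carol": {"role": "standard",   "host_access": False},
}
# Assumed role-based policy: factors each role must present before host access.
REQUIRED_FACTORS = {
    "privileged": {"password", "hardware_token"},
    "standard":   {"password", "push"},
}
TICKET_TTL = 30                      # seconds a ticket stays valid (assumed)
_KEY = secrets.token_bytes(32)       # simulated secret shared by broker and host
_consumed = set()                    # tickets already redeemed (single use)

def issue_ticket(user, factors_presented, now=None):
    """Broker side: return a signed one-time ticket, or None if any check fails."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry["host_access"]:
        return None                  # unknown user or not authorized for the host
    if not REQUIRED_FACTORS[entry["role"]] <= set(factors_presented):
        return None                  # the role's MFA policy was not satisfied
    now = int(time.time()) if now is None else now
    body = f"{user}:{now}:{secrets.token_hex(8)}"
    mac = hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def redeem_ticket(ticket, now=None):
    """Host side: accept a ticket once, within TTL, only if its MAC verifies."""
    try:
        user, ts, nonce, mac = ticket.split(":")
    except ValueError:
        return None                  # malformed ticket
    body = f"{user}:{ts}:{nonce}"
    expected = hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                  # tampered or forged
    now = int(time.time()) if now is None else now
    if now - int(ts) > TICKET_TTL or ticket in _consumed:
        return None                  # expired or replayed
    _consumed.add(ticket)
    return user
```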
Secure and Zero Footprint Host Access
Host Access for the Cloud: no desktop installation, managed deployment, and scalable access. This newly introduced product is a centrally managed zero-footprint emulator. It includes OpenText’s Host Access Management and Security Server, which is the administrative console of this HTML-based emulator.
Looking at the above image, the devices on the left have a modern browser – desktops, laptops, mobile devices. These connect to the Session Server in the center, which is managed by OpenText’s Host Access Management and Security Server. The user’s authentication is required, authorization is checked, and then the host connection is displayed via HTML5 in the browser. OpenText Host Access for the Cloud connects to all major host systems, and to Micro Focus Enterprise Server as well.
Key benefits from a security perspective:
- Control who can access your host applications and data, using your organization’s IAM and user directory
- Manage the change at the emulator from a centralized console
- Lock down the emulator to only the features and functionality required for the end user
- Encryption to ensure all communications are secure from the client to the host
- Ease of applying security patches at the server rather than on each desktop
- Combined with the ability to scale, support high availability, and be deployed in the cloud, this product is revolutionary compared to other terminal emulators in the market
Advanced Authentication Supports Mainframe Users
OpenText’s solution for MFA is OpenText Advanced Authentication, which offers multifactor authentication to enterprises around the world – and can now extend MFA authentication to mainframe users. This means that organizations can use the same MFA product for their enterprise authentication and mainframe authentication.
The range of authentication factors supported by this platform is its greatest advantage. When planning multi-factor authentication you need the right factors for the right use cases. Consider the privileged users – they may need to use more advanced authentication factors, but not all users can be required to have biometric support. Consider users who may require access, but whose hardware is not under the organization’s control – what type of factors will work for them? Organizations can then extend this type of authentication to the mainframe and use the same resources across the organization.
The Modern Mainframe – Automated, Protected, Connected
In this complex market, solutions need to address both legacy challenges and modern expectations while preserving existing advantages. Competition, including from the platform provider, exists, but there’s a shared belief that enhancing the mainframe benefits the entire ecosystem.
To get full value from mainframe systems and data, organizations must integrate the host with modern systems. However, integration has challenges – the greatest being security.
To learn more, download and read the IDC white paper commissioned by OpenText: The Modern Mainframe – Automated, Protected, Connected.
- Customer use case: Federal Agency enabled mainframe single sign-on using current infrastructure
- Customer use case: E.Miroglio EAD opened up a key business application to remote and mobile users
- Explore OpenText Host Access for the Cloud
- OpenText white paper: Integrating Host Systems with Modern Security Frameworks
- OpenText Application Modernization: Modernize core business applications