Hi Jim,

Compliance with an auditing requirement may not specify a specific platform or architecture for MFA implementation, but in my opinion there are many benefits to keeping as much of the authentication process on the mainframe as possible. Many clients prefer to keep the mainframe security administration and processing within the scope of the mainframe. Relegating these types of processing from the mainframe to other platforms comes with risks that must be quantified and mitigated.

With a mainframe MFA solution, user provisioning information is stored in the mainframe security database. There it can be protected, backed up and managed with the robust security policies already in place. Authentication requests are made directly from the mainframe security product to the authentication provider, such as RSA SecurID, which reduces complexity and keeps security decisions on the mainframe. There are also some MFA authentication factors which are implemented fully on the mainframe without needing to call out to an external authentication provider. A mainframe MFA solution can also provide additional capabilities to handle applications with problematic authentication use cases, like support for session managers, PassTicket authentication, applications that replay passwords, or applications that do not support password phrases.
There are several solutions available for implementing MFA on the mainframe from various ISVs and IBM. If you would like more information on the IBM z MFA solution, you can email me at: [email protected]

Best Regards,
Ross Cooper

From: Jim Mooney <[email protected]>
To: [email protected]
Date: 08/30/2019 10:20 AM
Subject: [EXTERNAL] MFA: An acronym that doesn't start with the word Mother
Sent by: IBM Mainframe Discussion List <[email protected]>

We've been asked to implement MFA on the zOS Mainframe. I've read some threads on here, and it seems some have implemented IBM's MFA solution on zOS, and some have implemented MFA on 'winders.' The zOS solution is pricey so we are looking at alternatives.

My question is: Does a Windows implementation (tied to AD) meet audit requirements requiring MFA on the mainframe? IOW, can the requirement be met with MFA running on another platform? We currently use RSA Secure server for VPN access and could possibly leverage that for all MF access.

Our security people are doing a POC on something called PAM (Privilege Access Mgmt/Windows) to secure the mainframe, and I would like to make sure they are not taking a wrong turn. So any input from those ahead of us on this path would be very helpful.

Thanks for looking.

-Jim
