Macro 4’s session manager improves mainframe security through roll-out of MFA

Macro 4 has launched a new version of the Tubes for z/OS session management software that enables enterprises to roll out IBM’s multi-factor authentication system for z/OS as they bid to make access to mainframe applications more secure.

Tubes for z/OS 7.8 has a new multi-factor authentication capability which provides a way for organizations to introduce additional security tests or ‘factors’, such as a randomized PIN or a fingerprint scan, to strengthen mainframe access security.

According to Keith Banham, Mainframe & Manager at Macro 4, improving security is a growing priority as modernization initiatives are exposing mainframe applications to new threats: “Mainframe applications are becoming much more connected to the outside world, with users logging on from outside the data center on mobile devices. That’s great for digital business but this increased openness also provides more opportunities for hackers, so you need to strengthen your defences.

“Tighter regulatory controls such as the GDPR are also raising the bar for security. Companies need to demonstrate that they’re using advanced access mechanisms such as multi-factor authentication to safeguard data privacy and security.

“There’s widespread recognition that the old single factor static password authentication system is no longer fit for purpose. In a poll of mainframe users we conducted last year, 67 per cent agreed that MFA is an important additional security measure.”

The Tubes session manager controls user access to all of an organization’s mainframe applications through a single sign-on, so rolling out MFA through Tubes saves effort and reduces risk as no additional systems changes are required, explained Banham: “Many organizations will be running numerous applications on the mainframe, so trying to implement the new MFA system on each one individually – involving separately configuring and testing every application – would be a massive challenge. If they use a session manager such as Tubes to control end-user access to applications, then they only need to configure MFA in one place – Tubes – and the job’s done.

“Some older applications don’t support MFA at all, so more systems changes are needed to make them compatible. And do you really want to risk touching those old systems? With Tubes you’re talking about a few minutes’ work rather than weeks or months of effort.”

Introducing MFA through the Tubes session manager also minimizes the impact on users as it avoids the inconvenience of re-authenticating every time they log on to a different application, said Banham: “Say you work with several mainframe applications and for each one you have to get a new access code from your mobile phone or pinpad every time you log on. The time all adds up and it can be frustrating, as well as reducing productivity. The beauty of using a session manager such as Tubes is that users need to go through the MFA authentication process only once and they are then automatically logged into any of the applications they are authorized to use.”

The Tubes software provides capabilities to make the introduction of MFA a user-friendly experience. Help and guidance or reminder messages about the new authentication process can be added to the Tubes login screen, helping to reduce end-user frustration and time as well as reducing calls to the helpdesk.

The new version of Tubes also supports real-time management reporting through Splunk, allowing systems administrators to monitor and analyze application access from a graphical dashboard.

For example, information such as the patterns of access to specific applications can be used to identify suspicious online behavior, and response time data can be analyzed to assist capacity planning and performance management.

Tubes management reporting also supports business intelligence and reporting tools, including TIBCO JasperReports and Oracle Business Intelligence.

Tubes is a session management solution that provides secure, user-friendly access to mainframe applications. From a single sign-on, users can log in to all the applications they are authorized to access and switch from one application session to another, with no loss of context.

An optional browser interface offers a way to web enable mainframe applications; users are no longer tied to a computer running a terminal emulator and can access their applications from any PC or mobile device.