Given that a single security breach can cost USD 4 million on average, isn’t it time to stop relying on passwords alone? This financial services firm sought a better way to keep key systems protected.
The company uses IBM Multi-Factor Authentication for z/OS to add extra layers of protection to the logon process, safeguarding critical data and systems against unauthorized access.
Helps ensurethat only authorized users have access to key data and systems
Reduces riskof costly and reputation-damaging security breaches
Simplifiesauthentication management to save IT teams time and effort
Business Challenge story
Stepping up security
Data breaches are on the rise in financial services: a recent study by IBM found that more than 200 million financial services records were compromised throughout 2016, and that the sector was attacked more than any other industry.
What’s more, insider involvement accounted for the majority of these breaches, most of it inadvertent. Cyber criminals can compromise employees’ computers through malicious email attachments, clickjacking or phishing; they also leverage stolen or weak passwords to gain unauthorized access to an organization’s IT systems.
As a leading global provider of institutional investment services, this firm is well aware of the huge threat that cybercrime poses to its operations—and of the need for a robust line of defense against security risks.
A spokesperson begins: “Having great security is important for every organization. It’s an even bigger priority for a financial services firm like ourselves, where clients are entrusting us with their funds, as there’s a lot more at stake if our systems are compromised.”
While the firm has always taken a holistic, proactive stance to mitigating security threats, it felt that there was one area in particular with room for improvement: user access and authentication.
“We were still relying on the classic approach for authentication in our IBM Z environment—using passwords,” says the spokesperson. “While we always make sure to stress the need for users to create strong passwords, and to never write them down or share them with anyone else, it is difficult to ensure that people adhere to these standards.
“We needed to eliminate the possibility of these human risks occurring, and find a way to make absolutely sure that only authorized people were accessing our critical data and applications on the IBM Z platform. We were already using a two-factor authentication system, including the use of RSA SecurID tokens, and we wanted to extend this to our core banking environment.”
Enhanced authentication controls
The investment management firm decided to introduce IBM Multi-Factor Authentication for z/OS (IBM MFA). This solution raises the level of assurance of z/OS systems by requiring multiple authentication factors from users during the logon process.
Crucially for the company, IBM MFA integrates directly with IBM z/OS Security Server Resource Access Control Facility (RACF®), which it was already using to manage access on its local area network.
A spokesperson recalls: “When we saw an ad for the IBM MFA solution, and realized that it could work with RACF, we jumped at the chance to deploy it. Choosing IBM MFA meant that we weren’t locked in to using a specific set of authentication factors, and it was easy to integrate with our existing access and authentication management landscape.”
Together, IBM MFA and RACF help to create a layered defense by requiring selected IBM z/OS users to authenticate with multiple authentication factors. These can include:
- Something they know: A password or security question
- Something they have: An ID badge or cryptographic token device
- Something they are: Biometric details such as a fingerprint or iris scan
Requiring multiple authentication factors makes it much more difficult for users’ accounts to be compromised. Even if one of their authentication factors is discovered, there are still other layers of defense that a potential attacker needs to get through.
The firm can define which factors should be used for authentication at the user level, delivering a very nuanced level of control over access management. For example, one user might be required to use a password, security token and a PIN at login, while another might provide a password and a fingerprint.
Additionally, IBM MFA offers built-in support for RSA SecurID tokens, including hard tokens and software-based tokens.
“The fact that IBM MFA supports RSA SecurID was a great advantage for us, as we could protect our existing investment in the solution,” says a spokesperson. “We’re currently working to move from using hard tokens to the RSA SecurID Software Token for iOS. This will allow users to obtain authentication codes from their smartphone, instead of a separate physical token, which is much more convenient.”
With IBM MFA, the financial services firm can manage authentication in a more straightforward and controlled way, freeing its IT security team to focus on more strategic work that further strengthens enterprise protection.
One area where IBM MFA is making life easier for IT staff is around out-of-band authentication (OOBA), a form of two-factor authentication where a secondary verification key is sent through a separate communication channel.
A spokesperson explains: “Unfortunately, we still have to contend with some legacy systems that won’t support two-factor authentication, such as an application that only accepts eight-character passwords. The inclusion of support for OOBA in the IBM MFA solution gives us the flexibility to work around these kinds of restrictions and makes it relatively easy to hook OOBA into legacy applications. Using this approach increases security while buying us time to update the legacy applications.”
Introducing more rigorous access and authentication controls helps the company more easily address ever-increasing regulatory requirements.
“As a financial services company, the regulations we face are only getting more and more rigorous,” notes a spokesperson. “Investing in solutions like IBM MFA helps us stay one step ahead, and drive a more consistent, auditable approach to authentication management.”
Ultimately, a stronger authentication strategy strengthens the financial services firm’s broader security posture, harnessing multiple layers of defense to hinder unauthorized users from accessing sensitive data and systems.
A spokesperson concludes: “We believe that having IBM MFA as one of the pillars of our security strategy makes us more secure as an organization. Threats are evolving all the time, and adding to our levels of defense with leading technology like IBM MFA helps us stay ahead of the curve to keep our business and clients protected.”
Leading financial services provider
This financial services firm provides solutions and services to meet the needs of institutional investors, including investment servicing, investment management, and investment research and trading. It manages trillions of dollars in assets for clients all over the world.
- Banking: Risk & Compliance
Take the Next Step
To learn more about IBM Security, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/security
To learn more about IBM Z, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/z/security