Mainframe security has long carried a reassuring reputation: stable, resilient, and secure by design. But the conversation has shifted. Today, the biggest risks aren't tied to the platform itself – they're tied to how users access it. Three themes are emerging with increasing urgency across the industry: uneven MFA adoption, modernization efforts centered on identity controls, and regulatory frameworks making strong authentication non-negotiable. Together, they reveal where mainframe security is heading – and where the gaps still remain.

The MFA gap is becoming harder to ignore
Organizations have made real progress on MFA adoption, but the finish line isn't in sight yet. Around 83% still rely on passwords for at least some systems, and a meaningful share of users remain without full MFA coverage. That gap has real consequences: stolen credentials now account for roughly 22% of breaches, making identity the single most common initial attack vector.
For mainframe teams, this dynamic is familiar. MFA integrates cleanly with RACF and z/OS – but deployment is often partial, focused on select users or specific access paths rather than applied consistently. The result is a subtle but significant exposure. Systems widely considered secure remain accessible through authentication patterns that attackers know how to exploit. The platform hasn't fallen behind. Identity practices have.

Modernization is putting identity at the center
The latest wave of mainframe modernization isn't about migrating off-platform. It's about bringing the mainframe into alignment with modern architectures and security expectations. A recent ISG report confirms that enterprises are pursuing long-term strategies that preserve and strengthen mainframes – especially in hybrid and regulated environments.
What's changed is security's role in that conversation. It's no longer a supporting consideration – it's a primary driver. Organizations are pairing application modernization and API enablement with RACF hardening, encryption, and expanded MFA deployment as foundational controls. Tooling is evolving to match. IBM zSecure 3.2 introduces capabilities like RACF user quarantine and tighter MFA data integration, making it easier to detect and respond to identity-based threats directly within the mainframe environment.
The shift is clear: modernization is no longer defined by what runs on the mainframe, but by how securely identities interact with it.

Regulation is making MFA everywhere mandatory – including the mainframe
If modernization is the strategic driver, regulation is the forcing function. PCI DSS 4.0 has significantly raised the bar, requiring multi-factor authentication for all access to cardholder data environments – with full enforcement now in effect. This marks a notable departure from earlier requirements that focused primarily on administrative or remote access. Under the new standard, MFA must be universal, covering both privileged and non-privileged users regardless of where the system resides.
Crucially, that includes mainframe environments. Organizations can no longer treat z/OS as an exception or rely solely on RACF-based authentication to satisfy auditors. Compliance now depends on demonstrating that strong authentication is consistently enforced across every system handling sensitive data. In practice, MFA coverage must be auditable, provable, and aligned with enterprise-wide identity policies – not selectively applied.

Closing thoughts
These trends point to a straightforward but important reality: the mainframe security conversation has moved on from platform strength. It's now about the strength of access controls. MFA gaps represent measurable risk. Modernization efforts are putting identity at the heart of transformation. And regulatory frameworks are ensuring that strong authentication is no longer optional.
For security practitioners, this creates both pressure and opportunity. The tools to secure mainframe identity already exist – what's expected now is that they're fully implemented, fully integrated, and consistently enforced.
