
Modern IAM meets legacy systems: Closing the mainframe security gap

For many organizations, the mainframe remains a workhorse—processing 90% of credit card transactions and serving as the system of record for critical financial data. But its security infrastructure often operates in isolation.

While corporate IT environments adopt tools like Okta or Azure AD to manage identities, mainframe access still relies on older systems like RACF, ACF2, or Top Secret. The result? A dangerous IAM blind spot where MFA is difficult to enforce, audit trails are disconnected, and attackers can exploit silos.

According to Rocket Software, a majority of security teams don’t even realize their IAM coverage doesn’t extend to the mainframe. It’s not a matter of poor security hygiene—mainframe teams often think they’ve got it covered. The problem is that enterprise security leaders can’t get visibility or enforce modern controls across all systems, especially when IAM is fragmented.

Why current workarounds aren’t enough

Many organizations try to bolt MFA onto the mainframe by adding IBM’s zMFA or similar tools. But this adds complexity—users now face multiple login flows, credentials, and inconsistent MFA experiences. Worse, some organizations still leave “backdoor” paths open that bypass these protections altogether, leaving the door open to credential theft, fake workers, and other insider threats.

The security team may have MFA in place at the enterprise level—but attackers only need to find one weak link. Without integration, you can’t enforce conditional access policies (like location-based restrictions) or use behavioral analytics to detect anomalies. You also can’t guarantee that every user has the minimum access necessary, violating core Zero Trust principles.

Solution: Defense-in-depth with modern integration

Rocket Software’s approach is to modernize mainframe security without disrupting existing systems. Their tools enable organizations to integrate mainframe IAM with their enterprise IAM infrastructure—so that controls like SSO, MFA, and conditional access policies can apply before a user ever reaches the mainframe.

It’s a defense-in-depth model: authenticate and authorize users in the enterprise IAM (e.g., Okta), then validate access through the mainframe’s existing systems. The result is a seamless experience for users—and a consistent, enforceable security policy for teams. With standards-based integration (SAML, OIDC, OAuth 2.0), organizations can also future-proof against regulatory shifts like PCI DSS 4.0, DORA, or HIPAA MFA requirements.
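As an added example of the defense-in-depth model above (not Rocket Software's code or product), a minimal policy check a gateway could run between the enterprise IdP and the mainframe. It assumes the OIDC ID token's signature was already verified by a JOSE library, uses placeholder issuer, audience and network values, and applies a simplified RACF user-ID rule.

```python
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Placeholder policy values for a hypothetical gateway (constructed, not real).
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "mainframe-gateway"
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]   # location-based restriction
FIXED_NOW = 1_700_000_000                        # fixed clock for the sample

# Constructed ID-token claims as they would arrive after signature verification.
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                 "exp": FIXED_NOW + 300, "amr": ["pwd", "mfa"],
                 "preferred_username": "jdoe"}

@dataclass
class Decision:
    allowed: bool
    racf_user: str = ""
    reasons: list = field(default_factory=list)

def to_racf_userid(username: str) -> str:
    """RACF user IDs are 1-8 characters; this simplified check accepts only
    uppercase A-Z/0-9 and rejects rather than truncates, so two enterprise
    identities can never silently collapse onto one mainframe ID."""
    uid = username.upper()
    if not (1 <= len(uid) <= 8) or not uid.isalnum():
        raise ValueError(f"cannot map {username!r} to a RACF user ID")
    return uid

def authorize(claims: dict, source_ip: str, now: float = None) -> Decision:
    """Enterprise-side checks (SSO, MFA, conditional access) that must all pass
    before the request is handed to the mainframe's own security manager."""
    now = time.time() if now is None else now
    d = Decision(allowed=False)
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != EXPECTED_ISSUER:
        d.reasons.append("wrong issuer")
    if EXPECTED_AUDIENCE not in aud:
        d.reasons.append("wrong audience")
    if claims.get("exp", 0) <= now:
        d.reasons.append("token expired")
    if "mfa" not in claims.get("amr", []):   # amr per RFC 8176
        d.reasons.append("MFA not performed")
    if not any(ip_address(source_ip) in n for n in ALLOWED_NETWORKS):
        d.reasons.append("source network not permitted")
    try:
        d.racf_user = to_racf_userid(claims.get("preferred_username", ""))
    except ValueError as e:
        d.reasons.append(str(e))
    d.allowed = not d.reasons
    return d
```

A request that reaches the mainframe directly, bypassing this gateway, is exactly the "backdoor" path the article warns about, so the mainframe side should accept only connections originating from the gateway.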

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
