IBM Support

Multi-Factor Authentication with PowerSC


This professional consulting service assists clients with deploying Multi-Factor Authentication (MFA) to mitigate the risk of a data breach caused by compromised credentials. PowerSC Multi-Factor Authentication (PMFA) provides numerous flexible options for implementing MFA on Power. PMFA is implemented as a Pluggable Authentication Module (PAM) and can be used on AIX, VIOS, RHEL, SLES, IBM i, HMC, and the PowerSC Graphical User Interface server.

One of the most important security measures for mitigating security risk is MFA. The National Institute of Standards and Technology (NIST) defines MFA as authentication that uses two or more factors to achieve authentication. Factors include "something that you know", such as a password or personal identification number; "something that you have", such as a cryptographic identification device or a token; and "something that you are", such as a biometric. (1)

Multiple consulting service options are available for this service. Options range from a minimal proof-of-concept (PoC) to full deployment across the entire enterprise.

Relevance to "Cost of a Data Breach 2023" (2)

  • Use of stolen or compromised credentials was the initial attack vector in 15% of all breaches. (2)
  • IBM Security recommends:
    "As organizations continue to move further into hybrid multicloud operations, it’s essential to deploy strong identity and access management (IAM) strategies that include technologies such as multifactor authentication (MFA), with particular focus on managing privileged user accounts that have an elevated access level." (2)

Recommendations for MFA

  • The Center for Internet Security (CIS) recommends that all organizations use MFA for "externally exposed applications", "remote network access", and "administrative access". (4)
  • Jen Easterly, Director of the Cybersecurity & Infrastructure Security Agency (CISA), said, “Implementing MFA can make you 99% less likely to get hacked”. (5)
  • Microsoft stated that 99% of breaches can be prevented by multi-factor authentication. (6)

Relevance to Zero Trust

  • The National Security Agency states, "Zero Trust requires strong authentication for user and device identities. Use of strong multi-factor authentication of users, which is recommended for Zero Trust environments, can make stealing the user's credentials more difficult in the first place." (7)
  • A tenet of Zero Trust Architecture (ZTA) is that "all resource authentication and authorization are dynamic and strictly enforced before access is allowed". NIST goes on to state that "an enterprise that is implementing a ZTA would be expected to have Identity, Credential, and Access Management (ICAM) and asset management systems in place." ZTA includes the use of "multi-factor authentication for access to some or all enterprise resources." (8)
  • The Cybersecurity & Infrastructure Security Agency (CISA) describes different types of MFA that can be used at different stages of the Zero Trust Maturity Model (ZTMM). (9)
  • "As part of long- and intermediate-term plans to apply Zero Trust principles, CISA encourages all organizations to implement phishing-resistant MFA." (10)

Technical Details
  • Supports numerous MFA types, including "phishing-resistant MFA" (11)
  • Supports Single Sign-On (SSO) by using the OpenID Connect (OIDC) protocol
  • Numerous multi-factor policy configurations possible
  • Centralized management provided by using the PowerSC MFA Server
  • Automation supported by using the REST API
  • Numerous PMFA Client configuration options that provide flexibility and ease of use
  • Supports high availability by using PMFA server streaming replication
  • Supports Payment Card Industry Data Security Standard (PCI DSS) MFA implementation requirements

Authentication Methods Supported
  • TOTP (for example, IBM TouchToken for iOS)
  • Generic TOTP (for example, IBM Verify, Google Authenticator, Duo Mobile)
  • SafeNet RADIUS
  • RSA SecurID
  • RSA SecurID RADIUS
  • Gemalto SafeNet RADIUS
  • Generic RADIUS
  • YubiKey
  • PIV/CAC or X.509 Certificate
  • IBM Security Verify Access
  • LDAP Simple Bind
  • Local Password

Minimum Software Level Requirements (PMFA Client)
  • AIX 7.2 TL 3
  • AIX 7.3
  • VIOS 2.2.5.20
  • RHEL 8.x (Power LE and x86_64)
  • NOTE: RHEL 9 is not currently supported
  • SLES 15 (Power LE and x86_64)
  • IBM i 7.2
  • HMC V9R1.921
  • Virtual HMC V9.1.940
  • PowerSC Graphical User Interface Server 1.2.0.2

Common Use Cases
  • Organizations needing to comply with regulatory or industry-specific requirements, such as PCI DSS
  • Organizations wanting to eliminate weak authentication methods, such as using passwords only
  • Organizations wanting to better protect sensitive data by ensuring only authorized personnel can access their systems
  • Organizations wanting to implement stronger authentication for remote and all administrative access
  • Organizations seeking to reduce the security risk of one of the top causes of a data breach: compromised login credentials
  • Organizations wanting to implement SSO for the PowerSC Graphical User Interface server using PowerSC MFA and OIDC
  • Organizations wanting to automate PMFA by using KSH, the REST API, or Ansible

Engagement Process
  • Consultant arranges prep call to discuss requirements, scheduling, and agenda
  • Consultant works with client to install and configure PowerSC MFA in client environment
  • Consultant provides advice on best practice implementation
  • Consultant works with client to verify the PMFA functions that are most important to the client
  • Consultant provides presentations to facilitate knowledge transfer

Deliverables
  1. Presentation Slides – an electronic copy of all presentation slides
  2. Configuration documents – an electronic copy of configuration documents

References
  1. NIST. Computer Security Resource Center - Glossary: MFA.
    https://csrc.nist.gov/glossary/term/mfa
  2. Ponemon Institute. Cost of a Data Breach Report 2023. (July 2023)
  3. National Security Agency. Advancing Zero Trust Maturity Throughout the User Pillar. (April 2023)
  4. Center for Internet Security. CIS Controls v8 Guide, p. 25-26. (2021)
  5. Jen Easterly, Director of CISA.
    https://www.cisa.gov/MFA
  6. Melanie Maynes, Senior Product Marketing Manager, Microsoft Security. One Simple Action You Can Take to Prevent 99.9 percent of attacks on your accounts. (2019)
    https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
  7. National Security Agency. Embracing a Zero Trust Security Model. (Feb 2021)
  8. Scott Rose, Oliver Borchert, Stu Mitchell, Sean Connelly. NIST Special Publication 800-207: Zero Trust Architecture, p. 7. (2020)
  9. CISA. Zero Trust Maturity Model v2.0. (April 2023)
    https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
  10. CISA. Implementing Phishing-Resistant MFA. (October 2022)
    https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
  11. Lance Spitzner. SANS - What is Phishing Resistant MFA? (October 2022)
    https://www.sans.org/blog/what-is-phishing-resistant-mfa/
For questions, please contact the AIX/Linux Security consultant, Stephen Dominguez, at email



Document Information

Modified date: 10 July 2024

UID: ibm16592281