
Multi-Factor Authentication with PowerSC

This professional consulting service assists clients with deploying Multi-Factor Authentication (MFA) for mitigating the risk of data breach caused by compromised credentials. PowerSC Multi-Factor Authentication (PMFA) provides numerous flexible options for implementing MFA on Power. PMFA is implemented with a Pluggable Authentication Module (PAM), and can be used on AIX, VIOS, RHEL, SLES, IBM i, HMC, and PowerSC Graphical User Interface server.

One of the most important security measures for mitigating security risk is MFA. The National Institute of Standards and Technology (NIST) defines MFA as authentication that uses two or more factors. Factors include "something that you know", such as a password or personal identification number; "something that you have", such as a cryptographic identification device or a token; and "something that you are", such as a biometric. (1)

Multiple consulting service options are available for this service. Options range from a minimal proof-of-concept (PoC) to full deployment across the entire enterprise.

Relevance to "Cost of a Data Breach 2023" (2)

Recommendations for MFA

Relevance to Zero Trust


Technical Details
  • Supports numerous MFA types, including "phishing-resistant MFA" (11)
  • Supports Single Sign-On (SSO) by using OpenID Connect Protocol (OpenID)
  • Numerous multi-factor policy configurations possible
  • Centralized management provided by using the PowerSC MFA Server
  • Automation supported by using REST API
  • Numerous PMFA Client configuration options that provide flexibility and ease of use
  • Supports high availability using PMFA server streaming replication
  • Supports Payment Card Industry Data Security Standard (PCI DSS) MFA implementation requirements

Authentication Methods Supported
  • TOTP (for example, IBM TouchToken for iOS)
  • Generic TOTP (for example, IBM Verify, Google Authenticator, Duo Mobile)
  • SafeNet RADIUS
  • RSA SecurID
  • RSA SecurID RADIUS
  • Gemalto SafeNet RADIUS
  • Generic RADIUS
  • YubiKey
  • PIV/CAC or X.509 Certificate
  • IBM Security Verify Access
  • LDAP Simple Bind
  • Local Password

Minimum Software Level Requirements (PMFA Client)
  • AIX 7.2 TL 3
  • AIX 7.3
  • VIOS 2.2.5.20
  • RHEL 8.x (Power LE and x86_64)
  • NOTE: RHEL 9 is not currently supported
  • SLES 15 (Power LE and x86_64)
  • IBM i 7.2
  • HMC V9R1.921
  • Virtual HMC V9.1.940
  • PowerSC Graphical User Interface Server – 1.2.0.2

Common Use Cases
  • Organizations needing to comply with regulatory or industry-specific requirements, such as PCI DSS
  • Organizations wanting to eliminate weak authentication methods, such as using passwords only
  • Organizations wanting to better protect sensitive data by ensuring only authorized personnel can access their systems
  • Organizations wanting to implement stronger authentication for remote and all administrative access
  • Organizations seeking to reduce the security risk of one of the top causes of a data breach: compromised login credentials
  • Organizations wanting to implement SSO for the PowerSC Graphical User Interface server using PowerSC MFA and OIDC
  • Organizations wanting to automate PMFA using KSH, the REST API, or Ansible

Engagement Process
  • Consultant arranges prep call to discuss requirements, scheduling, and agenda
  • Consultant works with client to install and configure PowerSC MFA in client environment
  • Consultant provides advice on best practice implementation
  • Consultant works with client to verify the PMFA functions that are most important to the client
  • Consultant provides presentations to facilitate knowledge transfer

Deliverables
  1. Presentation Slides – an electronic copy of all presentation slides
  2. Configuration documents – an electronic copy of configuration documents

References
  1. NIST. Computer Security Resource Center - Glossary. https://csrc.nist.gov/glossary/term/mfa
  2. Ponemon Institute. Cost of a Data Breach Report 2023. (July 2023).
  3. National Security Agency. Advancing Zero Trust Maturity Throughout the User Pillar. (April 2023).
  4. Center for Internet Security. CIS Controls v8 Guide, p. 25-26. (2021).
  5. Jen Easterly, Director of CISA. https://www.cisa.gov/MFA
  6. Melanie Maynes, Senior Product Marketing Manager, Microsoft Security. One Simple Action You Can Take to Prevent 99.9 percent of attacks on your accounts. (2019). https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
  7. National Security Agency. Embracing a Zero Trust Security Model. (Feb 2021).
  8. Scott Rose, Oliver Borchert, Stu Mitchell, Sean Connelly. NIST Special Publication 800-207: Zero Trust Architecture, p. 7. (2020).
  9. CISA. Zero Trust Maturity Model v2.0. (April 2023). https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
  10. CISA. Implementing Phishing-Resistant MFA. (October 2022). https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
  11. Lance Spitzner. SANS - What is Phishing Resistant MFA? (October 2022). https://www.sans.org/blog/what-is-phishing-resistant-mfa/

For questions, please contact AIX/Linux Security consultant, Stephen Dominguez, at email

Document Information

Product: PowerSC Multi-Factor Authentication
Software version: All Versions
Document number: 6592281
Modified date: 10 July 2024
UID: ibm16592281