Security 101:
Multi-Factor Authentication
for IBM i
Guy Marmorat
Sales Engineering Director, Syncsort
1
Today’s Topics
1 – Password Basics
2 – Are Complex Passwords the Answer?
3 – Multi-Factor Authentication
4 – Introducing Cilasoft RAMi
5 – Options to Consider
Password Management Basics
Basics and the benefit each one brings:
• System Value for security level, QSECURITY (10, 20 & more): makes passwords required
• System Values for signon attempts, QMAXSGNACN & QMAXSIGN: protect from guessed passwords & brute force attacks
• System Value for password level, QPWDLVL (0, 1, 2, 3): strengthens passwords
• Additional System Values for password management, QPWD*: strengthen passwords
• Single Sign On & EIM: simplifies password management
• SSL, TLS: encrypts passwords
These measures provide basic security. What’s next for passwords?
3
Complex Password Issues
• Should we add more complexity to passwords? Not really.
• Why not? Because we write them down!
• Complex passwords increase costs and introduce weaknesses:
  • Management is complex
  • Management is expensive
  • Impacts productivity (re-enabling users, password changes, etc.)
• Reliance on passwords alone puts all your eggs in the same basket!
NIST’s latest Digital Identity Guidelines at https://pages.nist.gov/800-63-3/ recommend against complex password requirements.
4
Introducing Multi-Factor Authentication
Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA), uses two of the following factors:
• Something you know, or a “knowledge factor”
  • E.g. user ID, password, PIN, security question
• Something you have, or a “possession factor”
  • E.g. smartphone, smartcard, token device
• Something you are, or an “inherence factor”
  • E.g. fingerprint, iris scan, voice recognition
Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
5
Multi-Step vs. Multi-Factor Authentication
Multi-Step Authentication
• Two authentication steps are presented separately
• If authentication fails, the user knows which step failed
Flow: Step 1, User ID & Password, goes to Authentication/Verification and returns SUCCESS or FAILURE; Step 2, Passcode, goes to Verification and returns SUCCESS (Logged in) or FAILURE.
Multi-Factor Authentication
• Multiple authentication factors presented at the same time
• All factors must be validated before granting access
• If authentication fails, the user doesn’t know which factor failed
Flow: a single step, User ID, Password and Passcode together, goes to Authentication/Verification and returns SUCCESS (Logged in) or FAILURE.
Not understanding which authentication factor failed is frustrating for end users, but it is required by regulations such as PCI.
6
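The difference between the two flows above is easiest to see in code. This is an added example, not code from the deck or from any product it names; the user record, the salted password hash and the static passcode are constructed stand-ins for a real credential store and OTP service. The multi-step function reports which step failed; the multi-factor function evaluates every factor before deciding and returns a single FAILURE, which is the property the slide says PCI expects.

```python
"""Multi-step vs. multi-factor verification (added example, constructed data)."""
import hashlib
import hmac

# Constructed user record: a salted SHA-256 password hash and a static
# one-time passcode stand in for a real credential store and OTP generator.
_SALT = b"constructed-salt"
USERS = {
    "JSMITH": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
        "passcode": "482913",
    }
}


def _check_password(user_id, password):
    """Knowledge factor: constant-time compare of the salted hash."""
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    rec = USERS.get(user_id)
    if rec is None:
        # Hash was still computed, so an unknown user costs the same as a known one.
        return False
    return hmac.compare_digest(candidate, rec["pw_hash"])


def _check_passcode(user_id, passcode):
    """Possession factor: constant-time compare against the expected passcode."""
    rec = USERS.get(user_id)
    if rec is None:
        return False
    return hmac.compare_digest(passcode, rec["passcode"])


def multi_step_login(user_id, password, passcode):
    """Step 1 checks the knowledge factor, step 2 the possession factor.
    The caller learns which step failed: the multi-step behaviour."""
    if not _check_password(user_id, password):
        return "FAILURE: step 1 (user ID and password)"
    if not _check_passcode(user_id, passcode):
        return "FAILURE: step 2 (passcode)"
    return "SUCCESS: logged in"


def multi_factor_login(user_id, password, passcode):
    """All factors are collected up front and every one is evaluated before a
    decision is made, so a failure reveals nothing about which factor was wrong."""
    pw_ok = _check_password(user_id, password)
    code_ok = _check_passcode(user_id, passcode)
    if pw_ok and code_ok:
        return "SUCCESS: logged in"
    return "FAILURE"


if __name__ == "__main__":
    print(multi_step_login("JSMITH", "correct horse", "000000"))   # names the failed step
    print(multi_factor_login("JSMITH", "correct horse", "000000"))  # bare FAILURE
```

Note that `multi_factor_login` deliberately does not short-circuit: both checks run even when the first one fails, so response content and timing are the same whichever factor was wrong.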
Why Is Multi-Factor Authentication Required?
• MFA supports the requirements of numerous industry and governmental regulations
• Multi-Factor Authentication is required by
  • PCI-DSS 3.2
  • 23 NYCRR 500
  • FFIEC
• MFA is mentioned, or the benefits of MFA are implied, for:
  • HIPAA
  • Swift Alliance Access
  • GDPR
  • SOX
  • GLBA
  • And more
• Selective use of MFA is a good security practice. You may be required to use it tomorrow, if you’re not already using it today.
7
Why Adopt Multi-Factor Authentication?
• Regulations are evolving to require or recommend MFA. Consult the latest documentation for the regulations that impact your business!
• MFA avoids the risks and costs of:
  • Weak passwords
  • Complex passwords
• MFA is a good security measure when:
  • It is customizable and simple to administer
  • End user adoption is easy
• MFA can support internal strategy and legal requirements
  • BYOD (Bring Your Own Device) vs COPE (Corporate Owned, Personally Enabled)
• Multi-Factor Authentication is the direction!
8
Authentication Options
Authentication options, beyond the basic factor that the user knows, are delivered by:
• Smartphone app
• Email
• Phone call
• SMS/text message (see box)
• Hardware device such as fobs or tokens
• Biometric device
Authentication services generate codes delivered to the user. For example:
• RADIUS compatible (RSA SecurID, Entrust, Duo, Vasco, Gemalto, and more)
• RFC 6238 TOTP (Microsoft Authenticator, Google Authenticator, Authy, Yubico, and more)
• Others (TeleSign, and more)
9
Use of SMS for Authentication: PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk.
Key Features to Look for in an IBM i MFA Solution
• Option to integrate with the IBM i signon screen
• Ability to integrate MFA with other IBM i applications or processes
• Multiple authentication options that align with your budget and current authenticators
• Certification by a standards body (e.g. RSA, NIST)
• Rules that enable MFA to be invoked for specific situations or user criteria such as:
  • Group profiles, special authorities
  • IP addresses, device types, dates and times
  • And more
• Real risk-based authentication policy (integrated with Access Control and Elevated Authority)
10
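The rule criteria on this slide (group profiles, special authorities, IP addresses, device types, dates and times) map naturally onto a small policy evaluator that decides, per signon, whether the password alone is enough or MFA must be invoked. The block below is an added example and not the rule syntax of RAMi or any other product; the signon context fields, the trusted network, the business-hours range and the group names are constructed for illustration. The special authority names *ALLOBJ, *SECADM and *SERVICE are real IBM i special authorities.

```python
"""Rule-driven MFA step-up decision for an IBM i signon (added example, constructed policy)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class SignonContext:
    """What the signon exit knows at the moment the user presents a password."""
    user: str
    group_profiles: set         # e.g. {"PAYROLL"}
    special_authorities: set    # e.g. {"*ALLOBJ", "*SECADM"}
    source_ip: str
    device_type: str            # e.g. "5250", "ODBC", "FTP"
    when: datetime


# Constructed policy values; a real deployment would load these from configuration.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
PRIVILEGED_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*SERVICE"}
SENSITIVE_GROUPS = {"PAYROLL", "FINANCE"}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59, Monday to Friday


def off_network(ctx: SignonContext) -> bool:
    """IP address criterion: connection does not originate inside a trusted network."""
    addr = ip_address(ctx.source_ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def privileged_authority(ctx: SignonContext) -> bool:
    """Special authority criterion: profile holds a high-impact special authority."""
    return bool(ctx.special_authorities & PRIVILEGED_AUTHORITIES)


def sensitive_group(ctx: SignonContext) -> bool:
    """Group profile criterion: user belongs to a group that handles sensitive data."""
    return bool(ctx.group_profiles & SENSITIVE_GROUPS)


def outside_hours(ctx: SignonContext) -> bool:
    """Date/time criterion: signon outside business hours or at the weekend."""
    return ctx.when.weekday() >= 5 or ctx.when.hour not in BUSINESS_HOURS


def non_5250_device(ctx: SignonContext) -> bool:
    """Device type criterion: anything other than an interactive 5250 session."""
    return ctx.device_type != "5250"


# Ordered list of (rule name, predicate); every rule is evaluated so the
# audit record can list all the reasons MFA was demanded, not just the first.
RULES = [
    ("off-network", off_network),
    ("privileged-authority", privileged_authority),
    ("sensitive-group", sensitive_group),
    ("outside-hours", outside_hours),
    ("non-5250-device", non_5250_device),
]


def mfa_reasons(ctx: SignonContext) -> list:
    """Names of the rules that fired; an empty list means password-only signon is allowed."""
    return [name for name, predicate in RULES if predicate(ctx)]


def mfa_required(ctx: SignonContext) -> bool:
    return bool(mfa_reasons(ctx))


if __name__ == "__main__":
    ctx = SignonContext("JSMITH", {"PAYROLL"}, set(), "203.0.113.9", "ODBC",
                        datetime(2019, 6, 15, 22, 0))  # constructed: Saturday night, off-net
    print(mfa_required(ctx), mfa_reasons(ctx))
```

Evaluating every rule rather than stopping at the first match costs nothing and gives the auditing side (slide 13) the full list of triggers for each step-up, which is what a reviewer needs when tuning the policy.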
Introducing RAMi – Cilasoft Reinforced Authentication Manager for i
• Delivers powerful, flexible multi-factor authentication for IBM i
• Options to initiate from the 5250 signon or on-demand
• Options for multi-factor or two-step authentication
• Provides support for multiple authentication methods
• Enables self-service profile re-enablement and self-service password changes
• Supports the Four Eyes Principle for supervised changes
• RSA certified
[Screenshot: login dialog with Username, Password and Token Code fields and Login / Cancel buttons]
11
Supports Multiple Authentication Methods
Cilasoft authentication
• Token is transmitted by email and/or popup
• Recommended for less demanding environments where cost is an issue
RADIUS authentication
• RADIUS client ported natively on IBM i via RAMi
• Recommended for organizations that choose to use
  • Their own RADIUS server
  • Another solution based on RADIUS
RSA SecurID authentication
• RAMi is certified with RSA SecurID (on-prem and cloud, software tokens, hardware tokens, push, biometrics)
• Can provide a SID different from the user name
12
Syncsort Security
For all your security and compliance needs!
Sensitive Data Protection: Protecting the privacy of sensitive data by ensuring that it cannot be read by unauthorized persons, using encryption, tokenization and secure file transfer
Intrusion Detection/Prevention: Ensuring comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Security & Compliance Assessments: Assessing your security risks or regulatory compliance
Auditing and Monitoring: Gaining visibility into all security activity on your IBM i and optionally feeding it to an enterprise console
13
Q&A
Learn more at
www.syncsort.com/en/assure