
Why Multi-Factor Authentication is essential for IBM i?

January 20, 2023
January 31, 2023

Perspective from our 20+ year IBM i security expert

A cyber insurance webinar we recently hosted revealed the top cyber security practices with the most significant impact on risk. Some of these highest-ranking practices include:  

  • Multi-Factor Authentication (MFA)
  • Data encryption (both in flight and at rest)
  • Employee security training
  • Privileged access management
  • Segregated and regularly tested backups

Taking the top spot on the list is Multi-Factor Authentication (MFA). According to our cyber insurance partner, over 70% of claims for cyberattacks could have been avoided had Multi-Factor Authentication been implemented.

What is Multi-Factor Authentication?

Multi-Factor Authentication (often shortened to 2FA or MFA) adds an extra layer of security to compensate for password challenges, such as weak passwords or overly complex passwords that users have been known to write down on paper and tape to their workstations.  

MFA provides an additional level (or levels) of identity authentication beyond the standard username/password validation we have used for years. MFA requires two or more of the following factors for authentication:

  • Something you know:  Username/password, PIN (Personal Identification Number), or security question
  • Something you have:  Smartphone or token device
  • Something you are:  Fingerprint scan, iris scan, or voice recognition

Why is MFA important?

A major cause of cyber-breach is the ability of criminals to compromise standard user authentication through sophisticated password-cracking techniques or phishing attacks. By implementing additional layers of authentication, we can ensure the user is who they say they are and reduce the risk of a successful attack.

Regulators and stakeholders recognize the importance of MFA. Today most cyber insurance policies require MFA. In addition, meeting regulatory compliance (PCI-DSS, GDPR, PIPEDA, and so on) is often dependent in part upon MFA.

Is Network Login MFA Sufficient?

Many companies only implement MFA at initial network login. This approach simplifies implementation and reduces user impact. Following this approach assumes that once a user is authenticated, they should be fine for all network access levels if they stay connected. However, this approach ignores the value of using MFA to further secure your most critical assets and processes, a fundamental factor in cyber-insurance approval, premium cost, and compliance audits.

For example, if you have a critical application that only certain users should be able to access, then adding an MFA layer when users log into that application means that someone who can bypass the network login MFA (or compromise the identity post login) has to go through yet another layer of authentication before accessing this most critical resource.

MFA for IBM i

MFA for IBM i, a third-party solution, is available from multiple vendors. It allows you to implement MFA specifically for IBM i login and target specific applications or processes running on the IBM i platform. It typically integrates with IBM exit point security as well as access control and elevated authority solutions. Most solutions utilize industry-standard authenticators such as RADIUS or RSA SecurID, although they also come with their own authenticators, if preferred.

As the IBM i platform typically runs your company’s mission-critical applications and houses highly sensitive data, it certainly deserves the extra layer of security that MFA can provide.

Common Use Cases and Best Practices

The following are two common use cases for IBM i based MFA and their corresponding implementation best practices:

  1. Your IBM i runs your corporate ERP solution. Most users in the company need to access your ERP and you don’t want to burden them with an extra MFA layer beyond the initial network login. However, some users have enhanced authority that allows them to take certain actions critical to the organization, or access information that is not available to most employees. By selectively adding MFA to those privileged users, you can ensure that if their credentials are compromised, their ERP logins are still protected.  
  2. A file contains critical information and should not be FTP’d by a user who is not the designated user. The company has implemented exit point security to ensure that only authorized user profiles can use FTP, but there is no protection if this authorized profile gets compromised. By adding an MFA step prior to executing the FTP of the file off the system, the company has added another layer of security to this process.

In Summary

The objective of implementing a native IBM i MFA solution is to add additional layers of security to your environment beyond the standard network login MFA. It is not only best practice to utilize a layered approach to implementing your IT security infrastructure, but it will help you qualify for, and reduce the cost of, your next cyber insurance policy.  

For a broader discussion and review of IBM i security, look at the following blog titled “8 IBM i Security Tips.”

Author

Brian Olson
Director, IBM Power Server – AIX and Security Solutions
Quadbridge

