IBM Security Verify Privilege Vault - Part 5 - How to secure Privilege Vault using 2FA or MFA

By Sivapatham Muthaiah posted Thu August 11, 2022 06:01 AM

Introduction - Why is 2FA or MFA needed to secure Privilege Vault?
Being a secret vault that deals with privileged access and session management, IBM Verify Privilege Vault must be hardened properly during its installation and setup. After the initial setup, access to the vault should be protected with a high-complexity password policy because of its critical nature. Even so, it is still recommended to protect the vault with 2FA or MFA, for the following reasons:

  • It acts as an additional security layer for PAM Admins as well as PAM Users. PAM Admins are the super admins responsible for managing the entire Privilege Vault setup and its user management; PAM Users are the regular administrators responsible for performing privileged tasks on servers such as Windows, Linux, AD or database machines.
  • When 2FA or MFA is used as an additional layer for logging in to the vault, it helps with compliance and audit as evidence that 'you are who you say you are', because the MFA factor is tied to a personal device or identity (biometrics, SMS OTP, etc.).
NOTE: If you are interested in the user story around this feature, please read our PAM Simplified - Blog Series - Part 5.

Two ways to enable 2FA or MFA for Privilege Vault
We have seen above why 2FA or MFA is a must-have in any secret vault setup. 2FA or MFA can be enabled in Privilege Vault in two ways: using the out-of-the-box 2FA feature, or using the Verify SaaS MFA feature.

Note:
- Although any SAML identity provider with MFA capability can be integrated, the focus of this blog is the Verify SaaS MFA integration.
- Several MFA methods are possible, such as Email OTP, FIDO2 and a TOTP authenticator app; the focus of this blog is enrolling the Verify Authenticator mobile app as the MFA method.

A. Using the out-of-the-box 2FA capability in Privilege Vault
Step-1 : How to enable 2FA and configure 2FA for PAM Users
- To enable MFA at the vault level, the configuration is made in Admin > Configuration > Login of Privilege Vault, as shown below:
- After enabling MFA at the vault level, the specific MFA method has to be configured for each user under Admin > User Management > Users > [PAM username], as shown below. Typically the PAM Admin makes this configuration for a PAM User while on-boarding him/her into the Privilege Vault system.

Step-2 : PAM User - TOTP MFA enrollment during first login after MFA is enabled
Watch the video below to understand all the steps involved in TOTP MFA enrollment.


Step-3 : PAM User - TOTP MFA authentication during subsequent logins
Watch the video below to understand MFA login using the Verify Authenticator mobile app.



B. Using the Verify SaaS MFA capability for Privilege Vault

Step-1 : How to configure MFA for Privilege Vault in Verify SaaS
- First, on-board Verify Privilege Vault as a custom application in Verify SaaS, then configure SAML Single Sign-On for the Verify Privilege Vault application in the Verify SaaS platform. This step can be completed by following the links below; the configured custom application, IBM Security Verify Privilege, looks like the screenshot below in Verify SaaS:
Verify SaaS - On-boarding a custom application
Verify SaaS - Configuring SAML Single Sign-on for a custom application

- After the application is on-boarded, enter the SAML configuration details in Verify Privilege Vault to enable SAML login for PAM Users, under Admin > Configuration > SAML of Privilege Vault, as shown below:

- Now, in Verify SaaS, an Access Policy has to be created and attached to the Verify Privilege Vault custom application to enforce 'MFA Always' for all logins, as showcased in the video below:


Step-2 : PAM User - Verify App MFA enrollment during first login
Once 'MFA Always' is configured in Verify SaaS for the Privilege Vault application, the PAM User enrolls the Verify Authenticator mobile app the first time he/she accesses Privilege Vault after the MFA configuration. The PAM User goes through the steps shown in the video below to enroll:

Step-3 : PAM User - Verify App MFA authentication during subsequent logins
After successful enrollment, the PAM User can log in to Privilege Vault again and see MFA in effect, as shown in the video below:


Summary
We have learnt how to configure the Verify Authenticator mobile app as either out-of-the-box 2FA or Verify SaaS MFA for the Privilege Vault system.
Limitations of the out-of-the-box 2FA of Verify Privilege Vault:

  1. For each PAM User, the PAM Admin has to enable a specific MFA method in the vault configuration, which is an overhead task.
  2. The PAM User has no choice of preferred MFA method; he/she has to use only the method enforced by the PAM Admin.
  3. A limited number of MFA methods is available (Email, TOTP, FIDO).
To overcome these challenges, and to have better centralized user provisioning and application management for PAM Users, Verify SaaS MFA is the better choice overall.


Learn More:
IBM Security Verify Privilege Vault Product Details
IBM Security Verify Privilege Vault Technical Documentation


For any queries, contact @Sushmita Das / @Sivapatham Muthaiah​​​​​​
