Authors:
@AMEY GOKHALE, Ratan Swami,
@SANDEEP PATILToday, Cybersecurity is very important for all organizations. It protects all types of data, such as sensitive data, personally identifiable information(PII), protected health information(PHI), personal financial information(PFI) and Intellectual Property(IP) etc, from theft and damage. Authentication plays an important role in cybersecurity, as it is an entry point defense mechanism, to protect the confidentiality of the information. It allows a system (device, software etc) to verify the identity of a user trying to connect to the system.
What is MFA?Various authentication types are available today, such as password/credentials, multi-factor, token, certificate based authentication etc. Instead of relying only on a single authentication type, organizations prefer to use combination of authentication types, for improved security.
Multi-Factor Authentication involves using two or more factors, for authenticating user requests. The factors may include the information users "know" (such as passwords or PIN-personal identification number), the information that users "have" (such as OTPs-one time passwords generated and sent to users' personal mobile or email), and unique information "about" the user (such as bio-metric or retina scans etc). There are various other factors too, which could be used in a multi-factor authentication. Combination of at least two (2FA) or more factors is recommended. MFA adds another level of security to the organization's IT infrastructure, by limiting the potential threat of stolen credentials.
MFA is gaining the groundMFA is considered as one of the simplest and yet effective mechanism, in this age of growing cybersecurity threats. It is a "visible" cybersecurity measure, that helps build trust with clients. "Cost of a Data Breach Report 2021"[1] published by IBM states that, compromised credentials was the most common initial attack vector, responsible for 20% of the data breaches, and costed $4.37 million. It also took the longest number of days to identify (250) and to contain (91), totaling 341 days. A breach caused by stolen credentials that occurred on January 1st would take until December 7 to contain. That shows the great risk associated with lost or stolen credentials, where MFA would play a vital role in mitigating this initial attack vector.
According to a Gartner report[2], by 2022, 60% of large and global enterprises, and 90% of midsize enterprises, will implement password-less methods in more than 50% of use cases. According to "IDC FutureScape: Worldwide CIO 2022 Agenda Predictions" [3], 60% of CIOs will adopt multi factor authentication mechanism by 2023, to counter the rising cybersecurity threats.
Another factor that is driving MFA implementation is NIST's Zero Trust architecture[4]. As more and more organizations start adopting "Zero Trust" framework, MFA becomes a critical requirement. One of the basic tenets (Tenet-6) of this Zero Trust cybersecurity model clearly mandates that, all resource authentication and authorization needs to be "dynamic" and "strictly enforced" before granting access. This indicates the use of multi-factor authentication for access to enterprise resources.
IBM Spectrum Scale MFA SupportIBM Spectrum Scale is an enterprise grade high performance cluster file system. Two broad categories of customers deploy it - HPC (high performance computing) and new-age Enterprise customers. Spectrum Scale is administered and configured by users/administrators with primarily 3 interfaces - CLI, GUI & REST. GUI is the predominant interface used by enterprise customers today. Hence, MFA support is currently targeted only for GUI users. IBM Spectrum Scale v5.1.1 added MFA support for GUI users in 2Q-2021. IBM Scale documentation[5] provide detailed steps for configuring MFA for GUI users. Currently, MFA is supported with "IBM Security Verify" repository. IBM Spectrum Scale customers who have also purchased IBM Security Verify, can benefit from this integration, which further enhances the security for Scale GUI users.
References[1]
https://www.ibm.com/security/data-breach[2]
https://www.gartner.com/smarterwithgartner/embrace-a-passwordless-approach-to-improve-security[3]
https://www.idc.com/getdoc.jsp?containerId=US48297821[4]
https://www.nist.gov/publications/zero-trust-architecture[5]
https://www.ibm.com/docs/en/spectrum-scale/5.1.1?topic=users-configuring-multi-factor-authentication-gui