In these times of rapid digital transformation and unprecedented global challenges, organisations are navigating new business complexities. Alongside this, the shift to a predominantly digital work environment has introduced significant security concerns. Protecting account access has become more critical than ever.
IBM Storage Copy Data Management often stores sensitive data on behalf of its users. As such, organisations using IBM Storage Copy Data Management want to ensure that administrators and users attempting to connect really are who they claim to be, and not an impostor trying to break into the server to steal or destroy data.
Historically, SCDM has relied on passwords to authenticate administrators. Over time, we have strengthened password requirements by:
- removing the ability to disable passwords, so that passwords are required at all times
- allowing use of third-party LDAP servers to enforce strong password rules
- increasing default minimum password length even when not using LDAP for authentication
Despite our efforts to make passwords more secure, the fact is that they are just one kind of proof of identity. And since passwords are often lost, stolen, guessed, or cracked via brute force methods, they don't form an especially solid foundation on which to secure the server. Which takes us to Multi-Factor Authentication (MFA).
Understanding Multi-Factor Authentication
Wikipedia defines Multi-Factor Authentication (MFA) as an electronic authentication method requiring users to provide two or more pieces of evidence before accessing a website or application. At IBM, we prioritize the protection of customer data, making security the core of every product and solution we develop.
MFA is now a critical component of IBM® Storage Copy Data Management’s login security. Starting with IBM® Storage Copy Data Management 2.2.21, you can set up multi-factor authentication (MFA) on new and existing IBM® Storage Copy Data Management user accounts.
This allows users to secure accounts through additional verification methods such as authentication apps, security keys, or biometric authentication. This balance between security and user convenience makes MFA one of the simplest and most effective ways to safeguard critical data. Best of all, it’s available to all our customers at no additional cost.
Think of MFA as a combination of two factors: first, something you know, like your login credentials, which rarely change; and second, something you have, like an authenticator app or a security key, which frequently changes and generates random codes. This dual-layer approach makes it highly unlikely for attackers to gain access to your accounts.
The question isn’t whether to implement MFA, but rather how soon to embrace it to secure your entire integration infrastructure.
Setting up MFA for storage copy data management
Enabling MFA is a simple two-step process. First, the admin enables MFA for users. Once enabled, users won't be able to log in until they configure MFA. Second, users must set up at least one verification method.
Here’s how an admin can enable MFA for the entire organisation:
- Log in to IBM® Storage Copy Data Management with admin permissions and click on Configure.
- From the left navigation menu, select Access Control.
- Choose the user for whom you want to enable MFA; at this point, the MFA Actions on the toolbar will be enabled.
- Select "Enable TOTP."
- A confirmation pop-up will appear asking, "Are you sure you want to enable Time-based One-time Password (TOTP)?"
- Click "Yes" to enable.
- Success! MFA is now enabled.
Next, when users log in, they’ll be prompted to configure their verification method.
User experience with MFA
To set up MFA, users must register at least one verification method. Step one is to download and install an authenticator app on their devices. Step two is to register this method, which begins automatically upon login. To complete the setup, users must scan the displayed QR code or paste the provided URI into their authentication application. Following this step, they will enter the one-time passcode generated by the app to gain access.
After setup, users will need to provide a one-time passcode whenever they log in.
Understanding MFA user lifecycle in storage copy data management
The diagram below illustrates the lifecycle states of a user in SCDM with MFA enabled. It highlights key states such as Disabled, Enrolled, Active, and Expired, along with the transitions between them.
Authenticator Apps
Use apps like Google Authenticator or Microsoft Authenticator to generate time-based one-time passwords.
IBM does not support email, SMS, or phone-based verification methods due to their vulnerability to compromise or interception.
Conclusion
To recap, today we learned what Multi-Factor Authentication is, how it significantly improves the login security of Storage Copy Data Management, and how easy it is to set up across an organisation with just a few clicks. If you have further questions, please visit our documentation or reach out to your IBM team.
Before closing, I’d like to extend a special thanks to @Albee Jhoney @Justin Albano for their thoughtful review of this article. Grateful for your time and insights!
Thank you for reading and see you next time!