Kisco Rolls with 2FA, Revs Network Security Tool
May 20, 2015 Alex Woodie
Data security isn’t just nice to have–it’s the law in most industries. One of the best ways to keep unauthorized users from snooping where their snouts don’t belong is two-factor authentication (2FA), which requires users to have two pieces of identifying credentials before being granted entry. A new 2FA solution for IBM i was launched recently by Kisco Information Systems, which also updated its exit point monitoring program for IBM i.
Kisco’s 2FA solution, called i2Pass, puts a roadblock in front of attempts to access IBM i assets. If the users have the correct credentials–which is the combination of their user names and passwords, as well as secret passcodes sent to enrolled email addresses–then they are granted access. If they don’t have those two pieces of authenticating material, then they are duly dispatched through a trap door in the floor. (Just kidding.)
Out of the box, i2Pass features a standard green-screen interface, which most customers will be familiar with. Alternatively, customers can take an API that Kisco provides for i2Pass and embed the 2FA process into their own custom applications.
When presented with the 5250 sign-on screen, the user is asked to enter the secret nine-digit passcode that has been generated by i2Pass (which also runs on the IBM i server) and sent to their email; alternatively, a user may have the passcode sent as a text message, provided that his or her carrier supports email-to-text capabilities.
Once they retrieve the passcode from a smartphone, a laptop, or even an Apple Watch (which functions as the second device in the 2FA scheme), they enter the secret passcode into the i2Pass interface and are granted access.
Once a passcode is used, it’s subsequently destroyed, never to be seen again. Kisco can also pre-generate a list of 2FA codes that can be used at a later time. This would be useful for situations when the user does not have access to an Internet connection or access to instant email.
Kisco president Rich Loeber says there is growing pressure to adopt security solutions like 2FA. “I think that the two-factor authentication requirement in PCI rules is providing the most push to implement this,” he tells IT Jungle, adding that auditors are pushing for solutions like this.
While i2Pass isn’t the first 2FA product in the IBM i marketplace, its 5250 interface should help it stand out from the GUI pack, Loeber says. “i2Pass provides a built-in 5250 two-factor authentication process and I don’t see that in a lot of the other offerings based on vendor website information,” he says.
Kisco also launched a new release of SafeNet/i, its network security tool for IBM i. With release 10.25, the company has added new context-sensitive source IP address controls, which give administrators more granular control over the functions that IBM i users can access. For example, a user profile might be granted access to the system for FTP, but denied access for ODBC from a given source IP address or address range.
Telnet security has also been enhanced with this release. In the past, users may have been inclined to fire up an unencrypted Telnet session to do some quick work. But that would be impossible with the latest release of SafeNet/i, which can be set up to require a Telnet session be encrypted with SSL.
Last but not least is a new type of SafeNet/i account. By setting up a “read only” administrator account, an IBM i shop can provide a place for auditors to review security settings in SafeNet/i while preventing any changes (accidental or intentional) from being made.
Pricing for 2FA starts at $495 for a single server license with 25 users. Kisco sells user licenses in 25-user bundles, and for $1,295, customers can get a license for an unlimited number of users. The software supports i5/OS V5R4 through IBM i 7.2. SafeNet/i, meanwhile, costs $2,195 for a 20-user license. For more info see www.kisco.com.