Time To Get Your 2FA On, IBM i Admins
April 3, 2017 Alex Woodie
System administrators working in regulated industries will soon be required to sign in to servers using two-factor authentication (2FA), according to the latest PCI requirement. The industry regulation will impact administrators working with all types of computer systems, and will likely be enforced in late 2017 or early 2018, security experts say.
In prior versions of the Payment Cardholder Industry Data Security Standard (PCI DSS), only remote administrators were required to use 2FA, which bolsters the security of the sign-on process by requiring users to show “something you know,” like a password, as well as “something you have,” like a hardware key fob or an automatically generated code.
But when PCI DSS version 3.2 was released late last year, the standards body changed that rule, and now requires all administrators – even those signing on locally – to use 2FA, or multi-factor authentication, as the group prefers to call it.
This change was made in response to the evolving cybersecurity threat in the corporate landscape, says Patrick Townsend, CEO and founder of Townsend Security.
“The thinking is that anyone with administrative privileges, whether they are local or not, represents a risk in that environment,” Townsend tells IT Jungle. “So many attacks now involve compromising a user’s PC. I’m sitting here right now and I’ve got access to IBM i servers. If I have administrative capability and my PC gets infected, in essence I’ve given the attackers a way to get to that environment.”
By requiring all admins to take the extra authentication steps that 2FA entails, the PCI standards body hopes to add one more layer of protection around sensitive data stores. “What the guidance is reflecting is just an understanding that the attacks are distributed,” Townsend says. “Every PC, every server inside your organization, is an attack point against credit card data. And so everybody who can log in – no matter from where – should use 2FA.”
For now, the PCI group is not requiring end users who are involved with credit card data – such as a customer service agent who places orders into a system – to use 2FA. There are other elements of the PCI DSS that cover the use of powerful authorities, and if a company is adhering to them properly, then regular users will not be given user profiles that give them super-user capabilities.
Because administrators do have that kind of access, it’s important to lock down use of those user profiles, Townsend says. “The assumption is that that CSR doesn’t natively have administrative authority on the IBM i server,” he says. “But if I’m an IBM i QSECOFR or if I have ALLOBJ authority, if I’m highly privileged and there’s credit card processing going on there, then yes, those people have to implement 2FA with the system.”
PCI DSS version 3.2 was issued last fall. The PCI standards body typically gives the industry a cushion of six to 12 months to implement its guidance before it starts requiring adherence to the new regulations, so the clock is ticking. “We’re in the transition period now but it will become a hard requirement probably early next year,” Townsend says.
While security firms like RSA have been building 2FA systems that use random number generators for decades, it’s still a relatively new phenomenon in the wider corporate culture. American consumers have only recently started using a version of 2FA with the “chip plus PIN” authentication method, where the PIN represents “something you know” and the chip on the card represents “something you have.”
Three years ago, Townsend Security launched a 2FA solution for IBM i called Alliance Two Factor Authentication that uses an auto-generated PIN sent to the user via SMS as the second piece of the 2FA puzzle. Sales of the product have been modest, but Townsend expects business to pick up once the PCI puts some teeth behind its guidance.
“Nobody wakes up saying ‘Gee, I really want to do a security project today.’ People tend to be quite reactive,” Townsend says. “I think your average customer, whether they’re IBM i or not, tends to put these projects off until they absolutely have to do them. That’s just the world we live in.”