Unknown Stakeholders May Require Quicker IBM i MFA Implementation
Multi-Factor Authentication (MFA) adds an extra layer of security to IBM i systems by requiring two verification factors to access the system. MFA makes it much more difficult for unauthorized users to gain access, even if they have a stolen password.
There are two main reasons to implement IBM i MFA:
- Security: MFA provides additional user login security. By requiring two verification factors for IBM i access, MFA stops bad actors from signing on to your system just by using a stolen password.
- Compliance: Many organizations are required to implement MFA for IBM i access by government regulations, industry standards, insurance policy requirements, and other entities.
If you have not implemented IBM i MFA yet, consider determining whether your organization has any unknown MFA stakeholders and what their requirements are. By doing this, you may uncover already-existing MFA requirements and justifications for deploying IBM i MFA.
Identifying MFA stakeholders
A good start to finding unknown MFA stakeholders is to contact your current audit and regulatory entities before they contact you. Ask whether there are any new MFA requirements that your IBM i systems will now have to comply with. MFA stakeholders can be internal or external groups, including those described in the following sections.
Major MFA Stakeholders and Their MFA Requirements
There are many different entities from which MFA requirements can originate. Here are several of the most important organizations and their standards, laws, orders and directives for MFA implementation. This list is not exhaustive; it provides a starting point for determining which MFA requirements and stakeholders, known or unknown, apply to different kinds of organizations.
European Union (EU)
General Data Protection Regulation (GDPR): GDPR is a data privacy regulation that applies to all organizations that process or store the personal data of European Union residents. It imposes obligations and levies fines on any organization or entity anywhere in the world that targets or collects the personal data of EU residents. GDPR requires data processors to implement appropriate technical and organizational measures to protect personal data.
Multi-factor authentication is not considered mandatory for GDPR personal data protection. However, the European Union Agency for Network and Information Security (ENISA)’s regulation has the same level and type of rules for the protection of personal data as the GDPR, and ENISA recommends that organizations “activate multifactor authentication whenever possible for all of your accounts,” which should help satisfy GDPR data protection needs.
Gramm-Leach-Bliley Act (1999): Public Law 106-102: Gramm-Leach-Bliley requires the Federal Trade Commission (FTC), along with Federal banking agencies and other regulators, to issue regulations ensuring that financial institutions protect the privacy of consumers’ personal financial information. Part 314—Standards for Safeguarding Customer Information (67 FR 36493), under the FTC’s Commercial Practices regulations, implements the Act’s provisions and specifies that covered entities “…Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.” MFA or an equivalent control is now a requirement for entities covered by Gramm-Leach-Bliley.
Health Insurance Portability and Accountability Act (HIPAA) of 1996: 45 CFR Part 160, Part 162 and Part 164: HIPAA requirements apply to healthcare organizations in the United States. HIPAA does not explicitly spell out which authentication mechanisms to use for accessing electronic protected health information (ePHI). Technical safeguard requirements, including authentication, are contained in the HIPAA Security Rule. MFA can help organizations meet ePHI technical safeguard requirements.
Insurance Companies: Cyber Insurance Policies
Insurance companies are increasingly requiring clients to implement multi-factor authentication on organizational systems when purchasing cyber insurance coverage. Many insurance carriers have been burned by the large ransomware payouts they have had to reimburse their cyber insurance clients for, and they are adjusting their coverage accordingly.
Insurance carriers are responding to cyberattacks by:
- Requiring multi-factor authentication and other upgraded cyber protections
- Significantly raising rates for organizations without MFA
- Cancelling cyber insurance policies for organizations without MFA
In some instances, organizations are not even able to get a cyber insurance quote until their systems are protected by multi-factor authentication and other protections, such as anti-ransomware software, anti-virus software, firewalls and in-depth security risk assessments.
Cyber insurance is highly recommended for enterprise systems. It is also recommended that organizations check with their insurance companies for any hidden MFA requirements.
Payment Card Industry Data Security Standard (PCI DSS), Requirements and Testing Procedures, Version 4.0, March 2022: PCI DSS is intended for entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or that could impact the security of the cardholder data environment (CDE). PCI DSS covers all entities involved in payment card account processing. MFA requirements are listed in Section 8.4, “Multi-factor authentication (MFA) is implemented to secure access into the CDE,” and in Section 8.5, “Multi-factor authentication (MFA) systems are configured to prevent misuse.”
Publicly Traded Companies
Sarbanes-Oxley (SOX) Act of 2002: H.R. 3763: SOX applies to publicly traded United States companies, plus their subsidiaries and foreign companies doing business in the US. SOX does not explicitly mandate MFA or two-factor authentication (2FA). SOX sections 302 and 404 are frequently cited as requiring adequate internal controls to ensure accurate financial reporting, a requirement that MFA can help satisfy.
United States Department of Defense (DoD)
Cybersecurity Maturity Model Certification (CMMC) and DFARS: CMMC is a cybersecurity certification program developed by the DoD. The CMMC program (CMMC 1.0) was published as an interim rule for the Defense Federal Acquisition Regulation Supplement (DFARS) in September 2020 with a five-year phase-in period. CMMC requires organizations to implement MFA for all users who access Controlled Unclassified Information (CUI). After its rulemaking codification, CMMC 2.0 is expected to be required for all contractors who work with the DoD.
Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR): DFARS specifies cybersecurity regulations that DoD contractors and suppliers must follow to be awarded DoD contracts. DFARS was mandated to regulate the use and dissemination of Controlled Unclassified Information (CUI).
DFARS contractors must adhere to National Institute of Standards and Technology (NIST) Special Publication 800-171, which requires DoD contractors to implement MFA for local and network access to privileged accounts and for network access to non-privileged accounts (section 3.5.3) in order to protect CUI.
United States Federal Government
United States Government, Executive Order 14028 of May 12, 2021, Improving the Nation’s Cybersecurity: E.O. 14028 requires federal agencies to adopt multi-factor authentication and encryption within 180 days of May 12, 2021. All Federal Civilian Executive Branch (FCEB) agencies are required to comply.
United States Government, Executive Office of the President, Office of Management and Budget (OMB), June 26, 2022, Moving the US Government Toward Zero Trust Cybersecurity Principles: This memorandum requires agencies to meet specific cybersecurity standards and objectives by the end of 2024, including greater use of passwordless MFA and phishing-resistant MFA.
United States State Governments
Many individual US state governments also require or encourage multi-factor authentication to protect the data and security of state residents and other entities. Some of the more prominent states that require or encourage MFA protection include California, Massachusetts, and New York. Check with the relevant governmental entities to determine whether MFA protection is required in your state.
More to come
With heightened cyberattacks, rising financial costs and bad actors everywhere, no one expects IBM i MFA to go away anytime soon. In fact, MFA usage is increasing. In a recent IBM i software survey, 46 to 48% of respondents reported already having MFA software installed on their IBM i servers. IBM i MFA deployment is growing, and it may not be long before MFA is required in even more IBM i shops.
MFA has always been good for enhancing IBM i user login security. MFA is not just nice to have; it has quickly become a critical piece of many organizations’ IBM i security strategy. It may also soon become a required technology for one or more of the IBM i MFA stakeholders described above.