Here at Predatar, we keep a very close eye on everything Storage Protect. After all, it’s IBM’s powerful storage software that underpins the Predatar recovery platform and our cyber orchestration capabilities. So naturally, when IBM released version 8.1.14 last week, we were keen to pop the hood. Predatar’s Technical Director, Steve Miller, shares his thoughts:
– – –
I’m pleased to see there is a handful of useful updates for Storage Protect in the new release, with one in particular that customers have been looking out for. Multi Factor Authentication for Admin Users has made its way into version 8.1.14.
In 2021 IBM released Command Approval for the product. Put simply, this meant that organisations could use roles to determine what functionality was allowed for individual users, and would require administrator approval for potentially destructive commands. This was an important first step, but it left loopholes for organisations that might have shared user IDs or common passwords – even if not intended maliciously, it would have been possible for a user to enter a delete command and then use an admin ID to authorise it without proper oversight.
This will now be much harder to do using the new MFA. Essentially, when an administrator is created, they are given a key that is used by an authenticator app to generate a code – then, when the user logs in they are required to enter both their password and the code which regenerates every 30 seconds.
If this is configured properly, then, in conjunction with Command Approval, it’s going to massively reduce the possibility of an accidental deletion of critical data within the Storage Protect environment.
Further – it can be used to lock down access to the environment more generally. There will still be automated IDs that can’t use MFA, but it should be possible to use this to secure access to the Storage Protect environment, and, even if users are using common passwords, the requirement for them to also enter the code would mean that a malicious actor is going to find it very difficult to get access.
IBM had to make lots of choices when they implemented MFA. They could have over-complicated things or mandated that customers use a particular piece of software for the token. By adhering to open standards and providing a list of approved applications, they are encouraging wide and early adoption of this enhancement, something to be applauded.
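The login check described above (a shared key, plus a code that regenerates every 30 seconds) can be sketched as follows. This is an added example, not code from IBM or Predatar: it assumes the open standard in question is TOTP (RFC 6238) with HMAC-SHA-1 and 6 digits, and the drift window and replay tracking are illustrative choices, not documented Storage Protect behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated in the post
DIGITS = 6   # assumption: common authenticator-app default

# Constructed sample key (the RFC 6238 test secret), base32-encoded the way
# authenticator apps expect it. Never reuse a published key in production.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Code for UNIX time `at`: HOTP (RFC 4226) over the time-step counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at, last_used_counter=None, window=1):
    """Return the matching time-step counter, or None if the code is rejected.

    `window` tolerates clock drift of +/- that many steps (assumption).
    `last_used_counter` is the step of the last accepted code; any step at or
    before it is refused, so a code observed once cannot be replayed.
    """
    now = int(at) // STEP
    for counter in range(now - window, now + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = totp(secret_b32, counter * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


if __name__ == "__main__":
    t = 1111111109  # constructed timestamp from the RFC 6238 test vectors
    code = totp(SECRET, t)
    step = verify(SECRET, code, t)
    print("code", code, "accepted at step", step)
    print("replay:", verify(SECRET, code, t, last_used_counter=step))
```

The server must persist the last accepted step per administrator for the replay check to hold across logins.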
As always, a couple of caveats apply – this still won’t prevent access to the logical infra behind the Storage Protect environment – if a rogue administrator or malware gets access to the box and is able to delete or encrypt database or storage volumes, then it really doesn’t matter if they can log in to the application or not – they can still wreak havoc, so it’s important to ensure there are additional copies of the data behind an airgap, either physical or logical.
Secondly, large organisations that are going to upgrade and take advantage of MFA should make sure to plan it carefully. Server-to-server operations need to be considered and it’s important that, although you are making your environment more secure, you don’t make it impossible for administrators to carry out their day-to-day functions.
If you need more information, help setting this up, or advice on configuration, get in touch with your Predatar account manager or contact info@predatar.com. We’re always happy to help.