Project: OpenShift Cloud
Issue: OCPCLOUD-2794 (sub-task of OCPCLOUD-2642: Setup OCP build of Azure Service Operator)

T1: Every offering should enforce or provide the option to enable multifactor authentication


    • Type: Sub-task
    • Resolution: Unresolved
    • Priority: Major
    • Sprints: CLOUD Sprint 255, CLOUD Sprint 256, CLOUD Sprint 257, CLOUD Sprint 258, CLOUD Sprint 259, CLOUD Sprint 260, CLOUD Sprint 261, CLOUD Sprint 262, CLOUD Sprint 263, CLOUD Sprint 264, CLOUD Sprint 265, CLOUD Sprint 266

      Guidance applicable to Red Hat (What do offerings need to do to fulfill this?)
      ------------------------------------------------------------------------------

      There are two parts to the guidance here:

      1. Implement multi-factor authentication for access to privileged accounts.

         a. Logon access to the offering supports multi-factor authentication. It need not be enabled by default, but the support must exist so that administrators of a particular installation can enable it at their discretion.
         b. The guidance also says that "Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." Where MFA is not viable, "more rigorous" can mean a stronger password policy.

      2. Implement multi-factor authentication for access to non-privileged accounts.

         a. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.
         b. Offerings and security architects need to determine the risk associated with these kinds of accounts. For user accounts bound by strong authorization rules, MFA can be replaced with a stronger password policy, depending on the amount of risk involved with those accounts.

      For products, the requirement is that MFA can be enabled, either natively by the product or through a third-party authentication server.

      For services, any public endpoint must enforce MFA for privileged access by Red Hatters, for example for maintenance or troubleshooting. For customers, it must be possible to enable MFA, and customers who have not enabled it should be shown a message recommending it and explaining how to enable it.

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-1-foundational-platform-offering-openshift/azure-service/tasks/phase/specifications/261-T1/

      Training Modules

      Secure Software Design
      OWASP Top 10 2021

      Assignee: Unassigned
      Reporter: sdelements (Jira-SD-Elements-Integration Bot)