Project: OpenShift Pipelines
Issue: SRVKP-7861

T1: Every offering should enforce or provide the option to enable multifactor authentication


Guidance applicable to Red Hat (What do offerings need to do to fulfill this?)
------------------------------------------------------------------------------

There are two parts to the guidance here:

1. Implement multi-factor authentication for access to privileged accounts.

   a. Logon access to the offering has support for multi-factor authentication. It may not be enabled by default, but the support should exist and be enablable at the discretion of the administrators of that particular installation.
   b. The guidance also says that "Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." "More rigorous" can mean a stronger password policy in cases where MFA is not viable.

2. Implement multi-factor authentication for access to non-privileged accounts.

   a. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.
   b. Offerings and security architects need to determine the risk for these kinds of accounts. For user accounts bound by strong authorization rules, MFA can be replaced with stronger password policies, depending on the amount of risk involved with these accounts.

For products, the requirement is that they provide the ability to enable MFA, either natively or through a third-party authentication server.

For services, any public endpoint must enforce MFA for privileged access by Red Hatters, for example for maintenance or troubleshooting. For customers, it should be possible to enable MFA; for those without MFA enabled, a message should be shown recommending it and explaining how to enable it.

Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/openshift-pipelines/tasks/phase/specifications/37-T1/

Training Modules

- OWASP Top 10 2021
- Defending Web Applications
- Defending Android (Java)
- Defending Android (Kotlin)

Assignee: Unassigned
Reporter: sdelements (Jira-SD-Elements-Integration Bot)