IBM System Storage Ideas Portal
Hide about this portal
This portal is to open public enhancement requests against IBM System Storage products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
For multifactor authentication, this is already supported. There is a parameter when you configure MFA that selects what behaviour you want:
Secure: means that if the MFA server can't be reached that you can't login
Insecure: means that if the MFA server can't be reached that you can login with just a single factor
In the security world, "insecure" mode is frowned on. A more secure way of configuring your system is to have secure MFA enabled for most of your users and then have some other way of accessing your system when the MFA server is broken. For example you could configure a security admin without MFA but with CLI only access using a SSH key + password as a way of getting emergency access to your system.
The technician port also provides another way of getting emergency access - although you will obviously need physical access to use this.
For remote authentication, you can enable/disable MFA and password+SSH key controls on a per user group basis. You can also choose whether a user group has CLI, REST and GUI access. For example:
Create an emergency_access user group with a local SecurityAdmin user, configure this with password+SSH key for best security and disable GUI+REST access so that you have to use the SSH key and a password to login
Create another user group using remote LDAP authentication, no MFA and enable just REST access and use this for automation (e.g. Ansible playbooks)
All the other user groups use remote LDAP authentication + MFA and/or Single Sign On. Best security practice says you do not permit a fall-back to allow these users to login if LDAP/MFA/SSO is not working.
One additional observation is that these security best practices are hard to find. So we have opened a development epic to enhance the documentation and help provide some of these best practices above.
Thanks,
FlashSystem Team
philipclark@ibm.com
Alternatively: Enable creation of an account that uses only local authentication. Make this account disabled whenever remote authentication services are operational, and automatically enabled when remote authentication is not operational.
Thank you for submitting this Idea. We are currently evaluating your request.
Thanks,
SpecV Team
philipclark@ibm.com