One of the biggest problems faced with the accelerating pace of applications moving to cloud-based infrastructure is security. When an application is internal or only available over an intranet there is an additional layer of security in place by default, as only authorised users have access to that network. With a cloud-based application this layer of security is no longer available, which places even more importance on the user's password.
Is a Password Policy enough to secure your data?
If a Password Policy is not enforced by your organization, the majority of users will not use a strong password. Even with a Policy in place (which might require upper case letters, lower case letters, some numbers and a special character), users will simply add something wholly predictable like "123!" to the end of their weak password. To make matters worse, this password is likely reused for all of the user's credentials. This means the password doesn't have to be stolen from the cloud-based application itself: if it is acquired from elsewhere, the cloud-based application may still be at risk.
Troy Hunt, one of Microsoft's Regional Directors and the creator of the website Have I Been Pwned?, said, "The only secure password is one you can't remember". His web application highlights this brilliantly. I recommend opening this application and entering one of your personal email addresses; the website will then search through a database of password lists which have at one time or another been available on the dark web and will show you which accounts have been compromised.
Now it may be that you have recently started using a password manager, so you have strong, unique passwords for all of the websites and applications you use. Great stuff, your personal online security is hardened! However, with a cloud-hosted web application there is no guarantee that all or any of your users are using strong passwords; some may still be using passwords which have already been compromised and sold.
A Secure Solution that works for Asset Management?
The solution here goes back to Troy's quote: force the users to use a password they can't remember! This approach can be implemented using Two Factor Authentication. As well as having to enter a password, the user is forced to enter a number which is unique to them. They can't remember this number because it changes every 30 seconds.
A lot of the bigger sites and applications have already implemented Two Factor Authentication, although they leave it as an optional setting in your account. Take Gmail’s 2-Step Verification for example. First, you’ll enter your password as usual when you sign in. Next, a code will be sent to your phone via text, call or app. Or, if you have a Security Key, you can insert it into your computer’s USB port. If a bad guy hacks through your password layer, they’ll still need something else to access your account.
Other providers may send you an SMS with a one-time password or code which expires after a short period of time, or may even have an automated service call you with a one-time code. A lot of banking services send out fobs which generate the one-time passwords required when logging in. All these methods use a one-time password in one form or another to help protect the data they are responsible for, as well as the user's privacy.
For some organizations, especially where asset data is particularly sensitive, Two Factor Authentication is an ideal way to add that extra layer of security, and peace of mind.
Locking down Maximo EAM with Two Factor Authentication – SEMaximo
I have built a framework which allows Maximo Administrators to set up user access using a Two Factor Authentication system. I have called it Security Enhanced Maximo (SEMaximo).
~ Checkbox from the User Application “Use TFA”, when this is checked the user is forced to setup TFA/MFA on their next login ~
SEMaximo adds a checkbox to the Maximo Users application which, when checked, presents the user with a QR Code at their next login; this is used to set up and sync Google Authenticator on their device. They are then logged out of Maximo, and every time they log in from that point on they have to enter the number generated by the Google Authenticator application on their phone, as well as their password.
~ The next time they login, they are presented with this QR Code and instructions for setting up MFA. Once set up, click return to login page. When they login they now have 3 boxes: normal user name, password and the MFA code generated on their device ~
The SEMaximo framework also allows E-Signature to be configured to require Two Factor Authentication for running tasks like Database Configuration or switching Admin Mode on and off.
SEMaximo Two Factor Authentication is configurable on an account-by-account basis because not all accounts will be able to use this method of Two Factor Authentication (we can assist with alternatives). Integration service accounts, for example, won't always be able to use Two Factor Authentication, but this is different to a user account because the system administrator controls that password and can guarantee that it is strong.
This extra layer is substantially more secure than the first, so together they offer a tight, secure Asset Management solution! With SEMaximo in place, as with all security measures, it is then up to Maximo administrators and users to apply these security enhancements and ensure asset information and data is never compromised!
We’re aiming to build Two Factor Authentication into the Maximo Integration Framework (MIF) further down the line for any integrations which may be able to make use of it.
BPD Zenith offers SEMaximo as an add-on solution for Maximo. If you're interested in the solution, or would like more information about it, please get in touch!