[Info-vax] VMS and MFA?
Arne Vajhøj
arne at vajhoej.dk
Wed Aug 19 16:20:26 EDT 2020
On 8/19/2020 3:08 PM, Dave Froble wrote:
> On 8/19/2020 2:13 PM, Arne Vajhøj wrote:
>> On 8/19/2020 11:44 AM, Jan-Erik Söderholm wrote:
>>> Thanks all. Yes, there are several "layers" before anyone reaches the VMS
>>> "Username:" prompt. I first log in to the Citrix Remote Desktop, and that
>>> is through a MFA (6-digit code in SMS/text message). From there it is
>>> a Putty session against the VMS system "as usual".
>>>
>>> We had a discussion, and many of our "users" are generic and named
>>> after the workplace. There can be 10 different operators working there
>>> and using a group login VMS account set up for each "process terminal".
>>>
>>> So, the decision was that MFA is not suitable for us.
>>
>> If you have started a process of looking at security then
>> one account used by multiple persons could raise some
>> serious red flags.
>
> In my opinion, the best security is being able to control what can be
> accomplished.
>
> As far as I'm aware, and I'd welcome any information I'm unaware of, a
> captive account is very effective. Of course, it depends on what
> activity a captive account can accomplish.
>
> It may be that multiple users can perform the same activity, and if so,
> multiple users of the same user account need not be a problem. Though
> setting up individual user accounts is usually not a problem.
>
> Depending on requirements, various amounts of logging of activity can be
> implemented. Perhaps good for exploring issues, but as always, who
> watches the watchers?
>
> While access control is possible, it's my feeling that trust of
> authorized users is usually a much greater security issue.
It is usually considered a good thing security-wise to be able
to actually log who successfully did what and who unsuccessfully
tried what.

Unique accounts help with that.

It is not even a new thing.

Arne