Bad actors often use phishing, smishing, vishing, and credential stuffing to obtain credentials, which they can then use to gain a foothold in your systems. If an attacker can deploy ransomware and also compromise the backups, recovery becomes impossible, and paying the ransom becomes far more likely. Your backup data is your last line of defense against such an attack, so you must protect it.
According to NIST's Zero Trust Architecture, the best way to protect against these attacks is to leverage multi-factor authentication, also known as MFA. MFA requires two or more pieces of information (or "factors") drawn from different categories: something that you are (like biometrics), something that only you know (such as a PIN), and something that you have (like a security token or a cellphone). Two passwords are not two factors; the strength comes from an attacker having to defeat two unrelated categories. Some deployments add a location check ("somewhere you are"), using geofencing to prevent access from outside a trusted location. Think about going to the ATM to withdraw cash: you need both your bank card (something that you have) and your PIN (something that you know). Without both, you cannot withdraw funds or gain access to your bank details.
MFA helps protect against attacks like credential stuffing. Even if an attacker obtains your password from a data breach dump, it is useless without the additional authentication factor(s). If you need to obtain cyber insurance, be aware that insurers may require you to protect your environment with MFA as a condition of coverage.
Time-based One Time Passwords
Rubrik already supports MFA to secure access to both CDM and the Rubrik Security Cloud. For local and LDAP accounts for CDM and local accounts on Rubrik Security Cloud, the use of Time-based One Time Passwords (or TOTP) provides an extra security factor.
Setup is simple: once enabled in Rubrik, a user installs a TOTP app like Google Authenticator, Authy, or Microsoft Authenticator on their mobile phone and then scans the QR code presented by Rubrik. This QR code carries the shared secret and the parameters (algorithm, code length, and time step) the app needs to generate codes; the user keys in the first code after their username and password to complete the login. Going forward, this user will be prompted for their MFA code on every login, securing the login process. Once enabled, MFA applies to both GUI and CLI access to CDM.
Rubrik CDM can also secure the login process using RSA SecurID tokens, with either RSA Authentication Manager or RSA Authentication Server handling the authentication requests.
Rubrik also supports SAML 2.0 identity providers (IdPs) such as Okta, PingIdentity, and Auth0 for authentication. While this is outside the scope of this blog post, most IdPs support one or more forms of MFA, enforced at the IdP before the SAML assertion is ever issued to Rubrik.
Secure By Default
As mentioned above, your backup data must be there when the rubber hits the road. Because of this, Rubrik is committed to enabling security controls, like Multi-Factor Authentication, by default, so your data stays safe. Below, we answer some common questions raised in discussions with our field team.
What if I lose my MFA device?
For non-administrative users, if they lose a device used for MFA (such as a mobile phone), they can have MFA reset on their login by contacting an administrator. Once reset, they can enroll their device for MFA on their next login.
For administrative users, any other administrator can reset their MFA so that they can enroll a new device on their next login. If no other administrator exists, contact Rubrik Support.
What about automation?
By its very nature, the use of user accounts (aka basic authentication) in automation isn't compatible with MFA: once Rubrik receives the username and password, it would require the current TOTP code as a further authentication factor, and this would cause any automation, such as scripts and API calls, to fail. With this said, it has long been a principle that you use API bearer tokens or Service Accounts for automation, and these security principals are not subject to MFA. This is because they have a restricted lifetime, are not used for interactive logon, and can be programmatically rotated as required. Because of this, they are much harder to obtain through social engineering, and a leaked token can be revoked without resetting a person's password.
What if we lose our connection to the MFA service?
As Rubrik TOTP is time-based, there is no dependency on a separate authentication service; the only requirement is that the Rubrik cluster's clock and the user's authenticator device agree closely enough, since a TOTP verifier accepts only the current time step and a small window of neighbouring steps. This highlights the importance of reliable time sources, and Rubrik has mechanisms to protect against NTP poisoning attacks.
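To make the enrollment flow described earlier (scan a QR code, then key in codes) and the time-dependency point in this answer concrete, here is an added example implementing RFC 6238 TOTP in Python. It is not Rubrik's code: the issuer label, the account name, the one-step skew window, and the replay set are assumptions chosen for illustration, while the shared secret is the published RFC 4226/6238 test-vector secret so the codes can be checked against the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890"). A real
# enrollment generates a fresh random secret per user (see new_secret()).
RFC6238_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Generate a random shared secret for a new enrollment (160 bits for SHA-1)."""
    return secrets.token_bytes(nbytes)


def otpauth_uri(secret: bytes, account: str, issuer: str = "Example-Issuer",
                digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI that an enrollment QR code typically encodes.

    The issuer and account label are assumed values for this example; the
    exact contents of Rubrik's QR code are not documented here.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `period`-second
    steps since the Unix epoch. This is what the phone app computes."""
    return hotp(secret, at // period, digits)


def verify_totp(secret: bytes, code: str, at: int, used_steps: set,
                digits: int = 6, period: int = 30, skew: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus `skew` steps, so a
    phone whose clock is a few seconds off still works, but a code from far in
    the past or future does not. Compares in constant time and refuses to accept
    the same step twice, so a captured code cannot be replayed within its window."""
    step = at // period
    for candidate in range(step - skew, step + skew + 1):
        if candidate < 0 or candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # Enrollment: mint a secret, render the URI the QR code would carry.
    secret = new_secret()
    print(otpauth_uri(secret, "alice@example.com"))
    # Login: the phone app and the verifier compute the same code from
    # the shared secret and the current time; no network call is involved.
    now = int(time.time())
    code = totp(secret, now)
    print("code:", code, "accepted:", verify_totp(secret, code, now, set()))
```

Note that nothing in `verify_totp` talks to a remote service: the whole check is `secret + clock`, which is why losing network connectivity does not lock anyone out, but a cluster clock that drifts by more than the skew window does.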
I am already enforcing MFA. How does this affect me?
If you already have MFA enforced for all your accounts, you’re already doing what you need to protect your data, and this mandate does not impact you.
We protect our local and LDAP users with another MFA tool. What happens now?
In this scenario, please contact Rubrik support to discuss an exemption to this change. Be aware that you would be ineligible for the Rubrik Ransomware Warranty in this situation, as Rubrik cannot validate the deployment and configuration of third-party tools.
What if we are unable to use TOTP for MFA?
There are some situations where MFA is impossible due to regulatory requirements, use in secure government facilities, or other unique circumstances. Customers in these circumstances may contact Rubrik support to have their product installations exempted from this requirement.