Multifactor Authentication
In Multifactor Authentication (MFA), access to the requested data is granted only after the requester satisfies two or more authentication criteria.
CTE adds an extra layer of security before granting access to the protected GuardPoints. If MFA is enabled, the users performing specific tasks on the configured GuardPoints need to perform an additional OpenID Connect (OIDC) based authentication.
MFA can be helpful in scenarios such as when the credentials of a client machine are compromised. As an additional level of authentication is enforced, the data security cannot be breached.
Note
MFA is supported in CTE for Windows Agents 7.5.0 and above. MFA is supported in CTE for Linux Agents 7.6.0 and above.
Prerequisites
Before configuring MFA, make sure that:
-
A valid OIDC connection exists on the CipherTrust Data Security Platform Service. Refer to Connection Manager for details. Use this connection to configure MFA in CTE profiles.
-
MFA is configured in profiles, which can be associated with the clients and client groups. Refer to Setting MFA Configuration for details.
After you have configured MFA, you can enable it for individual clients and GuardPoints at the client and client group levels.
MFA at Client Level
You can enable or disable MFA for all of the GuardPoints on a client. When MFA is enabled at the client level, the CTE Agent enforces MFA configuration for all GuardPoints configured on the client. It overrides any MFA configuration set for individual GuardPoints.
Enabling or Disabling MFA on Client Level
To enable MFA at client level (that is, for all GuardPoints on a client):
-
Open the Transparent Encryption application.
-
Click Clients > Clients.
-
Under Client Name, click the desired client.
-
In the mini details view, select Multifactor Authentication.
-
Select Apply.
On the GuardPoints tab, the Multifactor Authentication toggles for all the GuardPoints will be turned ON. The GUI may take some time to reflect the changes. You can click the Refresh GuardPoints icon () to refresh the status. At this point, you can't disable MFA for individual GuardPoints.
Note
To disable MFA for all GuardPoints on the client, clear the Multifactor Authentication check box in the mini details view and click Apply. On the GuardPoints tab, the Multifactor Authentication toggles for all the GuardPoints will be turned OFF. You can now enable MFA for individual GuardPoints.
MFA at GuardPoint Level
GuardPoint-level MFA can be enabled at the time of GuardPoint creation. Also, you can enable or disable it later.
-
GuardPoints on Clients
When MFA is disabled at the client level, you can enable MFA for individual GuardPoints on clients. In this case, the CTE Agent processes the MFA configuration of individual GuardPoints. However, if client-level MFA is enabled, the MFA configuration of the client takes priority.
-
GuardPoints on Client Groups
MFA cannot be enabled at the client group level. However, you can enable MFA for individual GuardPoints on client groups.
While propagating the MFA-enabled GuardPoints to the member clients, the CTE service on the CipherTrust Data Security Platform Service checks the MFA capability on the member clients. If a client is MFA-capable, the GuardPoints are added to the client. If a client is not MFA-capable, the GuardPoints are skipped.
Note
After GuardPoints are propagated to the member clients, the MFA configuration specified in the profiles associated with the member clients is used to send the security configuration to the CTE Agent.
Therefore, if the profiles of a client group and its member clients are different, the profiles of the member clients are used.
Enabling MFA on GuardPoints
MFA for individual GuardPoints can only be enabled when the client-level MFA is disabled.
To enable MFA on a GuardPoint:
-
Open the Transparent Encryption application.
-
Select the client or client group on which you want to enable the GuardPoint.
-
Click a client under the Client Name column (Clients > Clients).
-
Click a client group under the Client Group Name column (Clients > Client Groups).
-
-
On the GuardPoints tab, turn ON the Multifactor Authentication toggle corresponding to the desired GuardPoint.
MFA is enabled on the selected GuardPoint.
Disabling MFA on GuardPoints
MFA can't be disabled on individual GuardPoints of a client if MFA is enabled at the client level. Before proceeding with disabling MFA for individual GuardPoints, make sure that MFA is disabled on the client. Refer to Enabling or Disabling MFA on Client Level for details.
MFA enabled on the GuardPoints created on client groups can be disabled directly.
To disable MFA at GuardPoint:
-
Open the Transparent Encryption application.
-
Select the client or client group on which you want to disable the GuardPoint.
-
Click a client under the Client Name column (Clients > Clients).
-
Click a client group under the Client Group Name column (Clients > Client Groups).
-
-
On the GuardPoints tab, click the expand icon () corresponding to the desired GuardPoint.
-
Clear Multifactor Authentication.
-
Click Apply.
MFA is disabled at the GuardPoint level.
For steps, refer to Enabling and Disabling MFA on GuardPoints.