MFA for GKLM
Protection against cyber attacks is becoming more and more important. GKLM can be used to hold the key(s) for IBM Spectrum Virtualize storage systems, e.g. FlashSystems and SAN Volume Controller. When these systems are encryption-enabled and a cyber criminal gains access to GKLM, they could potentially delete the storage system's key and initiate a restart (forcing the storage system to submit a key retrieve request). The storage system then ends up in a locked state and is unusable, at least for a while.
If the storage system was additionally enabled to hold the key on directly attached USB flash drives, the system can restart.
If those USB flash drives reside in a safe, an admin has to fetch them and plug them in before the system can restart. This can take hours.
If those USB flash drives have been stolen, or it has been decided not to use them and to delete the key, the system cannot be brought up again, at least not with the existing customer data.
If LDAP is not an option for GKLM authentication and local authentication has to be used, second-factor authentication is a must to minimize the risk of a cyber criminal gaining access and deleting keys.