Multifactor Authentication (MFA) - Committing to modernization
Senior Cloud Security Consultant
Article published 1 October 2020
One of the most pragmatic actions an organization can take for a quick, high-ROI security win is to implement Multifactor Authentication (MFA). The business benefits follow directly: the risk of a breach via identity compromise drops significantly, expected breach costs drop with it, and the brand is less exposed to the reputational damage a breach would bring.
In their sixth annual CISO Benchmark Report, Cisco report MFA adoption rates of only 27% across those surveyed.
MFA augments the familiar username and password pair with additional factors to increase the security of the account, with the end goal of reducing the risk of account and information compromise. The factors fall into three categories: something you know, something you have and something you are. Examples range from passwords and PIN codes, through rotating codes (tokens) generated by a mobile phone app or hardware device, to biometrics such as fingerprints, face recognition and retina scans. Not all factors are equally strong: a code the user types in can be phished and relayed by an attacker in real time, whereas FIDO2 authenticators bind the credential to the site's origin and resist that class of attack. The field is constantly developing, with areas such as passwordless authentication and the FIDO2 project, and we recommend monitoring for changes, new technologies and factors that add to your options in the space.
Do not be one of the organizations that has not yet implemented MFA. Harden your posture to protect your critical assets and your brand. If you have already implemented MFA in production, we recommend looking at advanced adaptive MFA features, a selection of which are discussed below.
We will now explore MFA and how it can be leveraged successfully as part of the secure digital transformation of your workforce.
What is blocking organizations from embracing MFA?
Is it the perceived complexity?
This could be old-world thinking. MFA is not what it was previously. It has evolved and simplified with multiple offerings now available from service providers and application developers.
Could it be a perceived negative impact on the workforce and IT Operations?
This is the age-old discussion around the conflict between security and operations. We recommend setting up a Proof-of-Value exercise with a subset of your team to understand the real-world operational implications and the value added to the business. MFA is also freely available on consumer applications, and users may be surprisingly familiar with the technology.
Might it be a strong legacy system footprint that is the source of the resistance?
BSI would recommend reviewing the vendor options, and reviewing them against your future plans for business, workload and service modernization. Challenge those providers to enhance their security offering, and carry out a supply-chain risk assessment to identify mitigating controls where MFA is absent. Some organizations may not be aware that MFA exists and what it offers, or that it could be easily enabled in their current environment. Stakeholder education and buy-in are crucial here to align with business goals and security best practice.
The risk versus reward here is weighted heavily in favour of implementing MFA across your organization. The objections above must be managed with data; this is an opportunity for business improvement that must be prioritized as part of your strategy, regardless of organization size. Microsoft reports that accounts with MFA enabled are more than 99.9% less likely to be compromised.
Due diligence around vendor assessment and onboarding is critical. The Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) could be utilized as part of this process for cloud provider offerings such as Identity and MFA.
Committing to Modernization
A technology leader understands the shift from the network to identity as the security perimeter, especially in the increased remote-working world we now find ourselves in, and is seeking a strong-authentication solution to protect users as the organization migrates its workloads to the cloud.
It should be noted that there is an emerging trend of attackers working around MFA, which we have discussed in our Emerging Trends 2020 whitepaper. Building on traditional MFA, adaptive MFA therefore considers additional signals such as geolocation and impossible travel: a user who logs in from Asia should not be logging in from Europe ten minutes later. Login traffic from known versus unknown locations is another signal, and each one opens up technical policy options for the organization when designing its controls. Device posture allows managed and unmanaged devices to be treated differently (managed devices being sanctioned devices controlled by the organization); an example is checking for a certificate or software agent on the device and only allowing access once that check has been validated, among other options.
Adaptive MFA can address the above and more. Vendor offerings differ and should be assessed accordingly with appropriate due diligence.
The items in your security technology stack may be very capable as silos, but would it not be ideal if they could talk to each other and share information? Your chosen MFA vendor may integrate with other parts of your security technology stack. Step-up authentication can prompt for an additional factor when a user attempts a highly privileged or suspicious action in an integrated platform. Other MFA integrations could include email security solutions, Cloud Access Security Brokers (CASB), workload access solutions, identity solutions, and more. Integration can bring real benefits in intelligence, automation and hardening of posture, and can extend to threat intelligence partnerships and shared feeds. This is where user risk awareness comes in: the system assesses risk and applies controls based on the parameters discussed above, such as, but not limited to, IP address, device and geolocation.
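The following is an added example, not code from the article or from any vendor's product, showing how the adaptive signals described above (impossible travel, known versus unknown source address, device posture) can be combined into a single allow / step-up / block decision. The speed threshold, the minimum distance used to absorb geo-IP imprecision, the user name, the IP addresses, coordinates and timestamps are all constructed for illustration; a real deployment would take these from the identity provider's sign-in logs and a geo-IP database.

```python
"""Toy adaptive-MFA policy: impossible travel, unknown location, device posture.

Added example, not from the article or any vendor product. All thresholds,
IP addresses, coordinates and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0           # assumption: ignore geo-IP jitter within one metro area


@dataclass
class LoginEvent:
    user: str
    ts: datetime            # timezone-aware UTC timestamp
    lat: float
    lon: float
    ip: str
    device_managed: bool    # True when a client certificate or agent check-in validated the device


def make_event(user: str, iso_ts: str, lat: float, lon: float, ip: str, managed: bool) -> LoginEvent:
    """Build an event from an ISO-8601 timestamp with an explicit offset, e.g. 2020-10-01T09:00:00+00:00."""
    return LoginEvent(user, datetime.fromisoformat(iso_ts), lat, lon, ip, managed)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_impossible_travel(prev: LoginEvent, cur: LoginEvent,
                         max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> bool:
    """True if moving from prev to cur would require exceeding max_speed_kmh.

    Expects prev.ts <= cur.ts. Short hops (under MIN_DISTANCE_KM) are never flagged,
    so that geo-IP imprecision inside one city does not produce false positives.
    """
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < MIN_DISTANCE_KM:
        return False
    elapsed_h = (cur.ts - prev.ts).total_seconds() / 3600.0
    if elapsed_h <= 0:
        return True  # two distant logins at the same instant cannot both be the user
    return distance / elapsed_h > max_speed_kmh


def evaluate_login(event: LoginEvent, previous: Optional[LoginEvent],
                   known_ips: Set[str]) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'block', reasons) for a login attempt.

    Policy: impossible travel blocks outright; an unknown source IP or an unmanaged
    device requires step-up (an additional factor); otherwise the session is allowed.
    """
    reasons: List[str] = []
    if previous is not None and previous.user == event.user and is_impossible_travel(previous, event):
        reasons.append("impossible_travel")
    if event.ip not in known_ips:
        reasons.append("unknown_location")
    if not event.device_managed:
        reasons.append("unmanaged_device")
    if "impossible_travel" in reasons:
        return "block", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


def demo() -> List[str]:
    """Run three constructed scenarios and return the decisions in order."""
    known = {"203.0.113.10"}  # constructed: the user's usual office egress address
    # 1. Singapore, then Frankfurt ten minutes later from an unknown IP.
    sg = make_event("alice", "2020-10-01T09:00:00+00:00", 1.35, 103.82, "203.0.113.10", True)
    fra = make_event("alice", "2020-10-01T09:10:00+00:00", 50.11, 8.68, "198.51.100.7", True)
    # 2. London, then Frankfurt two hours later from a known IP but an unmanaged device.
    lon = make_event("alice", "2020-10-01T08:00:00+00:00", 51.51, -0.13, "203.0.113.10", True)
    fra2 = make_event("alice", "2020-10-01T10:00:00+00:00", 50.11, 8.68, "203.0.113.10", False)
    # 3. London again an hour later, known IP, managed device.
    lon2 = make_event("alice", "2020-10-01T09:00:00+00:00", 51.52, -0.12, "203.0.113.10", True)
    return [evaluate_login(fra, sg, known)[0],
            evaluate_login(fra2, lon, known)[0],
            evaluate_login(lon2, lon, known)[0]]


if __name__ == "__main__":
    print(demo())  # ['block', 'step_up', 'allow']
```

The minimum-distance guard matters in practice: two sign-ins a few seconds apart that geo-IP places a handful of kilometres apart would otherwise compute to an absurd speed and flood the helpdesk with false step-up prompts. Equally, a block on impossible travel should feed the SOC as an alert, since the first of the two logins may itself have been the attacker's.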
In summary, by effectively leveraging MFA, organizations will reduce risk and the potential for business disruption. Successfully enabling MFA is not the end of the journey: there are residual considerations, and employing the right technologies, combined with empowering your workforce to contribute to hardening the overall organization security posture, will result in a layered defense strategy and real business benefits.