Identity is the beating heart of cyber security
Before going deeper into multi-factor authentication, it is necessary to recall the concept of identity and its importance for cybersecurity. Even before the pandemic forced us to adopt remote work widely, the security community had for some time understood that the concept of the perimeter was changing radically. The days of focusing security efforts mainly on the datacenter perimeter, with access management based on network controls, are far behind us. The pandemic had the merit of making it clear to whole organizations, with a sense of urgency, that access to an organization's information resources and systems may occur from anywhere, at any time, by anyone and through an enormous variety of devices. We therefore need to protect the identity, which becomes the modern security perimeter. No security control will protect you if I can become you!
An identity can be an internal employee, an external contractor, a robot (increasingly in use in our organizations) or even any kind of computing device, which raises a fundamental question for cybersecurity: how do we ensure that an entity is who it claims to be? That is the mission of authentication.
The need for Multi-Factor Authentication
Identity compromise has become a common factor in almost every breach, with over 80% of hacking incidents involving brute force or the use of lost or stolen credentials (source: 2020 Verizon Data Breach Investigations Report). Cyberattacks usually start with credentials obtained through phishing, and we have always relied mainly on passwords to protect identity. Passwords are still important, but they are clearly not enough to protect organizations from modern cyberattacks. Strong passwords are difficult to manage, phishing schemes are increasingly sophisticated, and brute-force attacks easily break weak passwords, making attackers' lives easier than they should be.
It became clear that confidence in authentication had to be increased. To achieve this, additional control layers were added, based on the three types of authentication factor: something you know (e.g. passwords), something you have (e.g. tokens, nowadays mobile phones) and something you are (biometrics).
Depending on the organization's size and technological complexity, implementing MFA can be an enormous undertaking. From our experience at EDP, it is important to start by defending the most critical systems, such as domain controllers and authentication servers, as well as VPNs, which are essential to protect today's massive volume of remote-work access. Office collaboration tools, like the ones we have at EDP, are usually also good places to start, since they offer quick wins: they provide access to more critical data than we might think and could facilitate an attacker's intrusion into the organization's network.
Another strong reason to adopt MFA is to comply with standards and regulations. MFA may be mandatory for companies that deal with sensitive data or critical systems; even where it is not specifically required, adopting it demonstrates diligence in case of legal issues.
Resisting MFA Myths
The first myth that we have rejected at EDP is that MFA should only be used to protect privileged users. Organizations consider most of their employees as not having access to critical information; however, employees are accessing more and more information as digital transformation democratizes data access, and it is also known that most attackers leverage any regular account to move laterally through the network until they find valuable data to exfiltrate or a system administration account to abuse.
Another myth that we have abandoned is that MFA provides a bad user experience. Today's solutions are more intelligent and allow users not to be prompted with additional validation every time they log in. Contextual controls can evaluate the user's conditions, such as location or the device in use, and decide on access accordingly, improving identity assurance and even allowing organizations to aim for a password-less experience.
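The contextual step-up logic described above, as an added example rather than code from EDP or the original article: a hypothetical policy that skips the second-factor prompt for a known device in a usual location on an ordinary application, requires it when a signal is off or the application is critical, and blocks when every signal is off. User records, device identifiers, country codes and application names are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed per-user context an identity provider might keep; hypothetical
# data, not taken from EDP's systems.
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}, "bob": {"dev-phone-07"}}
USUAL_COUNTRIES = {"alice": {"PT"}, "bob": {"PT", "ES"}}
# Hypothetical names standing in for the "most critical systems" in the text.
CRITICAL_APPS = {"vpn", "domain-admin-console"}


@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    app: str
    password_ok: bool  # first factor (something you know) already verified?


def decide(s: SignIn) -> Tuple[str, List[str]]:
    """Return ('allow' | 'mfa' | 'deny', reasons) for one sign-in attempt."""
    if not s.password_ok:
        return "deny", ["first factor failed"]
    reasons = []
    if s.device_id not in KNOWN_DEVICES.get(s.user, set()):
        reasons.append("unknown device")
    if s.country not in USUAL_COUNTRIES.get(s.user, set()):
        reasons.append("unusual location")
    if s.app in CRITICAL_APPS:
        reasons.append("critical application")
    if not reasons:
        return "allow", []       # known device, usual place, ordinary app: no prompt
    if len(reasons) == 3:
        return "deny", reasons   # every signal is off: block and leave it for review
    return "mfa", reasons        # otherwise step up to a second factor


def register_device(user: str, device_id: str) -> None:
    """After a successful second factor, trust the device so later
    sign-ins from it are not prompted again (the "no prompt every time" point)."""
    KNOWN_DEVICES.setdefault(user, set()).add(device_id)


if __name__ == "__main__":
    attempt = SignIn("alice", "dev-tablet-99", "PT", "mail", True)
    print(decide(attempt))       # ('mfa', ['unknown device'])
    register_device("alice", "dev-tablet-99")
    print(decide(attempt))       # ('allow', [])
```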
Password-Less: a Holy Grail for Cyber Security
It seems a crazy step from a security standpoint, but in fact it could be a major step forward for both security and the business. Password-less is only possible with MFA, since we are eliminating the traditional method of authentication. We have decided to pursue this objective because we believe it will bring many benefits: users sign in faster to apps and services (an improved user experience), security is improved, and IT costs are reduced (e.g. password resets are no longer needed; according to Gartner estimates, between 20% and 50% of help desk costs are due to password resets).
With password-less, security improves thanks to technological evolution, where richer, contextual information allows a better authentication decision. We are starting this password-less journey by choosing the right technology, understanding how it works in different contexts and gradually increasing user adoption.
MFA will probably evolve in the future to break its dependence on passwords; however, current technological developments and the evolution of MFA have already changed the face of cybersecurity, promising affordable, user-friendly solutions that are a cornerstone of system security and data privacy. MFA will not solve all cybersecurity problems, but it is fundamental to disrupting the attacker's return on investment. Our objective, as risk managers, is to raise the cost an attacker must bear to carry out a successful attack. MFA is a fundamental investment for risk mitigation.