A Security Wish List for the New Administration Starts with Multi-Factor Authentication
Late last year, the government’s Commission on Enhancing National Cybersecurity published a detailed report, at President Obama’s request, to provide short- and long-term recommendations to strengthen cybersecurity in the public and private sectors (you can read the full report on the NIST website).
Essentially, the report contains a guiding set of principles for the next four years. It’s a big document, but one recommendation stands out as critical for putting a stake in the ground now to underpin our security infrastructure. According to the report:
“The next Administration should launch a national public-private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.”
So where does this fit within a federal IT landscape where CIOs are under pressure to innovate faster, provide employees with flexible and mobile working environments, and enforce the basics of good security hygiene? All in an environment where attackers have the advantage, complexity is creating vulnerabilities, and government is just as operationally dependent on cyberspace as the private sector is.
This was the topic of a recent webinar by DLT partner, Centrify, in which Security Strategist, Chris Webber, shared his vision of a security wish list for the new Administration – with one definitive focus that can underpin all other security measures – multi-factor authentication.
Consider the immediate landscape. 63% of data breaches involve weak, default or stolen passwords (source: Verizon 2016 Data Breach Investigations Report). But end users aren’t the only target. Hackers target privileged users too. After an initial attack on end users, attackers get a foothold on a device or network, wait until they can get their hands on a privileged user’s account (system admins, etc.), then leverage that account to exfiltrate data. Something must be done to protect both.
If you’re relying on passwords to secure your infrastructure, you had better expect that your security has already been breached. Attacks are becoming more and more prevalent, to the point where you can assume that “every single password has been stolen,” says Webber. The state of the state, to use Presidential terms, is not looking good. If we don’t do anything different, the password risk will increase.
MFA Everywhere Isn’t that Hard, and Baselines Everything
Which leads us back to the key recommendation in the government report above. If you can implement multi-factor authentication (MFA) today, and implement it everywhere and across everything, it will buy you the time to do other smart security things. These include least privilege management, auditing, monitoring, risk-based heuristics, etc., all of which take time. In the meantime, you know that you have a stake in the ground to curb your vulnerability to password-based attacks.
Without MFA everywhere, no matter how hardened your security infrastructure, the attackers can still walk right through the front door.
MFA is nothing new, but it’s a new time to do it, says Webber. “I want to think that the new Administration will continue what the past Administration has done, which is to recommend multi-factor authentication, everywhere we can have it. And we can do it now, because MFA is a lot simpler than it used to be.”
In the past, MFA was difficult to deploy and painful for users to use. Today, with solutions from Centrify, agencies can balance convenience, cost, and security with adaptive MFA and make it easy for their users with an integrated identity platform that protects cloud and on-prem apps, VPNs, endpoints, servers, privilege elevation, and more.
Check out the webinar, now on-demand, to learn more.