Firewalls and network security are a staple of cybersecurity, but in the modern world they are akin to ancient castles in terms of military defense. The walls and moat are designed to keep enemies out and protect those who live inside. This tactic worked well when workers only accessed privileged information while at work and only needed protection from threats during office hours.
The castle concept can only keep you and your data safe while you are inside it. The problem is that the world has changed radically, and so has our relationship to work. We access sensitive information through smartphones and laptops. We work from home or remote locations and still require the same protection as if we were working from a cubicle at the corporate office.
The design flaw of the old castle method is that passwords are the point of entry required for access, so the defense relies on people for security. Employees routinely reuse passwords across multiple platforms. If a hacker breaches a single platform, your data is vulnerable to attack. This can lead to loss of revenue or, worse, to hackers selling your legitimate credentials, leaving your organization with no time to recover and constantly on the defensive.
If one of your users is reusing passwords, their security becomes your security. If a user recycled their password on an external site and that site is hacked, there is a strong possibility that your data might be next. Single-factor authentication, the use of passwords alone, leaves us increasingly vulnerable as we become more predictable in generating them. Trying to combat this with stronger complexity requirements and frequent updates makes it harder to be productive, drives up the already-high costs of password maintenance and support, and in the end it still isn't enough to keep up with current cybersecurity threats.
According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches used either weak or spoofed passwords. This threat can be completely eliminated by implementing multi-factor authentication (MFA).
Multi-factor authentication (MFA) is when a security system uses two or more ways to verify a user's identity and credentials, typically a username and password plus a third mechanism.
This second verification step protects your data and infrastructure from outside attacks. A password is a key for accessing an account and a security barrier protecting it from attackers; MFA additionally establishes the identity of the account owner and authenticates their access to the data.
MFA works by requiring two or more of the following authentication methods:
- Something you know (typically a password).
- Something you have (a trusted device that is not easily duplicated, like a phone).
- Something you are (biometrics).
People want a highly secure, convenient alternative. Passwordless authentication is a form of multi-factor authentication (MFA) that replaces passwords with two or more verification factors secured and encrypted on a user's device, such as a fingerprint, facial recognition, a device PIN, or a cryptographic key. The credentials never leave the device, eliminating the risk of phishing. These alternatives are based on new industry standards developed by members of the Fast Identity Online (FIDO) Alliance.
Your biometric signature is secured locally on the device, shared with no one but you, and is only ever used to unlock the device or key. It is never used to authenticate over the network. A common biometric attack method involves trying to spoof a person's body part in an attempt to trick the system, but any spoofing would first require that the attacker gain custody of the device.
As biometrics for mobile phones and computers become universal, password replacement options have increased in the modern workplace.
The benefits of passwordless authentication are amazing:
- Gain a higher degree of trust and security for apps, devices, and service providers.
- Reduce IT support team costs from password resets.
- Reduce risk from phishing and password attacks. Switch to passwordless Multi-Factor Authentication (MFA).
Windows Hello for Business replaces passwords with strong multi-factor authentication on Windows 10 platforms. Use either a biometric or a PIN to authenticate to enterprise apps, content, and resources without a password being stored.
Microsoft Authenticator is a free mobile app on iOS and Android that can replace or augment passwords with push notification approvals, one-time passcodes, and additional verification of a biometric gesture on the device or the device PIN.
FIDO2-compliant security keys are cryptographic credentials in a variety of form factors, including USB keys or NFC-enabled smartcards. They can be protected with a second factor such as a fingerprint (integrated into the security key) or a device PIN to be entered at sign in.
Moving to passwordless authentication offers improved security and better user experience, but requires a growth mindset internally.
- Start with a low-risk group and explain the benefits of eliminating passwords.
- Deploy MFA with a passwordless authentication option until people are comfortable with it and then start replacing passwords and dependencies on passwords in the background.
Single sign-on (SSO) is a credential authentication process that lets a user sign in once to access multiple applications. A user signs into an account once to access all company devices, software as a service (SaaS) applications, and web applications. Afterward, the user can launch applications from a single portal. Administrators then monitor user accounts to ensure the right people have the right access to sensitive data.
This makes for a smooth user experience: users no longer need to remember a specific password for each application. IT staff monitor user accounts and grant access to individual applications and data as needed. For example, an administrator can approve access to Dropbox, Office 365, and Salesforce for a single user.
- With SSO, users sign in once with one account to access domain-joined devices, company resources, SaaS and web applications.
- IT admins can centralize user account management and automatically add or remove user access to applications based on group membership.
Identity as a Perimeter acts as a set of armor, providing additional layers of protection outside the classic castle-and-moat protection of the network firewall. Together, they ensure that users can seamlessly access the material they need to do their job while feeling secure that they are protected. The credentials follow the identity no matter where the user might be.
Identity management covers the lifecycle of a user's identity and the definition of the security roles and principals that are allowed to access your system. This helps your IT department protect access to applications and resources across the corporate data center and into the cloud, giving you fine-grained control along with the principle of least access according to what each role needs.
The foundation of all cybersecurity is a simple concept: the least privilege needed to accomplish the job. Limit access to only what a user needs to do their job. This limits exposure to risk while encouraging productivity and privacy.
Work roles shift as jobs change, and users often end up with higher access than they need. Experts estimate that most user privileges are unneeded and unused. This represents a failure of the least privilege principle and a security risk: if a single user is hacked, the attacker can access dangerous material far above that user's pay grade because of unchecked privileges the user might not even have been aware of.
Putting the least privilege principle into operation means identifying the needs of your users, their privacy requirements, and the security needs of your company across different platforms and services. Once set, your organization will be able to respond to a user's behavior in the context of their history and role. If they attempt to log into your system from an unusual location or at an unusual time, this could trigger additional identity verification, and if a high-risk scenario is detected, the user can be quarantined until the matter is sorted out.
Detection and response are highly contextual, and data is needed to balance user requirements against risk. Orchestration and automation solutions can escalate privileges seamlessly during legitimate access attempts and immediately respond to risks, such as a user attempting to download blacklisted applications.
Multi-factor authentication lets you verify the identity of your user, while Conditional Access policies let you monitor their behavior and activity through reporting and auditing to prevent potential threats.
A role definition is a bundle of permissions associated with an established user identity. The role defines the user's access through what they can and cannot do; for example, some of the permitted actions might include read, write, or edit. A role can be vast in scope, such as an admin or manager, or specific, like a virtual machine reader.
Some platforms, such as Microsoft Azure, include several built-in roles that you can use. The following are four fundamental built-in roles:
- Owner: full access to all data and resources. May assign or delegate access to others.
- Contributor: can create and manage all types of resources. May not assign or delete access.
- Reader: can review existing resources.
- User Access Administrator: may assign or delegate access to cloud resources.
Other roles may be designed as needed to monitor and manage specific resources. For example, a role might be created to access and write on a specific resource, but not be allowed even to read anything else.
Once an identity is established, an admin or another suitable role assigns roles to the user. Sometimes roles are assigned to a whole group or to a managed identity. Access is granted by creating a role assignment and revoked by removing that role assignment.
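As an added illustration of role definitions, role assignments and scope (not code from the article or from Azure), the following Node.js snippet models a small RBAC check: the role definitions are simplified versions of the four built-in roles listed above plus a custom single-resource reader, and the scope strings, principal names and the Assignments class are constructed for the example.

```javascript
// Constructed role definitions, simplified from Azure's built-in roles:
// Actions grant operations, NotActions carve exceptions out of them.
const ROLES = {
  Owner: { actions: ['*'], notActions: [] },
  Contributor: { actions: ['*'], notActions: ['Microsoft.Authorization/*/Write', 'Microsoft.Authorization/*/Delete'] },
  Reader: { actions: ['*/read'], notActions: [] },
  'User Access Administrator': { actions: ['*/read', 'Microsoft.Authorization/*'], notActions: [] },
  // Custom role scoped to one resource type, as the text describes.
  'VM Reader (custom)': { actions: ['Microsoft.Compute/virtualMachines/read'], notActions: [] },
};

// Azure-style wildcard match: '*' matches any run of characters, '/' included; case-insensitive.
function matches(pattern, action) {
  const parts = pattern.split('*').map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(action);
}

// A role assignment is (principal, role, scope); a scope covers itself and every child scope.
class Assignments {
  constructor() { this.list = []; }
  grant(principal, role, scope) { this.list.push({ principal, role, scope }); }
  revoke(principal, role, scope) {
    this.list = this.list.filter((a) => !(a.principal === principal && a.role === role && a.scope === scope));
  }
  // Allowed if some assignment covering the target scope has an Action matching the
  // operation that is not cancelled by a NotAction of the same role. Least privilege
  // means the answer is "no" unless an assignment explicitly says otherwise.
  check(principal, action, resourceScope) {
    return this.list.some((a) => {
      if (a.principal !== principal) return false;
      if (resourceScope !== a.scope && !resourceScope.startsWith(a.scope + '/')) return false;
      const { actions, notActions } = ROLES[a.role];
      return actions.some((p) => matches(p, action)) && !notActions.some((p) => matches(p, action));
    });
  }
}
```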
Conditional access is vital to your organization's security, and identity and access management is key to managing your cloud resources. Since a user might access company resources using a variety of devices from anywhere in the world, gatekeeping alone is not enough. You need to monitor and manage your users' access without damaging their productivity. How a resource is accessed can tell you a good deal about the validity of that access and inform the control decision.
A Conditional Access policy reviews the circumstances of an access attempt and makes a decision based on known parameters. For example, if a user attempts to access sensitive information outside their normal hours, from a foreign country, using an unknown device, a Conditional Access policy can determine that the risk is too high and ask for MFA verification of the identity, or even lock down their access until a human verifies it.
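An added example (not the article's own code) of how such a policy decision can be composed in Node.js: each constructed policy selects the sign-ins it applies to and names a grant control, the most restrictive outcome across all matching policies wins, and a block overrides an MFA requirement. The sign-in context fields and policy names are assumed for illustration.

```javascript
// Grant controls ranked by restrictiveness: when several policies match, the
// strictest one decides (block beats require-MFA beats allow).
const RANK = { allow: 0, mfa: 1, block: 2 };

// Constructed policies: `when` is the condition set, `grant` the required control.
const POLICIES = [
  { name: 'Require MFA for sensitive apps', when: (ctx) => ctx.app === 'finance', grant: 'mfa' },
  { name: 'Unknown device abroad needs MFA', when: (ctx) => !ctx.deviceCompliant && ctx.country !== 'home', grant: 'mfa' },
  { name: 'Off-hours from unknown device', when: (ctx) => !ctx.deviceCompliant && (ctx.hour < 7 || ctx.hour > 19), grant: 'mfa' },
  { name: 'Block high sign-in risk', when: (ctx) => ctx.signInRisk === 'high', grant: 'block' },
];

// Evaluate one sign-in context against all policies and return the decision plus
// the names of the policies that applied, so the outcome can be audited later.
function evaluate(ctx, policies = POLICIES) {
  const applied = policies.filter((p) => p.when(ctx));
  let decision = applied.reduce((d, p) => (RANK[p.grant] > RANK[d] ? p.grant : d), 'allow');
  // An MFA requirement counts as met if this session already carries a fresh MFA claim;
  // a block is never downgraded by it, which keeps high-risk sign-ins out until reviewed.
  if (decision === 'mfa' && ctx.mfaDone) decision = 'allow';
  return { decision, policies: applied.map((p) => p.name) };
}
```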