One of my favorite Simpsons episodes is titled “Last Exit to Springfield,” and it includes a scene where Mr. Burns and Smithers are accessing a secret control room to shut off the power to the entire town. They proceed to walk through multiple levels of security with video cameras, an eye scanner, and even a hidden library passage unlocked via a fake book. They finally arrive at the control room only to find the back door broken and wide open, with a stray dog walking in. In the late 90’s I used this reference all the time when assessing the security posture of my customer’s network firewalls.
“Yes it’s great that you have over 1200 detailed firewall rules that whitelist the specific ports that are opened across your network. But you see this ‘Allow All’ rule that’s linked to the static IP address of your VP’s desktop? This one bad firewall policy pretty much negates all the rest of them.”
I’ve written this before, but it bears repeating: in IT security you’re only as strong as your weakest link. Would any security administrator be OK with allowing even a single “Allow All” firewall rule to exist? Probably not. Identity is the new perimeter and multifactor authentication (MFA) policies are the virtual firewalls that protect them, so why have many corporations and federal agencies implemented MFA polices for only most of their systems and privileged accounts? That’s on par with having a few “Allow All” firewall rules since all it takes is one compromised identity to negate the rest of your security policies.
Implementing MFA within federal agencies should not be a herculean task, and Centrify is here to help. Centrify Server Suite joins your non-windows systems to Active Directory, thus allowing federal users to use their PIV or CAC smart cards at their desktop and Kerberos Single Sign On (SSO) throughout the enterprise, to include *NIX servers and their applications. Centrify’s cloud services provides Identity-As-A-Service (IDaaS) to extend MFA and SSO to applications and servers residing both outside and inside the enterprise, as well as allowing external users to securely access these same resources without a VPN. The idea is to eliminate passwords completely by requiring users to use their smart cards to obtain some type of temporary token (Kerberos ticket, SAML assertion, etc), while also locking down systems and applications so that password based authentications are not allowed. If access to all resources and data can only be obtained via these temporary tokens and those tokens can only be obtained via smart card authentication, then you’ve successfully implemented MFA everywhere and for everybody.
So how do we force the use of smart cards for everything and eliminate passwords? One method is to modify a user’s account in Active Directory by selecting the “smart card is required for interactive logon” checkbox, or by doing this for all users via an AD Group Policy. However this is easier said then done and many organizations are finding that modifying AD accounts in this manner end up breaking some critical applications downstream. Another option is to enforce “no passwords allowed” at each endpoint itself, and Centrify implements this via Mac and *NIX Group Policies that only allow authentication directly via smart cards, or indirectly via Kerberos tokens obtained by a smart card. Centrify supports Microsoft’s Authentication Mechanism Assurance (AMA), which places a user into a dynamic user group whenever they authenticate using a smart card, so therefore it knows the difference between Kerberos tickets obtained via a password and those obtained via a smart card. Again the ultimate goal is usually to enforce smart card authentication directly from within the Active Directory account itself, however enforcing it at the endpoint adds an additional layer of security that might but the only option in some cases.
Remember all it takes is one compromised identity to expose your enterprise to hackers and allow them in, regardless of how many layers of advanced firewalls and intrusion detection systems you employ. In order to be truly secure, you need to eliminate passwords and implement MFA policies for 100% of your privileged accounts, as well as ensure that all critical resources can only be accessed by accounts who have authenticated using MFA policies. Otherwise you’ll find yourself in the same situation as Mr. Burns with the unauthorized stray dog, except in your case simply kicking the dog out won’t suffice.