During our conversations with customers and prospects these days, the question of implementing multi-factor authentication (MFA) usually begins with “when do you plan to?” instead of “are you planning to?” We no longer need to ask:
“Are you planning to implement MFA for remote server access and application access?”
“Are you planning to implement MFA for password checkout and privilege elevation?”
Starting the question with “when” assumes it’s a given. It is. The power and value of MFA are now broadly recognized, and more so in the U.S. now that the Payment Card Industry Data Security Standard (PCI-DSS 3.2, April 2016) has expanded its MFA requirements to include BOTH remote login and internal login (requirement 8.3). PCI-DSS touches every entity that stores, processes, and/or transmits cardholder data.
Are you ready?
If you’re not ready to implement MFA now, you still have some time before the PCI requirements are enforced (Jan 31, 2018). But as the alien journalist Ford Prefect said, “Time is an illusion. Lunch time doubly so.”
There may be a litany of reasons to delay. You may be inclined to put it off “until the end of the quarter,” or “when this next project is complete.” After all, isn’t MFA a complex effort?
- Deploying MFA is going to consume all your time.
- Good luck getting ubiquitous coverage across all your critical internal systems.
- Is MFA for login good enough? What about application access?
- What about MFA for access to SaaS services or on-prem apps?
- What about external users vs. internal?
- How can I accommodate PIV/CAC?
- It’s such an administrative pain, dealing with multiple vendors and their different interfaces and processes.
- Then there are the end users and their complaints about having to carry multiple tokens or devices: “Which one do I use for this login?” and “Why am I constantly being asked for a 2nd factor even when I’m not accessing a critical system?”
These are all legitimate concerns. But there’s a better way. Centrify covers all your MFA worries — and then some.
“But really. What’s the risk of putting it off?”
It could be catastrophic. The corpus on how compromised credentials have been used to gain access to your data is huge. Verizon, Mandiant, Gartner, Forrester — they’ve all chimed in. Let’s take one particular vector as a very relevant example: Outsourced IT.
In a Forrester study commissioned by Centrify, 100% of companies surveyed outsource at least part of their application development and some IT functions. Now, combine that with Verizon’s 2016 Data Breach Investigations Report, where they say “63% of confirmed data breaches involved stolen, weak or default passwords,” and you get a sense of just how big this issue really is.
Ask yourself, “Do I have full control of 3rd-parties who have remote access to my internal systems?”
Or, “Do I even know how many 3rd-parties have remote access to my internal systems?”
So I’m picking on the external supply chain a lot, but to be frank it’s strongly representative of the risks in general. Solve for this use case with MFA and you can solve for other vectors including the insider threat.
“OK, but my network security is pretty tight so…”
That’s great, but one interesting dynamic is how the age of blasting through the firewall and dodging IDS and IPS systems is long gone. Covert is now the name of the game. Attackers compromise a remote user (e.g., a 3rd-party or contractor) and log in through a VPN with that user’s credentials. Network security controls see them as legitimate users. So, the attackers stroll in like they own the place and camp out. They dig in, stay quiet, look for vulnerabilities, privileged account hashes and default accounts, install tools/malware, elevate privileges, and then move laterally, exfiltrating sensitive data.
In its 2016 M-Trends report, Mandiant was clear. They said that outsourced service provider (OSP) abuse is now a “trend turned constant.” In their study, they “continued to observe advanced attack groups leveraging OSPs to intrude onto the networks of our customers.”
Bite the bullet — NOW
All the more reason to tackle this now, not later. And with Centrify’s help, we can calm your nerves with the tools to overcome every one of those concerns:
- Single vendor for consistent application of MFA across servers (Windows, Linux, and UNIX), VPNs, cloud and on-premise apps. MFA everywhere you need it.
- If you have an existing investment in a 3rd-party such as Yubikey, Duo, or RSA SecurID, we’ll work with it!
- An integrated identity platform for consistent policy and enforcement that reduces overall cost and complexity.
- Security coverage across all users (end, privileged, internal, external).
- MFA for login to servers as well as privilege elevation on those servers.
- MFA for remote server login or password checkout.
- Adaptive MFA based on context so you’re not challenging users for every access to every resource.
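To make the adaptive, context-based idea concrete, here is an added Python sketch of an MFA decision policy that covers the cases this post raises (remote vs. internal login, third-party users, privilege elevation and password checkout, and not challenging every access). It is an illustration written for this page, not Centrify’s code or a description of its policy engine; the field names, the signal set, and the 8-hour reuse window are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Actions that always demand a fresh second factor, even inside a session
# that already passed MFA (the privilege elevation and password checkout
# cases from the text).
STEP_UP_ACTIONS = {"privilege_elevation", "password_checkout"}


@dataclass(frozen=True)
class AccessContext:
    """Signals an adaptive MFA policy can look at (field names are assumed)."""
    user_type: str                    # "internal" or "external" (contractor, outsourced IT)
    channel: str                      # "remote" (VPN, remote server login) or "local"
    action: str                       # "login", "app_access", "privilege_elevation", "password_checkout"
    resource_in_cde: bool             # resource stores/processes/transmits cardholder data
    known_device: bool                # device previously enrolled for this user
    minutes_since_mfa: Optional[int]  # None = no second factor yet on this session


def decide(ctx: AccessContext, reuse_window_min: int = 480) -> Tuple[str, str]:
    """Return ("challenge" | "reuse" | "skip", reason) for one access attempt."""
    if ctx.action in STEP_UP_ACTIONS:
        return "challenge", f"{ctx.action} always needs a fresh factor"

    signals = []
    if ctx.channel == "remote":
        signals.append("remote access")                 # PCI-DSS 8.3: all remote access
    if ctx.resource_in_cde:
        signals.append("cardholder data environment")   # internal login into the CDE
    if ctx.user_type == "external":
        signals.append("third-party user")
    if not ctx.known_device:
        signals.append("unrecognized device")

    if not signals:
        # Low-risk access: do not interrupt the user at all.
        return "skip", "internal user, known device, non-CDE resource, local access"

    # A risk signal is present; a recent MFA on this session still covers it,
    # which is what keeps users from being prompted for every single access.
    recent = ctx.minutes_since_mfa is not None and ctx.minutes_since_mfa < reuse_window_min
    if recent:
        return "reuse", f"covered by MFA {ctx.minutes_since_mfa} min ago: " + ", ".join(signals)
    return "challenge", ", ".join(signals)


if __name__ == "__main__":
    # Constructed sample: a contractor logging in over VPN with no prior MFA.
    print(decide(AccessContext("external", "remote", "login", False, True, None)))
```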
MFA = fantastic mileage
Properly implemented with appropriate coverage across your critical systems and applications, MFA can be a quick win in your battle against cyberattacks. You don’t have to sacrifice productivity or usability for strong security.
In our most recent Server Suite 2016.1 and Privilege Service 16.5 releases, we expanded our MFA capabilities even further by adding Server MFA for Windows privilege elevation and MFA for password checkout and remote login. We also expanded our Server MFA for login to UNIX platforms — IBM AIX, HP-UX, and Solaris.
So, when do you plan to implement MFA?
Check out a short video of MFA in action across the Centrify solution: