Changing the Monolith, Part 4: Quick Tech Wins for a Cloud-First World

Transformation is a daunting task. In this series, I explore how change is possible when addressing the components of people (see Part 1 and Part 2), process (Part 3), and technology that make up the organization. Let's now discuss Part 4: Technology.

Joseph Davis
Microsoft Cybersecurity
4 min read · Jul 9, 2019


You may have heard that identity is the “new” perimeter. Indeed, with the proliferation of phishing attacks over the past few years, one of the best ways to secure data is to ensure that identity, the primary way we access data, can be trusted.

How do we secure identity?

Start by evaluating how users are authenticating to all applications inside and outside the organization. I say all applications because it takes little effort for an attacker to pivot from a low-value, non-sensitive application to a high-value, highly sensitive one, quickly gaining access to confidential or restricted data.

Similarly, multifactor authentication must be enforced for all users, not just highly privileged ones. Remember that once an attacker has a foothold through any account, techniques such as pass-the-hash, Golden Ticket attacks, and other credential-theft methods make it simple to escalate privileges and reach sensitive data.

Modern authentication encourages us to retire legacy authentication protocols that are weak or routinely abused, such as NTLM (the target of pass-the-hash) and on-premises Kerberos (the target of Golden Ticket attacks). Additionally, modern authentication requires more than one factor of authentication for all users. Factors fall into three classes: something you know (a password or PIN), something you have (a hardware token, or a phone running an authenticator app that generates one-time passwords), and something you are (biometrics such as 3D facial recognition or fingerprint matching).

Start with multi-factor authentication. (Source: Microsoft)

Requiring multifactor authentication (MFA) for all applications, whether on-premises or in the cloud, is a great start. When choosing the second factor, prefer an authenticator app (push approval or an app-generated one-time password) over text-message codes or phone calls: SMS and voice can be hijacked through SIM swapping or telecom spoofing, whereas an app-generated code never transits the phone network. Bear in mind that any code the user types can still be relayed by a real-time phishing proxy, so app-based codes raise the bar against phishing but do not eliminate it.

The least vulnerable multifactor authentication mechanisms are FIDO2 authenticators (a built-in biometric authenticator, or a USB or NFC hardware key such as a YubiKey), whose signed assertions are bound to the web origin that requested them so that a credential cannot be replayed to a look-alike site, and risk-based conditional access systems that apply machine learning to zero-trust signals and the context of each authentication.
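The difference between a relayable one-time code and an origin-bound FIDO2 assertion is easiest to see in code. The following is an added example, not part of the original post or any Microsoft product: it implements TOTP per RFC 6238 with the standard library and shows that a code a victim types into a look-alike page is accepted by the real server when forwarded a few seconds later, then performs the origin and RP ID comparison a WebAuthn relying party does on clientDataJSON and authenticatorData, which rejects the same attempt from a phishing origin. The secret, origins, RP ID and challenge are constructed values; the assertion's public-key signature check is omitted to stay stdlib-only.

```python
import hashlib
import hmac
import json
import struct

# ---------------------------------------------------------------------------
# Part 1: TOTP (RFC 6238) carries no notion of *where* the code was typed, so a
# code the victim enters on a look-alike page is accepted by the real server as
# long as the attacker replays it inside the validity window.
# ---------------------------------------------------------------------------

TIME_STEP = 30  # seconds per TOTP interval


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over a big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def relayed_totp_accepted(secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """Victim types the code into a phishing page; the proxy forwards it `relay_delay` seconds later."""
    victim_code = totp(secret, victim_time)
    return verify_totp(secret, victim_code, victim_time + relay_delay)


# ---------------------------------------------------------------------------
# Part 2: a WebAuthn/FIDO2 relying party checks that the browser-supplied origin
# in clientDataJSON and the rpIdHash in authenticatorData match the site it
# actually serves. A proxy on a look-alike domain yields a different origin, so
# the assertion is rejected. (The authenticator's signature over
# authenticatorData || SHA-256(clientDataJSON) is what makes these fields
# tamper-evident; that public-key check is omitted here to stay stdlib-only.)
# ---------------------------------------------------------------------------

def make_client_data(origin: str, challenge_b64url: str) -> bytes:
    """Constructed clientDataJSON as a browser assembles it for a 'get' ceremony."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64url, "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes) || flags (UP|UV) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def rp_accepts_assertion(client_data_json: bytes, authenticator_data: bytes,
                         expected_origin: str, expected_rp_id: str,
                         expected_challenge: str) -> bool:
    """Relying-party origin, RP ID and challenge checks from the WebAuthn verification steps."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # stale or replayed assertion
    if client_data.get("origin") != expected_origin:
        return False  # produced for a different (e.g. phishing) origin
    if len(authenticator_data) < 37:
        return False
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    return hmac.compare_digest(authenticator_data[:32], expected_hash)
```

The TOTP half reproduces the RFC 6238 test vectors (secret `12345678901234567890`, T=59 gives `287082`), and `relayed_totp_accepted` returns True for any delay inside the step window because the server can only check the secret and the time, not who typed the code. The WebAuthn half returns False for the proxied origin even though the challenge and RP ID are identical, which is the property that makes FIDO2 phishing-resistant.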

Here is the context commonly evaluated by risk-based, machine learning (ML) driven authentication systems:

  • Can an authentication token be obtained?
      • The user must present a valid username and password plus a second factor, such as a biometric (fingerprint or three-dimensional facial recognition) unlocking an Authenticator app.
  • What is the risk score of the user?
      • Is the user authenticating from two distant places at nearly the same time (impossible travel)?
      • Has the user's password appeared in a breached account and password database traded on the dark web?
      • Is this a reasonable time for the user to be signed in, based on past behavior?
      • Is the user signing in from an anonymizing network such as a Tor exit node?
  • What is the risk score of the device?
      • Has the device experienced unresolved risk in the last several days?
      • Has the device been exposed to malware?
      • Is it running a high-risk application?
      • Are its antimalware signatures up to date?
      • Are all Critical and High severity patches applied?
      • Are there sensitive documents on the device?
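To make the list above concrete, here is an added example (not from the original post, and not how any particular identity provider implements its scoring) that evaluates a sign-in against a per-user baseline: impossible travel from the great-circle distance and elapsed time since the previous sign-in, an anonymous-IP check, a leaked-credential check, an unfamiliar-hour check, and device posture. The Tor exit list, leaked-password set, speed threshold and all sign-in events are constructed sample data; a production system learns the baseline and thresholds from history rather than hard-coding them.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def password_fingerprint(password: str) -> str:
    """SHA-1 hex of a password, the form in which breached-credential corpora are usually matched."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed reference data standing in for an IdP's threat-intelligence feeds.
TOR_EXIT_NODES: Set[str] = {"198.51.100.23", "203.0.113.77"}
LEAKED_PASSWORD_SHA1: Set[str] = {password_fingerprint("Winter2019!")}
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than a commercial flight => impossible travel
HIGH_RISK = {"leaked_credentials", "impossible_travel", "malware_detected"}


@dataclass
class Device:
    critical_patches_applied: bool
    av_signatures_current: bool
    malware_detected_recently: bool


@dataclass
class SignIn:
    user: str
    ts: int            # unix seconds
    ip: str
    lat: float
    lon: float
    password_sha1: str
    device: Device


@dataclass
class UserBaseline:
    usual_hours_utc: Set[int]            # hours of day this user normally signs in
    last_sign_in: Optional[SignIn] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def user_risk_signals(event: SignIn, baseline: UserBaseline) -> List[str]:
    signals: List[str] = []
    if event.ip in TOR_EXIT_NODES:
        signals.append("anonymous_ip")
    if event.password_sha1 in LEAKED_PASSWORD_SHA1:
        signals.append("leaked_credentials")
    prev = baseline.last_sign_in
    if prev is not None and event.ts > prev.ts:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = (event.ts - prev.ts) / 3600
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            signals.append("impossible_travel")
    hour = (event.ts // 3600) % 24
    if baseline.usual_hours_utc and hour not in baseline.usual_hours_utc:
        signals.append("unfamiliar_hour")
    return signals


def device_risk_signals(device: Device) -> List[str]:
    signals: List[str] = []
    if device.malware_detected_recently:
        signals.append("malware_detected")
    if not device.critical_patches_applied:
        signals.append("missing_critical_patches")
    if not device.av_signatures_current:
        signals.append("stale_av_signatures")
    return signals


def evaluate(event: SignIn, baseline: UserBaseline) -> Tuple[str, List[str]]:
    """Conditional-access decision: block on any high-risk signal, step up to MFA on any other."""
    signals = user_risk_signals(event, baseline) + device_risk_signals(event.device)
    if any(s in HIGH_RISK for s in signals):
        return "block", signals
    if signals:
        return "require_mfa", signals
    return "allow", signals
```

A sign-in from Sydney one hour after a sign-in from Seattle is blocked as impossible travel (roughly 12,000 km in an hour), a sign-in from a listed Tor exit node at a normal hour is stepped up to MFA, and a sign-in from the usual city at the usual hour on a compliant device is allowed without friction, which is the user-experience point the rest of the article makes.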

Once Multifactor Authentication is enforced through a single, unified identity provider, phishing that relies on password reuse or social engineering no longer yields a usable session on its own. With web-based Authentication-as-a-Service offerings, multifactor authentication is easy to roll out across the enterprise. Modern operating systems now ship with device-bound, multi-factor sign-in out of the box (Windows Hello on Windows 10, Touch ID and Face ID on macOS and iOS, biometric unlock on Android). Most modern on-premises and Cloud applications can consume standard Single Sign-On protocols: SAML or OpenID Connect for authentication and OAuth 2.0 for authorization.
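Consuming an SSO protocol safely means the application validates what the identity provider hands it. The following is an added example, not from the original post or from any vendor SDK, of the relying-party checks OpenID Connect Core requires on an ID token: pinned signing algorithm, signature, issuer, audience, expiry and nonce. It uses HMAC-SHA256 (HS256, keyed with the client secret) so it runs with the standard library alone; most providers sign ID tokens with RS256 and publish keys via JWKS, but the claim checks are identical. The issuer URL, client ID, secret and claims are constructed values, and `mint_id_token` stands in for the provider only so the checks can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: Dict[str, Any], client_secret: bytes, alg: str = "HS256") -> str:
    """Constructed stand-in for the identity provider: compact-serialised JWT.
    `alg` is a parameter only so a forged 'alg: none' token can be tested; a real IdP never emits one."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = b"" if alg == "none" else hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_id_token(token: str, client_secret: bytes, expected_issuer: str,
                      client_id: str, expected_nonce: str, now: int) -> Dict[str, Any]:
    """Relying-party ID token validation (OpenID Connect Core 1.0, section 3.1.3.7).
    Raises ValueError on any failure; returns the verified claims otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects alg=none and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud_list: List[str] = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud_list:
        raise ValueError("token not intended for this client")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def is_valid_id_token(token: str, client_secret: bytes, expected_issuer: str,
                      client_id: str, expected_nonce: str, now: int) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token(token, client_secret, expected_issuer, client_id, expected_nonce, now)
        return True
    except ValueError:
        return False
```

The order matters: the algorithm is pinned before the signature is checked, and the signature is checked before any claim is read, so an attacker-controlled header can never select a weaker verification path. The nonce check is what ties the token to the browser session that started the login; skipping it is what turns a leaked ID token into a replayable credential.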

Moving toward a Secure Single Sign-On Posture

Implementing a single identity source for all applications gives users a simpler, less time-consuming experience and gives the organization an arguably more secure Single Sign-On posture:

  • Single Sign-On reduces the number of passwords that users need to remember or save, quite often insecurely, to access their applications.
  • Single Sign-On also provides pass-through authentication and authorization: once a user authenticates to the operating system with multifactor authentication, the token issued at that sign-in is reused to reach both on-premises and Cloud apps without further prompts.
  • Single Sign-On reduces the risk of untimely termination or missed identity decommissioning by curbing 'identity sprawl,' the situation in which each user holds multiple identities across multiple applications. Sprawl is often the result of entities, business units, or affiliates that are not yet integrated into the core directory; B2B approaches to Single Sign-On can cover those groups without first migrating them into the organization's core directory.

Considering user satisfaction is critical. (Source: Microsoft)

Multifactor authentication and Single Sign-On together increase user satisfaction, making the CISO a business enabler rather than a productivity and collaboration roadblock. Cloud-based multifactor authentication and Single Sign-On directory services have also proven more available than on-premises directory or federation services, with many Cloud providers committing to 99.9% uptime. A three-nines Service Level Agreement is hard to achieve on-premises with limited IT staff and budget!

If you missed previous installments of my series on Changing the Monolith: People, Process, and Technology, check out Part 1 and Part 2 on People, and Part 3 on Process. Let me know what you think in the comments.


Joseph Davis — Microsoft Chief Security Advisor for Health & Life Sciences