CyberTalk is Check Point’s executive-level thought leadership website. Check Point is a Security key collaborator of DXC. This article originally appeared in CyberTalk and is reprinted by permission.

To best protect systems and data in the current cyber threat landscape, organisations must move beyond traditional perimeter defenses. Because the majority of modern cyber criminals leverage credentials to access networks, user identities are the new perimeter.

From major brands to SMBs, businesses are turning to multi-factor authentication to secure their employee base. Multi-factor authentication (MFA) represents one of the most effective means of preventing unauthorized access to a business’s owned resources, keeping data and intellectual property confidential and secure.

Whether a single individual’s credentials are compromised or an entire roster of credentials is stolen, multiple factors of authentication prevent attackers from exploiting accounts, infiltrating a network, and causing damage.

MFA best practices: Implement MFA across the business

Multi-factor authentication isn’t difficult to implement, but planning your approach can save time and energy.

  • One common business mistake consists of deploying MFA in silos. MFA gets deployed in some areas of the business, but not others. To minimise potential exposure to threats, consider all access points across the business, including the cloud. Some companies have shifted data and workloads to the cloud without implementing consistent security across cloud components.
  • Implement MFA for privileged user accounts. This will limit the degree of damage that affects your enterprise in the event that cyber criminals manage to breach your ecosystem.
  • Implement MFA for all end users and privileged users, and across cloud and on-premises applications, VPN, server login and more, to prevent password-based breaches, unauthorised access and disruptions to your business.

Leverage context for Adaptive MFA

Adaptive MFA improves user experiences and increases your security. Instead of using an ‘always on’ approach that continually asks users to type in a code sent to a phone, leverage context to develop an adaptive, advanced means of authenticating a person’s identity. Adaptive MFA uses contextual information, such as location, network, device settings or time of day to determine whether or not the user is who they purport to be.
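The context check described above, sketched as an added example (not code from the article or from any MFA product). The networks, working hours, profile fields and the allow / step_up / deny thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions, not taken from the article).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
WORK_HOURS = (time(7, 0), time(19, 0))

@dataclass(frozen=True)
class Profile:
    usual_countries: frozenset   # countries this user normally signs in from
    enrolled_devices: frozenset  # device IDs registered to this user

@dataclass(frozen=True)
class SignIn:
    source_ip: str
    country: str        # geolocated country of the request
    device_id: str
    local_time: time
    privileged: bool = False

def risk_signals(s: SignIn, p: Profile) -> list:
    """Return the contextual signals that deviate from the user's profile."""
    signals = []
    if s.country not in p.usual_countries:
        signals.append("location")
    if not any(ip_address(s.source_ip) in net for net in CORPORATE_NETS):
        signals.append("network")
    if s.device_id not in p.enrolled_devices:
        signals.append("device")
    if not WORK_HOURS[0] <= s.local_time <= WORK_HOURS[1]:
        signals.append("time")
    return signals

def decide(s: SignIn, p: Profile) -> str:
    """Map signals to 'allow', 'step_up' (prompt for another factor) or 'deny'."""
    signals = set(risk_signals(s, p))
    # Assumed rule: unfamiliar location AND unfamiliar device is refused outright.
    if {"location", "device"} <= signals:
        return "deny"
    # Privileged accounts are always prompted, whatever the context looks like.
    if s.privileged or signals:
        return "step_up"
    return "allow"
```

A user travelling with an enrolled laptop raises only the location and network signals, so the policy prompts for another factor instead of blocking the sign-in.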

A variety of authentication factors

To make your multi-factor authentication successful, prioritize user convenience. An inflexible ‘one-size-fits-all’ approach tends not to work well. For example, an adaptive MFA policy that relies on location may not work well for distributed employees or sales representatives who travel for business.

MFA methods include:

  • Hardware tokens
  • Soft tokens
  • SMS/Text message
  • Phone call
  • Email
  • Biometrics
  • Security questions

Select a standards-based approach

Standards help ensure that the MFA solution can function effectively within your existing IT infrastructure. For example, an MFA solution should comply with standards such as Remote Authentication Dial-In User Service (RADIUS) and Open Authentication (OATH). The former is a networking protocol that uses centralized authentication, authorisation and account management for people who connect to and rely on a network service. The latter represents an open technology standard that permits solutions to deliver strong authentication across all devices and networks.

MFA + complementary identity security tools

Reduce risk by combining MFA with other solutions, like single sign-on (SSO) and least privilege access.

  • SSO removes the need for employees to remember a pile of passwords, each of which applies to a different corporate account. It also eliminates the potential for, and the risk from, weak, re-used or poorly safeguarded passwords.
  • In the event that an attacker manages to obtain a rank-and-file employee’s credentials, least privilege access can prevent the attacker from gaining access to a business’s ‘crown jewels’. While least privilege access isn’t a panacea, it can mitigate a certain degree of risk.

Regularly re-evaluate MFA

The MFA best practices of today are not necessarily the MFA best practices of tomorrow. The cyber security threat landscape is a dynamic environment that continually changes and evolves. Because of this, businesses need to conduct regular assessments to ensure that MFA technology continues to meet employee needs and those of the organisation as a whole.