It’s refreshing to know that there are still places where people can leave their front doors unlocked. It conjures notions of a bygone time and place replete with trust and respect. Sounds nice, but in the land of the cloud it doesn’t exist. In the cloud, you not only need a locked door, but additional security on top of that so thieves who think nothing about breaking down your door will have to go through an additional barrier. That barrier comes in the form of multi-factor authentication (MFA), and it’s a necessity for every organization so they can secure their valuable data and protect their users.
Even with new standards for passwords, hackers are finding it increasingly easy to compromise authentication credentials. The risk is compounded for organizations that use single sign-on or have lax authentication policies for individual applications and other internal assets. In these environments, once you’re in, you have access to multiple sources of sensitive data. Attacks that use stolen credentials are hard to detect and police because, even though the credentials have been compromised, they appear to be used by a legitimate actor. It’s not until you notice abnormally high resource costs or receive a ransomware demand that you recognize the damage caused by the breach.
Interestingly, though, as effective a solution as MFA is, it isn’t widely used. IS Decisions, a credentials security vendor, published a study that indicates almost half of U.S. organizations do not use MFA. The reasons cited are not terribly surprising:
- Time needed to manage – 28%
- Infrastructure complexity – 21%
- Cost – 18%
Clearly, IT teams are dealing with limits on their time and budget, and that’s understandable. Yet the expense of a breach that compromises the identity layer and exposes private data could dwarf the cost of implementing and managing an MFA solution. This is a technology solution for sure, but executives need to recognize that the right investments in tools, talent, and infrastructure can protect their own and their customers’ data, to say nothing of their company brand.
MFA’s selling point is something very simple, but critical: it dramatically increases the difficulty of access. Amazon, Microsoft, and Google all recommend using it, it’s simple to implement, and it has been proven to be effective and consistent. MFA functions as a countermeasure to the mindset of most hackers, whereby they tend to poke around until they find an easy opening. Make it too hard, however, and it’s easier for a hacker to just move on to the next network. Especially at a time when the black market for login credentials is booming, demanding access through a second physical or virtual device that is separate from standard username/password combinations is not just a good practice, but has to be an essential tool in an enterprise’s playbook.
All forms of cloud security are ultimately about control. The more of it you have, and the less a bad actor has, the more secure your environment is for your users and data. MFA is a powerful tool in the pursuit of control because it forces a lazy hacker to do additional work, which he will likely opt out of. For diligent, goal-oriented hackers, attempts to bypass or compromise MFA codes will frustrate them and drastically reduce the chance that they successfully complete their mission.
Microsoft Azure and Amazon Web Services (AWS) both offer versions of MFA to accompany their offerings, and according to Symantec’s Internet Security Threat Report, 80% of breaches can be prevented simply by employing MFA. Adding MFA beyond just root account access is another way to expand security functionality across your cloud footprint. It can be added as a component to Identity & Access Management (IAM) policies, and by using it for access to specific data repositories (like AWS S3 and Azure Storage, for example), MFA can frustrate hackers who otherwise might have gained internal access to an environment. Most compliance standards support and encourage the use of MFA, but often require specific types of hardware or processes to deliver and manage it. AWS, for example, demands that virtual tokens be compliant with certain IETF standards in order to comply with FedRAMP requirements, and Azure maintains that the passcodes from MFA devices have to be compliant with Open Authentication (OATH) requirements.
MFA is clearly impactful and proven, but it also requires continued monitoring to ensure users are adhering to usage guidelines. Monitoring also provides insight into the efficacy of authentication policies: if those policies turn out to be easy to bypass, or users are in fact bypassing them, the organization can identify the gap and quickly update the policies so MFA operates according to plan.
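The two ideas above, a bucket-level IAM policy that refuses S3 access without MFA and a monitoring check that flags activity performed without it, as one added example. This is illustrative code written for this post, not Evident.io’s or AWS’s own; the bucket name and the CloudTrail records are constructed, and only the CloudTrail fields the check reads are included.

```python
def s3_mfa_policy(bucket: str) -> dict:
    """IAM policy: allow access to one bucket, but Deny every S3 action on it
    unless the session carries an MFA assertion. aws:MultiFactorAuthPresent
    is absent for long-term access-key requests, so BoolIfExists is needed;
    a plain Bool test would never match them and the Deny would not fire."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowBucketAccess", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
             "Resource": arns},
            {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "s3:*",
             "Resource": arns,
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }

def non_mfa_events(records: list) -> list:
    """Return eventIDs of CloudTrail records made without MFA. Console logins
    report it in additionalEventData.MFAUsed; API calls under a temporary
    session in userIdentity.sessionContext.attributes.mfaAuthenticated.
    Calls signed with long-term access keys have neither and are flagged."""
    flagged = []
    for rec in records:
        if rec.get("eventName") == "ConsoleLogin":
            used = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        else:
            attrs = (rec.get("userIdentity", {}).get("sessionContext", {})
                     .get("attributes", {}))
            used = str(attrs.get("mfaAuthenticated", "false")).lower() == "true"
        if not used:
            flagged.append(rec["eventID"])
    return flagged

# Constructed sample records (not real CloudTrail output), cut down to the fields used.
SAMPLE_RECORDS = [
    {"eventID": "ev-1", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "ev-2", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-3", "eventName": "GetObject", "userIdentity": {
        "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventID": "ev-4", "eventName": "DeleteObject", "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(s3_mfa_policy("example-bucket"), indent=2))
    print("events without MFA:", non_mfa_events(SAMPLE_RECORDS))  # ['ev-2', 'ev-4']
```

Attach the policy to the users or roles that touch the bucket, then feed real CloudTrail records into the check to confirm that nothing reaches the bucket without an MFA-backed session.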
I encourage you to learn more with these resources that are both instructional and actionable:
- [BLOG] Enable MFA Tokens Everywhere: John Robel is one of Evident.io’s chief solutions architects, and in this blog, he makes the case for MFA. In it, he cautions against relying on outdated password guidelines and other methods that may seem like good ideas, but aren’t as effective as MFA.
- [eBook] AWS Security Fitness Guide – Exercises To Get CloudFit: Here are 11 actionable practices, MFA among them, that can secure your AWS cloud environment and ensure greater control of your security posture.
- [Webinar] Cloud Security Bootcamp: Learn how to care for your cloud by implementing and managing a variety of actions, including enabling MFA.