Multi-Factor (MFA) | Two-Factor (2FA) Authentication
MFA/2FA is the simplest, most effective way to make sure users are who they say they are.
The most critical security aspects of an authentication solution are:
1) effectiveness against threats related to credential theft, and
2) underlying security and reliability.
The primary goal is to reduce the risk of a data breach to your organization. If a solution is easily bypassed or doesn’t provide comprehensive protection, it’s not worth implementing (at any cost!).
Secure Everything, Everywhere
FOCUS ON REMOTE LOGINS
Before you implement a new security solution, take full inventory of your organization’s applications, networks and data that can be accessed remotely. If you can log into an application or a system over the internet, you should protect it with more than just a username and password. VPN, SSH and RDP connections are gateways to your corporate networks and therefore require added layers of protection to prevent unauthorized access. Wherever possible, use FIDO-based (Fast IDentity Online, an open industry standard for strong authentication) security keys that leverage WebAuthn and provide the highest level of assurance for authentication.
With a modern MFA solution built on zero trust principles, you can get a clearer picture of the users and devices that are trying to access your network. It is no longer enough just to verify the user before granting access. Consider verifying the device status as part of the authentication workflow. Ensure your solution can integrate with any custom software, VPNs, cloud-based applications and device management tools.
REDUCE DEPENDENCY ON PASSWORDS
Passwords are a thorn in the side of enterprise security. An average enterprise uses more than 1,000 cloud apps today. That’s too many passwords for IT to manage securely, and for users to remember. This results in password fatigue, and it’s no surprise that weak and stolen passwords are among the leading causes of a breach. Eliminating passwords from authentication sounds very attractive; however, as with any new technology, it is wise to take a thoughtful approach to adopting passwordless authentication.
Passwordless is a journey that requires incremental changes for both users and IT environments. Ask security vendors how their products can help you embrace a passwordless future without creating security gaps or causing IT headaches.
Enabling a single sign-on (SSO) option along with MFA is a great way to start the passwordless journey without compromising on security.
For end users, SSO provides access to multiple applications with a single login (one set of username and password credentials), and reducing the number of passwords eliminates bad password habits such as password reuse. For administrators, SSO serves as a unified point of visibility for authentication and access logs, and an effective policy enforcement point for applying security policies to each application depending on its risk profile.
ADAPTIVE POLICIES & CONTROLS
An advanced two-factor authentication solution lets administrators define rules and levels of access with adaptive controls, balancing security and ease-of-use based on the users, groups, devices, networks and applications involved.
Examples of adaptive policies and controls include:
+ Require admins and IT staff to perform two-factor authentication using biometrics or a FIDO-based security key every time they log in to protect privileged access
+ Allow users to authenticate less often when using the same device
+ Block login attempts from foreign countries where you don’t do business, and block access from anonymous networks, like Tor
+ Allow users to only access critical applications from corporate managed devices
While traditional solutions such as firewalls and network access control (NAC) can do this, they’re typically limited to protecting your on-premises resources. But by focusing only on the local network perimeter, these solutions leave many security gaps and zero coverage for cloud applications. Look for a solution that offers protections beyond a traditional network-based perimeter and truly protects access from any device and from any location.
SECURE SENSITIVE DATA
Check that the solution allows you to create and enforce advanced policies and controls that you can apply to environments with sensitive data – whether it is internet-accessible or a private network.
Examples include:
+ Define how users access sensitive systems, such as servers containing financial data
+ Set a stricter policy for servers with customer payment data vs. public file servers
Consider a solution that offers comprehensive device verification capabilities across laptops, desktops or mobile devices. The solution should ensure that devices accessing your environment are in compliance with your organization’s security criteria. This includes verifying that the devices have critical software patches installed and enabling end-user remediation where applicable.
Check that the solution can leverage telemetry from your endpoint security agents and device management tools as part of posture assessments.
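The adaptive controls listed under ADAPTIVE POLICIES & CONTROLS and the sensitive-data and device-posture checks above are easiest to reason about as an ordered rule set. The following is an added example, not code from the original guide or from any vendor's product: a small policy evaluator in Python whose rules mirror those examples (block anonymous networks and countries where you do no business, allow critical and payment systems only from managed and patched devices, require a strong factor from admins and IT staff every time, and let other users skip the second factor on a recently verified device). The country list, group names, time window, method names and sample requests are all constructed for illustration; a real deployment would feed these fields from the identity provider, MDM and EDR telemetry.

```python
"""Adaptive access-policy evaluator (added illustration, not a vendor implementation)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed configuration for the example organisation.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}            # where the business operates
PRIVILEGED_GROUPS = {"admins", "it-staff"}
STRONG_METHODS = ("fido2", "biometric")           # phishing-resistant factors only
STANDARD_METHODS = ("fido2", "biometric", "push", "totp")
REMEMBER_DEVICE = timedelta(hours=12)             # how long a verified device skips re-auth
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the samples


@dataclass
class Device:
    device_id: str
    managed: bool                                 # enrolled in corporate device management
    patched: bool                                 # critical patches installed (EDR/MDM telemetry)
    last_strong_auth: Optional[datetime] = None   # last completed second factor on this device


@dataclass
class Request:
    user: str
    groups: set
    device: Device
    country: str
    anonymous_network: bool                       # e.g. request arrives via an anonymity network
    app: str
    app_sensitivity: str                          # "public", "critical" or "payment"
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Decision:
    action: str                                   # "deny", "allow" or "mfa"
    reason: str
    methods: tuple = ()                           # factors accepted when action == "mfa"


def evaluate(req: Request) -> Decision:
    # 1. Network controls apply before anything else, regardless of who the user is.
    if req.anonymous_network:
        return Decision("deny", "anonymous network")
    if req.country not in ALLOWED_COUNTRIES:
        return Decision("deny", f"country {req.country} not allowed")

    # 2. Device posture: sensitive systems only from managed, fully patched devices.
    if req.app_sensitivity in ("critical", "payment"):
        if not req.device.managed:
            return Decision("deny", "unmanaged device")
        if not req.device.patched:
            return Decision("deny", "device missing critical patches; remediate and retry")

    # 3. Privileged users present a strong factor on every login; no remembered device.
    if req.groups & PRIVILEGED_GROUPS:
        return Decision("mfa", "privileged access", STRONG_METHODS)

    # 4. Customer payment data: strong factor every time, for everyone.
    if req.app_sensitivity == "payment":
        return Decision("mfa", "payment data", STRONG_METHODS)

    # 5. An out-of-compliance device never gets the remembered-device relief.
    if not req.device.patched:
        return Decision("mfa", "device out of compliance; remediation advised", STANDARD_METHODS)

    # 6. Everyone else may skip the second factor on a recently verified device.
    last = req.device.last_strong_auth
    if last is not None and req.now - last < REMEMBER_DEVICE:
        return Decision("allow", "remembered device")
    return Decision("mfa", "standard second factor", STANDARD_METHODS)


def sample_requests() -> dict:
    """Constructed scenarios covering each rule; keyed by a short scenario name."""
    good = Device("lt-1", managed=True, patched=True, last_strong_auth=SAMPLE_NOW - timedelta(hours=1))
    stale = Device("lt-2", managed=True, patched=True, last_strong_auth=SAMPLE_NOW - timedelta(days=2))
    byod = Device("ph-3", managed=False, patched=True)
    unpatched = Device("lt-4", managed=True, patched=False, last_strong_auth=SAMPLE_NOW)
    return {
        "admin_vpn": Request("alice", {"admins"}, good, "US", False, "vpn", "critical", SAMPLE_NOW),
        "tor_user": Request("bob", {"staff"}, good, "US", True, "mail", "public", SAMPLE_NOW),
        "foreign_user": Request("bob", {"staff"}, good, "ZZ", False, "mail", "public", SAMPLE_NOW),
        "byod_critical": Request("bob", {"staff"}, byod, "CA", False, "erp", "critical", SAMPLE_NOW),
        "unpatched_payment": Request("bob", {"staff"}, unpatched, "US", False, "billing", "payment", SAMPLE_NOW),
        "payment_ok": Request("bob", {"staff"}, good, "US", False, "billing", "payment", SAMPLE_NOW),
        "remembered_public": Request("bob", {"staff"}, good, "GB", False, "wiki", "public", SAMPLE_NOW),
        "stale_public": Request("bob", {"staff"}, stale, "GB", False, "wiki", "public", SAMPLE_NOW),
        "unpatched_public": Request("bob", {"staff"}, unpatched, "US", False, "wiki", "public", SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(f"{name:18} -> {d.action:5} ({d.reason}) {d.methods}")
```

Rule order is the design point: network and posture denials come first so that a strong factor is never requested from a device or location the policy would reject anyway, and the remembered-device relief is the last rule so that it can never override a stricter one.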
VISIBILITY & ANALYTICS
Ask your provider if your solution gives you insight into your users and the devices they use to access your organization’s apps and data. An advanced authentication solution should give you an at-a-glance picture of the security profile of all devices in your environment, letting you take action to protect against known vulnerabilities. Because data is only as useful as it is accessible, make sure your dashboard provides a comprehensive bird’s-eye view along with the ability to quickly zoom or filter into more granular information.
Ensure your solution comes with detailed logs about your users, devices, administrators and authentication methods. The solution should allow these logs to easily export to your SIEM tools and help create custom reports, ideal for security analysts and compliance auditors.
Choose a solution that gives you visibility into authentication attempts, including data on IP addresses, anonymous networks, blacklisted countries and more – useful for determining where and when certain attacks may occur. Ask if the provider can detect and automatically alert administrators in case of risky login behavior or suspicious events, such as new device enrollment for authentication or login from an unexpected location.
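The alerting described above (new device enrollment, login from an unexpected location, traffic from anonymous networks or blocked countries) is the kind of logic an analyst would run over an exported authentication log. The following is an added example, not code from the original guide or from any provider's product: a small Python analyser over a constructed JSON-lines export. The field names, the blocked-country list and every log line are invented for illustration; a real SIEM feed would have the provider's own schema.

```python
"""Authentication-log analytics: flag risky login events (added illustration)."""
import json
from collections import Counter, defaultdict

# Constructed sample export, one JSON object per line, as a SIEM-bound feed might look.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:00Z","event":"auth","user":"bob","result":"success","ip":"203.0.113.10","country":"US","device_id":"dev-1","anonymous":false}
{"ts":"2024-03-01T08:05:00Z","event":"auth","user":"bob","result":"success","ip":"203.0.113.10","country":"US","device_id":"dev-1","anonymous":false}
{"ts":"2024-03-02T02:10:00Z","event":"enroll","user":"bob","result":"success","ip":"198.51.100.7","country":"US","device_id":"dev-9","anonymous":false}
{"ts":"2024-03-02T02:12:00Z","event":"auth","user":"bob","result":"success","ip":"198.51.100.7","country":"BR","device_id":"dev-9","anonymous":false}
{"ts":"2024-03-02T02:30:00Z","event":"auth","user":"bob","result":"success","ip":"203.0.113.10","country":"US","device_id":"dev-7","anonymous":false}
{"ts":"2024-03-02T03:00:00Z","event":"auth","user":"carol","result":"failure","ip":"192.0.2.44","country":"US","device_id":"dev-3","anonymous":true}
{"ts":"2024-03-02T03:01:00Z","event":"auth","user":"carol","result":"failure","ip":"192.0.2.44","country":"US","device_id":"dev-3","anonymous":true}
"""

BLOCKED_COUNTRIES = {"ZZ"}  # constructed placeholder for countries where the org does no business


def parse(log_text):
    """Yield one event dict per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def analyze(log_text):
    """Walk the log in order, building a per-user baseline and emitting alerts.

    The baseline (known devices and countries) is learned only from successful
    logins and completed enrollments, so failed attempts never widen it.
    """
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []

    def alert(kind, ev, detail):
        alerts.append({"type": kind, "ts": ev["ts"], "user": ev["user"],
                       "ip": ev["ip"], "detail": detail})

    for ev in parse(log_text):
        user = ev["user"]

        # New device enrollment is always surfaced: it is how an attacker with a
        # stolen password would try to add a second factor they control.
        if ev["event"] == "enroll":
            alert("new_device_enrollment", ev, ev["device_id"])
            seen_devices[user].add(ev["device_id"])
            continue

        if ev["anonymous"]:
            alert("anonymous_network", ev, ev["ip"])
        if ev["country"] in BLOCKED_COUNTRIES:
            alert("blocked_country", ev, ev["country"])
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            alert("unexpected_location", ev, f"{ev['country']} not in {sorted(seen_countries[user])}")
        if seen_devices[user] and ev["device_id"] not in seen_devices[user]:
            alert("unenrolled_device", ev, ev["device_id"])

        if ev["result"] == "success":
            seen_devices[user].add(ev["device_id"])
            seen_countries[user].add(ev["country"])

    return alerts


def summarize(alerts):
    """Count alerts by type, the figure a dashboard or report would show first."""
    return Counter(a["type"] for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['type']:22} user={a['user']} ip={a['ip']} {a['detail']}")
    print(dict(summarize(found)))
```

On the constructed log this produces five alerts: bob's enrollment of dev-9, his next login arriving from a country never seen before, a later login from a device that was never enrolled, and two attempts by carol from an anonymous network. The per-user baseline is deliberately naive (no decay, no travel-time reasoning); the point is that each rule reads straight off the log fields the text says the provider should export.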
It’s expensive to rip and replace a solution, so choose one that can scale to support new users, integrations and devices – no matter where they are, including on-premises and in the cloud. Check that your provider offers different authentication methods, including smartphone apps, biometrics, phone callback, passcodes and hardware tokens to fit every user’s need.
A security solution is only as valuable as it is available, and resilient against security incidents and downtime. A cloud-based 2FA provider should maintain their solution independent from your systems. That way, even if you’re breached, access to your applications is still securely managed by your provider.
To protect against downtime, your provider’s service should be distributed across multiple geographic regions, providers and power grids for seamless failover. Reliable vendors should demonstrate 99.99% uptime, guaranteed by strong service level agreements (SLAs).
Digital Assurance Advisors, your personal authority in cyber security, will assist in securing your Authentication Validation needs and more. Contact us for more information or to begin your complimentary 30-day Proof of Value! +1.414.236.4200