Transcript
Page 1: Use Multi Factor Authentication to Save Costs and Secure Users

Be absolutely certain who your users are.

External Incidents:
• Passwords as the sole authenticator introduce risk to an organization.
o They’re not enough on their own: Too easy to crack, sniff, elicit. “All passwords are crackable.” - SANS
o Passwords are subject to credential theft, as well as creating additional work for service desk with managing forgotten passwords.

As an information security officer, I’m dealing with the following:
Events/incidents:
• Compromised system or stolen passwords through phishing and/or employee negligence.
• Regulatory requirements for secure employee access to internal systems. For example, remote access to PCI data.

As the operations manager, I’m dealing with the following:
Events/incidents:
• Users with password fatigue. Dealing with multiple different passwords for different systems/identities leads to substandard practices including insecure synchronization of passwords, use of weak passwords, and writing down and sharing of passwords.
• Proliferation of cloud services exacerbates this problem and exposes password stores to potential compromise by service provider and/or attacks against the service provider (service provider holds all passwords except in a federated IAM model).
• More opportunities for error.
o Higher than optimal number of calls to help desk for password resets, resulting in unnecessary IT spend and reduced user productivity.
• Tie in with SSO/IAM – opportunities to reduce number of sign-ins at the same time as implementing strong/MFA authentication.
o Regulatory requirements for secure customer access to services such as online banking.

Passwords are no longer sufficient for secure authentication. Anything less than 2-factor authentication is unacceptable in today’s world.
• Password cracking requires no skill. Recent continuing high-profile hacks involving release of ID/password underscore the risk to organizations from re-used passwords.
• MFA and strong authentication are applicable to everyone and achievable for everyone.
• Login and password reset help desk tickets account for a substantial portion of help desk load – reducing this through SSO may not be sufficiently secure without MFA.

1. Understand the project
2. Make the case for MFA and analyze requirements
3. Identify best-fit MFA solutions
4. Develop MFA implementation action plan

In today’s ever-changing threat landscape, passwords are an easy access point for attackers – they’re easy to hack and crack. If you’re not adding another layer of authentication onto your current practices, you’re leaving yourself vulnerable. MFA can apply to all organizations.

You don’t want your organization in the news for stolen user credentials or a breach due to human error related to authentication mismanagement, nor do you want to lose credibility with clients for not having secure processes.

Once you understand the user groups that are in scope and their security requirements – you can start to look at solutions that work for you.

Use language that stakeholders and users will appreciate and emphasize the value the project brings to them and the organization – communication is integral to the success of your MFA implementation.
