Important Factors of Implementing Multi-Factor Authentication Security
Multi-Factor Authentication (MFA) is supported by most internet services and by nearly every manufacturer and developer out there. That said, the importance, best practices, and consistency of standards for implementing MFA efficiently and effectively across an organization are far too often overlooked.
Who Should Have MFA Enabled
A common question asked by business leaders is, "Does every employee really need MFA enabled? Does MFA really need to be enforced as part of our cybersecurity policy?" The short answer is YES and YES. Simply put, anyone who has access to company resources needs to have MFA enabled on their accounts. Don't cut corners. Accept no substitutions.
For example, if someone in your company has access to Human Resources, Accounting, Manufacturing, Sales, or any other corporate data, that access needs to be protected. Attackers are trying to find a foothold in any company, regardless of size or industry. Once attackers have access to an account, it doesn't matter whether it belongs to a front-line worker or a C-suite executive. Access is key—whether it be to an email account on Microsoft 365, a Virtual Private Network (VPN) into a private cloud, or a Microsoft Azure virtual desktop.
Once an attacker has access to an account, they can impersonate users through their email accounts, take over additional accounts within your organization, or siphon data regardless of the user's position or access level. The higher the level of access, the easier it is to move through your organization and gather information. The most common scenario is an executive's account being compromised, followed by a ransomware demand for funds to be transferred or a change to bank routing information.
Services That Should Have MFA Enabled
Most companies struggle to fully deploy, or even get funding for, a single MFA solution that can integrate across multiple technologies and services. Having MFA enabled for just email isn't enough to provide complete identity protection within the environment. With the advent of remote work, once internal-only tools and services are now available externally through cloud and Software-as-a-Service (SaaS) solutions for file storage, databases, email, and HR portals. Any resource that is accessible externally should have MFA enabled, including administrative access to websites, email portals, Remote Desktop Services (RDS), VPNs, and other third-party portals.
Common MFA Challenges and Issues
An issue organizations often run into after enabling MFA is an authentication conflict, or legacy authentication left enabled, on a service that bypasses MFA altogether. The most common scenario is legacy authentication within Microsoft Office 365. Legacy authentication is the most basic form of authentication used with cloud-based services, and several services within 365 still use it, including Microsoft's Autodiscover and Outlook Anywhere services. Unless support for legacy authentication is disabled, attackers can abuse access to these services and bypass MFA—leaving your organization vulnerable to a breach. Microsoft has some shocking data around legacy authentication and how frequently it's abused:
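Before legacy authentication can be switched off, an administrator needs to know which accounts and which protocols still rely on it, and whether any of those sign-ins are succeeding (a successful legacy sign-in is one that never went through MFA). The script below is an added example, not from the original article or from Microsoft: it groups sign-in records by user and legacy client app and counts successes and failures. The record layout and the client-app names are assumed to follow the Microsoft Graph sign-in log fields (userPrincipalName, clientAppUsed, status.errorCode); the sample records are constructed.

```python
import json
from collections import defaultdict

# Client app names Microsoft reports for legacy (basic) authentication.
# They follow the Graph sign-in log "clientAppUsed" field as I know it;
# treat the list as an assumption and extend it for your tenant.
LEGACY_CLIENT_APPS = {
    "Autodiscover", "Outlook Anywhere (RPC over HTTP)", "Exchange ActiveSync",
    "Exchange Web Services", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
}

# Constructed sample sign-in records, not data from any real tenant.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Autodiscover",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com",
  "clientAppUsed": "Outlook Anywhere (RPC over HTTP)", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4",
  "status": {"errorCode": 50126}},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4",
  "status": {"errorCode": 50126}},
 {"userPrincipalName": "dave@example.com",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
]""")


def legacy_auth_report(signins):
    """Group legacy-protocol sign-ins by user and client app.

    Returns {user: {client_app: {"success": n, "failure": n}}}. A successful
    entry is a sign-in that skipped MFA entirely; repeated failures are the
    password-guessing noise that legacy endpoints attract, which MFA would
    not have blocked either. Users absent from the result are clean."""
    report = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in signins:
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue
        outcome = "success" if rec["status"]["errorCode"] == 0 else "failure"
        report[rec["userPrincipalName"]][app][outcome] += 1
    return {user: dict(apps) for user, apps in report.items()}


if __name__ == "__main__":
    for user, apps in legacy_auth_report(SAMPLE_SIGNINS).items():
        for app, c in apps.items():
            print(f"{user}: {app} success={c['success']} failure={c['failure']}")
```

Run it against an export of your own sign-in logs; any user that appears in the output still depends on a protocol that MFA does not protect and has to be migrated before legacy authentication is disabled tenant-wide.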
Why Consistency is Critical to Enforcing MFA
Consistency is critical to any business. Business processes are in place to make sure that work is performed quickly and efficiently every time, with repeatable results. Businesses also put processes in place to help onboard employees, because a consistent onboarding process makes for happier employees. These same repeatable results are desired for the security of your company and its data. Having MFA enabled across the environment ensures a consistent, predictable outcome in terms of cybersecurity protection.
A Virtual Private Network (VPN) is a critical entry point into any corporate environment. VPN services provide a direct connection between an endpoint device (like a laptop) and your internal network resources (like a server in an office, private cloud, or datacenter). VPN accounts (sometimes referred to as 'local accounts'), especially those not integrated with Active Directory, are less likely to be removed when an employee leaves your organization. Without consistency in account provisioning and deprovisioning, these accounts become a prime target for attackers. VPN accounts are commonly seen for sale on the dark web for as little as $15 and allow easy access to internal resources. When MFA isn't enabled or enforced on VPN accounts, those accounts become susceptible to abuse—leaving your organization open to a breach.
The same mindset and attention to consistency apply when publishing a remote desktop service. A remote desktop typically has access to server resources and provides easy access to a Windows-based machine. Unfortunately, these types of unsecured accounts are offered for sale online to attackers, very cheaply and often with multiple accounts for the same company bundled together. Without MFA enabled, login activity can become difficult to track.
Furthermore, company-wide portals, such as those containing HR and other sensitive data, should also be protected by MFA. Because these services are not hosted internally but by third-party providers, monitoring logins and access becomes extremely difficult without access to the supporting infrastructure. Consistent creation and removal of accounts is critical to making sure data is not leaked.
How Often MFA Should Be Authenticated
Determining how often to force MFA authentication, and under what circumstances, are two of the biggest questions to answer when forming an MFA policy. Consistency across platforms, including VPN, RDS, email, and third-party hosted services, is essential to securing the identity of your employees and your organization's data—no matter where corporate information lives. With workers shifting between in-office and out-of-office status, IT departments and Managed Services Providers (MSPs) are seeing an increase in the deployment of Multi-Factor Authentication (MFA) on employee desktops at home.
When working remotely from home, employees are no longer protected by most of the corporate security products and services. These home computers are not only more easily accessible by family members, but are typically connected to a home network (the same one that provides internet access) that isn't segmented from other, less secure devices (like printers and smart TVs). Confirming the identity of who is using a specific endpoint is paramount to ensuring the security of that endpoint.
Want to Fortify Your Multi-Factor Authentication (MFA) Deployment?
Let Centre Technologies help to improve your security posture by requesting a meeting to discuss your current (or future) MFA posture and ways to improve it.