Going beyond privileged accounts
François Amigorena, Founder and CEO, IS Decisions
Given the current global cyber threat landscape, multi-factor authentication (MFA) is one of the most effective ways to prevent breaches and secure network data. However, although the pandemic has accelerated MFA adoption, uptake is still slow. Why? For MFA adoption to become truly comprehensive, companies must understand the real value of MFA and how it can be implemented effectively.
MFA adoption is slow
In their daily lives, most people ignore two-factor authentication (2FA), or hesitate to turn it on, mostly for the same reasons: misplaced trust in their passwords, frustration or confusion with the setup, or plain laziness. Fact: less than 10% of Google users are enrolled in 2FA.
This reluctance has led some tech giants to make MFA mandatory: Salesforce now requires MFA, 2FA will gradually become mandatory for all Google users, and Amazon.com Inc.’s Ring has already made 2FA mandatory.
Unfortunately, the same attitude exists in the workplace, with enterprise MFA acceptance still low.
Why do companies hesitate to adopt MFA?
Some common MFA myths make many companies reluctant to adopt it. Many see MFA as the best fit only for:
- Large organizations.
- Privileged accounts, such as Windows local administrator accounts, domain admin accounts, Active Directory service accounts and anything else that governs a large part of the network environment.
First, the question of whether or not to apply MFA has nothing to do with the size of your organization. Whether you are a small business or a global enterprise, your data is just as sensitive and deserves to be just as secure.
But does MFA really only apply to the most privileged accounts?
Is protecting privileged accounts enough?
The concept of the “privileged account” comes with its own security discipline, privileged access management (PAM). In PAM, securing the logins of your privileged accounts is the first step in securing access.
PAM dates from an old-school, perimeter-based security approach, in which the login security of the “average” user account was considered less important than that of privileged accounts. Nonetheless, PAM still has a place in monitoring and securing privileged accounts, such as Active Directory administrator accounts.
But the modern enterprise faces a different cyber-threat landscape than it did even two years ago. Factors such as the rapid shift to remote work and the rapid move of many organizations to hybrid environments spanning both corporate networks and the cloud call for a new approach.
Least privilege is as relevant as ever
The principle of least privilege restricts each user’s access to only the data, applications and systems they absolutely need. It has been around for years (Microsoft wrote about it 30 years ago), but today least privilege is more relevant than ever as the risk of attack grows:
- External attackers use compromised user accounts to gain control of an endpoint, move laterally within the network and, ultimately, reach the valuable data they are targeting.
- Insiders use their own granted access, or other compromised accounts, to reach data and applications for malicious purposes.
The point is that least privilege is about more than privileges. In essence, the policy has always been about preventing the compromise and misuse of any account with access to valuable data.
The real value of MFA
In a modern organization, every user is granted some set of access rights and privileges. For login security purposes, that makes every user a privileged user of a kind. Companies can reduce the risk by extending login security as far down the “non-privileged” path as possible.
This brings us to the true value of MFA: securing any account that has access to critical data, applications and systems.
Special considerations for deploying MFA to all users
When MFA is rolled out to any number of users, preparation is important. Obviously, deploying MFA to all users will require more planning than deploying it to your privileged accounts alone. Here are six key points to keep in mind for a smooth MFA deployment:
- Securing logins significantly improves your security position
- MFA is not just for privileged users
- MFA should not be a source of frustration for the IT department
- MFA must strike a balance between user security and user productivity
- Educate and empower your users to support MFA
- Management commitment and buy-in are important
The future of MFA: Protecting all users
Tech giants may pressure some companies into adopting MFA, but real growth in MFA adoption will require a fundamental change in the way companies think about security. The more companies understand the value of applying least privilege and privileged account management policies to all accounts, the more they will understand the benefits of securing all user logins. Companies will then make a greater effort to strike a balance between employee productivity and security. And when they do, expect to see demand for granular, customizable MFA.
About the author
François Amigorena is the founder and CEO of IS Decisions, a global software company that specializes in access management and MFA for Microsoft Windows and Active Directory environments. François, a former IBM executive, is also a member of CLUSIF (Club de la Sécurité de l’Information Français), a non-profit organization dedicated to information security.
Francois can be reached online via LinkedIn and on our company’s website https://www.isdecisions.com/