Multi-Factor Authentication In Cloud Environments
One of the biggest security threats today comes from compromised credentials and abuse of privileged accounts. Accordingly, securing privileged access to applications, servers, and infrastructure is the basis of an effective security strategy. Most of those responsible for security in companies are also aware of this.
However, in practice, many still need help distinguishing between a legitimate administrator and a threat actor using compromised credentials, especially in distributed and hybrid cloud infrastructures. Consistent multi-factor authentication (MFA) can prevent the worst case, but its success stands or falls with the method selected and the place where it is implemented.
Proven Means For More Security
Enforcing MFA across the board is undoubtedly one of the most effective access control best practices. However, although it is easy to implement and even mandatory for regulated industries such as financial services, healthcare or e-commerce under various guidelines (such as PCI, HIPAA, PSD2, NIST, etc.), MFA is far from becoming the standard for many companies.
A global survey of CISOs and security officers shows that 52 percent of companies do not use MFA to protect privileged access, such as administrator access. This is all the more astonishing as analyst reports and studies repeatedly make clear the importance of multi-factor authentication for lasting cyber security:
- According to Forrester Research, 80 percent of data breaches can be traced back to compromised credentials.
- According to a Bitkom survey, 36 percent of users in Germany use the same password for several online services.
- According to a Cofense study, 90 percent of verified phishing emails were found in environments with a secure email gateway.
- According to Gartner, companies that expand their remote access without implementing MFA experience five times as many account takeovers as those that rely on MFA.
Why Do Hybrid Cloud Environments Need A Behavioral MFA?
The MFA principle is not new, but cloud migration in recent years has greatly enlarged the attack surface, and the importance of multi-factor authentication as part of a strong Privileged Access Management (PAM) strategy has grown significantly as a result.
IT departments need modern MFA solutions that secure both their on-premises and cloud environments and, at the same time, strike a good balance between security and usability, so that they avoid a meltdown if their multi-cloud infrastructures are configured improperly or passwords for cloud applications are compromised.
However, traditional MFA solutions that rely on static policies to define challenges can no longer meet the requirements of the new perimeter that cloud environments create. They do not provide dynamic context and force all users to follow similar policies under all circumstances, making accurate risk measurement impossible.
Contextual MFA goes a step further here because it clearly defines from which location, device or network a given user may log in, so identity security can be implemented in a more targeted manner. At the same time, this method is more time-consuming and ties up more resources: contextual MFA requires a higher level of maintenance and upkeep, and some possible risk conditions may end up not being considered.
Adaptive and behavior-based MFA, in which access is granted or blocked according to the analysis of the user's session behavior, offers a much more innovative and, therefore, more secure approach for cloud environments. Some solutions use advanced machine learning and behavioural analysis algorithms to examine privileged users' behavior carefully and effectively identify anomalous and potentially malicious activity.
Machine learning allows millions of events to be continuously scrutinized in ways manual forensics could not. This enables security officers to respond actively to incidents by interrupting ongoing sessions, setting up additional controls, or setting flags for forensic follow-up.
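The difference between the three approaches becomes visible when the same requests are run through each of them. The following Python code is an added example, not code from any MFA product; the event fields, the decision names, the thresholds and the simple novelty count that stands in for machine-learning analysis are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    network: str          # "corp" or "external"
    managed_device: bool
    hour: int             # local hour of the request, 0-23
    action: str           # e.g. "server_login", "privilege_elevation"

def static_policy(event):
    # Static policy: the same challenge for every user in every situation.
    return "mfa"

def contextual_policy(event):
    # Contextual policy: hand-maintained rules about network and device only.
    if event.network != "corp" or not event.managed_device:
        return "deny"
    return "mfa"

def features(event):
    # Hours are bucketed so that 09:00 and 10:00 count as the same habit.
    return {("network", event.network), ("device", event.managed_device),
            ("hours", event.hour // 6), ("action", event.action)}

def adaptive_policy(event, history):
    # Toy stand-in for behavioural analysis: count the features this user
    # has never shown before. Thresholds below are assumed, not from a product.
    seen = Counter(f for past in history if past.user == event.user
                   for f in features(past))
    novel = sum(1 for f in features(event) if seen[f] == 0)
    if novel == 0:
        return "mfa"
    return "step_up_and_flag" if novel == 1 else "interrupt_session"

# Constructed history: alice works office hours from a managed corp device.
HISTORY = [Event("alice", "corp", True, h, "server_login") for h in (9, 10, 14, 16)]
ROUTINE = Event("alice", "corp", True, 11, "server_login")
ODD = Event("alice", "corp", True, 3, "privilege_elevation")

def compare(event):
    # Decisions of the static, contextual and adaptive policy, in that order.
    return (static_policy(event), contextual_policy(event),
            adaptive_policy(event, HISTORY))
```

`compare(ODD)` shows the gap the text describes: the request comes from an allowed network and device, so the static and contextual policies treat it like `ROUTINE`, while only the behavior-based check reacts to the unusual hour and action.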
Where MFA Is A Must-Have
When you think of MFA, the first classic use case that comes to mind is admin access. MFA should be mandatory for IT administrators and other privileged users with access to sensitive data and systems. However, IT departments should also enable MFA for non-human accounts and resources such as password vaults, firewalls, network devices, workstations or servers – on-premises or in the cloud.
One problem is that many PAM strategies only provide MFA for the classic vault login. This may seem convenient at first glance, but it only offers a limited level of security. It is better to enforce MFA consistently at all important access points. This includes the password or personal checkout, the server or system login, and the elevation of privileges.
If these critical points are protected with several factors, the risk of privilege abuse can be significantly reduced: if an attacker manages to get a valid ID and password and uses them to log into a server or elevate privileges, MFA can nip this attempt in the bud.
Another vulnerability in MFA implementation arises when organizations combine MFA products from different vendors and deploy them in different locations. This leads to inconsistent policies, security vulnerabilities, and high management overhead. IT departments should therefore be careful to select solutions that provide them with a central management interface for MFA policies. This allows server login and privilege elevation policies to be defined and managed centrally and enforced by the PAM clients on the servers.
Ideally, PAM solutions support leading providers such as Duo, Yubico and RSA and common protocols such as RADIUS and FIDO2, because support for a wide range of authenticators gives IT employees the flexibility they need for company-wide protection of access to the AWS infrastructure, for password verification, session initiation, server login or the critical elevation of privileges.
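One way to check whether MFA is really enforced at every access point named in this section, rather than only at the vault login, is to audit the privileged-access log for events that were not preceded by a fresh MFA success. This Python example is added here and is not taken from any PAM product; the log format, the event names and the five-minute freshness window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Access points the article says need their own MFA (event names are assumed).
ENFORCEMENT_POINTS = ("vault_login", "password_checkout",
                      "server_login", "privilege_elevation")
MFA_FRESHNESS = timedelta(minutes=5)   # assumed policy window

# Constructed audit log: timestamp, user, event, target.
SAMPLE_LOG = """\
2024-05-02T09:00:05 alice mfa_success vault
2024-05-02T09:00:07 alice vault_login vault
2024-05-02T09:14:30 alice password_checkout db-root
2024-05-02T09:15:02 alice server_login db01
2024-05-02T09:15:40 alice mfa_success db01
2024-05-02T09:15:44 alice privilege_elevation db01
2024-05-02T09:40:00 alice privilege_elevation db01
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, event, target = line.split()
            yield datetime.fromisoformat(ts), user, event, target

def audit(log, window=MFA_FRESHNESS):
    """Yield (user, event, target, protected) for every privileged event."""
    last_mfa = {}   # (user, target) -> time of the latest successful MFA
    for ts, user, event, target in sorted(parse(log)):
        if event == "mfa_success":
            last_mfa[(user, target)] = ts
        elif event in ENFORCEMENT_POINTS:
            seen = last_mfa.get((user, target))
            yield user, event, target, seen is not None and ts - seen <= window

def find_unprotected(log):
    return [(u, e, t) for u, e, t, ok in audit(log) if not ok]

def coverage(log):
    """Per enforcement point: (events protected by fresh MFA, events seen)."""
    stats = {p: [0, 0] for p in ENFORCEMENT_POINTS}
    for _user, event, _target, ok in audit(log):
        stats[event][0] += ok
        stats[event][1] += 1
    return {p: tuple(v) for p, v in stats.items()}
```

On the sample log, the vault login is covered, but the checkout, the server login and the later elevation are reported as gaps, which is the pattern of a deployment that challenges only at the vault.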
MFA, Yes And Consistently
Multi-factor authentication offers companies substantial benefits with minimal effort. However, to benefit fully from these advantages and to know that important administrative access points are well protected in the long term, IT departments must rely on modern MFA methods and enforce them across the board at all critical points. This enables them to minimize the lateral movement of threat actors across their networks and harden their cloud security strategy with effective identity assurance.