
In the new normal, users no longer access your company systems from inside the company network, and the explosion of cloud services has compounded the need to focus on security and identity management.
You can no longer limit, or even trust, the location users are coming from: this could be the office, home, car, customer site, coffee shop, literally anywhere. I’m sure you’ve had calls, maybe even video calls, with people in all sorts of places! And working from anywhere is here to stay!
To succeed, an organisation first needs to accept that IT is now a service to the business, and the employees of the business will need to access it anytime, anyplace and anywhere. In other words, to be more secure, IT needs to relinquish its tight control and historic centralisation of data and applications. That control is simply fuelling increasingly capable end-user-focused / shadow IT solutions, which fundamentally decrease your security: IT no longer knows what data users are interfacing with or sharing and, worse still, where that data is being stored and whether it is secured or accessible by others.
The term “Zero Trust” creates the right mindset that ALL systems MUST have a robust level of security, both from outside AND INSIDE the network.
We must assume that anyone can be, and already is, trying to access your systems. This could be external or internal threats, malicious software, or configuration oversights. Usernames and passwords simply don’t cut it: users reuse passwords and choose weak passwords, and enforcing complex passwords or password change policies results in passwords getting written down, put on sticky notes, or stored in browser caches. None of this is ideal from a security point of view.
Greater levels of protection are needed using multifactor authentication (MFA). It relies on something the user physically has, like a token or phone, in addition to something they know, like a username and password. The process works by the user logging in with their username and password and then entering a code that changes every 30 seconds, or perhaps responding to a push notification on their mobile phone or to an automated phone call.
This has two benefits:
1) Whoever is making the logon attempt must also have access to the phone or token, and…
2) If utilising push notifications, and a logon request is made that wasn’t by the user, the user will be alerted that someone tried to log on as them. At that point they can notify IT, who can change passwords, check access logs and look for other indicators of compromise.
I’m sure you have experienced something similar already, perhaps with online banking. Like me, you may have even experienced a new IT issue known as “MFA sprawl”: the situation where you have many different MFA tools or accounts set up for use with different systems or applications. This invariably leads to MFA fatigue for users and also presents a challenge for IT, which now needs to track all these authentication systems, provide ad hoc support for end users and deal with a plethora of device or mobile application management issues.
We here at PAV are often asked to help our customers with device, application and identity management solutions and, after scrutinising the solutions in the marketplace today, we chose the Cisco Duo MFA platform for the following reasons:
- It has the largest number of native application integrations, which means one app, one set of end-user documentation, training and support, and one enrolment per device
- It has a very easy setup process for IT administrators, coupled with excellent step-by-step documentation on how to configure integrations with your systems
- It has flexible, easy-to-configure policy management that is easy to understand and follow, so you can restrict or relax access where required
- It has excellent reporting and logging, allowing anomalies or user issues to be detected, and these logs could even be fed into a SIEM or an automated/AI/ML system
- And for companies with 10 users or fewer, it’s actually free!
Fundamentally, Cisco Duo is easy to use, easy to administer and can tie all your cloud and on-premise MFA needs into a single product.
I’d be delighted to talk with you about this topic, product demos, trials and a whole lot more.
Pete Clements – PAV i.t Services