The Future of Multifactor Identification in Privileged Access Management

03 February 2020

By: Ali Gomulu

Two-factor authentication has been around for decades: it requires an additional step after entering a username and password – for example, entering a one-time security code sent to a mobile device – before granting access to applications, systems and data.

While “2FA” is enough for basic purposes, the enterprise security world has moved to multifactor authentication (MFA) out of an abundance of caution and as part of a robust Privileged Access Management (PAM) program.

As adversaries invest more in attacking organizations, they have learned to circumvent the second step in 2FA, for example by interfering with SMS messaging, or by persuading employees to give away their credentials without realizing they have done so.

MFA can be three or more steps, and with every added step (some systems require five or more, depending on the sensitivity of what they manage or access and the related risk) it becomes increasingly difficult for adversaries to get in. Deploying multifactor authentication works both as cybersecurity protection and as a deterrent to unintentional breaches: an employee who shares a password with another trusted employee for convenience could enable that second employee to accidentally reconfigure something that renders a network or service unavailable.

While MFA does not replace a comprehensive security posture, it can be used creatively, for example to support passwordless authentication through the WebAuthn API. MFA can also be integrated into hardware for biometric authentication (fingerprint, iris and others), as is often done in highly secure buildings, including data centers.

ISO 27001 and COBIT have actively driven MFA adoption by providing best practices and standards, and enterprise IT teams have looked to those best practices when setting up the PAM strategies that are right for them.

It’s one thing to employ MFA, and another to manage it, which is where the orchestration of many different PAM applications comes into play. Unified management of environments that include MFA can incorporate all factors and make it possible to efficiently leverage role-based security credentials. For example, if an accountant needs to access only the accounting system for reports, there may be no need for more than two or three steps, as long as the reporting domain does not allow them to pivot into other domains. A controller in the same company who authorizes payments may need four or five steps, since a transfer of cash is at stake.

MFA adds layers of security that allow organizations to protect against today’s leading cause of data breaches — privileged access abuse. Privileged users simply provide extra information or factors when they access critical enterprise resources.

Intelligent PAM solutions, like the industry-leading MFA Manager provided by Ironsphere, make MFA more streamlined to implement and efficient to manage. For example, our MFA Manager identifies anomalous behavior while it is happening, enforces risk-aware policies for users who are initiating a privileged session and, leveraging role-based access controls, enables intelligent, automated, real-time decisions on whether to grant privileged access. These dynamically enforced access policies prompt for however many authentication steps are defined in that privileged user’s profile and then grant or block access immediately.

With the Ironsphere MFA solution in place, password sharing becomes irrelevant: a password shared with a colleague is useless on its own, because the remaining factors are still required.
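The role-based step counts, the risk-aware step-up and the shared-password point above, as an added example constructed for this post (not Ironsphere's code): a toy policy evaluator that derives how many factors a privileged session must present from the user's role plus time-of-access and location signals, and then grants, steps up or blocks. The role names, factor names, score weights and thresholds are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed per-role baseline factor counts, after the post's accountant/controller example.
ROLE_MIN_FACTORS = {"accountant": 2, "controller": 4}

# Recognised factor names and their category (knowledge / possession / inherence).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "sms_code": "possession",
    "hw_token": "possession",
    "fingerprint": "inherence",
    "iris": "inherence",
}

@dataclass
class AccessRequest:
    role: str
    factors: List[str]     # factors already verified in this session
    hour_utc: int          # time-of-access signal
    country: str           # location signal
    usual_country: str     # baseline from the user's history (assumed)

def risk_score(req: AccessRequest) -> int:
    """Crude anomaly score from the time and location signals the post lists."""
    score = 0
    if req.country != req.usual_country:
        score += 2
    if not 6 <= req.hour_utc <= 20:
        score += 1
    return score

def decide(req: AccessRequest) -> Tuple[str, int]:
    """Return (decision, extra_steps): 'grant', 'step_up' with the number of
    additional factors still needed, or 'block'. Unknown roles are denied."""
    base = ROLE_MIN_FACTORS.get(req.role)
    if base is None:
        return ("block", 0)
    risk = risk_score(req)
    if risk >= 3 and base >= 4:
        return ("block", 0)        # anomalous session for a high-value role
    required = base + risk         # risk-aware step-up: more factors when anomalous
    known = {f for f in req.factors if f in FACTOR_CATEGORY}
    categories = {FACTOR_CATEGORY[f] for f in known}
    # A shared password alone never suffices: something the user has or is is required.
    if categories <= {"knowledge"}:
        return ("step_up", max(required - len(known), 1))
    missing = required - len(known)
    return ("grant", 0) if missing <= 0 else ("step_up", missing)
```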

Deploying multifactor authentication begins with selecting the right IAM or privileged access management (PAM) solution for your enterprise. Privileged access management especially helps protect users’ identities, including those of superusers, through strong authentication. In fact, many such users have served as contributors to Ironsphere’s MFA design.

Multifactor authentication can involve any number of potential factors, including time of access request, location, physical biometrics (fingerprint, iris, voice, etc.), behavioral biometrics, SMS, token devices, and more, with new innovations coming online every day.

When deploying multifactor authentication, there are many considerations: the endpoints being protected, the locations being protected, the applications, clouds and network elements being protected, and more. Every MFA architecture will vary based on business needs and risks and on the security systems already in place, including comprehensive PAM, which is what Ironsphere provides. To learn more about how your organization can benefit from our unified PAM platform, feel free to reach out to us at info@ironsphere.com.
