Last month, my dear colleague Magnus Mårtensson talked about Privileged Identity Management (PIM). I love PIM as it implements two principles, JIT (just-in-time administration) and JEA (just enough administration), in one take.
However, I started to wonder if the topic was too advanced, and if we should maybe return to some more basic concepts? In my experience, most organizations still struggle to adopt the ‘Cloud way of doing things’ and fully take control of the new identity approach. So, in this article we are going back to the basics to talk about identity and how to protect it in the Cloud.
Did the principles around identity change? And if yes, how?
We can no longer hide behind four concrete walls and a password: Security has changed
If we look at the most traditional way to authenticate to any IT service, without a doubt it is going to be a combination of username and password (often referred to as credentials). For many years, enterprise IT considered a strong password enough to ensure security. And to some extent it has been, as most services were not only protected by credentials, but also by our four walls. All services were available only inside our offices and isolated networks.
But with the current rise of Cloud computing, a password no longer provides enough protection. Services in the Cloud are not available only from our own offices, but from anywhere in the world. If we combine this with the fact that the majority of data breaches are caused by leaked credentials, it is obvious that we need tighter security.
… And out of this quickly shifting IT reality, the concepts of multi-factor authentication (MFA) were born!
What is MFA exactly?
Multi-factor authentication has brought additional security to credential-based security by combining something we know (username and password/pin) with something we are (biometric authentication such as a fingerprint or a retina scan) or something we have (token or mobile devices).
Note that the concept of MFA recognizes three different categories, and the credentials can be any combination of these. The most common option is to use a combination of two, also referred to as two-factor authentication (2FA). For 2FA, a very popular option is to use your mobile phone in addition to a username and a password, probably because of convenience, as we almost always have our phone with us anyway.
A potential thief would need to steal a password and the mobile phone of the target they are seeking to impersonate - and be able to gain access to the contents of the mobile phone. Microsoft reports that enforcing MFA for users’ identities will block 99,999% of all credential theft attacks.
Why does it work
So, how does it work? Once we try to sign in using our credentials, the process is not finished once the username and password are provided. Instead, additional steps are required to prove our identity. With a mobile phone, these additional steps can be a phone call (during which we need to provide a pin), a message (we receive an additional code we need to enter to complete the sign-in), or the very popular option of a mobile application (we get prompted to confirm our sign-in attempt).
In this way, even if credentials are compromised, culprits cannot use them, as an additional check is required. There is a possibility that the additional check is compromised, but as noted above, the risk of both the credentials and the MFA method being compromised at the same time is very, very low.
Sticky notes on your monitor...
Another bad habit from ‘the old days’ is to use multiple identities for different services. It was just a way of doing things, and a lot of third-party tools used their own way of authenticating. The first issue with this is that there is no control over credentials in terms of password complexity, how often the password needs to change, etc.
For any organization, it’s a complete nightmare in terms of security and compliance. Another issue is that once we overload users with too many passwords, they will start cutting corners and simplify things as much as possible. If any user needs to remember five passwords for five different services, they will try to make it as easy as possible and use passwords that are simple and easy to remember. In terms of brute-force attacks, simple passwords are more likely to be cracked. There are similar problems with social engineering: there is a very high chance of birthdays, pet names and other personal information being used for passwords, not to mention passwords written on a piece of paper and placed under the keyboard, or sticky notes on your monitor…
One ‘ring’ to rule them all
In this situation, we want to eliminate all things unnecessary and use a single identity for everything. This includes both on-premises and Cloud identities. We want these identities synced, being one and the same. As most software solutions are also moving to the Cloud, most vendors now offer support for identity integration. The dream of a single identity is becoming a reality.
This allows users to have a single identity for everything and be in total control of their movements in different services and applications. They are not burdened by remembering too many passwords or being afraid of their credentials being compromised and can instead concentrate on their work. We also keep our IT people happy, as they can own the identity process and implement the tools and checks needed to be secure and compliant. It’s a win-win for everyone. Well, maybe not for the bad guys…
Can we make it easier on the users?
The choice of moving towards the single identity dream might seem straightforward but creating changes can create a lot of friction and users may not accept it as easily as we want them to: “Sure, single identity may be cool but why do we need to use MFA? Every time I sign in, I need to take additional steps… I use different services and every time I sign in, I need to verify my attempt and it’s annoying”.
Explaining why MFA matters to IT people is one thing, but why would accounting and HR care about all that? There are a couple of tricks to make the transition a little bit easier.
Implementing SSO (Single Sign-On) is one of these tricks. Using SSO, a user is required to sign in only once and then use any service without additional login prompts as long as they have an active session. If you have implemented single identity correctly, this means that the user will sign in once, get one MFA prompt and then jump between services without any additional authentication steps. This makes your work easier, and the number of MFA prompts significantly lower. And, if SSO is combined with conditional access, you have a total win!
Conditional access is my second trick to ease your organization into a new MFA reality. Ideally, it makes users happier and increases your security at the same time by combining different conditions (types of devices, locations, types of services) into an expected response (allow, require MFA, deny). For example, if an authenticated user tries to access a simple application from a known location and a known device, it is safe to assume their request would be granted. If the request for a sensitive document is coming from a known location and a known device, additional MFA checks will likely be performed. If the request is flagged as dangerous, you can deny it and block the account from further attempts.
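To make the interplay of SSO and conditional access described in the last two paragraphs concrete, here is a small added example (not code from the article or from any identity product) that evaluates sign-in attempts against the three cases above. The decision rules, the single SSO session per user in which one MFA prompt is satisfied, and the request fields are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    app: str
    sensitive: bool        # sensitive document vs. a simple application
    known_device: bool
    known_location: bool
    flagged: bool = False  # risk engine marked the attempt as dangerous


class ConditionalAccess:
    def __init__(self):
        self.sessions = {}    # user -> {"mfa": bool}; one SSO session per user
        self.blocked = set()  # accounts denied any further attempts

    def evaluate(self, req: Request) -> str:
        """Return 'allow', 'require_mfa' or 'deny' for one sign-in attempt."""
        if req.user in self.blocked:
            return "deny"
        if req.flagged:
            # dangerous attempt: deny, block the account and drop its SSO session
            self.blocked.add(req.user)
            self.sessions.pop(req.user, None)
            return "deny"
        session = self.sessions.setdefault(req.user, {"mfa": False})
        trusted_context = req.known_device and req.known_location
        if trusted_context and not req.sensitive:
            return "allow"        # known device and location, simple app: no prompt
        if session["mfa"]:
            return "allow"        # SSO: MFA already satisfied in this session
        return "require_mfa"      # sensitive app or unknown context: step up

    def complete_mfa(self, user: str) -> None:
        # record that the user answered the MFA challenge for this session
        self.sessions.setdefault(user, {"mfa": False})["mfa"] = True


def demo() -> list:
    """Walk through the article's cases for one constructed user; returns the decisions."""
    ca = ConditionalAccess()
    simple = Request("alice", "intranet", False, True, True)
    sensitive = Request("alice", "finance-docs", True, True, True)
    roaming = Request("alice", "mail", False, False, True)  # unknown device
    risky = Request("alice", "mail", False, False, False, flagged=True)
    out = [ca.evaluate(simple), ca.evaluate(sensitive)]
    ca.complete_mfa("alice")  # the user answers the single MFA prompt
    out += [ca.evaluate(sensitive), ca.evaluate(roaming)]
    out += [ca.evaluate(risky), ca.evaluate(simple)]
    return out
```

Running `demo()` shows the sequence the article describes: a simple app from a trusted context is allowed without a prompt, a sensitive document triggers one MFA prompt, later requests ride on the same session, and a flagged attempt is denied and locks the account.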
To wrap it up
Some of these settings may look like security measures and some more like user adoption, but as a package they create much better security for your entire organization on all levels. We need to change our way of thinking and use every tool available to our advantage in order to stay one step ahead. By combining MFA with SSO and conditional access, you will create more secure environments and protect both identities and assets. Modern IT as well as the threats to it move fast, so we must move even faster and be creative and innovative in our solutions. Be responsible and stay secure!