By François Amigorena, Founder and CEO of IS Decisions
As global cyber security risks abound, multi-factor authentication (MFA) is one of the most effective ways to protect access and prevent breaches. While MFA has gained momentum over the past two years, it’s still not in widespread use. Why? For MFA adoption to really take off, organizations need to understand the real value of MFA and how to effectively implement it.
MFA Goes Mainstream
Outside of work, most people ignore the option of two-factor authentication (2FA) or are reluctant to enroll in 2FA for a few common reasons: misplaced confidence in passwords, frustration or confusion about setup, or pure laziness. Less than 10% of Google accounts have two-factor authentication enabled, and only about 12% of Americans use password managers.
This has driven many tech giants to make MFA mandatory: Salesforce now requires MFA, Google is gradually making 2FA mandatory for all users, and Amazon.com Inc.’s Ring made 2FA mandatory in 2020.
Why Are Organizations Slow to Adopt MFA?
Unfortunately, the same attitude exists in the workplace, with enterprise MFA adoption still low.
Organizations often believe common MFA myths, seeing MFA as a tool only for:
- The largest organizations, or
- The most privileged of accounts: Windows local administrator accounts, domain admin accounts, Active Directory service accounts, and anything that has control over a major part of the network environment.
But MFA is equally important for both small and large organizations. No matter the size of your organization, your data is equally sensitive and should be equally well protected.
Whether or not MFA should be only for the most privileged accounts merits a closer look.
Protection Now Needs to Go Beyond Privileged Accounts
Let’s start with a look at the security approach behind the idea of “privileged accounts.” Securing the login is the first step to make privileged access management (PAM) work. Each organization has a different balance, but you’ll reduce risks by extending security as far down the “non-privileged” path as possible.
In the old-school, perimeter-based security approach, we didn’t talk as much about the security of the “average” user account. But thanks to factors like the shift en masse to remote work, and many organizations’ rapid transition to a hybrid environment spanning both the corporate network and the cloud, the focus has changed.
The Principle of Least Privilege Is More Relevant Than Ever
The principle of least privilege – the practice of limiting user access to only sets of data, applications and systems that they absolutely need – has been around for years (Microsoft wrote about it in 1999). And because the threats of attack today are even greater, least privilege is more pertinent than ever to an organization’s security strategy:
- External attacks leverage user accounts to gain control over endpoints, to move laterally within the network and, ultimately, to acquire targeted access to valuable data.
- Insiders use their own granted access or other compromised accounts to exploit data and applications for malicious purposes.
See, least privilege isn’t actually about privilege. It’s about compromised use of a “privileged” account. So, one of the key aspects of a least privilege strategy is to monitor the use of privileged accounts.
Monitoring All Account Access Is Key
Privileged Access Management (PAM) is viable for monitoring truly privileged accounts, like Active Directory administrator accounts. But it doesn’t serve the purpose of monitoring activity for every user in the organization.
And one pivotal point of access provides organizations with crystal clear indicators that an account is either being properly used or has been compromised: the logon.
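To make the "logon as indicator" idea concrete, here is an added example (not code from IS Decisions or from the original article) that scores constructed logon records against a per-account baseline and maps the result to an access decision. The account names, hosts, baselines and the three-tier policy (standard MFA for every account, MFA plus alert for one deviation, deny plus alert for two or more) are all assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample logon records (not real data): account, source host, logon time.
LOGONS = [
    {"user": "jdoe", "host": "WS-1042", "time": "2024-03-04T09:12:00"},
    {"user": "jdoe", "host": "WS-1042", "time": "2024-03-04T21:30:00"},
    {"user": "jdoe", "host": "SRV-FILE01", "time": "2024-03-06T02:41:00"},
    {"user": "svc_backup", "host": "SRV-BACKUP", "time": "2024-03-06T01:00:00"},
    {"user": "svc_backup", "host": "WS-0017", "time": "2024-03-06T13:20:00"},
]

# Assumed per-account baseline: hosts the account normally logs on from and its
# usual hours. Every account gets a baseline; being "privileged" is not a precondition.
BASELINE = {
    "jdoe": {"hosts": {"WS-1042"}, "hours": range(7, 20)},
    "svc_backup": {"hosts": {"SRV-BACKUP"}, "hours": range(0, 6)},
}

def assess_logon(event, baseline):
    """Return the list of deviations for one logon; empty means it fits the baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for account"]
    t = datetime.fromisoformat(event["time"])
    indicators = []
    if event["host"] not in profile["hosts"]:
        indicators.append(f"unfamiliar host {event['host']}")
    if t.hour not in profile["hours"]:
        indicators.append(f"outside usual hours ({t.hour:02d}:00)")
    return indicators

def decide(event, baseline):
    """Map deviations to an action. MFA is required for every account regardless;
    deviations add an alert, and two or more deny the logon outright (assumed policy)."""
    indicators = assess_logon(event, baseline)
    if not indicators:
        return "mfa", indicators
    if len(indicators) == 1:
        return "mfa_and_alert", indicators
    return "deny_and_alert", indicators

def review(logons=LOGONS, baseline=BASELINE):
    """Evaluate every constructed logon and return {(user, host, time): (action, why)}."""
    return {(e["user"], e["host"], e["time"]): decide(e, baseline) for e in logons}

if __name__ == "__main__":
    for key, (action, why) in review().items():
        print(key, action, why)
```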
MFA Protection Should Apply to All Accounts
For the modern organization, the real value of MFA is in protecting any account with access to critical data, applications, and systems. And since every user has been granted some access rights and privileges, all users are some sort of privileged user.
Plan Ahead for Successful MFA Implementation
Preparation is key! Applying MFA to all users demands more planning than if you apply MFA to only privileged accounts. Whatever the size of your company, here are six key points to remember before you deploy MFA:
- Securing logins significantly improves your security stance
- MFA is not just for privileged users
- MFA doesn’t have to be frustrating for IT departments
- MFA must balance user security and user productivity
- Educate and empower your users to support MFA
- Management commitment and buy-in are key
Unlock the Real Value of MFA
MFA mandates from tech giants may encourage some organizations to adopt MFA, but truly increasing MFA adoption requires a more fundamental shift in the organization’s security posture. The more organizations understand the value of applying principles of least privilege and privileged account management to all accounts, the more they will understand the advantage of securing logins across all users. Organizations will put more effort into finding a balance between employee productivity and security. And when they do, get ready to see the demand for granular, customizable MFA explode.
François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. A former IBM executive, François is also a member of CLUSIF (Club de la Sécurité de l’Information Français), a non-profit organization dedicated to information security.