Going Beyond Privileged Accounts
By François Amigorena, Founder & CEO, IS Decisions
Given the current global cyber threat landscape, multi-factor authentication (MFA) is one of the most effective ways to prevent breaches and protect network data. But although MFA adoption has accelerated since the pandemic, it’s still slow to take off. Why? For MFA adoption to really become widespread, organizations must grasp the true value of MFA and how to implement it effectively.
MFA Adoption is Slow
In their everyday lives, most people ignore two-factor authentication (2FA), or hesitate to enable it, for largely the same reasons: they have misplaced confidence in passwords, are frustrated or confused about setup, or they’re just lazy. A case in point: less than 10% of Google users have enrolled in 2FA.
This reluctance has propelled several tech giants to make MFA mandatory: Salesforce now mandates MFA, 2FA will gradually become mandatory for all Google users, and Amazon.com Inc.’s Ring has already made 2FA mandatory.
Unfortunately, the same attitude exists in the workplace, with enterprise MFA adoption still low.
Why Do Organizations Hesitate to Adopt MFA?
A few persistent MFA myths make many organizations reluctant to adopt it. Many view MFA as best suited only for:
- Very large organizations.
- Privileged accounts, like Windows local administrator accounts, domain admin accounts, Active Directory service accounts, and anything that has control over a major part of the network environment.
First of all, the question of whether or not to apply MFA actually should have nothing to do with your organization’s size. Whether a small business or a global enterprise, your data is just as sensitive and should be just as well protected.
But should MFA really only apply to the most privileged accounts?
Is Protecting Privileged Accounts Enough?
The idea behind “privileged accounts” belongs to a certain security approach called privileged access management (PAM). Within this approach, securing the login of your privileged accounts is the first step to securing access.
PAM ties into an old-school, perimeter-based security approach, from a time when the login security of the “average” user account wasn’t considered as important as that of privileged accounts. Even so, PAM certainly has a place for monitoring and securing privileged accounts like Active Directory administrator accounts.
But the modern enterprise faces a different cyber threat landscape today, even compared to as recently as two years ago. Factors like the rapid shift to remote work, and many organizations’ hurried transition to a hybrid environment including both the corporate network and the cloud, call for a new approach.
Least Privilege Is as Relevant as Ever
The principle of least privilege limits user access to the sets of data, applications, and systems that they absolutely need. It’s been around for years (Microsoft was writing about it 30 years ago), but as the risk of attack increases today, least privilege is more relevant than ever:
- An external attack leverages user accounts to gain control over endpoints, move laterally within the network, and, ultimately, acquire targeted access to valuable data.
- Insiders exploit their own granted access or other compromised accounts to wield data and applications for malicious purposes.
The point is that least privilege is about more than privileges themselves. In essence, the principle has always been about preventing the compromised use of any account with access to valuable data.
The Real Value of MFA
In a modern organization, every user has been assigned access rights and privileges. For the purposes of logon security, that makes all users some sort of privileged user. Organizations can reduce risk by extending login security as far down the “non-privileged” path as possible, to as many users as possible.
This leads us to the real value of MFA: protecting any account with access to critical data, applications, and systems.
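To make the difference between the two scoping approaches concrete, here is an added example (not code from the article or from IS Decisions) that evaluates a “privileged accounts only” MFA rule beside an “access to critical data” rule over a constructed set of accounts; the group names, data classifications and accounts are assumptions chosen for illustration.

```python
"""Compare two ways of scoping an MFA requirement across an account base.

Constructed data model (an assumption, not from the article): each account
carries the groups it belongs to and the data sets it is authorised to read.
"""
from dataclasses import dataclass

# Groups the "privileged accounts only" rule treats as privileged (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Service Accounts"}
# Data classifications the access-based rule treats as critical (assumption).
CRITICAL_DATA = {"payroll", "customer-pii", "source-code"}


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    data_access: frozenset


def privileged_only_policy(acct: Account) -> bool:
    """MFA required only when the account sits in a privileged group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def access_based_policy(acct: Account) -> bool:
    """MFA required for any account that is privileged OR can reach critical data."""
    return privileged_only_policy(acct) or bool(acct.data_access & CRITICAL_DATA)


def coverage_gap(accounts) -> list:
    """Accounts that reach critical data yet get no MFA under the privileged-only rule."""
    return sorted(a.name for a in accounts
                  if access_based_policy(a) and not privileged_only_policy(a))


# Constructed sample directory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"Domain Admins"}), frozenset({"source-code"})),
    Account("bob", frozenset({"Finance"}), frozenset({"payroll"})),
    Account("carol", frozenset({"Support"}), frozenset({"customer-pii", "tickets"})),
    Account("dave", frozenset({"Marketing"}), frozenset({"brand-assets"})),
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(f"{a.name:6} privileged-only={privileged_only_policy(a)!s:5} "
              f"access-based={access_based_policy(a)}")
    print("not covered by privileged-only MFA:", coverage_gap(SAMPLE_ACCOUNTS))
```

The accounts reported by coverage_gap are the ordinary users whose logins a privileged-only rollout leaves unprotected even though they can reach the most valuable data; dave, with no critical access, is prompted by neither rule.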
Special Considerations for Deploying MFA to All Users
When rolling out MFA to any number of users, preparation is key. Obviously, applying MFA to all users will likely require more planning than if you were applying MFA to only your privileged accounts. Remember these six key points for a smooth MFA deployment:
- Securing logins significantly improves your security stance
- MFA is not just for privileged users
- MFA doesn’t have to be frustrating for IT departments
- MFA must balance user security and user productivity
- Educate and empower your users to support MFA
- Management commitment and buy-in are key
The Future of MFA: Protecting All Users
Tech giants may push some organizations to adopt MFA, but a real increase in MFA adoption will require a fundamental shift in the organization’s security approach. The more organizations understand the value of applying principles of least privilege and privileged account management to all accounts, the more they will understand the advantage of securing logins across all users. Organizations will put more effort into finding a balance between employee productivity and security. And when they do, get ready to see the demand for granular, customizable MFA explode.
About the Author
François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. A former IBM executive, François is also a member of CLUSIF (Club de la Sécurité de l’Information Français), a non-profit organization dedicated to information security.