The Countdown Has Started -- The Move Toward Zero Trust and MFA
In early May 2021, the President of the United States issued an executive order on cybersecurity. It will take some time for executive branch agencies to turn it into formal rules, but the order itself already contains much of what I consider best practice in cybersecurity, including multi-factor authentication (MFA) and Zero Trust, both mentioned by name.
The call for adopting these practices makes a lot of sense. We recently discussed how MFA can be leveraged to counter growing security risks, and the past six months alone have brought a substantial increase in headline-grabbing incidents: SolarWinds in December 2020, the Microsoft Exchange vulnerabilities in March 2021, and, most recently, the DarkSide ransomware attacks. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also released an alert on exploitation of Pulse Connect Secure vulnerabilities, drawing attention to the same trend.
Moving away from the traditional network access model toward Zero Trust bolstered by MFA can significantly limit the harm malware and intruders can do. Unlike a VPN, which places a device on the network, a Zero Trust approach is designed to keep information assets dark to everyone except authorized users.
In practice, that means an application can be reached only by users who have been strongly authenticated and explicitly granted access to it. This is a strong form of the principle of least privilege: verify first, then trust, and then only for what the user actually needs.
Contrast this with the traditional network access model, a VPN for example. Once a user is on the network, they can reach every asset that is routable from their segment, whether or not they have any business with it.
This is dangerous. Even if the user cannot get past the login, simply reaching a login screen (or starting any other form of login challenge) means the application is already parsing their input and executing code on their behalf. Every pre-authentication code path they can reach is attack surface, and that is exactly where exploitable vulnerabilities in exposed services tend to be found. That, right there, is a violation of least privilege.
Seriously, why would you ever grant visibility to non-authorized users? Such visibility is exactly what malware and attackers use to scan for and exploit vulnerable services. So, don't do it.
The Biden Administration, including CISA, thinks it's dangerous too. The executive order directs the Federal government to secure cloud services using a Zero Trust architecture and mandates deployment of MFA and encryption on a fixed timeline: agencies have 180 days from the order to adopt MFA.
November 8th is fast approaching, folks.
What can you do right now?
There is no single tool that resolves today's cybersecurity challenges and moves you fully to Zero Trust in one step. But a good first step is a phishing-resistant MFA tool.
Akamai's MFA is a phish-proof authenticator that leverages FIDO2, the strongest standards-based authentication method available, via a smartphone app. The challenge is signed by a private key that never leaves the phone, and the signed response is bound to the origin of the site the user is actually on, so a look-alike site that relays the challenge in real time cannot produce a response the real service will accept. That is what makes the authentication flow unphishable and confidential end to end. Combined with Zero Trust access, it grants access only to users who have been strongly authenticated and who actually need access. For everyone else, the assets remain dark, which means they cannot be scanned for vulnerabilities or attacked.
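The checks that make a FIDO2 login phishing-resistant live on the relying-party (server) side: the challenge must match the session, the origin recorded by the browser must be the real site, the rpIdHash must be the real site's, and the signature must cover both the authenticator data and the client data. The following is an added example, not Akamai's code or the page's own, that walks a legitimate login, a real-time relay (adversary-in-the-middle) phishing attempt and a replay through those checks. Everything in it is constructed: the domain names are hypothetical, and an HMAC key stands in for the authenticator's per-credential asymmetric key (a real authenticator signs with, for example, ECDSA P-256 and the server verifies with the registered public key) so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64encode

# Constructed example values: the real relying party (RP) and a look-alike
# phishing domain that relays the RP's challenge to the victim in real time.
RP_ID = "login.example.com"                      # hypothetical RP id
RP_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example.com"    # hypothetical attacker site

# Stand-in for the authenticator's per-credential private key. Real FIDO2
# authenticators sign with an asymmetric key; HMAC is used only so this runs
# without third-party packages. The RP checks below are the real ones.
CREDENTIAL_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_sign(challenge: bytes, origin: str, rp_id: str) -> dict:
    """What browser + authenticator produce for navigator.credentials.get().

    The browser, not the page's JavaScript, fills in `origin`, so a phishing
    page cannot claim it is somewhere it is not.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party verification steps, in the order WebAuthn specifies them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), b64url(expected_challenge)):
        return False, "challenge mismatch (replay or stale session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["signature"], expected_sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple:
    challenge = secrets.token_bytes(32)
    return rp_verify(browser_sign(challenge, RP_ORIGIN, RP_ID), challenge)


def relayed_phishing_login() -> tuple:
    """Adversary-in-the-middle: the phishing site fetches a genuine challenge
    from the RP and relays it to the victim, whose browser signs it on the
    phishing origin. The signature is cryptographically valid; the origin
    recorded inside the signed clientDataJSON is not, so the RP rejects it."""
    challenge = secrets.token_bytes(32)       # obtained by the relay from the RP
    victim_assertion = browser_sign(challenge, PHISHING_ORIGIN, RP_ID)
    return rp_verify(victim_assertion, challenge)


def replayed_login() -> tuple:
    """A previously captured assertion presented against a fresh challenge."""
    old = browser_sign(secrets.token_bytes(32), RP_ORIGIN, RP_ID)
    return rp_verify(old, secrets.token_bytes(32))


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed phishing:", relayed_phishing_login())
    print("replay:", replayed_login())
```

Two details matter for the phishing case. First, a real browser would not even let the phishing page ask for a credential scoped to `login.example.com`, because the rpId must be a registrable suffix of the page's own origin; the example lets it through only to show that the server-side origin check catches it regardless. Second, the signature covers the hash of clientDataJSON, so the attacker cannot rewrite the origin field after the fact without invalidating the signature. Contrast this with an OTP code, which carries no information about where it was typed and which a relay can forward unchanged.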
Give our phish-proof MFA solution a try for free at www.akami.com/mfa, or learn about it at our upcoming Public Sector Summit, CyberThreats 2021: Federal Agencies Build on an Era of Trust, starting Wednesday, July 21, 2021 at 2:00 PM EDT.