Data security and data privacy are two ongoing issues of prime concern for every organization. Data breaches are known to inflict huge losses on organizations. According to Verizon’s 2020 Data Breach Investigations Report, credential theft, social attacks, and errors cause over 67 percent of data breaches. Personal data accounts for 58 percent of the total breaches.
The pandemic exposed organizations to increased security risks. The overnight move to remote working, unsecured endpoints and increased use of personal networks and devices have gained the attention of malicious players. We now live in a world where just a password is not enough to secure sensitive information at an organizational or user level. Over 81 percent of hacking-related data breaches are password-related, according to Verizon. What can organizations do to secure their data better?
The move to modern authentication protocols
Microsoft defines modern authentication as “an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with.” It is a set of different protocols that aim to improve cloud security. Some examples of modern authentication protocols include Security Assertion Markup Language (SAML), Web Services Federation (WS-Federation or WS-Fed), and OAuth.
Modern authentication moves away from password-centric authentication to a token-based approach that governs access for every user and resource. The tokens can be defined based on user location, device, role, etc. For instance, Microsoft users are authenticated via their Office 365 identity, which is extensible to other third-party applications.
Is modern authentication required for MFA?
The password-centric era may soon be coming to an end. With technologies such as Seamless Sign-On and password-less authentication by Yubico, Entrust, Google or Microsoft, the need for passwords is virtually eliminated. Multi-factor authentication (MFA) is a subset of modern authentication. It provides an additional layer of security for the entire organization by validating users based on location, device, biometrics, hardware/software tokens, one-time passwords, IP ranges, and much more. It helps improve business security by:
- Enforcing policy-based granular access
For most organizations, MFA is an essential security default enforced for every user. It helps organizations enable conditional access/authentication policies that are based on contextual factors such as role, device, and location. MFA allows organizations to define access policies with granular, configurable, and specific control rules. This granular security limits access, ensuring the right people get access to the right tools.
- Providing consistent access security
The traditional office environment includes on-premises secure networks and systems that mitigate data risks. But the recent proliferation of cloud applications has left organizations wondering how to extend the same level of security (as on-premises) to their cloud applications. MFA makes access to cloud applications more secure and provides visibility across multiple applications.
- Providing clear visibility into all devices
Remote work also translates to many unsecured endpoints getting added daily. Security teams require device-based security to increase device visibility while reducing the dependency on on-premises tools. MFA enables and enforces device visibility from end-user devices.
- Enabling better security protocols
Most security protocols are moving away from basic or legacy authentication methods. Legacy authentication is vulnerable to attacks, raising compliance and safety concerns. Companies like Microsoft have disabled legacy authentication for all clients to support modern authentication methods. For modern MFA to be effective, organizations need to disable legacy authentication. Microsoft reports, “organizations that disabled authentication experienced 67 percent fewer compromises than that where legacy authentication was enabled.”
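The policy logic described in the list above, as an added example (not code from this article or from any vendor product): a minimal conditional-access evaluator that blocks legacy protocols outright and requires MFA based on role, network, and device. The protocol names, network range, roles, and sample sign-ins are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy values for illustration (assumptions, not vendor defaults).
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_auth", "basic_http"}
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
PRIVILEGED_ROLES = {"global_admin", "billing_admin"}


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str
    protocol: str        # "oauth2", "saml", "imap", ...
    source_ip: str
    device_managed: bool
    mfa_satisfied: bool  # a second factor was verified for this session


def on_trusted_network(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(s: SignIn) -> str:
    """Return 'block', 'require_mfa' or 'allow' for one sign-in attempt."""
    # Legacy protocols submit only a username and password and cannot carry
    # an MFA challenge, so there is nothing to step up to: block them.
    if s.protocol.lower() in LEGACY_PROTOCOLS:
        return "block"
    needs_mfa = (
        s.role in PRIVILEGED_ROLES
        or not on_trusted_network(s.source_ip)
        or not s.device_managed
    )
    return "require_mfa" if needs_mfa and not s.mfa_satisfied else "allow"


# Constructed sample sign-ins.
SAMPLE = [
    SignIn("alice", "staff", "oauth2", "203.0.113.10", True, False),
    SignIn("bob", "staff", "oauth2", "198.51.100.7", True, False),
    SignIn("carol", "global_admin", "saml", "203.0.113.10", True, False),
    SignIn("dave", "staff", "imap", "203.0.113.10", True, False),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.user:6} {s.protocol:7} -> {evaluate(s)}")
```

The last sample shows why the legacy check comes first: the same user, network, and device would be allowed over a modern protocol, but the legacy client bypasses every contextual rule that follows.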
Security vulnerabilities are an ongoing battle for highly regulated industries such as banks, financial services, and healthcare. Organizations must understand that the new norm is affecting every aspect of their operations. A new wave of inexperienced remote workers is still learning how to fit into a non-traditional workspace. While security training is a part of security administration, MFA would equip organizations with the required security blanket.