Forrester Research has estimated that 80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. Since organizations lack the ability to verify whether the user accessing data is authentic or just someone who bought a compromised password from the Dark Web, organizations simply can’t trust static passwords anymore.
As a result, cybersecurity experts have recommended augmenting usernames and passwords with multi-factor authentication (MFA) to add an additional layer of security for privileged access control. By adopting an “MFA Everywhere” approach, organizations can establish a highly effective deterrent and ultimately minimize the risk of lateral movement of threat actors across networks. Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised if using MFA. Acknowledging the effectiveness of MFA, a growing list of industry standards and government regulations (e.g., PCI, HIPAA, NYDFS, NIST, and more) now require enabling MFA as part of their prescribed privileged access process.
Many organizations already abide by this best practice. In fact, a recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.
However, despite the obvious benefits of MFA, organizations tend to leverage this technology on a selective basis. Best practice is to enable MFA Everywhere — and not only for certain administrators, systems, or privileged applications, as it leaves organizations exposed to potential attack and exploit. Instead MFA should be enabled across all resources (VPN, firewalls, network devices, workstations, servers that reside on-premises or in the cloud) and all use cases (e.g., MFA at password checkout, MFA at system login, MFA at privilege elevation).
Centrify Identity-Centric PAM delivers all the necessary capabilities for organizations to enable MFA Everywhere, including, but not limited to:
- Flexible Choices for MFA Challenges, Including Those Already Owned: The Centrify Platform comes with a built-in MFA Authentication Service, alleviating an organization’s need to procure a separate solution and supporting out-of-the-box a full range of authenticators — from the simplest to the more advanced authenticators to ensure compliance at NIST SP 800-63A Assurance Level 2 or 3. These authenticators include, but are not limited to:
- Mobile push notifications,
- Security questions,
- Phone call with PIN verification,
- OATH tokens,
- One Time Passcode Servers,
- FIDO U2F and FIDO2 (e.g., Apple Touch ID® electronic fingerprint recognition, Apple Face ID® facial recognition, and Microsoft® Windows Hello™), and
- Smart cards
For those organizations that already invested in MFA systems such as RSA® SecurID™, Duo® Security, or Symantec® VIP, they can leverage the RADIUS integrations to use them in conjunction with Centrify Identity-Centric PAM.
- MFA Everywhere: It is only with a platform-based approach to MFA that enterprises can fully protect their organization across the entire spectrum of resources. Whether it be MFA to server and workstation operating systems, network devices, or integrating MFA into privileged access management capabilities such as checking out enterprise passwords and executing privileged commands, Centrify provides privileged user verification via MFA across all use cases. This includes an administrator logging in as themselves and elevating privilege, or an IT admin checking out the password for a shared account.
- Centrify Mobile App for Push Notification and Workflow: The Centrify Mobile App for iOS and Android provides the privileged user with a simple interface to receive MFA notifications or workflow requests for approval. The Centrify Mobile App also provides an interface to enable the user to manage OATH tokens where the seed or secret is vaulted by the Centrify Privileged Access Service to support user validation of OTP codes, as required by various privileged applications or services that enforce their own OATH-compliant MFA validation such as the AWS® Console.
- MFA for RADIUS Client: Centrify also supports providing MFA services for network devices such as routers, switches, or firewalls where administrative access should require MFA prior to privileged user access.
- Native Support for Advanced Federated Authentication: There are other situations where the user may authenticate from an external authentication system into the Centrify Identity-Centric PAM solution via Active Directory with Kerberos/IWA or via an Identity Provider (IDP) such as Idaptive™, Okta®, Ping Identity®, or Microsoft® ADFS as well as Microsoft Azure™ using SAML. Third parties such as outsourced IT support, external developers, or vendor support can be configured to authenticate their own staff internally and access the Centrify Identity-Centric PAM solution via federation to eliminate manual account management for third-party access to an organization’s sensitive systems.
- Guard Against Attacks with Behavior-Based Access Control: Centrify’s Adaptive MFA capabilities add an extra layer of security only when needed — and based on risk rating — to reduce the threat associated with compromised privileged credentials. Configure behavior-based access control for IT admins who access Windows and Linux servers, elevate privilege, or leverage privileged credentials.
To learn more about how to minimize the risk of credential-based attacks by leveraging Centrify Identity-Centric PAM, join us for our Centrify CyberCast Live: Enabling MFA Everywhere.
©Centrify is a registered trademark of Centrify Corporation in the United States and other countries. All other trademarks are the property of their respective owners.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.