BEST PRACTICES: The case for ‘adaptive MFA’ in our perimeter-less digital environment

By Byron V. Acohido

One of the catch phrases I overheard at RSA 2019 that jumped out at me was this: “The internet is the new corporate network.”

Related: ‘Machine identities’ now readily available in the Dark Net

Think about how far we’ve come since 1999, when the Y2K scare alarmed many, until today, with hybrid cloud networks the norm. There’s no question the benefits of accelerating digital transformation are astounding.

Yet the flip side is that legacy security approaches never envisioned perimeter-less computing. The result, not surprisingly, has been a demonstrable lag in transitioning to security systems that strike the right balance between protection and productivity.

Take authentication, for example. Threat actors are taking great advantage of the lag in upgrading authentication. The good news is that innovation to close the gap is taking place. Tel Aviv-based security vendor Silverfort is playing in this space, and has found good success pioneering a new approach for securing authentication in the perimeterless world.

Founded in 2016 by cryptography experts from the Israeli Intelligence Corps’ elite 8200 cyber unit, Silverfort is backed by leading investors in cybersecurity technologies.

I had the chance to catch up with Dana Tamir, Silverfort’s vice president of market strategy, at RSA 2019. For a full drill down of the interview, please listen to the accompanying podcast. Here are the key takeaways:

Eroding effectiveness

Compromised credentials continue to be the cause of many of today’s data breaches. The use of multi-factor authentication, or MFA, can help protect credentials, but even those solutions have lost much of their effectiveness. The problem is that most MFA solutions are designed for specific systems, rather than today’s more dynamic environments. Traditional MFA may have hit its limitations due to dissolving perimeters.

In the past, Tamir explained, you had a solid perimeter around your network with one entry point, and you added MFA to that single entry for the extra layer of protection. But that single-entry perimeter doesn’t exist today. We don’t even have a real perimeter anymore.


With the cloud and mobile devices, there are now countless users, devices and services communicating with each other, and the enterprise network is now everywhere. And if in the past we could trust our insiders, today we know they may not be trustworthy.

There are also compliance drivers to account for. The payment card industry’s PCI-DSS rules, for example, require secure access to any system that is part of the cardholder data environment, yet it is nearly impossible to protect this environment with MFA, making compliance increasingly difficult.

“The question is where do you put MFA?” said Tamir. Putting it on every sensitive resource and implementing it system by system by system becomes an endless task. “MFA is still a valid solution but it has to be done in a different way.”

Agentless, proxyless access

Silverfort’s adaptive MFA solution works with directory services in order to provide MFA without needing agents, proxies or any integration with the protected system.

After an authentication request is processed by the directory (e.g. Active Directory, Linux LDAP, cloud IdPs), the directory forwards it to Silverfort, which acts as a second opinion for validating the request.

For example, if you are trying to access a sensitive business application, the request first goes to Active Directory for approval, and then that request is forwarded to Silverfort, which can ask the user to authenticate with an additional factor, such as responding to a push notification sent to the user’s mobile device. Based on the response, Silverfort will either grant or deny access.

The authentication step can be either static – no matter what, it will always deny access or request a second factor of authentication – or it can be adaptive, based on real-time risk analysis. “Since Silverfort monitors all the access requests from all the organization’s directories in one consolidated place, its AI-based risk engine can continuously analyze all of the access requests and step up authentication based on the current risk level,” explained Tamir.

To determine the level of risk, the AI risk engine is tuned to get better and better at recognizing the normal patterns of behavior of specific users, as well as of ‘communities’ of users, and to be on the alert for anomalies. If a request is low risk, it lets the user through. If it is high risk, the policy can be set to automatically require a second factor of authentication or to deny access.
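To make the flow above concrete, here is an added illustrative example (not Silverfort’s code, and not a description of its real risk engine) of a “second opinion” decision step: the directory has already validated the password, and this step scores the request against a per-user baseline and returns grant or deny, in either static or adaptive mode. The weights, thresholds, baseline fields and field names are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Baseline:                 # what the engine has learned as "normal" for a user
    known_devices: frozenset
    usual_hours: range          # local hours in which the user normally works
    usual_sources: frozenset    # network zones the user has logged in from

@dataclass
class Request:                  # one request the directory has already approved
    user: str
    device: str
    source: str
    hour: int
    resource: str
    sensitive: bool = False

def risk_score(req: Request, baseline: Baseline) -> int:
    """Add a weight per anomaly; the weights are assumed tuning values."""
    score = 0
    if req.device not in baseline.known_devices:
        score += 40   # unseen device
    if req.source not in baseline.usual_sources:
        score += 30   # unfamiliar network zone
    if req.hour not in baseline.usual_hours:
        score += 20   # outside the user's normal working hours
    if req.sensitive:
        score += 10   # a sensitive resource raises the cost of a wrong "allow"
    return score

def static_policy(req: Request, baseline: Baseline) -> str:
    """Static mode: every request to a sensitive resource needs a second factor."""
    return "STEP_UP" if req.sensitive else "ALLOW"

def adaptive_policy(req: Request, baseline: Baseline,
                    step_up_at: int = 30, deny_at: int = 80) -> str:
    """Adaptive mode: only anomalous requests are challenged or blocked."""
    score = risk_score(req, baseline)
    if score >= deny_at:
        return "DENY"
    return "STEP_UP" if score >= step_up_at else "ALLOW"

def second_opinion(req: Request, baseline: Baseline, mode: str = "adaptive",
                   push_approved: bool = False) -> str:
    """Final grant/deny; push_approved stands in for the user's push response."""
    policy = adaptive_policy if mode == "adaptive" else static_policy
    verdict = policy(req, baseline)
    if verdict == "STEP_UP":
        return "GRANT" if push_approved else "DENY"
    return "GRANT" if verdict == "ALLOW" else "DENY"
```

In static mode every sensitive request is challenged; in adaptive mode the same user on a known device, from the office, during working hours is let through without a prompt, while a login from an unfamiliar network at 3 a.m. triggers the push challenge and an unknown device on top of that is denied outright.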

Cloud consequences

Organizations want to use MFA because of the security protections it provides, but if MFA is required every time users try to access resources, they may find it annoying. That’s where adaptive MFA comes in. It is designed to request additional authentication only in high-risk situations, but not in low-risk situations. It maximizes security while minimizing disruptions to the users.

Silverfort also enables smooth and secure migration of legacy and homegrown systems to the cloud. Many legacy systems don’t support traditional MFA solutions, but when migrating to the cloud, enterprises look to add an extra layer of security.

Silverfort’s agentless MFA enables the migration to the cloud in a safe way, while maintaining flexibility. It allows organizations to maximize their infrastructure. Companies are freed up to ‘lift-and-shift’ their systems to more modern environments without expanding exposure.

Silverfort appears to be on the right track in offering enterprises a dynamic approach to authentication. Interestingly, it is actually part and parcel of digital transformation, leveraging digital technologies to carry out tasks at high velocity and at vast scale.

Validating the company’s approach is the fact that Silverfort, in a very short period, has managed to book enterprise customers across multiple industries, as well as secure strategic partnerships with top security vendors. It may be possible to strike the balance between protection and productivity that is needed for internet-centric corporate computing to come to full fruition.

Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)
