When the topic of security comes up while implementing Cloud-based solutions, customers will often talk to me about issues they think are important:
- ISO 2700X certification
- Physical media destruction policies
- Police Checks for support staff
- Data Sovereignty and privacy issues
- And, in some cases, counter-measures for volcanic and tectonic plate movement.
While these things are important to get right, credible vendors of Cloud solutions don’t run their own data centres anymore. We let professionals like Microsoft or Amazon take care of those physical aspects, which can be done in more depth and at a far greater scale of efficiency than anything individual companies could implement themselves for comparable cost.
Meanwhile, in the real world, most cases of serious data breaches and corporate espionage are actually carried out with techniques like ‘Spear Phishing’ or other social engineering approaches. This gives the attacker access via an employee’s credentials rather than physically breaching data centres or brute forcing encryption, which is hard work.
So what can we do to prevent this?
Multi-Factor Authentication (or MFA) is the answer. This means that even if a clever attacker convinces your employee to part with their username/password, the attacker still needs something else in order to log in, like an SMS code. This should prevent the majority of Phishing attacks from actually succeeding.
These authentication factors are usually 2 or more of:
- The password
- A text message
- A phone call
- The code from a hardware key fob
- The code from a software generator on a phone
- Approving a notification on a phone or wearable.
“This all sounds like hard work,” I hear you say, and a few years ago you would have been right. However, with today’s Cloud solutions MFA is often just a tick box away. This is certainly true for Microsoft Accounts (consumer) and for Azure AD accounts (Office 365).
For Sensei customers who use Office 365, this Multi-Factor Authentication is baked right into the product, and can be enabled for everyone or on a per-user account basis for certain high-value users.
When MFA is enabled for a user in Office 365 they get an extra screen after entering their password that asks for the 2nd factor.
As pictured above, one of the most popular 2nd factors is the Microsoft Authenticator App, available for Android and iOS. This App simply pops up a message allowing the user to acknowledge the login request quickly on their phone or wearable (Samsung Gear or Apple Watch).
This level of convenience really does take the sting out of living with MFA.
Another level of convenience applies to organisations that have deployed Azure AD Join for their Workstations. There, MFA works with the Windows Hello service that validates users by face, retina and PIN numbers, so that they get a single sign-on experience utilising the 2nd factor that was already present when they signed into their physical machine.
The last aspect of living with MFA on a day-to-day basis is “App Passwords”. There are situations where MFA is undesirable, usually in the case where the App or device is too old to be aware of the MFA infrastructure. In this case an App Password can be generated by the user, which is essentially an additional password that does not require the 2nd factor, but with the following restrictions:
- The password is long and complex, and not settable by the user – it is generated.
- Once shown, the password cannot be retrieved again.
- The password cannot be used interactively – so even if it was breached it can’t be used by a bad actor to log in as a user normally would.
With these added convenience features, MFA is much easier to live with on a day-to-day basis, and well worth the effort in exchange for the added level of security.
Start your 2017 with a fresh approach to Cloud Security and get serious about deploying Multi-Factor Security as part of your Cloud solution!
James Boman, Application Alchemist
James doesn’t really like talking about himself in the third person.