Are your first-floor windows and front door secure but you’ve left a second-floor window unlocked?
Does this sound like a goofy question? I ask because it provides a great analogy for the approach too many organizations take to security. I personally talk to customers about this issue every day — but it still amazes me how many organizations are still taking a one-size-credential-fits-all approach — leaving enterprises vulnerable to a ‘second-floor attack.’
It only takes one entry point for a single hacker to get into your organization’s data.
A Tipping Point
That said, I feel like there has been a recent tipping point, and more enterprises are waking up to the need for multi-factor authentication (MFA). The good news: the transition to MFA doesn’t have to be difficult. Let me walk you through one recent customer interaction, with a customer who decided it was time to get rid of passwords to strengthen identity assurance at all levels of the organization.
This particular CIO not only decided to take a password-less approach to security, but she also wanted to use mobile authentication throughout the enterprise — and she wanted to make the transition fast!
The Design Workshop
We kicked off the project with a design workshop to formalize the requirements, priorities and timeline. In my experience, having different stakeholders in the room to identify objectives and set expectations is key to a project’s success. In this case, it became clear that there would be user populations for whom the mobile phone solution wouldn’t work:
• Manufacturing clean room environments had employees in bunny suits where phones were not allowed but where MFA was still needed to access shared workstations.
• The IT team had just switched system administrators to YubiKeys and wanted a higher trust level of authentication.
• One business unit was doing contract work for the US DoD and was required to have FIPS l2-approved credentials; there was an existing infrastructure of CAC cards, plus they wanted a smart card that could also double as their site badge.
Without a solution offering multiple MFA options, this could easily have gone south as a patchwork of products, or even worse, as an expensive partial solution addressing only 80% of the population.
Instead, we worked together with the CIO and her team to address each of the organization’s unique security requirements cost-effectively and efficiently.
Today, this enterprise is in full deployment mode with an integrated MFA solution providing four different device options: mobile phones, YubiKeys, CIV Smart Cards, and Contactless Cards. Every user has at least one of these options and many have more than one.
No More One-Size-Fits-All Approach
After managing dozens of such projects over the past 10 years, it’s clear to me this scenario is more the norm than the exception. Enterprise environments are too complex for a one-size-credential-fits-all approach.
I’d welcome the opportunity to consult with you on how best to improve your enterprise’s cybersecurity posture. And in the meantime, following are some tips to get the thought process going:
1. Honestly assess your different user populations and their access needs. The time spent on this before selecting a solution will save you a lot of headaches.
2. Select a flexible solution. A one-size-fits-all approach will likely lead to multiple solutions to manage — resulting in higher costs and more complexity.
3. If you plan to use hardware devices, whether YubiKeys, OTP tokens or smart cards, make sure the solution includes user-centric device management capabilities. A lot of vendors claim support for YubiKeys, Cards or Hardware OTP, but don’t provide integrated options to enroll, manage or update these devices.
4. Take an iterative and phased approach to replacing passwords across all your organization’s apps. This is very important: replacing all passwords on “Day One” is a recipe for disaster. Unreasonable expectations are one of the most common reasons IT projects fail. Instead, apply the 80/20 rule and score some easy, important wins first. But don’t stop there. Be sure to address the tougher, smaller-footprint apps later. Otherwise it’s as if you’ve secured the door and first-floor windows but have left the second-floor window unlocked.
The secret is to select the right partner, one with the experience and the interest in supporting your company over the long run.
Jerome Becquart is the Chief Operating Officer at Axiad IDS. Axiad IDS provides trusted identity and access solutions that give customers the ability to safely interact online, the freedom to access information from anywhere, and the confidence to fully benefit from today’s digital world.
To consult with an Axiad IDS security expert, feel free to reach out to me at firstname.lastname@example.org.