Simplicity in a Complicated World
Authentication is increasingly becoming an issue for the enterprise CISO (chief information security officer). It is not new. It is well-established as a control. However, the extent and breadth of its use are widening. As a newcomer to the company, one of the factors that attracted me to join was that Duo addresses this with a solution which is characterised by its simplicity in implementation and operation.
About ten years ago, I was speaking on a panel at a conference when the question of encrypting laptops arose. Should it be standard? One of the panel members was quite vociferous about the need to have all endpoints controlled in this way. Now it is standard practice and no one would think of releasing a laptop without encryption into the wild. The same trend is happening with multi-factor authentication (MFA). It is widely used, but will soon become a mandatory part of connecting to networks.
There are a number of drivers for this. The limitations of passwords are now understood: with reams of them available for criminals to buy and try, with the technology for matching them to accounts improving, and with the ever-present issue of users understandably wanting to repeat passwords across the multiple sites with which they interact, the day of the password alone is over.
The broader issue is identity. Is the person who they say they are? That is a constant riddle that requires solving at every login stage.
There are technical solutions around. However, these introduce complexity or user dependence, such as the ability to keep a token and not lose it. This limits the benefit of the control. The last thing a CISO wants is more complexity and increased technology management overhead. I have yet to hear a CISO complain that their team had nothing to do.
This issue was recently recognised by the National Cyber Crime Centre (NCSC) when it embarked on an initiative called Secure by Default to push the use of authentication. The NCSC is, of course, the outward face of the UK’s Government Communications Headquarters (GCHQ). One of its recommendations is to:
“...enforce multi-factor authentication on your externally-reachable authentication endpoints.”
They have put out a test and published some of their case studies. The need for authentication is also recognised by the Information Commissioner's Office. With the ever-present emphasis on the General Data Protection Regulation (GDPR), the introduction of the Secure by Design principle as a fundamental requirement is another driver.
Which, of course, gets us to the Duo position. The technology rollout has been proven to be straightforward on many occasions with clients at different levels of complexity and security maturity. No matter how great the solution, if it is resource-heavy at the implementation and operational stages, it becomes a negative weight on the CISO’s shoulders. A solution that brings in control whilst being easy and resource-light makes everyone’s lives a lot easier.
A key advantage is the ease of user enrolment. Intuitively, enabling users to engage themselves rather than having to go through a complicated process will result in greater acceptance of the security control. An easy push notification option to the mobile phone will bring security home to the user and will change their level of awareness. Providing alternative means of authentication such as SMS, a friendly voice down the line, U2F, a code or a hard token gives the correct level of user flexibility. This is adaptive authentication, rather than a one-means-fits-all approach.
Additional characteristics can be introduced to build a better picture of the device and the individual. To misquote Goethe, “Tell me with whom you associate and I will tell you who you are.” That broader picture of a user being more than just a login and a password, but, rather, an association of factors enables us to shed more light on their identity.
So to return to the beginning, if we look at the emphasis on MFA as being best practice and part of Secure by Default, or Secure by Design, we have to assume that it too will be a ubiquitous part of the CISO’s technology controls toolkit. It will provide the greater picture and the increased control needed as passwords fade into history. Provided it is simple.