Event Recording

Key Requirements for Next Generation MFA

Name: Key Requirements for Next Generation MFA
Uploaded: 2022-05-11T12:00:00+02:00
Duration: 21 min 37 s
Description: In this talk you will learn how MFA can be a foundation for your Zero Trust Initiative

Posted on May 11, 2022

Show description

Speaker

Patrick McBride

Chief Marketing Officer
Beyond Identity

Show Transcript

Thank you for staying around and, and happy birthday to EIC. That's, that's pretty exciting. So if I do my job, right, we're gonna really cover three things. You guys will be the, the assessors at that first, I'm gonna provide a little context and it's actually nice. I get a draft off our colleagues at Microsoft's, you know, presentation quite a bit there, but you know, why is it that we even have to have a different authentication fabric at, at this point, you know, in our lives, you know, off has been around for a long time.

So, you know, what's changed that is gonna require us to change. And then I'm gonna be a little controversial. I'm gonna talk a little bit about what's wrong with current MFA and in many ways it's broken and broken pretty badly. So we'll talk a little bit about that.

And then, you know, then I'll go from there and talk about some of the requirements that we're gonna face as we go to NextGen. I, I hate using the term. It's a well overplayed cybersecurity term, but that, and you know, we won't use it in our marketing literature, but it's really about advancing the state of MFA to a point that's required. So if I hit, you know, if I do my job, I'll hit all three of those things. So I'm gonna simp oversimplify this a little bit, but if we talk about, you know, why do we need to change?

Why do we have to, you know, do different things in authentication it's cuz our world changed, you know, in two really meaningful ways. One is cloud adoption.

You know, we've got customers as a company, we were born entirely in the cloud. We have no on-prem, you know, like exactly zero, one of our bigger customers, snowflake, you know, the big data Analyst company, same thing.

They, they don't, they don't own anything on pre a hundred percent of their networking. A hundred percent of their server infrastructure, you know, is in the cloud. The vast majority of our customers are still somewhere on the journey, you know, from, you know, a data center with some traditional data center, saw some virtualized stuff, you know, et cetera. But all of them have some better cloud.

Whether, you know, we're talking about infrastructure as a service platform, as a service software, as a service, they, they all have some level of it. So everybody's living in kind of this hybrid new environment. I think that's a story we all know pretty well at this point. I like to say, you know, it's I a a S PA all the asses, you know, in terms of, of the, the, the cloud stuff that we're talking about.

And, and sometimes we get a look at the, the moon side of that, unfortunately. So the other thing that happened to us and, and, and this is really just a continuation of a trend that already happened, it just made it happen really fast, was a whole COVID, you know, pandemic, everybody went home, you know, even folks, you know, I did a bunch of cybersecurity.

I've done this for now three decades as a practitioner and a vendor, which is almost shocking to say, but, you know, when even folks in the most strict environments and, you know, plants and, and things like that, and, and OT cybersecurity, those folks went home. So we already had, most of organizations had our mobile force. We had sales and marketing people and support people that traveled around the globe. So we always had this to deal deal with over the last 10 years, but they were kind of a smaller piece.

And then all of a sudden, boom pandemic hits in, in early 2020, and everybody goes home and now we're dealing with, so again, it just exacerbated something that was always happening. So those are two kind of fundamental shifts that we have to take care of. The other thing that we have to take care of.

And I, you know, I would applaud my, you know, colleague at Microsoft, cuz I think he laid out a lot of it is the attackers got more sophisticated.

They just learned and they adapted, like they always do doing this for 30 years is, is I, I, I joke with folks that, you know, newer folks that I'm bringing into the community these days, cuz I tell 'em, it's kind of the gift that keeps on giving it's the good news and bad news about being in cybersecurity, you know, for sure that there is no silver bullet, there is no magic wand and frankly there's none of those things on the foreseeable future, it doesn't exist.

And so, you know, we're gonna be around our, you know, our children and our children's children will still be fighting this battle for the reason that the good guys keep on doing new stuff and the bad guys keep on figuring out how to break into it. So let me ask this question. How many folks have heard this identity is the new cybersecurity perimeter raise, raise a hands here. How many of the folks agree with that?

You know, identity is, is your new cybersecurity perimeter. I agree too, but I think it's only half the answer let and I'll and I'll come forward to that in a second. I think it's correct, but incomplete and, and hopefully we'll make a case for that.

So, you know, the whole idea of the perimeter, you know, goes obviously back to our early days. I mean, I, I joined security when it was mainframe rack F top secret and ACF two and firewalls. I mean that was the security program and most organizations when I kind of got into this and started doing pen testing and things.

So, you know, back then we built our first defenses, you know, we had all of our OnPrem equipment and we put a nice castle around it with a firewall and, and gave it one doorway in. And then we started to build out our defense in depth kind of capabilities. We had turrets, which was like IDs I P S to watch as people came in.

So, so we, we did that, but with the world we just talked about, we don't have any perimeter anymore. It dissolved, you know, whether we like it or not. So we can't obviously do protection from that point. It just doesn't work.

But, but that's not the whole story. You know? So thinking about identity is a new perimeter. Doesn't answer the question from a, an attacker perspective. How do attackers look at us when they're trying to come in?

We know very matter of factly that stealing an identity a is quite easy, whether you're just stealing a, you know, user ID and password or buying them and we know, and what we're gonna come back to, why some of the MFA issues, you know, happen, but 80% of all attacks somewhere north of, you know, 60 or 70%, but 80% of all attacks, whether it's ransomware account take goes of everything. And we know this year over year, we get to see this start off with a breach, you know, the use of a legitimate credential to log in. So attackers at this point don't necessarily have to break in all the time.

They do that too. They're sophisticated, you know, other ways to get in, they just simply log in. They buy a credential on the, the internet and get in ransomware attackers.

You know, everybody thinks you're, they're dropping malware, you know, through bad links that, that, you know, users click on. That's not the reality. Most of it is an RDP or some other remote access session. That's weekly protected somebody, you know, one group is out there finding all those things and selling it to the ransomware guys who then do the ransomware attacks.

And, you know, they'll even use ransomware as a service. So it's, you know, it's a really horizontally, integrated environment in most cases. So they're attacking the individual and that's where the identity as a new perimeter totally stands up. It's why it's correct. It's not an incorrect statement. But the other thing they do is they do attack the endpoint. That's where they want to get a footprint on some of the endpoint, whether it's a, you know, a phone, a tablet, a laptop, a desktop cetera. So if we're thinking about modern authentication, we've gotta take in both of these things.

As, as one thing, we have to think about both of these at the same time and you know, and that's gonna lead us there, but before I, you know, go to the requirements and we'll, we'll, we'll come back to that. Let's talk a little bit about what's wrong with kind of the, the current crop of MFA, the existing, you know, crop of MFA at the end of the day, it's barely a speed bump these days.

A lot of the modern MFA, whether we're talking about SMS, you know, one time tokens, one time passwords over SMS or email or other insecure channels, whether we're talking about push notifications, we, you know, we heard even the last presentation, you know, it doesn't take many pushes, you know, to socially engineering, somebody to answering it. They don't even have to be sleepy, you know, and which is a, I love the, I love the graphic, but the, you know, the more than enough users will just answer that, you know, we just we're all have alert fatigue.

So we're all trying to clear alerts on our phone. And that just happens to be another one. And so it's just barely a speed bump. It's like putting a screen door in front of a screen door, we've got passwords, that's the first factor. And then we've got some other very fishable, very, you know, fishable at scale, by the way. And I'm gonna come back to that. The second is users hate it. Let's be Frank who loves their MFA challenges who likes to get at their phone, do this, do that, put in the code, wait. And by the way, going down this path, you might say, well, he really hates MFA.

Let me, let me back up. I'm the guy at two different vendors who walked in and not requested, demanded that our team put, you know, that our it team put MFA in place. And in one case it was a quick yet we will do it. And the second one, I got some pushback had to go to the CEO, but we had P caps from major networks sitting in a Google environment that was protected by a password. And my answer to the CEO was pretty simple. I'm not spending all this time effort, sweat equity, money, and our money to, to build a brand, to build, you know, really solid customers to have a breach.

And we didn't even pass the village idiot test. You know, that's not gonna be a thing.

And, and so he, he, he made the team turn it, turn it on. Nobody loved it, but I was, you know, quite happy. So it's not that I have a, a, a bad taste for MFA. I think I'm, I'm a, I'm a overall, I'm a fan. It's just that as attackers have gone forward, the current stuff isn't protecting us.

Like we, like we thought, but the user hated piece is just, it's a lot of friction. It's a ton of friction.

And we, it doesn't have to be that way in most things that we do in cybersecurity. We think of that. We have to, if we're gonna increase security, you know, we're gonna make the user experience more miserable and you don't have to do that anymore. And in fact, the, the one really nice silver lining that I've seen in the last two years as I do gatherings with a lot of CSOs is every one of them is talking about user experience. It's a really important factor, cuz otherwise people are gonna either turn stuff off or work around it. How many of you guys have had a request from your execs?

If you have MFA turned on, you know, to turn it off or turn up the timer so they don't have to do it as much happens all the time. I don't wanna have to, you know, screw around with this stuff. I don't like it as inconvenient. The third one's a little bit more interesting.

You know, when we talked about what attackers do they attack the person, the identity, the user try to adopt, you know, grab those credentials. They also attack the endpoint. So if we let a user in on a, you know, likely compromise endpoint, that's not helping us and current MFA doesn't really do anything for that. I can get my token.

I can, or I can go down to the library computer or the hotel lobby, computer, which any cyber security expert will tell you there's are highly likely to have malware running on them. Right.

You know, highly likely a compromised system, but I can go log into my web application, get my token, put it in there and off I go. So I'm now accessing our corporate data or customer data or, you know, you know, Phi kind of data on a machine that is more than likely already compromised. So this is where I think, you know, and this is a real, it's a, it's a challenge, but a super opportunity for the identity community. We can pull these things together. And just so that you're not just taking it, you know, for me, this is, you know, second presentation in a row.

You've heard a little bit of this, but you know, it's important enough that the federal government has mandated that every like every agency in the us government goes to what they, their exact phrase was fishing resistant, MFA. They're worried about this enough and not only do they have to do that, they have to do that within the next two years. I don't know about your governments, but our government doesn't roll over in bed in two years.

You know, it, it takes 'em that long just to kind of, you know, and, and so this is a mandate with teeth and actually money behind it as well. But, and, and I think that's gonna have a big spreading effect, you know, right now it's not foisted on industry, but that's happening. You know, they're setting a new high bar saying that, you know, the current crop of stuff, isn't what it needs to be specifically. They're recommending, passwordless MFA with, you know, basically no fishable factors and we'll come back to that.

But the point that they make is these attacks can be run fully automated at scale. So it's not a hack by hand one thing at a time.

I mean, these things can be done by scale. You guys can go out to GitHub and get, you know, your own fishing kit on a public, you know, just on a public good hub, a repository, you know, this is just one example. There's plenty that you can buy in the underground as well. So that's why it's become, you know, people think some of these hacks are sophisticated enough. I'm stealing tokens. I'm doing this. That's really kind of really sophisticated financial adversary or that's a state actor.

No, it, it, it's not, these things are out there. It's painting by numbers to a, you know, to a do man in the middle reverse proxy, you know, kind of attack.

It's, it's literally that, that easy, get the kit, you know, fill in the blanks, get the stuff with my dated, you know, coding knowledge and my, you know, somewhat dated network knowledge I can get on there and make it happen myself. So it's trust me, you know, it's in, it's in the arms or it's in arms reach of like anybody who wants to do it. So that's the setup now what, you know, what do we need to be thinking about when we're talking about modern authentication, modern MFA, and we break it down to what a couple of things I've, I've got 10, but these are really the top four.

I think that really really matter. You know, you have to be able to positively authenticate users in a high trust, you know, in a very, very high trust way. You can't use fishable factors if you're using, you know, push or any token that, you know, traverses the network, it's just not, it's easily fishable.

It's just, you know, persona on grata. That's what the, you know, that's what our government said.

And I, I am quite sure others will follow. So you gotta eliminate those factors, not just from the authentication flow, cuz you know, passwords and other Fisher will factors. Aren't just an issue with authentication flow. It's a recovery flow, a lot of attackers to, to do what they need to do.

They'll, you know, we've gotten better at the offsite. So they'll just go into the recovery flow and try to re you know, do an account recovery kind of thing. And that's like, you know, more likely protected or the just the way it works, it's easier for them to attack.

So it's, it's, you have to eliminate those things everywhere. And really the model that people are, you know, that, that the advanced companies are going to is some sort of form of, you know, some form of public private key cryptography. And there's really good news in that if you just are using like certificates on a hard drive, no good. If you're storing a pie, the key in a TPM or an enclave, that's great. It can't move.

And you know, to Apple's credit when they came out with the, you know, the iPhone for, and we all had to put our thumbprint, they didn't store our thumbprint up in the, up in the cloud, you know, where it was gonna be, you know, a giant target. They stored it on a device, in a hardware protected thing, Microsoft it with windows 11 won't install, unless you've got a TPM on the machine and that's to do a lot of things. It's not just an authentication thing. It's obviously the check layers of the operating system and code as it, as it loads up, but super important.

So modern devices, all modern business devices have a really secure place to store private key. So we can now use public private key crypto, but do it in a way that is like having an HSM on every device that, that we have. So that's one piece positively authenticate users with, you know, a public private, you know, kind of key exchange and then, you know, positively identify the device. Are we logging in from a device that we've authorized to use?

And that, that matters more from a workforce scenario versus a cm or, or consumer model, but it matters. I mean our, and by the way, even the guys, the, you know, the Netflix of the world are all now figuring out that maybe that's a big issue too. Our college kids are gonna be really bummed out because you know, Netflix is gonna do something that, you know, they're going to authorize only a certain number of devices, you know, as you log in. And so there's, there's other ramifications for this idea of authenticating and device that go beyond just security.

They want to do it to, you know, maintain revenue hold, but you know, so positively authenticate the device, but we're not done yet. Now we gotta check the thing are the security controls in place for that device that we expect to be on that device? Not is it installed?

Is it, you know, are they are the configuration set? Is my firewall turned on as my disc encrypted is my pin code turned on and active at the time. Did you know, did somebody turn off the pin code? So I don't have a, you know, or the biometric, you know, to get into the device.

And, you know, that kills one of the factors, one of the important factors. So you, you need to be able to check that prior to authentication, why led, you know, in a device that we doesn't have the appropriate security controls, you know, which is gonna avoid that problem with the, the library computer just, you know, logging in from, from that sort of thing. And then you don't get to do it once you should do it continuously.

You know, just because I logged in, you know, 10 minutes from now, can I go change settings? Can something happen?

Can I, you know, sure. So we've been talking about this idea of continuous authentication for a long time. And if you apply that not only to users and looking at behavioral metrics, you know, user behavior things afterwards apply that same logic to the end point as well, and then continuously do that. So a modern authentication thing has to do that. And aren't we really talking about with those first four things, zero trust. So that's a really exciting part for identity professionals. We are the main cog in the wheel, you know, kind of the, the main thing you, you don't get zero trust.

If you don't do those things, things like network segmentation or some of the other, you know, advanced VPN things that are positioned to zero trust. Aren't the fundamental building block this in and of itself. Isn't zero trust. There's obviously more things to do and no product solves that. But if you don't do those top four things, you're nowhere. I can have a nicely segmented network. And that stop, you know, that contains the blast radius. So the bad guy gets into one segment. They hopefully can't get to other segments, right.

Or if malware gets into one segment, it can't propagate to other places, but that doesn't, that doesn't stop somebody from getting in necessarily. It just stops from, from moving. So then we go on from there. What else do we need? User experience matters. So doing this in a, you know, really frictionless way, and we have the ingredients now we've got TPMS on machines, we've got biometrics or strong pin codes that are local to the device that are really hard. So that's a factor for us. We can leverage that factor and combine that with other factors. And that are also not fishable.

We chose a particular way to do it, which, you know, we can come by the booth and we can talk about it. It's, you know, public private key crypto is a second factor and X 5 0 9 certs, but it doesn't matter. It's both factors are, are not fishable. And then we go on from there. If you have to go plop out a second, there's a bunch of use cases where a second device is a pain. You go to some clients that have big call centers, financial call centers. You don't wanna bring a phone into a call center.

It's the last thing they want you to bring in there so that, you know, the employees at the call centers can snap pictures of, you know, private, you know, information on their screen of users. But beyond that, just from a friction standpoint, nobody wants to like pull out the second thing.

Ah, crap, I gotta run upstairs. I forgot my left my phone there, or it's over at the desk.

I'm, you know, I brought my laptop into the conference room and you know, didn't in the phone, didn't come with me. So that's that we think that's an important requirement. And listen, at the end of the day, authentication's about selling front doors, hopefully secure front doors. So if your front door isn't functioning, that's no Buena, right? So it's gotta be highly available and a highly scalable architecture, you know, that supports that. And I think, you know, that has to be one of the requirements continuing on that. We think it's the same kind of user experience across all the devices.

You know, users are creatures of habits, we're all creatures of habits. So if you can provide the same ubiquitous user experience, no matter whether I'm logging into a web app, you know, from an iPhone or logging into a native application on an Android device or set, if you can do the same kind of, you know, blanket way of doing it, great, everybody learns it once and they know how it, how it all works and they're not gonna get tripped up by it. And then the last thing is that we all have made big investments in our identity stack.

So any authentication solution that come in has to plug in, and the nice thing is, is for the last bunch of years, you know, last decade or so, we built some really great standards, O I D C off SAML, et cetera, that really enable that, you know, so that we can integrate with ping for rock Okta, the Microsoft, you know, suite. And we can do it in a way that is not brittle. We can do it in a way that standards base will work, will work over time because the organizations are adhering to that. And then lastly, this really becomes authentication, becomes the piece.

You know, it's almost like the Keystone, the, the thing that holds up, you know, the whole arch it's that piece in the middle. So it's, you know, it also should iden, you know, integrate with the security stack. So whether we want to get additional information about the dice, vice from the MDM or additional information from the EDR, what's the risk score, you know, on the device.

And should we let it in, or we want to communicate these events, you know, if you're opening and closing the front door, you know, you wanna, you know, make sure that you're getting back any, you know, any stuff that you're blocking or issues that you see, get that back to the security operations center, through the, the SIM, et cetera. And so I'm sure it's gonna be no shock to you, and you can come down and visit us at the booth that, you know, this is, you know, we hit all those requirements.

This is something that, you know, we've been working on for the last couple of years, and we've done it across, you know, three use cases, the workforce DevOps, which is super important as well, locking down, you know, access to the repo and the C I C D pipeline ends up being a really big issue. And then the consumer, the IAM use case. So love to talk to you about that. And with that, that's what we think advanced authentication. The future looks like.