Multi-factor authentication (MFA) is a powerful solution for achieving and maintaining compliance with the leading industry regulations. Lately it has also become a necessity to qualify for cyber insurance. This is because MFA significantly reduces the risk of system penetration, up to a remarkable 99%. Let’s dive into MFA and how it works, see which regulations it can help you comply with, and learn how to implement it on any system: SaaS, legacy or other.
MFA is an authentication method that requires multiple factors of verification before allowing access. Unlike traditional verification methods that rely on only one verification factor - the password - MFA is reliant on two or more of the following types of factors:
Something you know - the most basic factor. Includes credentials that users have knowledge of, like passwords or answers to security questions.
Something you have - a verification method based on user possession of assets, like tokens, certificates or USB devices.
Something you are - the hardest factor to replicate, as they are based on the user’s biological traits. Includes assets like biometric data or keystrokes.
MFA is a more secure solution than just using a password because it adds additional layers of protection. While passwords can be easily cracked, and sometimes are not even changed from their default setting, MFA ensures that a password alone will not be enough to gain access. In addition, MFA provides organizations with more flexibility to control access policies. For example, by limiting the times certain information can be accessed.
Many recent data breaches led to the distribution of stolen passwords, which then can be used to infiltrate other systems. With MFA, even if such passwords are obtained, they are insufficient to gain unauthorized access to sensitive systems. Moreover, other large-scale attacks like SolarWinds were caused because a password was cracked. With MFA, a cracked password would not be enough to attack the system.
Let’s look at five compliance standards that MFA can assist with:
HIPAA is a US healthcare regulation that ensures the privacy of patients by requiring organizations to protect their sensitive information. MFA can help by protecting patient information from attackers who might have obtained passwords to healthcare systems.
SOC 2 aims to ensure that companies securely manage and effectively protect customer data. By employing MFA, companies comply with the SOC 2 requirement to secure information from unauthorized access.
The Payment Card Industry Data Security Standard (PCI-DSS) is a standard for handling credit cards to reduce credit card fraud. Some of the requirements, including the need to change default passwords and authorize access, can be enforced through MFA.
The Sarbanes-Oxely standard protects investors from accounting fraud. MFA can help comply with the SOX requirement that passwords and access credentials are protected.
The Gramm–Leach–Bliley Act requires financial institutions to inform their customers about how they protect and share their information. MFA is a crucial component of how they do so.
MFA is increasingly important in the world of compliance, but it also helps businesses with other needs. Recently, many cyber insurance companies have introduced MFA as a requirement to get cyber insured. If they do not implement MFA, companies risk a higher premium or they may not even be able to continue their insurance policy. This development has followed a growing number of high profile cyber attacks that relied on password cracking, as well as US President Biden’s Cybersecurity Executive Order that mandates federal agencies to implement MFA.
Simply put, MFA is becoming the baseline, not an addition, to any company’s security model. So let’s see how MFA can be easily implemented.
Zero trust is a modern security framework based on the premise “never trust, always verify.” In the zero trust model, access is managed by continuously authorizing each user and device every time they attempt to enter an app or asset. Sometimes, authorization continues for sensitive actions within the app, such as financial transactions. This ensures that even if an attacker gains access to the network, they will not have access or visibility into sensitive information. Zero trust is a reliable alternative to VPNs, which only authenticate users upon initial entry to the network and do not continuously verify their identity.
By design, zero trust supports MFA as a continuous authorization method. As a result, zero trust helps enable compliance with all the security standards listed above, as well as providing additional security measures.
If you’re operating legacy systems like CRMs, ERPs, SSH server connections, remote desktop or OT systems, you’ve probably heard that MFA is not supported. This is because MFA requires various app configurations that cannot be performed on legacy apps.
But incredibly, with Cyolo's unique zero trust architecture, you can now add MFA capabilities to any of your systems – SaaS or legacy. That's right - Cyolo’s solution enables you to add an external MFA to your legacy systems. Users access the system through Cyolo’s web interface, where they are authorized with MFA for each entrance or action. Only after authentication can they access the system, which is now protected through a compliant MFA solution.
To learn more about Cyolo’s secure connectivity solution and how to painlessly deploy MFA to your systems, let’s talk.
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.