The Importance of Multi-Factor Authentication in Zero Trust IT Models

The cybersecurity landscape is rapidly becoming more challenging, particularly in the UK, where over 80% of businesses have experienced a successful cyber-attack in the last 12 months (Cyberthreat Defence Report). Not only are cyber threats increasing, but new threats are also emerging, with the increasing reliance on remote working adding to these challenges.

There’s a greater need to introduce a security model that adapts more effectively to the complexity of the modern workplace. It’s no longer enough for IT security to focus solely on the protection of people, devices and applications; it must now embrace hybrid working models, empower employees to work productively from any location and facilitate digital transformation journeys, all whilst mitigating risks.

As a result, traditional IT security methods are being replaced by newer approaches, such as the Zero Trust principle, operating on a ‘never trust, always verify’ basis. When implementing Zero Trust, all end-users must be authenticated and authorised across all devices to minimise the ‘blast radius’, drive threat detection and improve defences.

Unified Security

Before the idea of Zero Trust, businesses deployed their IT security in layers to create a ‘defence in depth’ architecture. In doing so, valuable business data is placed at the centre of the corporate network, protected by a series of IT security layers that act as defensive mechanisms on top.

However, the problem with this approach is that different security pillars often operate in isolation, leaving gaps between endpoints that are extremely vulnerable to cybercrime. Layered security allows authorised users to bypass all security defences if logging in via an authorised device from within the network perimeter. Should a hacker gain access to employee credentials, they’ve got access to the corporate network, including all data and applications, in one simple step.

As many businesses are still developing their digital transformation journeys, business models are increasingly turning to cloud-based operations to enable a flexible, work-from-anywhere, at-any-time environment. However, this multi-device, multi-network way of working leaves traditional layered security architecture redundant.

Solving Modern Cybersecurity Challenges

Whilst the new way of working presents a multitude of opportunities, it also faces a number of new threats and challenges. The majority of these challenges stem from the increasing number of endpoints businesses now have operating within their network, whether through cloud-based machines and apps, SaaS (software-as-a-service) tools, or deploying a UYOD (use your own device) policy.

The principles of Zero Trust address these challenges by never assuming trust without verifying an identity first. It operates under the assumption that valid credentials are not enough to prove that it is in fact the assigned user accessing an IT resource, as potential attackers exist both within the network, and outside it. Over the last two years, the number of cyber-attacks deployed by an insider has increased by 47% (Tech Jury), so every request to access the system requires multiple checks to be completed before authorisation is granted.

Thus, the traditional network perimeter is eliminated, and a perimeter is instead wrapped around each user, minimising threats that could emerge through compromised identities, devices and networks.

User Authentication

When it comes to successful Zero Trust architecture, identity verification is the prerequisite for access. Implementing a multi-factor authentication tool is the first step in delivering a strong Zero Trust IT security strategy, as the identity of a user is authorised before entrusting them with access to critical data and resources. This is particularly important when considering that only 1 in 5 people utilise unique passwords across accounts and applications (Source: WatchGuard).

Device Authentication

It’s also important to remember that authenticating and authorising devices is just as important as doing so for an end-user. This is a feature less commonly seen in traditional IT security protected by perimeter networks, as it’s often deployed via VPN or NAC technology. However, with the continued rise in hybrid working environments, many businesses are seeing a greater uptake in BYOD/UYOD policies, which brings a whole host of risks, as it’s likely that the personal devices being used are not held to security requirements as stringent as those of enterprise-grade software and applications. If an employee’s personal account is hacked whilst connected remotely to the corporate network, it could ultimately lead to the exposure of sensitive business data and information.

Network Trust

When utilising the right tools, businesses can maintain granular control over the IP addresses that are allowed and denied entry to the business network. This ensures that access requests originating from whitelisted IPs are processed, whilst those that are unrecognised by the system are denied. Subsequently, employees can only access resources from networks that are known to the company and verified to be secure.

In doing so, organisations can prevent employees from accessing sensitive data from their home IP addresses, and require them to pass through a multi-factor authentication tool or use a company VPN instead.

Method for Establishing Trust

Identifying the components of Zero Trust is only half the battle, as businesses must also be specific in how trust is going to be established. This is where the role of multi-factor authentication comes in.

As previously established, passwords can no longer be trusted on their own to demonstrate that a user is who they say they are. Similarly, since devices are no longer connected to a physical network when working remotely, it can be hard to distinguish valid remote access attempts from malicious ones.

More and more corporate resources are being hosted externally through SaaS models, leaving internal IT teams blind to bad actors and unauthorised access attempts against critical resources.

MFA is the single most important IT security tool to combat these challenges, as it verifies users through the use of multiple simultaneous proof points. At SysGroup, our MFA solution goes beyond traditional two-factor authentication to create a three-pronged approach, asking users to prove something they know, on something they have, using something they are. This last part is especially important, as the final step includes biometrics, which simply cannot be replicated or breached by a hacker.

Why MFA is Critical to Zero Trust

The MFA challenge is presented once the user attempts to log in with the correct credentials. With a standalone password, access would automatically be granted; however, with MFA, there is an additional step that requires approving the login attempt through a push notification or by using a biometric sensor on their device.

This is a critical part of the Zero Trust IT security model because even if an attacker is able to compromise a particular component, MFA tools still prevent hackers from gaining access. Persistence and lateral movement attacks can also be mitigated through MFA, as successful verification is generally not valid for longer than a single session. This means that every time a new login attempt is activated, or a new device is used, or a request is initiated from a new location, authentication must be provided. Ultimately, MFA is the epitome of the ‘never trust, always verify’ principle.
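
The network allow-list described under Network Trust and the per-session re-authentication rule above can be combined into a single access decision. The Python below is an added example, not SysGroup or WatchGuard AuthPoint code; the networks (documentation address ranges), the Session fields, the strict_network switch and the decide function are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample allow-list (RFC 5737 documentation ranges, not real
# company networks): an office range and a company VPN egress range.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]

@dataclass(frozen=True)
class Session:
    """Hypothetical record of one completed MFA verification."""
    user: str
    device_id: str
    source_ip: str
    mfa_verified: bool

def decide(user: str, device_id: str, source_ip: str,
           session: Optional[Session] = None,
           strict_network: bool = True) -> str:
    """Return 'allow', 'mfa_required' or 'deny' for one access request."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny"  # malformed source address: fail closed

    on_trusted = any(ip in net for net in TRUSTED_NETWORKS)
    if not on_trusted and strict_network:
        return "deny"  # unrecognised network: user must come in via the VPN

    # Valid credentials alone are never enough: no verified session, no access.
    if session is None or not session.mfa_verified or session.user != user:
        return "mfa_required"

    # A verification is bound to the device and location it was given on;
    # a new device or a new source address triggers a fresh MFA challenge.
    if session.device_id != device_id:
        return "mfa_required"
    if ipaddress.ip_address(session.source_ip) != ip:
        return "mfa_required"
    return "allow"
```

With strict_network set to False, a request from an unrecognised network is not refused outright but can only proceed after an MFA challenge completed from that same device and address.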

Small to medium-sized enterprises stand to benefit immensely from the implementation of MFA in a Zero Trust model, largely due to its reliable security and user-friendly nature. With relative ease, businesses are able to ensure a high level of security for their devices, networks, resources and users.

However, the success of MFA hinges on the ability to balance tight controls with a seamless user experience. This can be complex: if there’s too much friction, users will start developing workarounds that create new security risks.

At SysGroup, we’re here to make the complex simple. Our IT security methods exist to create intelligent and adaptive MFA policies that improve the user experience without sacrificing security. Our Platinum partnership with WatchGuard enables us to deliver AuthPoint, an easy-to-use authentication app that works directly from mobile devices. It operates as a low total cost of ownership, cloud-based service that is easy to set up in five simple steps, with no expensive hardware to deploy on premises. Similarly, the user-friendly app allows authentication from anywhere, at any time, utilising Secure Single Sign-On to reduce the need for complex password management. If you’re ready to better protect your business, why not try before you buy with our free, no-obligation 30-day AuthPoint trial?