Hi everyone, today we’re doing a deep dive into each of the Essential 8 controls and how each point can be addressed at each maturity level. We also discuss why multi-factor authentication (MFA) is a best practice for securing your accounts against a cyber attack. Let’s get stuck into it!
MFA is becoming increasingly common in day-to-day life, and most people are familiar with receiving an email or text message in order to log into various online services. One of the biggest challenges for organisations, however, is the line between personal and business devices, and the resistance of staff to using their personal devices for business purposes. This can make implementing multi-factor authentication harder and may lead to the adoption of other token-based systems such as FIDO2 security keys and YubiKeys.
Multi-factor authentication draws on three different types of factor, and a login only counts as multi-factor when it combines at least two different types:
• Type 1 – Something you KNOW
• Type 2 – Something you HAVE
• Type 3 – Something you ARE
If your IT Team is struggling to interpret the Essential 8, then send them this blog – it gets more in-depth from here. If your organisation needs help with MFA, then give us a call!
Maturity Level 1 (ML1)
ML1, ML2 and ML3 each consist of 8 key points, with the key differences between maturity levels found at points 5, 6, 7 and 8. For ML1 only the first 4 apply; they are as follows:
1. “Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.”
2. “Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.”
3. “Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s non-sensitive data.”
4. “Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.”
The above 4 points can be addressed with the same qualification: not all services can run MFA, so this is a primary consideration when looking into the implementation of multi-factor authentication. If a service can’t utilise MFA, then removing its direct exposure to the internet should be the first port of call, and enabling a VPN endpoint that does use multi-factor authentication should be considered. Calibre 1 partners with Fortinet to provide firewall services that can secure your VPN access with MFA.
In addition to this, if a provider can’t directly provide MFA but the service can be set up with Single Sign On (SSO), then using a secure identity provider, like Microsoft Azure Active Directory, which CAN be secured with MFA, is another consideration. This can also remove the barrier of requiring a VPN to connect to critical business systems. SSO is a core security tenet that reduces complexity in an environment and reduces the risk of something being missed during onboarding and offboarding.
Where guest users are allowed to access your systems remotely and are set up directly on your systems, they should be configured as if they were one of your own users, and the principle of least privilege – the least permissions required to complete their job – should be applied. If the system supports it, then consider using Federated Identity Services, or Azure Active Directory, so that their access is controlled by the guests’ own systems or directory structure. For example, when they leave their organisation, their access is revoked by their own provider, and no notification or update is required on your own systems.
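To turn the ML1 guidance above into a repeatable check, here is an added example (not from the original post, and not Calibre 1 tooling) that triages a service inventory: each service’s attributes decide which of the four ML1 points applies and which of the remediation paths described above fits it (enforce the service’s own MFA, front it with SSO through an identity provider that enforces MFA, or take an organisation-hosted service off the internet and publish it only behind an MFA-protected VPN). It generalises the post’s advice to a whole inventory and flags the one case the text leaves without a path, a third-party service holding sensitive data that offers neither MFA nor SSO. The attribute names, the `Service`/`Plan` structures and the sample inventory are assumptions constructed for the example.

```python
# Added example (not from the original post): triage a service inventory against the four
# ML1 multi-factor authentication points. Attribute names and sample services are assumed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Service:
    name: str
    internet_facing: bool
    third_party: bool        # hosted by a provider rather than the organisation itself
    sensitive_data: bool     # processes, stores or communicates the organisation's sensitive data
    native_mfa: bool         # the service can enforce MFA itself
    sso_capable: bool        # can delegate sign-in to an identity provider (SAML/OIDC)
    serves_guests: bool = False  # non-organisational users sign in to it


@dataclass
class Plan:
    service: str
    ml1_point: Optional[int]  # which of points 1-3 governs the service (None = out of scope)
    action: str
    compliant: bool


def applicable_point(s: Service) -> Optional[int]:
    """Map a service to the ML1 point that governs it."""
    if not s.internet_facing:
        return None          # the ML1 MFA points only cover internet-facing services
    if not s.third_party:
        return 1             # the organisation's own internet-facing service
    return 2 if s.sensitive_data else 3


def plan_for(s: Service) -> Plan:
    """Pick the remediation path the post describes for this service."""
    point = applicable_point(s)
    if point is None:
        return Plan(s.name, None, "not internet-facing: outside the ML1 MFA points", True)
    # Point 4: guests on the organisation's own service get MFA on by default, opt-out allowed.
    guest_note = ""
    if point == 1 and s.serves_guests:
        guest_note = "; enable MFA by default for guest users, opt-out permitted (point 4)"
    if s.native_mfa:
        return Plan(s.name, point, "enforce the service's own MFA for every user" + guest_note, True)
    if s.sso_capable:
        return Plan(s.name, point,
                    "front with SSO through an identity provider that enforces MFA" + guest_note, True)
    if point == 1:
        return Plan(s.name, point,
                    "remove direct internet access and publish it only behind an MFA-protected VPN", True)
    if point == 2:
        return Plan(s.name, point,
                    "no MFA path exists: stop using it for sensitive data or replace the service", False)
    return Plan(s.name, point, "MFA not available; permitted under point 3, record the exception", True)


def assess(inventory: List[Service]) -> List[Plan]:
    return [plan_for(s) for s in inventory]


def non_compliant(inventory: List[Service]) -> List[str]:
    return [p.service for p in assess(inventory) if not p.compliant]


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Service("Staff webmail", True, False, True, True, True),
    Service("Partner portal", True, False, True, False, True, serves_guests=True),
    Service("Legacy ERP web client", True, False, True, False, False),
    Service("Payroll SaaS", True, True, True, False, False),
    Service("Public survey tool", True, True, False, False, False),
    Service("Internal wiki", False, False, False, False, False),
]

if __name__ == "__main__":
    for plan in assess(SAMPLE_INVENTORY):
        flag = "OK " if plan.compliant else "GAP"
        print(f"[{flag}] {plan.service}: {plan.action}")
```

Running the block prints one line per service; the `non_compliant` list is what an IT team would take to the vendor or to a replacement decision, since everything else has a path to ML1 using controls the organisation already owns.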
Join us for Part 2 – Coming Soon!