MFA Is Well-Established, But Not Foolproof


EMEA Technical Director David Higgins from CyberArk dives deep into the nuances of enterprise security.

Enterprise security is a crucial factor in today’s cyber-alert era, yet there is a widespread misconception in the Middle East market about which IT security projects should be running.

“It is critical to re-challenge or reject other authentication requests until we understand more. We should use ML to identify potential authentication attempts from which we want to protect the business. The second way to use ML is on the operational efficiency front. We could use ML to verify all the behavioural patterns that the employee represents and give a more seamless security experience. The information can then be fed into an AI platform to spot high-risk abnormal user behaviour,” said David Higgins, EMEA Technical Director, CyberArk.

In this interview, Higgins discusses the importance of enterprise security, how machine learning can make authentication both stronger and more seamless, and how CyberArk tackles operational inefficiencies in banking. He emphasises the importance of communication between the business and the end-users about IT security.

Excerpts from the interview

How can enterprises secure DevOps pipelines and cloud-native apps better?

We have a series of recommendations that we give to organisations. One among them is to deliver security policies as code. Its key role is to deliver infrastructure as code. A company should ensure that security embraces a DevOps type mindset and delivers security policy as code.

Security should be automated and embedded at the start of the process. Often, we see organisations treating security as an afterthought or trying to implement it after the event. It can be tricky because you’re reverse engineering it and trying to secure something in place. Ultimately, operational service always wins out.

Another key point that we advocate for both DevOps and cloud-native apps is to ensure the separation of duties. Developers are developers, operators are operators, and security is focused on security. We want to make sure the developers have the access they need, and the environment they need to write the code, but we also want to make sure that they’re not exposed to any information, secrets, and keys they don’t necessarily need.

As part of that, the policy is code, and the shift-left type mindset is security. We want to ensure that they have the right security services to point out their apps and code. If they don’t have that, it will become a real challenge for organisations. They might end up with different teams using different processes, lacking consistency and centralised governance.
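The policy-as-code and separation-of-duties ideas above, as an added example that is not CyberArk's code or the interview's own: each policy is a plain Python function over a simplified pipeline definition (the dict shape, role names, secret-name prefixes and the sample pipeline are all this example's assumptions), and the pipeline is rejected before anything runs if any policy reports a violation. Running this as the first stage of the pipeline is what "security embedded at the start" looks like in practice.

```python
"""Policy as code for a CI/CD pipeline definition (added example, not CyberArk code)."""
import re

# Constructed sample pipeline. The shape is this example's own, not a real CI
# format: each job carries the role that runs it, the secret names it pulls from
# the vault, and the commands it executes.
PIPELINE = {
    "jobs": [
        {"name": "build", "role": "developer", "secrets": [],
         "script": ["make build"]},
        {"name": "test", "role": "developer", "secrets": ["TEST_DB_PASSWORD"],
         "script": ["make test"]},
        {"name": "deploy", "role": "developer", "secrets": ["PROD_DB_PASSWORD"],
         "script": ["./deploy.sh --token=abc123"]},   # literal credential, wrong role
    ]
}

# Separation of duties: which secret-name prefixes each role may reference.
# Developers get test-scoped secrets only; operators may also read PROD_ ones.
ROLE_SECRET_PREFIXES = {
    "developer": ("TEST_",),
    "operator": ("TEST_", "PROD_"),
}
# Jobs that touch production and therefore must run under the operator role.
OPERATOR_ONLY_JOBS = {"deploy"}
# Crude detector for credentials pasted as literals into a command line.
INLINE_SECRET = re.compile(r"(?i)\b(token|password|secret|api[_-]?key)\s*=\s*\S+")


def policy_secret_scope(pipeline):
    """A job may only reference secrets whose prefix is allowed for its role."""
    out = []
    for job in pipeline["jobs"]:
        allowed = ROLE_SECRET_PREFIXES.get(job["role"], ())
        for name in job["secrets"]:
            if not name.startswith(allowed):
                out.append(("secret_scope", job["name"],
                            f"role {job['role']} may not read {name}"))
    return out


def policy_no_inline_secrets(pipeline):
    """Credentials must come from the vault, never as literals in scripts."""
    out = []
    for job in pipeline["jobs"]:
        for line in job["script"]:
            if INLINE_SECRET.search(line):
                out.append(("inline_secret", job["name"],
                            f"literal credential in: {line}"))
    return out


def policy_operator_runs_deploy(pipeline):
    """Production jobs run as operator; developers never hold that access."""
    return [("separation_of_duties", job["name"],
             f"{job['name']} runs as {job['role']}, expected operator")
            for job in pipeline["jobs"]
            if job["name"] in OPERATOR_ONLY_JOBS and job["role"] != "operator"]


# The policy set is itself versioned code: adding a rule is a reviewed change.
POLICIES = [policy_secret_scope, policy_no_inline_secrets, policy_operator_runs_deploy]


def evaluate(pipeline):
    """Run every policy; an empty list means the pipeline may proceed."""
    violations = []
    for policy in POLICIES:
        violations.extend(policy(pipeline))
    return violations


# The same pipeline after the violations are fixed: deploy runs as operator and
# pulls its token from the environment the vault populates.
PIPELINE_FIXED = {
    "jobs": PIPELINE["jobs"][:2] + [
        {"name": "deploy", "role": "operator", "secrets": ["PROD_DB_PASSWORD"],
         "script": ["./deploy.sh --token-from-env DEPLOY_TOKEN"]},
    ]
}

if __name__ == "__main__":
    for policy, job, detail in evaluate(PIPELINE):
        print(f"[{policy}] job={job}: {detail}")
    print("fixed pipeline violations:", evaluate(PIPELINE_FIXED))
```

The sample pipeline trips all three policies on the `deploy` job (a developer-owned job reading a `PROD_` secret, a literal token in the command line, and deployment outside the operator role); the corrected version passes with no violations.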

How do your products use machine learning to secure seamless access and manage risks for customers signing in from multi-devices?

Multi-factor authentication (MFA) is well-established but is not foolproof. It is open to compromise and hacking. For many years, White Hat hackers have demonstrated how one can exploit MFA, and it’s time companies twin it with machine learning (ML).

For instance, an employee could have two authentication factors — a password and a PIN, which can be exploited. We must consider the context of the employee’s authentication request: Where is he? What device is he on? What’s he previously been doing? Where was his previous authentication request? We should take that context and use ML to make more intelligent decisions.

It is critical to re-challenge or reject other authentication requests until we understand more. We should use ML to identify potential authentication attempts from which we want to protect the business because we know that attackers are after those credentials as an ingress point.

The second way to use ML is on the operational efficiency front. We’re in danger of end-users hitting notification fatigue when they hit an application. A full-blown MFA every single time can become tiresome. We could use ML to verify all the behavioural patterns that the employee represents and give a more seamless security experience. The information can then be fed into an AI platform to spot high-risk abnormal user behaviour.
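The context-aware decision described in this answer, as an added example that is not CyberArk's code: a rule-based risk scorer stands in for the ML model (the weights, thresholds, the user profile store, the assumption that timestamps are UTC, and the sample logins are all this example's own). It turns the context of a request (device, country, time of day, distance and time since the previous login) into allow, step-up or deny, and shows how a successful step-up feeds back into the baseline so the same device is seamless next time.

```python
"""Context-aware step-up authentication (added example, not CyberArk code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: datetime  # assumed UTC


@dataclass
class UserProfile:
    """Baseline built from past successful logins (an assumed profile store)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    work_hours_utc: tuple = (6, 18)  # hour window the user normally logs in (assumed)
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev, cur, max_kmh=900.0):
    """True if reaching this login from the previous one would beat airliner speed."""
    if prev is None:
        return False
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if km < 50:  # same city: GPS noise or clock skew, not travel
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    return hours <= 0 or km / hours > max_kmh


def risk_score(profile, ev):
    """Additive score with the reasons, so the decision can be explained."""
    score, reasons = 0, []
    if ev.device_id not in profile.known_devices:
        score, reasons = score + 40, reasons + ["new device"]
    if ev.country not in profile.usual_countries:
        score, reasons = score + 30, reasons + ["unusual country"]
    start, end = profile.work_hours_utc
    if not start <= ev.ts.hour < end:
        score, reasons = score + 10, reasons + ["off-hours"]
    if impossible_travel(profile.last_login, ev):
        score, reasons = score + 60, reasons + ["impossible travel"]
    return score, reasons


def decide(profile, ev):
    """Low risk passes silently; medium is re-challenged; high is rejected."""
    score, reasons = risk_score(profile, ev)
    if score >= 70:
        return DENY, reasons
    if score >= 20:
        return STEP_UP, reasons
    return ALLOW, reasons


def record_success(profile, ev):
    """Fold a login that passed (including any step-up) into the baseline."""
    profile.known_devices.add(ev.device_id)
    profile.usual_countries.add(ev.country)
    profile.last_login = ev


def demo():
    """Constructed sample: a user who normally works from Dubai on one laptop."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    dubai, new_york = (25.20, 55.27), (40.71, -74.01)
    profile = UserProfile(known_devices={"laptop-01"}, usual_countries={"AE"},
                          last_login=LoginEvent("alice", "laptop-01", "AE", *dubai, t0))
    events = [
        LoginEvent("alice", "laptop-01", "AE", *dubai, t0 + timedelta(hours=1)),
        LoginEvent("alice", "phone-99", "AE", *dubai, t0 + timedelta(hours=2)),
        LoginEvent("alice", "laptop-01", "US", *new_york, t0 + timedelta(minutes=30)),
    ]
    return {f"{ev.device_id}/{ev.country}": decide(profile, ev)[0] for ev in events}


def learning_demo():
    """Step-up once on a new phone, then seamless once the profile has learned it."""
    t = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
    profile = UserProfile(known_devices={"laptop-01"}, usual_countries={"AE"})
    first = LoginEvent("alice", "phone-99", "AE", 25.20, 55.27, t)
    before = decide(profile, first)[0]
    record_success(profile, first)
    second = LoginEvent("alice", "phone-99", "AE", 25.20, 55.27, t + timedelta(hours=1))
    return before, decide(profile, second)[0]


if __name__ == "__main__":
    print(demo())
    print(learning_demo())
```

The known laptop from the usual location passes with no prompt; a new phone is re-challenged rather than rejected; a valid password plus PIN arriving from New York half an hour after a Dubai login is refused outright, which is the case a second static factor alone would have let through.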

Tell us how you work with banks to solve operational inefficiencies.

The biggest challenge for banks is that they’ve been around for a long time. They have a lot of technical debt and legacy platforms, and we help secure them more efficiently.

There might be a lot of manual processes they’re doing within those platforms, even something as simple as rotating credentials for highly sensitive and privileged accounts. They might be doing it manually because they have to do it from a regulation standpoint. There are specific security controls and processes they have to put on top of such archaic systems.

We’ve got a lot of experience helping automate some of those security controls with the most complex scenarios. Banks need to reduce the number of person-hours to produce the reports and the evidence that the auditors ask for. Our technology allows them to do that.

There’s been a build-up of an efficient workflow in many cases. For instance, third-party access is a big challenge for many banking customers. If they want to give a third-party access to their environment, it’s almost a multi-week process to get them an account created, get them an MFA token, and make sure they can get into the bank through a VPN or VDI technology. It takes weeks before that third-party obtains access. We help make that happen automatically and drive down operational efficiencies when granting access.

What advice would you give business leaders to balance risks and governance while encouraging data democracy?

It might sound obvious, but it is about understanding the business well. As a security professional, you need to realise the lifeblood of the business: Where are the critical assets? And you try to understand that for two reasons. One, you need to know how the company operates and how they think, and therefore, start to identify your key targets from a threat perspective. What’s most valuable to you as a business will also be your highest risk.

Second, ensure that you get the company to understand security, and the key to it is communication. Often, security is enforced with little to no communication with the end-users, and that’s where we see the two worlds of business and security in conflict.

With security seated business, users continually try to circumvent and navigate security processes, and it all comes down to a lack of understanding from both sides of the fence. If we can more clearly articulate to our end users why we’re implementing security controls, and put it in the context of what’s critical to the business, they will be more manageable and open to embracing those security challenges.

As an example, I rarely hear anyone complain about security gates. People know that we have to ensure that the right people are in the building. The same mindset applies in the IT world. Hence, the critical thing in striking that balance is clear communication in both directions.
