Federal Agencies Sprint Towards Multi-Factor Authentication, but There Are Gaps to Address
March 29, 2016 | Security and Risk | Kevin Corbett
The need for stricter cybersecurity measures within federal, state and local governments is well documented by high-profile breaches, including those at the U.S. Office of Personnel Management (OPM) and the Internal Revenue Service.
As part of a directive to better protect the integrity of federal networks, in June 2015 U.S. Chief Information Officer Tony Scott launched a 30-day Cybersecurity Sprint requiring federal agencies to improve the security and resilience of their networks by tightening policies and practices for privileged users and credentials. The focus on privileged account security signaled a shift in security strategy for both public and private organizations: one that assumes attackers are already inside the enterprise.
Multi-factor authentication was among the requirements included in the Sprint. Specifically, the initiative required agencies to: “Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems.”
The push for multi-factor authentication is a response to the risk concentrated in privileged account credentials. Attackers rely on stolen or guessed privileged credentials in nearly every successful network breach, because those credentials are what let them move from an initial foothold to the systems and data they are after. Privileged accounts and credentials include IT administrative accounts, default and hard-coded passwords, application backdoors and SSH keys.
To mitigate this risk, proactive security controls are a must: privileged credentials have to be managed and protected with controls such as multi-factor authentication. Adoption, however, is not an easy feat for government agencies.
Addressing the Challenges
Multi-factor authentication implementations come with several challenges and complexities, but there are workable approaches. For example, in a recent FCW article, Deborah Golden, principal and Federal Cyber Risk Services leader at Deloitte & Touche, notes that federal agencies can consider a multi-tiered approach by:
- Requiring PIV authentication where possible and rapidly implementing known technical solutions for environments that can support PIV.
- Using other multi-factor authentication tokens, where available, to eliminate remaining password-enabled accounts.
- Determining mid- and long-term infrastructure changes required to PIV-enable all privileged user accounts.
PIV cards have a known limitation: they only work for logins that support certificate-based (PKI) authentication, so local administrator accounts, service accounts, network devices and legacy applications that accept nothing but a password cannot be PIV-enabled directly. CyberArk helps organizations meet the mandate for multi-factor authentication on all privileged accounts by placing PIV authentication in front of every system and application managed by the CyberArk Privileged Account Security Solution, including applications that cannot natively support PKI or multi-factor authentication. The user authenticates to the vault with a PIV card; the vault, not the user, holds and supplies the target account's credential. This lets organizations keep their existing infrastructure and add PIV card authentication centrally.
To simplify deployment while maintaining individual accountability, many organizations working with CyberArk use shared accounts managed by the solution instead of personal privileged accounts. Each user gets PIV card-protected access to the shared accounts stored in the secure digital vault. The identity is thus decoupled from the account: the target system sees the shared account, while the vault records which person used it and when, so access is easier to manage and the required visibility is preserved. The combination of shared accounts centrally stored in the CyberArk Privileged Account Security Solution and PIV-protected access with per-user accountability helps organizations meet the multi-factor authentication mandate without undue burden. CyberArk supports a variety of multi-factor authentication technologies, including PIV and CAC cards.
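To make the model in the two paragraphs above concrete, here is an added illustrative example. It is not CyberArk's code and not the product's API; it is a minimal credential broker that shows the pattern: a user proves identity with a PIV certificate, the broker checks a policy and hands out a vault-held shared account's password for one session, the audit trail names the person rather than the shared account, and the password is rotated when the session ends. The `piv_cert` dict stands in for a client certificate the TLS stack has already validated (chain, signature, expiry); the CA name, user names, account names and the `VaultBroker` class are hypothetical, constructed for this example.

```python
"""Illustrative PIV-gated broker for vaulted shared accounts.

Added example (not CyberArk code).  The TLS client-certificate handshake
that proves PIV possession is assumed to have happened already; the
dict passed as `piv_cert` represents its validated result.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SharedAccount:
    """A privileged account whose password only the vault knows."""
    name: str                              # hypothetical, e.g. "root@db01"
    password: str                          # rotated on every check-in
    checked_out_by: Optional[str] = None   # PIV subject holding it now


@dataclass
class AuditEvent:
    user: str         # the person (PIV subject), not the shared account
    account: str
    action: str       # "checkout" or "checkin"
    session_id: str


class VaultBroker:
    """Issues shared-account credentials only to PIV-authenticated users.

    The target system sees the shared account; the broker's audit trail
    records which person held it for which session (accountability).
    """

    def __init__(self, trusted_issuers: Set[str], policy: Dict[str, Set[str]]):
        self.trusted_issuers = set(trusted_issuers)
        self.policy = policy                       # PIV subject -> allowed accounts
        self.accounts: Dict[str, SharedAccount] = {}
        self.audit: List[AuditEvent] = []
        self._sessions: Dict[str, str] = {}        # session_id -> account name

    def add_account(self, name: str) -> None:
        # The vault generates the secret; no human ever chooses or learns it
        # except for the duration of a checked-out session.
        self.accounts[name] = SharedAccount(name, secrets.token_urlsafe(24))

    def authenticate(self, piv_cert: Dict[str, object]) -> str:
        """Map a validated PIV authentication certificate to an identity.

        `piv_cert` is a constructed stand-in for the certificate the TLS
        layer has already verified; here we only enforce issuer trust
        and revocation status on top of that.
        """
        if piv_cert.get("issuer") not in self.trusted_issuers:
            raise PermissionError("certificate not issued by a trusted CA")
        if piv_cert.get("revoked", False):
            raise PermissionError("certificate revoked")
        return str(piv_cert["subject"])

    def checkout(self, piv_cert: Dict[str, object], account_name: str) -> Tuple[str, str]:
        """Return (session_id, password) for one exclusive use of the account."""
        user = self.authenticate(piv_cert)
        if account_name not in self.policy.get(user, set()):
            raise PermissionError(f"{user} is not entitled to {account_name}")
        acct = self.accounts[account_name]
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{account_name} is held by {acct.checked_out_by}")
        session_id = secrets.token_hex(8)
        acct.checked_out_by = user
        self._sessions[session_id] = account_name
        self.audit.append(AuditEvent(user, account_name, "checkout", session_id))
        return session_id, acct.password

    def checkin(self, session_id: str) -> None:
        """End the session and rotate the password the user was shown."""
        account_name = self._sessions.pop(session_id)
        acct = self.accounts[account_name]
        user = acct.checked_out_by or "unknown"
        acct.checked_out_by = None
        acct.password = secrets.token_urlsafe(24)   # exposed value dies with the session
        self.audit.append(AuditEvent(user, account_name, "checkin", session_id))

    def who_used(self, account_name: str) -> List[str]:
        """Accountability query: every person who has held this shared account."""
        return [e.user for e in self.audit
                if e.account == account_name and e.action == "checkout"]


if __name__ == "__main__":
    # Constructed sample data: one trusted CA, one entitled user, one account.
    broker = VaultBroker({"Example Agency PIV CA"}, {"CN=ALICE": {"root@db01"}})
    broker.add_account("root@db01")
    alice = {"subject": "CN=ALICE", "issuer": "Example Agency PIV CA"}
    sid, pw = broker.checkout(alice, "root@db01")
    print("session", sid, "issued to", broker.accounts["root@db01"].checked_out_by)
    broker.checkin(sid)
    print("password rotated:", broker.accounts["root@db01"].password != pw)
    print("root@db01 used by:", broker.who_used("root@db01"))
```

Two design points worth noting: the shared account's password never needs to be known to a human outside a session, so it can be long, random and rotated on every check-in; and because the policy and audit are keyed on the PIV subject, the password-only target system gains per-person accountability without being able to speak PKI itself.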
In addition to its consulting services, partnering with CyberArk provides access to additional solutions that help bolster cybersecurity strategies within federal, state and local governments. For example, CyberArk SSH Key Manager securely stores, rotates and controls access to SSH keys to prevent unauthorized access to privileged accounts. CyberArk Privileged Session Manager secures, controls and monitors privileged user access and activity on critical UNIX, Linux and Windows-based systems, databases and virtual machines.
For more information on security and compliance for federal agencies, visit CyberArk’s Federal solutions webpage.