Passwordless MFA Everywhere

How the Insurance Industry Needs to Get MFA Right

Published February 07, 2022 by Sagie Dulce

Cyberattacks are on the rise, soaring 125% year over year and affecting every geography and industry.

The most familiar victims of these malicious attacks are breached enterprises and consumers who have their personal data compromised. But another cybersecurity landscape participant with skin in the game could actually be the driver behind lasting change: insurers.

Pummeled by a 400% increase in ransomware attacks alone, insurers have borne the brunt of ballooning extortion demands. In fact, criminals often leverage unauthorized network access to get details on an enterprise’s insurance coverage to calibrate their ransom request.

The result? The cybersecurity insurance industry is barely teetering on the edge of profitability, with industry experts estimating that insurers are paying out up to 70% of premiums.

And the industry isn’t taking this sitting down.

Insurers in other sectors have long priced based on risk. (Think of an overweight smoker trying to secure health coverage.) Taking a page from their book, cybersecurity insurers are rewarding good behavior, often starting by requiring endpoint detection and response (EDR) and then multi-factor authentication (MFA).

It’s a logical place to start. MFA has been around for some time. Vendors, notably Duo, made MFA mainstream. And today, over 80 percent of hacking-related breaches are caused by stolen or weak passwords, making MFA more important than ever.

But breaches continue, and MFA hasn’t proven the panacea Duo and its competitors promised. Why?

The Basic Problem

While MFA works well in modern SaaS cloud environments, the adaptations vendors have made to MFA for IaaS/PaaS cloud environments and on prem are far less effective than people think. Take a common scenario: you have a Windows server. MFA vendors typically deploy an agent on the server to block access based on authentication. In reality, these agents secure only a small amount of remoting functionality, which represents only a tiny subset of access points, leaving the others wide open to lateral movement. And if the server is vulnerable (a zero-day or a known but unpatched flaw), Duo won’t help. You need the port closed–all the time. How do you scale MFA across an entire enterprise, including cloud and on prem?

Imagine MFA EVERYWHERE in your organization. This would be the cyber equivalent of making every asset defend like LeBron James. In fact, particularly post Snowden, it’s a safe bet to assume that nation-state actors like the NSA, Mossad, GRU, China and more have all deployed–and scaled–MFA everywhere. LeBron defense. And where nation states go, eventually so does the rest of the industry.

So what does proper MFA everywhere look like?

Ideally, MFA everywhere:

  • Extends pervasively to every asset in the organization for all applications with zero agents and zero application rewriting for radically effective and simple protection.
  • Applies MFA-based restrictions against privileged protocols while using automation for normal usage to minimize disruption.
  • Enables segmentation across your entire network by applying just-in-time privileged access with self-service MFA to apply security for abnormal activity, privileged users or anytime extreme security is required.

As pointed out above, today’s MFA vendors use inadequate mechanisms covering just a fraction of a typical environment. But with cybersecurity insurers driving requirements, it’s just a matter of time before a vastly more robust and comprehensive MFA solution becomes the norm.

Spoiler alert: Zero Networks does just that in a simple and cost-effective way. Learn more about the future of least privilege networking and discover how to overcome the limitations of legacy MFA.