Passwordless MFA Everywhere

MFA 2.0: How Government Organizations Practice MFA

Published April 20, 2022 by Sagie Dulce

How do major government organizations prevent ransomware and other cyber-attacks? Despite the NSA, Mossad, FSB and the PLA deploying different preventative tactics, they likely have one thing in common: the use of multi-factor authentication (MFA) everywhere.

What is MFA everywhere and how does it work?

The concept is pretty simple: utilize just-in-time privileged access with self-service MFA to apply security for abnormal activity, privileged users or whenever extreme security is required. For more mundane, less sensitive activities, automate segmentation across non-risky protocols to ensure standard employee routines and interactions experience zero disruption.

And where government security practices go, usually the private sector eventually follows. So what would deploying MFA everywhere military style look like? With modern approaches, not only is it easy to do—but it's also highly effective. In fact, adding MFA pervasively to every asset you own radically improves protection.

Specifically, MFA everywhere enables any organization to:

  • Stop Ransomware: Dramatically reduce the likelihood of ransomware spreading through your network with an airtight, properly segmented network.
  • Deploy flexible, scalable network segmentation: Enforce only required network access between workloads, and between environments.
  • Conduct application ring fencing: Microsegment all East-West workload communication, and apply identity-based segmentation to North-South user access.
  • Protect hybrid environments: Single network control to protect assets both in cloud and on-premises environments.
  • Secure your remote workforce: Every remote employee can only connect to what they need after 2FA, eliminating VPN as an attack vector.
  • Reduce compliance overhead: Easily pass pen-tests and meet compliance requirements.
  • Create and enforce policy automatically: Observe how users and machines normally communicate to automatically define and enforce a least privilege networking model throughout your environment, at scale, with a click.

And MFA everywhere may come sooner for reasons you may not expect: insurance. Today, likely driven by ransomware, insurance companies are getting spanked by paying out premiums due to security breaches. As a result, much like they do when providing health coverage, insurers reward good behavior. In this case, insurers often start by requiring EDR and then MFA.

Implementing MFA everywhere

You might be thinking, “I am using Duo or Okta–isn’t that the same thing?” Sadly, it is not. While today’s MFA solutions work well in modern SaaS cloud environments, they don’t work in cloud virtual machines or traditional on-prem machines.

For example, let’s use a common scenario: You have a Windows server. MFA vendors typically deploy an agent on the server to block specific protocol access based on authentication (such as remote desktop). In reality, these agents only secure a small volume of remoting functionality, representing only a tiny subset of access points, and leaving others wide open to lateral movement. If the server is vulnerable (zero-day or known, unpatched vulnerabilities), Duo won’t help; you need the port to remain closed.
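The contrast above can be modeled as two policy decision functions. This is an added illustration, not code from the author or any vendor; the class and function names, the port set, the host names and the one-hour grant lifetime are all assumptions made for the example.

```python
import time
from dataclasses import dataclass, field

# Assumption: these ports stand in for "privileged" remoting protocols
# (SSH, SMB, RDP, WinRM); the page itself names only remote desktop.
PRIVILEGED_PORTS = {22, 445, 3389, 5985}


@dataclass
class JitFirewall:
    """Default-deny policy: learned flows pass silently; privileged ports
    open per source, destination and port for a short time after MFA."""
    learned: set = field(default_factory=set)    # (src, dst, port) seen in normal traffic
    grants: dict = field(default_factory=dict)   # (src, dst, port) -> expiry timestamp
    ttl: int = 3600                              # grant lifetime in seconds (assumed)

    def approve_mfa(self, src, dst, port, now=None):
        """Record a successful MFA challenge as a time-limited grant."""
        now = time.time() if now is None else now
        self.grants[(src, dst, port)] = now + self.ttl

    def decide(self, src, dst, port, now=None):
        now = time.time() if now is None else now
        key = (src, dst, port)
        if port in PRIVILEGED_PORTS:
            # The port stays closed until this exact source passes MFA.
            return "allow" if self.grants.get(key, 0) > now else "mfa_required"
        return "allow" if key in self.learned else "deny"


def agent_only_decide(port, mfa_passed):
    """Model of the agent approach: MFA guards RDP only, and every other
    listening port is reachable with no check at all."""
    if port == 3389:
        return "allow" if mfa_passed else "mfa_required"
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic; host names are placeholders.
    fw = JitFirewall(learned={("app1", "db1", 5432)})
    for src, dst, port in [("app1", "db1", 5432), ("ws7", "srv1", 445),
                           ("ws7", "srv1", 3389)]:
        print(src, dst, port, "| agent-only:", agent_only_decide(port, False),
              "| default-deny + JIT:", fw.decide(src, dst, port))
```

In the constructed traffic, the SMB attempt from `ws7` is allowed under the agent-only model and held for MFA under the default-deny model, which is the lateral-movement gap the paragraph describes.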

What are the drawbacks of this approach? While MFA everywhere is a big technical change, it's not a big cultural shift. Employees don’t need to contort workflows. Done properly, MFA everywhere should only touch highly privileged users—such as admins—while remaining invisible to routine operations and employees.

Recently, we helped deploy MFA everywhere to two organizations, a law firm and a healthcare provider. Both organizations were hit by ransomware attacks not long after installation—and both deflected the attacks. Most importantly, one of these organizations had just one person manning their IT and security function. This proves that making the right choice of vendor will truly provide military-grade security for any organization.