Apply MFA to:
Almost all organizations use some form of multi-factor authentication (MFA) as an extra layer of security to protect user access to SaaS applications.
With MFA, users are required to provide at least two pieces of evidence to verify their identity, such as a password plus a biometric scan, a security token, or a one-time code sent to their mobile device. This added layer makes it considerably harder for attackers to gain unauthorized access to user accounts: even if an attacker obtains a user's password, they still need the additional factor, which they are unlikely to possess.
However, applying MFA to non-SaaS assets is difficult. Most organizations struggle to apply MFA to PaaS solutions, legacy applications, databases and OT/IoT devices. Only a few vendors enable MFA at the application layer (specifically, for applications that support Kerberos or NTLM). These solutions can create a false sense of security: the service's port stays reachable from the network, so an attacker who exploits a protocol or service vulnerability (especially one that is not patched on time) can take control of the machine without ever seeing the MFA prompt. In practice, all an attacker needs in order to bypass application-layer MFA is an open port.
As a result, the stopping power of MFA is underutilized in most enterprise environments.
The Zero Networks way: Tie MFA to the network layer
Zero Networks Segment is a patented solution that applies MFA at the port level (the network layer): every protocol, operating system and application above that layer is protected by MFA, without agents and without rewriting the application. Tying MFA to the network layer also denies attackers access to vulnerabilities (including zero-day and one-day flaws) in the organization, preventing them from moving laterally and compromising the network.
Zero Networks Segment enables just-in-time privileged access with self-service MFA, so that step-up authentication can be required for abnormal activity, for privileged users, or whenever especially strict control is needed.
A common scenario: MFA for RDP / SSH
One of the most common use cases is enabling administrators and IT teams to remotely access servers, on-prem and in the cloud, using remote administration protocols such as RDP, SSH and WinRM. However, these same protocols are widely used by attackers to move laterally across the network. To ensure that only authorized users can reach a server, Zero Networks Segment blocks all incoming traffic on administrative ports by default and prompts the user for just-in-time MFA; only after successful authentication is the port opened, for that user and for a limited amount of time.
Users can authenticate using the organization’s preferred identity provider (for example, Duo, Okta or CyberArk) or can use email or SMS authentication.
By applying MFA at the port level, Zero Networks can protect assets that MFA could not previously cover: legacy applications, databases, OT/IoT devices, mainframes, on-prem VMs and IaaS VMs.
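To make the RDP/SSH scenario above concrete, here is a small simulation of a port-level just-in-time MFA gate. It is an added example written for this page, not Zero Networks code, and it does not describe how Zero Networks Segment is implemented internally. It assumes a TOTP-style one-time code (RFC 6238, computed with the standard library) as the second factor, a constructed set of administrative ports, a constructed user seed, and a fixed clock passed in as a parameter so it runs deterministically offline. The gate keeps admin ports closed by default, opens a rule only for the authenticated source and port, and expires that rule after a TTL; the netsh rendering at the end shows what such a temporary rule would look like as a Windows Firewall allow rule for a single remote IP.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed for this example: the remote-administration ports the gate governs
# (SSH, RDP, WinRM over HTTP and HTTPS).
ADMIN_PORTS = {22, 3389, 5985, 5986}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step containing `now`."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class AllowRule:
    src_ip: str
    dst_host: str
    port: int
    expires_at: int  # epoch seconds; the rule is dropped once this passes


class JitMfaGate:
    """Default-deny gate for admin ports that opens a per-source rule after MFA."""

    def __init__(self, users: dict[str, bytes], ttl_seconds: int = 3600):
        self.users = users          # username -> TOTP seed (constructed, hypothetical)
        self.ttl = ttl_seconds      # how long an opened port stays open
        self.rules: list[AllowRule] = []

    def _expire(self, now: int) -> None:
        self.rules = [r for r in self.rules if r.expires_at > now]

    def is_allowed(self, src_ip: str, dst_host: str, port: int, now: int) -> bool:
        """Would an inbound packet src_ip -> dst_host:port be accepted at time `now`?"""
        self._expire(now)
        if port not in ADMIN_PORTS:
            return True  # outside this gate's scope; normal segmentation policy applies
        return any(r.src_ip == src_ip and r.dst_host == dst_host and r.port == port
                   for r in self.rules)

    def request_access(self, user: str, code: str, src_ip: str,
                       dst_host: str, port: int, now: int) -> bool:
        """Self-service MFA: verify the code, then open the port for this source only."""
        seed = self.users.get(user)
        if seed is None or port not in ADMIN_PORTS:
            return False
        # Accept the current 30 s window plus one step either side for clock drift.
        valid = any(hmac.compare_digest(code, totp(seed, now + drift))
                    for drift in (-30, 0, 30))
        if not valid:
            return False
        self._expire(now)
        self.rules.append(AllowRule(src_ip, dst_host, port, now + self.ttl))
        return True


def to_netsh(rule: AllowRule) -> str:
    """Render a rule as the equivalent Windows Firewall allow rule (illustrative only)."""
    return (f'netsh advfirewall firewall add rule name="JIT {rule.port} {rule.src_ip}" '
            f"dir=in action=allow protocol=TCP localport={rule.port} "
            f"remoteip={rule.src_ip}")


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 reference seed, constructed user "alice"
    gate = JitMfaGate({"alice": seed}, ttl_seconds=600)
    now = 1000
    print("RDP before MFA allowed?", gate.is_allowed("10.0.0.5", "srv01", 3389, now))
    ok = gate.request_access("alice", totp(seed, now), "10.0.0.5", "srv01", 3389, now)
    print("MFA accepted?", ok)
    print("RDP after MFA allowed?", gate.is_allowed("10.0.0.5", "srv01", 3389, now))
    print("Same port from another host?", gate.is_allowed("10.0.0.6", "srv01", 3389, now))
    print("After TTL?", gate.is_allowed("10.0.0.5", "srv01", 3389, now + 600))
    print(to_netsh(gate.rules[0]))
```

The point to notice is what the gate does not do: it never lets a packet reach the RDP or SSH listener before the second factor has been presented, so a vulnerability in that service is unreachable from any host that has not completed MFA, and the opening it creates is scoped to one source, one destination, one port and a deadline.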