While the topics of multi-factor authentication (MFA), Zero Trust, and other cybersecurity measures are discussed at great length across all industries, are they being implemented? With the recent explosion of ransomware attacks going after our critical infrastructure and disrupting our daily lives, you would think that cybercriminals are getting past all of these security measures using complex approaches, but they’re not.
It was surprising and somewhat eye-opening to again see that a major ransomware attack, the recent attack on the Colonial Pipeline that shut down its 5,500-mile natural gas pipeline for five days, resulting in more than 10,000 gas stations across the Southeastern United States being out of fuel, was caused again by the well-known weakest link in security – the password. Recent news has come out indicating that the hackers were able to access Colonial’s systems by using an old VPN account and password, which had previously been compromised. In addition to the account still relying on a password that could be found on the dark web, multi-factor authentication was not implemented.
So this opens up the question, why wasn’t multi-factor authentication implemented for remote VPN access in this case?
Virtual private networks (VPNs) have been used for many years to securely connect remote users to an organization’s network from any location. VPNs have become even more critical as much of the workforce, including IT admins and other privileged accounts, have moved to working from home.
VPNs are critical to keep secure and multi-factor authentication (MFA) is considered one of the best ways to do so.
VPNs, as with most applications and services, are secured using a login asking for the user to authenticate as they try to connect. As with any connection, the login prompt asks the user for a username and password. Adding MFA applies stricter security policies to require additional authentication factors when the user tries to log on beyond the username and password. These additional factors can be a combination of something you know such as a password, something you have such as your phone, or something you are, such as your fingerprint, with no two factors being of the same type. In other words, you can’t require two authentication methods that are something the user knows.
While it is well-known that MFA is one of the first steps to increasing security and preventing cyber-attacks such as ransomware and phishing, many organizations are still working through how to implement it for remote access and VPNs.
When implementing MFA for VPN access, additional considerations need to be taken into account since a higher level of security is often needed while users are remote to the organization. One of the key challenges is determining the type of authentication method which will work best for these types of users. Hardware tokens as an example may work well for local employees, however, distributing and managing them for users who are remote can become a hassle and productivity killer if one is lost and needs to be replaced.
In addition, most authentication methods are unable to prove the user is who they say they are and are only able to authenticate the presence of a device and/or token. Knowing the individual gaining access is the correct person, is critical for remote access, however many MFA solutions don't offer biometrics which is the only way to achieve that.
So, while many organizations may have an MFA solution, being able to support the unique requirements around remote access and VPNs may require a change and/or addition to their current solutions.
Along with figuring out the right authentication method(s) for VPN access, just implementing MFA and managing it can be a burden on the IT team. When it comes to VPN access, users are remote and are often times accessing some of the most critical systems and data within the organization. Configuring the correct security policies, managing VPN accounts, and providing the right authentication methods for users can create a long list of tasks for the IT team to manage.
Lastly, the impact MFA will have on users is another consideration that often causes convenience to win against security when considerations are made for how users gain access to critical systems and data. While users are remote, being able to access the VPN is critical to being able to complete their day-to-day tasks. If they have an issue logging in, this could potentially halt their productivity completely as they will be unable to access the network and will have to contact the IT team. Troubleshooting remotely is also another challenge as the IT team and users work together to correct the issue. When driving to the office is not an answer, an issue with gaining access can become critical and long-lasting for remote employees.
While there are numerous considerations and challenges to overcome when implementing MFA for VPN access, recent ransomware attacks continue to show us this is a necessity for all organizations. Some of the main challenges are still around finding the right authentication methods that work for remote users, making it easier for the IT team to manage MFA, and avoiding any negative impact on user productivity.
Overcoming these hurdles will require the right mix of flexible multi-factor authentication options and a solution that can make it easier on both the IT team and users. While change is not easy for many organizations, seeing the consequences of not implementing these best practices should be an eye-opener to all of us. It’s time to stop just talking about MFA, Zero Trust, and all of these cybersecurity best practices, and implement them.