In "Mission: Impossible," one of the most iconic scenes involves Ethan Hunt (played by Tom Cruise) infiltrating a highly secure CIA facility at Langley to steal the NOC list, a comprehensive list of all covert agents. To access this room, Hunt has to bypass multiple security measures:
- Temperature Regulation: The room is temperature-controlled. A sudden rise could trigger the alarm. Ethan and his team have to ensure that his body heat doesn't increase the room's temperature.
- Sound Sensors: The room is equipped with sensitive acoustic sensors. Any noise louder than a whisper can set off the alarm. Hence, Ethan has to move very quietly.
- Pressure-sensitive Floor: The floor is loaded with pressure sensors. Ethan can't touch the floor, which is why he's suspended from the ceiling with ropes and harnesses.
- Retina Scanner: The computer holding the NOC list is secured with a retina scan. Ethan has to dangle right above the desk and use a gadget to capture the eye scan of a rightfully authorized person (in this case, the man who enters the room before the heist begins) and then replicate it to gain access.
This scene vividly encapsulates the principle of multi-layered security. Each layer (temperature, sound, pressure, and retina scan) is akin to a factor in multi-factor authentication (MFA) in real-world IT security. Even if an intruder bypasses one, there are additional layers of security in place to stop them.
At its core, MFA is an authentication control that requires users to present two or more independent proofs of identity before gaining access to an account. These proofs typically come from different categories: something they know (like a password), something they have (like a smartphone or a hardware token), and something they are (like a fingerprint or facial recognition).
If you’re not a Mission: Impossible fan, imagine your house has multiple locks on the door, a security camera, and a fingerprint scanner. Even if a burglar picks one lock, they'd still need to bypass the other security measures. Similarly, MFA acts as multiple security barriers, making unauthorized access far more difficult.
In the age of digital transformation and the era of remote work, companies are relying heavily on applications that are externally accessible. While this opens up opportunities for better collaboration and flexibility, it also introduces a series of security challenges. The onus then falls on Chief Information Officers (CIOs) not just to innovate, but also to protect. One of the key security recommendations, as highlighted by the Center for Internet Security (CIS) in Safeguard 6.3, is the implementation of MFA for externally-exposed applications.
Pros of Adopting MFA for Externally-Exposed Applications:
- Enhanced Security Posture: In an environment where cyber threats are continually evolving, MFA acts as a formidable barrier, ensuring that compromised credentials alone can't provide access.
- Building Stakeholder Confidence: By adopting recommended security measures like MFA, organizations signal to their stakeholders, including customers, employees, and partners, that their data is taken seriously and protected diligently.
- Regulatory Alignment: MFA is increasingly becoming a requirement in various industry regulations. Implementing it ensures that the organization remains compliant, avoiding potential fines or penalties.
- Versatile Authentication Options: Today's MFA solutions offer a range of verification methods, from SMS-based codes to biometrics. This ensures flexibility in deployment based on the organization's needs. Not all factors are equally strong, however: SMS codes can be intercepted or phished, so phishing-resistant methods such as FIDO2/WebAuthn security keys should be preferred where the application supports them.
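As an added illustration (not code from the original post or from CIS), the following Python sketch combines the "something you know" and "something you have" factors described above: a password check plus an RFC 6238 time-based one-time code, with a replay guard so a captured code cannot be reused and a short-circuit so a leaked password alone never grants access. The TOTP secret is the RFC 6238 test-vector secret; the password, salt and iteration count are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values: the RFC 6238 test-vector secret and a made-up password.
# A real deployment keeps per-user secrets in a vault and uses argon2/bcrypt.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, at // step, digits)


class Authenticator:
    """Two factors: something known (password) and something held (TOTP device)."""

    def __init__(self, pw_hash: bytes, salt: bytes, totp_secret: bytes):
        self.pw_hash, self.salt, self.totp_secret = pw_hash, salt, totp_secret
        self.last_counter = -1  # replay guard: each time step's code is accepted once

    def _password_ok(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def _totp_ok(self, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
        # Tolerate +/- one step of clock skew, but never accept an already-used step.
        for counter in range(now // step - drift, now // step + drift + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def login(self, password: str, code: str, now=None) -> bool:
        """Returns True only when both factors verify; `now` is a Unix time (defaults to the clock)."""
        now = int(time.time()) if now is None else now
        # The password is checked first, so a leaked password alone never consumes
        # a one-time code and never grants access without the second factor.
        return self._password_ok(password) and self._totp_ok(code, now)
```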
Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6
Here are some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 6 – Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for users, administrators, and service accounts for enterprise assets and software.
Implementation Group 1
CIS Safeguard 6.3 - Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.