There is no arguing that businesses today are run differently from a decade or two ago. I am sure most of you remember the times of having to physically put together workstations, as well as deploying patches and applications one desktop at a time. Think back on the ridiculous amount of time and effort spent on accomplishing even the simplest of tasks. Now fast forward to today. We are now in a time where we can deploy a fully configured workstation in the span of minutes or push out an application install to hundreds of devices in mere seconds. As technology continues to get better and better, it unquestionably decreases our time to achieve business value.
What About Access to That Workstation?
It used to be that IT administrators spent their time securing mainly servers and applications. It was only when all necessary controls were in place did they begin allowing their users to use corporate applications for their intended purpose. These corporate applications could be anything – EMR applications with sensitive patient records, financial planning applications with detailed budgetary information, or my all-time favorite – an excel spreadsheet filled with a user’s application usernames and passwords. So, what happens when a user’s workstation is compromised? What happens when sensitive data is not stored on the server or within the application database, but on the workstation itself?
As with most challenging questions, the answer is…“it depends.” It depends on what kind of information the user has access to, as well as what data is deemed as “must be protected.” If I know there is a user with potential access to thousands of customers’ credit card numbers, I’m probably going to protect that really really well. If it is a sales intern with minimal access to sensitive information, I will most likely lower my efforts there. As an administrator, I would want the ability to adapt as needed. After all, security is not free and I would not want to waste my precious budget unnecessarily. That would be a big waste of my time and department money.
How I Handled Workstation Authentication
I identified critical users that have access to application data that needs to be protected. Then I asked myself, now what? Should I put DLP in place? Should I enable endpoint analysis? How about setting up ACLs to keep the bad people out? These are all great security measures and are all questions that should be answered before making sensitive application data available. But does it not also make sense to protect who is entering the front door by enabling stronger authentication controls to the devices holding critical data?
There are stories all the time about how a single user account was compromised to gain access to thousands or even millions of sensitive records. Take the Home Depot breach as an example. One vendor’s logon credential was used to steal 40 million credit cards and 70 million users’ personal information. Could this have been prevented if the compromised user account required the use of more than just a username and password for workstation authentication? Imagine if there was a policy in place also requiring a One-Time Password code or fingerprint to login the chances of this breach happening would have been much less. There is a pretty high chance that by simply adding one additional authentication factor could have prevented millions of user’s information from being leaked.
So How Much Authentication is Enough?
I’m a strong believer of multifactor authentication and have worked with organizations from all corners of the map. And there is no question that organizations have different requirements. However, regardless of the organization’s stance, there always needs to be a balance between the convenience for the user and security for the organization. Therefore, I always tell my customers that rather than thinking about how many factors should I use? It is better to address what authentications factors would best fit my organization and what use cases present a security risk for my organization.
By answering these questions, you can:
- Reduce the overall project scope
- Identify an appropriate multifactor workstation authentication solution
- Create a project budget
- Begin using stronger workstation authentication