The modern workplace demands agility and flexibility with employees routinely expecting to be able to access their network environment using anytime, anywhere solutions. Cloud, mobile and web networks, resources and applications are the basic tools needed. But, with every new access method comes a different IT challenge and balancing the requirements of efficient business operations with effective security is a difficult one.
As well as preventing data breaches, organisations must also consider the implications of privacy laws, security standards, industry regulations and legislation. Issues such as GDPR and PCI DSS 3.2 are all factors that need to be taken into consideration.
Security teams are all too aware of the need to create optimised employee environments for efficient working but they are also aware of the stark facts around hacking related data-breaches. According to Verizon Enterprise Solutions, 81% of breaches involving hacking are related to stolen or weak passwords. The solution to protect against this threat is clear; two factor authentication is an essential component of securing network access.
Driving Factors: Legislation & Industry Standards
New legislation is helping to drive improvements in data security and there are two main statutes that now need to be considered:
- GDPR (General Data Protection Regulation) – EU Legislation implemented on 25th May 2018.
- Payment Card Industry Data Security Standards (PCI DSS) 3.2 – Industry standard, effective 1st February 2018.
Introduced to improve the rights of EU citizens to the way in which data is collected, stored and processed about them as well as improve overall data security, the GDPR states that companies must implement:
“appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Whilst this could be open to many interpretations the agency designated to provide clarity on the legislation and help achieve compliance, ENISA (European Union Agency for Network and Information Security) recommends that two-factor authentication in all high risk (and some medium risk) cases. Their advice is clear:
“Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics, etc.”
The agency goes on to point out that mobile devices represent a significantly greater risk of breaches of security since there is an increased incidence of theft and loss of portable devices. They are also used for personal use making them more vulnerable to unintentional exposure to unauthorised personnel. In order to secure business-related data, ENISA go on to recommend:
“Two-factor authentication should be considered for accessing mobile devices, and personal data stored at the mobile device should be encrypted.”
PCSI DSS 3.2
The latest Payment Card Industry Data Security Standards came into effect on 1st February 2018 and requires mandatory multi-factor authentication for systems handling cardholder data (non-console) as well as any remote access to the cardholder data environment (CDE).
The standards have two explicit requirements on users:
- 3.1 – Multi-factor authentication must be in use by all non-console access by administrators to the CDE. Non-console access is defined as being performed over a network rathe than a physical connection. This can be internally as well remote or external networks.
- 3.2 – This requirement extends the need for multi-factor authentication for remote access to the CDE to include all personnel. This extends to vendors whether for support or maintenance use as well as general users.
Two Factor Authentication with Windows Logon
One tool in the battle to provide a more secure environment is migrating to Windows Logon either with or without Push Notification. Covering access to related network logins, this solution offers a more secure way to gain entry to both the device itself as well as the corporate network. This not only protects sensitive data stored in both locations but also limits access to critical applications. The added benefits also mean that the authentication secures the VPN or Virtual Desktop infrastructure over which remote access is being used.
Two-factor authentication can be achieved with Windows logon by allowing employees to use a one-time password (OTP) to access their Windows desktop consisting of:
- A static password
- A one-time password such as a secure key to generate an OTP, a hardware token or smartphone with OTP app.
With the one-time password not being reusable and both elements being independent of each other, this satisfies both the legislative and industry standards for multi-factor authentication.
Able to be installed in the Windows environment, Windows logon can be deployed on serves, desktop PCs or laptops. Once installed, the programme replaces the original logon with the new version which requires an additional OTP.
Push Notification: An Extra Layer of Security
There is also another option to the OTP in which employees can utilise an OTP app on their smartphone.
Using an out-of-band (OOB) authentication method, Windows logon uses push mode to send the OTP app an automatic authentication notification. Employees simply receive a prompt during the logon process which they can tap to authenticate.
As well as offering a simple but as effective two-step process, push notification improves the user experience whilst still delivering low cost of ownership and higher security levels. All three factors are an important part of the decision-making process for multi-authentication technology adoption. It is this combination of reasons why most analysts are recommending mobile push notification.
Organisations that are seeking even stronger authentication methods can combine push with an additional layer of security by replacing the tap to authorise element with local authentication factors. Many smartphones can already facilitate biometric authentication such as fingerprint or face recognition, but it could even be a simple PIN entry.