URL:
https://cloudsecurityalliance.org/blog/2022/04/28/mfa-is-only-as-effective-as-we-want-it-to-be/
MFA IS ONLY AS EFFECTIVE AS WE WANT IT TO BE
Blog Article Published: 04/28/2022
Written by Authomize

Good cybersecurity is all about getting the basics right. Sure, AI and other advanced technologies help us do security better, faster, stronger, etc.
But the really important work is actually using the most basic tools to fend off the vast majority of attacks. One of the most glaring examples of a good security measure that is woefully underused is multi-factor authentication (MFA).

IDENTITY IS THE NEW BATTLEGROUND

In the cloud-centric era, where we use our identity to access apps and services on someone else's network, the good fight has centered on getting identity and access security right. The problem is that many of us are still getting a lot of those basics wrong. In its recent "Cyber Signals" report, Microsoft declared that "Identity is the new battleground, but most are unprotected against attacks." Looking at its internal numbers, Microsoft reports that only 22% of Azure Active Directory organizations use what it terms "strong authentication" (read: MFA) to secure their accounts. This is beyond irksome, given that the folks in Redmond have been spreading the good word about MFA for years, repeating the mantra that "MFA can block over 99.9% of account compromise attacks." That figure describes the password-based attacks (credential stuffing, password spray, reuse of leaked passwords) that make up the bulk of account compromise; one-time codes and push approvals can still be relayed by a real-time phishing proxy, so phishing-resistant methods such as FIDO2/WebAuthn are the better choice for privileged accounts. Even so, considering how effective standard MFA is, it boggles the mind that it is so underutilized.

WHY AREN'T ORGANIZATIONS USING MFA?

MFA is like a seatbelt: easy to use and highly effective in most cases. And yet people will always have an excuse for not using it. Added friction to productivity and UX is one of the most common responses, with many employees griping about the extra step at login. Some will ask, "What if I forgot my phone today? Can I not log in?" Lack of time and resources for the security team to get everyone enrolled is another reason that often gets cited. Though when it comes to basics like adding MFA to your Microsoft accounts, the cost of the service is less of a direct issue, even if the implementation effort might be.
When it comes to third-party services, there may be extra costs associated with adding MFA that could deter an organization from doing the right thing. None of these are good reasons not to have MFA, which has reached a critical point of necessity. Passwords alone are nowhere near enough to protect your access to cloud services like your IaaS, SaaS, and hosted data. Ideally, we could just enroll everyone in MFA, but given the challenges above, we have to pick our battles.

3 TIPS FOR SECURING YOUR PRIVILEGED ACCESS

When malicious actors target your organization, the goal is to ensure that they walk away with as little as possible for their trouble. We need to prioritize securing the accounts that can do the most damage if compromised, namely our identities with privileged access. Ensuring that these valuable identities have MFA enabled should be our top priority. Here are a few good tips for getting started.

1. KNOW WHERE TO START

Start by identifying your privileged identities. In some cases they will simply be listed as admins, but it is not always so clear. You also need to detect shadow admins: identities that, directly, through group memberships, or through roles they can assume, can reach your sensitive crown jewels (such as customer data) or hold permissions that can be exploited for privilege escalation. Identifying these undeclared admins is often harder than it sounds, because most teams lack visibility into all the different access paths an identity may have to their assets.

2. USE FEDERATED ACCESS

Using an identity provider like Azure AD, Ping, or Okta gives you an easier way to determine and manage who has MFA enabled. If any of your privileged accounts do not, require them to enroll.

3. DISALLOW UNFEDERATED ACCESS

For all the apps and services where possible, bar access for local IAM users. This is best practice in general, but has added value for more sensitive assets.
In cases where you can't use federated access, use tools to track access usage activity, gain visibility, and ensure that people cannot reach your valuable assets without MFA enabled.

A FIGHTING CHANCE

Along with the suboptimal 22% MFA adoption figure, there are reasons to be hopeful. The Microsoft authors tell us that basic security hygiene still protects against 98% of attacks, citing MFA and least privilege as important measures for mitigating risk. That is good news, because it means organizations stand a fighting chance against the threats to their identity perimeter. And that threat is rising. The report claims that in 2021, "Azure Active Directory detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords." So how many didn't they block? How many more are coming? As we move through the tumult of early 2022, we can expect these attempts to increase further. Preparing for whatever comes next will require organizations to develop a technology adoption strategy that lets them enforce their authentication and authorization policies. Taking responsibility for their security will mean using all the defensive tools at our disposal, starting with the most basic.

Topic: Identity and Access Management
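The three tips above describe one procedure: enumerate who is really privileged (including shadow admins reached only through group membership or role assumption), confirm those identities have MFA, and flag any that are local, unfederated principals. The script below is an added example, not code from the CSA/Authomize post or from any vendor product. The inventory layout is a hypothetical simplification of what an IdP or cloud IAM API exports, the sample identities are constructed, and the set of "admin" actions is an illustrative assumption in AWS "service:Action" style.

```python
"""Added example, not code from the CSA/Authomize post or any vendor product.

Walks an identity inventory over group-membership and role-assumption edges to
find every identity that can reach an admin permission (tip 1, including the
"shadow admins" the post describes), then reports which of those lack MFA or
are local, unfederated principals (tips 2 and 3). The inventory layout is a
hypothetical simplification of an IdP/cloud IAM export; the data is constructed
and the action names follow the AWS "service:Action" style."""
from collections import deque

# Full control or a well-known privilege-escalation primitive. Matching is
# literal for brevity (illustrative assumption); a real tool expands wildcards.
ADMIN_ACTIONS = {"*", "iam:*", "iam:AttachUserPolicy", "iam:PutUserPolicy",
                 "iam:CreateAccessKey", "iam:PassRole", "iam:UpdateAssumeRolePolicy"}

# Constructed sample inventory: each principal has direct permissions, the
# groups it belongs to and the roles it is trusted to assume.
INVENTORY = {
    "users": {
        # Declared admin with MFA via the IdP: compliant.
        "alice":  {"mfa": True,  "federated": True,  "permissions": [],
                   "groups": ["cloud-admins"], "assume_roles": []},
        # Reads like a plain developer, but developers -> deploy -> release
        # grants iam:PassRole: a shadow admin with no MFA.
        "bob":    {"mfa": False, "federated": True,  "permissions": ["s3:GetObject"],
                   "groups": ["developers"], "assume_roles": []},
        # Same path as bob, MFA enrolled: privileged but compliant.
        "carol":  {"mfa": True,  "federated": True,  "permissions": [],
                   "groups": ["developers"], "assume_roles": []},
        # Local service account that can assume a role chain ending in iam:*.
        "svc-ci": {"mfa": False, "federated": False, "permissions": ["lambda:*"],
                   "groups": [], "assume_roles": ["release"]},
    },
    "groups": {
        "cloud-admins": {"permissions": ["*"], "groups": [], "assume_roles": []},
        "developers":   {"permissions": ["s3:GetObject"], "groups": ["deploy"], "assume_roles": []},
        "deploy":       {"permissions": [], "groups": [], "assume_roles": ["release"]},
    },
    "roles": {
        "release":       {"permissions": ["iam:PassRole"], "groups": [], "assume_roles": ["billing-admin"]},
        "billing-admin": {"permissions": ["iam:*"], "groups": [], "assume_roles": []},
    },
}


def _principal(inventory, name):
    """Look up a group or role record by name."""
    for kind in ("groups", "roles"):
        if name in inventory[kind]:
            return inventory[kind][name]
    raise KeyError(f"unknown principal {name!r}")


def admin_paths(inventory, user):
    """Breadth-first walk from a user over group-membership and role-assumption
    edges. Returns every path that ends at a principal holding an admin action;
    an empty list means the user cannot reach admin rights."""
    queue = deque([(inventory["users"][user], [user])])
    seen = {user}
    paths = []
    while queue:
        record, path = queue.popleft()
        if ADMIN_ACTIONS & set(record["permissions"]):
            paths.append(path)
        for nxt in record["groups"] + record["assume_roles"]:
            if nxt not in seen:  # group/role graphs often contain cycles
                seen.add(nxt)
                queue.append((_principal(inventory, nxt), path + [nxt]))
    return paths


def audit(inventory):
    """Return {user: {"issues": [...], "paths": [...]}} for every privileged
    user that lacks MFA or is a local (unfederated) principal."""
    findings = {}
    for user, record in inventory["users"].items():
        paths = admin_paths(inventory, user)
        if not paths:
            continue
        issues = []
        if not record["mfa"]:
            issues.append("privileged without MFA")
        if not record["federated"]:
            issues.append("local (unfederated) privileged principal")
        if issues:
            findings[user] = {"issues": issues,
                              "paths": [" -> ".join(p) for p in paths]}
    return findings


def mfa_guardrail_policy():
    """For the local user tip 3 cannot eliminate: an IAM policy statement that
    denies every action unless the session authenticated with MFA, using the
    aws:MultiFactorAuthPresent condition key AWS documents for this purpose."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyAllWithoutMFA", "Effect": "Deny",
                           "Action": "*", "Resource": "*",
                           "Condition": {"BoolIfExists":
                                         {"aws:MultiFactorAuthPresent": "false"}}}]}


if __name__ == "__main__":
    for user, finding in audit(INVENTORY).items():
        print(f"{user}: {', '.join(finding['issues'])}")
        for path in finding["paths"]:
            print(f"    via {path}")
```

Run as-is, it reports bob (a shadow admin through the developers -> deploy -> release chain, with no MFA) and svc-ci (a local account that can assume its way to iam:*), while alice and carol pass because they are federated and MFA-enrolled. The walk follows both membership and assumption edges, which is what makes the undeclared admins visible; note that it deliberately reports the path, since the fix for bob is usually to trim the group or role chain rather than only to enroll him in MFA. The deny-without-MFA statement covers the residual local users that cannot be federated.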
© 2009–2022 Cloud Security Alliance. All rights reserved.