The Power of Multi-factor Authentication combined with Data Encryption and Protection

With the emergence of PCI DSS 3.0, GDPR and other data protection standards onto the global stage, the starting point for securing private information is via two well-known security technologies: Multifactor Authentication (MFA) and Data Encryption and Protection.

While some regulations are extremely general in terms of security requirements (GDPR is one of these), the implementation of the data protection safeguards is left in the hands of each integrator to interpret. Therefore a vendor is going to select a niche requirement for their product and exploit this to generate business for their organization. But, even with this being the case, IT Security best practice would always dictate that MFA is an essential starting point (protect your access and authentication) and then all data, regardless whether it is at rest or in transit, should be encrypted to avoid data breaches. With any encrypted service, key management is also essential.

MFA and Data Encryption services are a good starting point for most organizations serious about securing and protecting their (private) data and complying with local and global regulations.

MFA

MFA establishes access control via the authentication of a user or device (ie. you only gain access if you are authorized to do so). We have discussed Multi-factor versus Multi-step authentication previously so it is not covered here, but if you are not sure about the differences, please go to the Mi-Token blog.

MFA is akin to securing your front door and only letting in trusted parties. By adding MFA security to your standard login process, you are ensuring only validated and authorized users can get access to private data sitting in repositories, including cloud and on-premise services.

Even if a user’s credentials are stolen, there is very little chance that a criminal will be able to predict a totally random value and another separate factor, to gain access.

Also, separation of duties is very important with regards to access permissions to stored data, keeping in mind that much of the fraud committed is perpetrated by malicious staff. It pays to consider separating administration and database access. This means the person who configures your database should not necessarily be given access to the data in the repository.

Organizations not implementing MFA are missing a vital component in their security arsenal and hence leaving themselves exposed to the possibility of data breaches. If you’re holding Credit Card information or private/personal data, you may be required to implement an MFA service.

MFA is sometimes considered complex to install and configure and requires specialised skills to manage and maintain. In fact, this is far from the truth. Installing MFA is actually quite a simple process and the benefits far out-weigh the small amount of effort required to install and configure this technology. One of the objectives Mi-Token has set for its development team is that the product can be up and running in “10 minutes”. While this may seem like an unreasonable objective, it is something that we actually test for. Of course our team are experts in the installation process and there are many add-ons that can be installed which extend the install duration.

Mi-Token is embedded in Windows NPS and as such the configuration process is as simple as setting up your remote access gateway with Windows NPS. Also, forget patching and DB replication, this is handled within the Windows environment. No expert knowledge is needed to manage and maintain the system if you have a basic knowledge of Active Directory. If so, you can simply manage and support your Mi-Token users.

Data Encryption and Protection

Data encryption and Protection is another very important security technology referred to in a range of current regulations. If data is encrypted, it is of no use to anyone other than the person who can decrypt it. That is as long as they are a trusted and authorized person. One of the big issues is that private data is finding its way into a broad range of repositories, and organization may not even know what it has.

While policies and regulations mandate tougher security measures, IT security teams must be vigilant against persistent and increasingly more sophisticated attacks. In many cases these threats are coming from inside an organization via staff with privileged access, whether intentional or not. As I said before, separation of duties is a necessity. But many organizations are going one step further by limiting the unencrypted data that a Privileged User can access.

As an IT Security (MFA) vendor, Mi-Token works closely with Thales and Vormetric via partner organizations, and data encryption has become an important piece in our product arsenal. When using encryption and authentication technologies together, we are establishing a comprehensive and defensive framework that allows an organization to adhere to most global and local regulations (such as GDPR and PCI DSS).

Hardware Security Modules (HSM)

HSM provides centralized key management and dedicated cryptographic operations, such as certificate signing, bulk key generation, data encryption, and much more.

Any IT Security solution encrypting data requires encryption keys to encrypt the data. So it is critical that these keys are protected. Key management becomes an integral part of an organization security arsenal, as to which many larger organizations will attest. Consider HSMs for the generation and management of your encryption key and certs.

MFA and data encryption, while not always mandated, are definitely a great starting point for most organizations finding themselves in a position where their security may not be compliant with GRPR or other relevant regulations.

My advice is to do your homework and start investigating your options.

To find out more about Mi-Token visit our website: https://www.mi-token.com/