In an effort to bring enterprise-wide security to all its agencies, and in conjunction with its migration of services to the cloud, leaders in Pennsylvania’s Office of Administration recently deployed a risk-based multi-factor authentication (RBMFA) system for identity management.

The goal was two-fold. The state sought to reduce the risk of third parties gaining access to its data and to protect sensitive information, and also to achieve compliance with the Criminal Justice Information Services rules for law enforcement and with IRS policies governing tax data.

To access RBMFA-protected systems, users preregister from a work-issued device located on the commonwealth’s network. During this process, workers are authenticated against the enterprise Active Directory and prompted to set up their challenge/response questions and PIN.

Besides improving the security of agency applications and increasing efficiency, the solution has raised service levels and cut costs. There are plans in the works to adapt the solution to citizen-facing applications so Pennsylvanians can access tax information or state health records through a single sign-on.

We applaud Pennsylvania’s proactive multi-factor authentication approach to improving security and compliance by reducing risk, but a fundamental problem remains.

Pennsylvania’s IP-based infrastructure and DNS security paradigm is based on “access before authentication” and was instituted at a time when devices, networks and firewalls were essentially static. It relies on knowing the IP addresses in advance and on firewalls to control where access is coming from.

Going forward, we would recommend an authenticate-first approach. It is a fundamentally different approach that will require having a client on every device – something not everyone is willing to accept yet. But devices are central to any IT environment. Only by putting a client on the device can you authenticate users in a way that ensures the service is completely shut off to everyone except those who are authenticated and authorized.

We cannot keep doing it the same way and expect to be secure. Becoming secure requires a willingness to change.

In fact, there are emerging but proven solutions that protect enterprises from attacks. Software Defined Perimeters (SDP) employ an authenticate-first approach by securing every connection to a predetermined service, application or critical infrastructure. The primary effect of the SDP is that it allows good packets and connections while dropping bad packets and preventing bad connections. In the event of an attack, the SDP proactively identifies malicious traffic, automatically blocks it, and stops it from reaching the protected services.
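To make the difference between “access before authentication” and “authenticate first” concrete, here is an added, simplified simulation written for this post; it is not code from the Pennsylvania deployment, from Waverley Labs’ reference implementation, or from any SDP product, and the `AuthFirstGateway`, `AccessFirstService`, device IDs, keys and addresses are all constructed for illustration. The gateway answers nothing to an unauthenticated source (it does not even reveal that a service exists), opens the service only after a valid signed first message, and rejects replayed or stale first messages, since an authenticate-first design is only as strong as that first message:

```python
"""Constructed illustration of an authenticate-first gateway versus a
legacy access-first service. Not a real SDP implementation."""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 30   # how long an authenticated source stays allowed
FRESHNESS_SECONDS = 5 # tolerated clock skew on the signed first message


class AuthFirstGateway:
    """Default-deny gateway: every packet from a source that has not yet
    presented a valid signed auth message is dropped silently."""

    def __init__(self, device_keys, now=time.time):
        self.device_keys = dict(device_keys)  # device_id -> shared secret (bytes)
        self.allowed = {}                     # source address -> expiry time
        self.seen_nonces = set()              # replay protection
        self.now = now                        # injectable clock for testing

    def _verify_auth(self, body, now):
        # Expected body: "<device_id>|<unix_ts>|<nonce>|<hex HMAC-SHA256 tag>"
        try:
            device_id, ts, nonce, tag = body.split("|")
            ts = int(ts)
        except ValueError:
            return False                      # malformed: drop, say nothing
        key = self.device_keys.get(device_id)
        if key is None:
            return False                      # unknown device
        if abs(now - ts) > FRESHNESS_SECONDS:
            return False                      # stale message
        if nonce in self.seen_nonces:
            return False                      # replayed message
        expected = hmac.new(key, f"{device_id}|{ts}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or wrong key
        self.seen_nonces.add(nonce)
        return True

    def handle(self, source, packet):
        """Returns the gateway's reply, or None when the packet is dropped."""
        now = self.now()
        if packet.startswith("AUTH "):
            if self._verify_auth(packet[5:], now):
                self.allowed[source] = now + WINDOW_SECONDS
                return "auth-ok"
            return None                       # bad auth: silent drop
        expiry = self.allowed.get(source)
        if expiry is None or expiry < now:
            return None                       # not authenticated (or expired)
        return f"service-response:{packet}"


def make_auth_message(device_id, key, now, nonce=None):
    """Client side: build the signed first message the gateway expects."""
    nonce = nonce or secrets.token_hex(8)
    ts = int(now)
    tag = hmac.new(key, f"{device_id}|{ts}|{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"AUTH {device_id}|{ts}|{nonce}|{tag}"


class AccessFirstService:
    """Legacy model: the service answers anyone, then asks for credentials,
    so its existence and login surface are exposed to every source."""

    def handle(self, source, packet):
        if packet.startswith("LOGIN "):
            return "login-ok" if packet[6:] == "demo-password" else "login-failed"
        return "banner: please LOGIN"


def demo():
    """Run both models against the same constructed traffic."""
    clock = [1_700_000_000]                   # fake clock, seconds
    gw = AuthFirstGateway({"laptop-42": b"demo-shared-key"}, now=lambda: clock[0])
    r = {}
    r["unauth_probe"] = gw.handle("10.0.0.9", "GET /records")       # dropped
    msg = make_auth_message("laptop-42", b"demo-shared-key", clock[0], nonce="n1")
    r["auth"] = gw.handle("10.0.0.9", msg)                            # auth-ok
    r["after_auth"] = gw.handle("10.0.0.9", "GET /records")           # served
    r["replay"] = gw.handle("10.0.0.10", msg)                         # dropped
    r["forged"] = gw.handle("10.0.0.11", "AUTH laptop-42|x|n2|00")    # dropped
    clock[0] += WINDOW_SECONDS + 1
    r["expired"] = gw.handle("10.0.0.9", "GET /records")             # dropped
    r["legacy_probe"] = AccessFirstService().handle("10.0.0.9", "GET /records")
    return r


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name:13s} -> {reply!r}")
```

The legacy service returns a banner to an unauthenticated probe, which is exactly the “access before authentication” exposure the post describes; the gateway returns nothing at all until a valid first message arrives, and the allow entry is keyed to the source and expires, so a stolen auth message cannot be reused from elsewhere or later. A production design would bind the first message to a per-device credential rather than a static shared key and would log dropped packets for detection rather than discarding them without a trace.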

SDPs incorporate industry input and lessons learned from successful implementations by leading enterprises such as Coca-Cola, Mazda, and Google, and by large government organizations like the DHS, and they continue to be tested in organized industry “hack-a-thons” (such as RSA), with an estimated 10 billion attempts to date – all unsuccessful.

For more information, check out this white paper on Software Defined Perimeters.

Also feel free to check out the industry’s first open source reference implementation of SDP developed by Waverley Labs. The reference architecture and repository can be accessed and downloaded here.

###