Cloud computing services and applications have, perhaps surprisingly, been around since the late 1990s and have been adopted slowly across federal government agencies since then. When COVID-19 took the world by storm in 2020, that crawling pace had to change, because federal agencies were forced to shift to remote work. As a result, agencies became fully immersed in the cloud in order to keep day-to-day operations running.
Before COVID-19, some agencies had dipped their toes into remote work, deploying domain controllers (DCs) behind virtual private networks (VPNs) to give access to remote employees as well as external vendors, partners, and suppliers from other organizations. With all of these different entities connecting through the same directory, problems arose because the applications they used were at very different levels of modernization.
As a result, agency employees created separate usernames and passwords for each application they used. Those credentials were often reused across applications for convenience, which left a wide window open for attack: one compromised password unlocked several systems. It also blurred the line between an agency's own cloud identities and those of partners and suppliers outside the agency, because everyone was connecting with credentials drawn from the same pool.
This obviously is not best practice by today's standards, but at the time it was the only practical way to reach cloud services and share them remotely. It is one reason Microsoft built cloud identity into Office 365 (launched in 2011) and then released Azure Active Directory (Azure AD, generally available in 2013) so that agencies could address these credential and identity problems.
However, some agencies are still following password guidance from 20 years ago and may not be properly securing their cloud services. So, how can agencies apply current authentication best practices to strengthen their security posture?
How agencies can optimize authentication methods in hybrid cloud services
Multi-factor authentication (MFA) is strongly recommended for every government agency that wants a solid security posture. As noted above, many federal agencies still follow password guidelines written 20 years ago, and those guidelines say nothing about requiring a second authentication factor.
Although there are many forms of authentication, not all are created equal. This is why Microsoft developed three ways to optimize its MFA prompts so that federal government agencies get the strongest security posture possible from them.
- 1. MFA prompt workbook
MFA is a great way to strengthen an agency's security posture, but like anything else it has downsides if agencies are not careful. Push-based MFA sends a notification to the user's phone asking them to approve a sign-in that is happening on another device. If users see too many of these prompts, they start approving them reflexively without checking whether they initiated the sign-in, and an attacker who already has the user's password can exploit exactly that.
This is what is called an MFA fatigue (or push bombing) attack: the attacker uses a stolen password to trigger prompt after prompt until the worn-down user approves one. To help keep prompt volume down, Microsoft provides the MFA prompts workbook, an Azure AD workbook that shows admins which applications generate the most prompts and how often users are being challenged. If an agency finds that certain applications are prompting far more than necessary, it can reduce those prompts (for example by adjusting sign-in frequency and other session controls in Conditional Access) so that each remaining prompt is one users actually pay attention to.
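The two views described above, prompt volume per application (what the workbook surfaces) and a burst of unapproved prompts against one user ending in an approval (the signature of an MFA fatigue attack), can both be computed from sign-in records. The script below is an added example, not Microsoft's workbook or any Azure AD code; its records are constructed for illustration and only loosely follow the Azure AD sign-in log fields (userPrincipalName, appDisplayName, createdDateTime, authenticationDetails), and the 10-minute window and 4-prompt threshold are assumptions to tune per agency.

```python
"""Detection logic for MFA fatigue (push bombing) over constructed Azure AD-style
sign-in records. Added example, not Microsoft's workbook code. Field names
loosely follow the Azure AD sign-in log, but every record below is constructed
for illustration, not captured from a real tenant."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records. "result" summarises the push prompt outcome:
#   approved - user approved the push notification
#   denied   - user tapped Deny
#   timeout  - user did not respond to the mobile app notification
FIELDS = ("user", "app", "time", "result")
SAMPLE_SIGNINS = [dict(zip(FIELDS, row)) for row in [
    # alice: a normal working-hours sign-in, approved
    ("alice@agency.example", "Office 365 Exchange Online", "2023-03-01T08:00:05Z", "approved"),
    # bob: a burst of 2 AM prompts he never initiated, then one approval
    ("bob@agency.example", "Azure Portal", "2023-03-01T02:10:00Z", "denied"),
    ("bob@agency.example", "Azure Portal", "2023-03-01T02:11:30Z", "timeout"),
    ("bob@agency.example", "Azure Portal", "2023-03-01T02:12:45Z", "timeout"),
    ("bob@agency.example", "Azure Portal", "2023-03-01T02:14:00Z", "denied"),
    ("bob@agency.example", "Azure Portal", "2023-03-01T02:15:20Z", "timeout"),
    ("bob@agency.example", "Azure Portal", "2023-03-01T02:16:40Z", "approved"),
    # carol: missed prompts spread across a day (a noisy app, not an attack)
    ("carol@agency.example", "Microsoft Teams", "2023-03-01T09:00:00Z", "timeout"),
    ("carol@agency.example", "Microsoft Teams", "2023-03-01T10:30:00Z", "timeout"),
    ("carol@agency.example", "Microsoft Teams", "2023-03-01T12:00:00Z", "timeout"),
    ("carol@agency.example", "Microsoft Teams", "2023-03-01T13:30:00Z", "timeout"),
    # dana: a burst that was never approved; still worth investigating
    ("dana@agency.example", "Office 365 Exchange Online", "2023-03-01T22:00:00Z", "timeout"),
    ("dana@agency.example", "Office 365 Exchange Online", "2023-03-01T22:01:00Z", "timeout"),
    ("dana@agency.example", "Office 365 Exchange Online", "2023-03-01T22:02:00Z", "timeout"),
    ("dana@agency.example", "Office 365 Exchange Online", "2023-03-01T22:03:00Z", "timeout"),
]]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def prompts_per_app(records):
    """Prompt volume by application: the view the prompts workbook gives admins."""
    return Counter(r["app"] for r in records)


def detect_mfa_fatigue(records, window=timedelta(minutes=10), threshold=4):
    """Flag users who received `threshold` or more unapproved push prompts
    (denied or timed out) inside any `window`-long span. An approval that
    follows such a burst within one window is escalated to high severity,
    because that is the outcome the attacker is after."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs = sorted(recs, key=lambda r: _ts(r["time"]))
        unapproved = [r for r in recs if r["result"] != "approved"]
        start = 0
        for end in range(len(unapproved)):
            # slide the window so the unapproved prompts it covers span at most `window`
            while _ts(unapproved[end]["time"]) - _ts(unapproved[start]["time"]) > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # extend to the last unapproved prompt still inside the window
            last = end
            while (last + 1 < len(unapproved)
                   and _ts(unapproved[last + 1]["time"]) - _ts(unapproved[start]["time"]) <= window):
                last += 1
            burst_end = _ts(unapproved[last]["time"])
            approved_after = any(
                r["result"] == "approved" and burst_end < _ts(r["time"]) <= burst_end + window
                for r in recs)
            alerts.append({
                "user": user,
                "apps": sorted({r["app"] for r in unapproved[start:last + 1]}),
                "burst_start": unapproved[start]["time"],
                "burst_end": unapproved[last]["time"],
                "unapproved_prompts": last - start + 1,
                "approved_after": approved_after,
                "severity": "high" if approved_after else "medium",
            })
            break  # one alert per user per run keeps the output readable
    return alerts


if __name__ == "__main__":
    for app, n in prompts_per_app(SAMPLE_SIGNINS).most_common():
        print(f"{n:3d} prompts  {app}")
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

On this sample, carol's four missed Teams prompts never fall inside one window, so she generates no alert even though her app is noisy; bob's burst followed by an approval is the high-severity case that should trigger an immediate credential reset and session revocation, and dana's unapproved burst is the medium-severity case that says her password is probably already in an attacker's hands.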
- 2. Number matching
To further improve the MFA experience, Microsoft also offers an authentication method called number matching. The sign-in screen displays a number, and the user must type that number into the Microsoft Authenticator app to approve the prompt; a plain Approve tap is no longer enough. A user who did not start the sign-in never sees the number and so cannot approve the prompt, even by accident. This sharply reduces the chance of a successful MFA fatigue attack and creates a stronger security posture.
- 3. Additional context
Additional context is another recommended way for agencies to further optimize their authentication methods. When additional context is enabled, the MFA prompt also shows information about the request itself, such as the geographic location it originated from and the application the user is signing in to.
This method can be coupled with number matching. The user then not only sees where the prompt came from and which application it targets, but also has to enter the specific number shown on the sign-in screen to approve it. Enabled together, the two controls make MFA fatigue attacks far harder to pull off: an unexpected request from an unfamiliar location for an application the user never opened is easy to reject, and one whose number the user cannot see cannot be approved at all. They target MFA fatigue specifically, though; they do not make push-based MFA phishing-resistant in the way FIDO2 or certificate-based methods are, so they should be treated as a strong improvement rather than the end of the road.
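To make the mechanism behind number matching and additional context concrete, here is a small model of a push-MFA challenge. It is an added example, not Microsoft Authenticator's or Azure AD's code: the class names, the 60-second prompt lifetime, the three-attempt limit and the sample user "bob@agency.example" are all assumptions. It shows the exchange from both sides, the sign-in screen that receives the number and the authenticator app that must supply it, and why the same Approve tap that grants an attacker access under plain push MFA fails under number matching.

```python
"""Model of a push-MFA challenge with number matching and additional context.
Added example, not Microsoft Authenticator's or Azure AD's code. The names
(PushMfaServer, PushChallenge), the 60-second lifetime, the 3-attempt limit
and the sample user are assumptions made for illustration."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PushChallenge:
    user: str
    app: str          # additional context: application being signed in to
    location: str     # additional context: where the sign-in originated
    number: int       # shown on the sign-in screen only, never inside the push
    created: datetime
    approved: bool = False
    closed: bool = False
    attempts_left: int = 3   # assumption: three wrong numbers close the challenge


class PushMfaServer:
    def __init__(self, number_matching=True, additional_context=True):
        self.number_matching = number_matching
        self.additional_context = additional_context
        self.ttl = timedelta(seconds=60)   # assumption: prompt lifetime
        self.challenges = {}

    def start_signin(self, user, app, location, now):
        """Password step already passed; issue a push challenge. Returns the
        challenge id and the number rendered on the sign-in screen, i.e. the
        screen of whoever is signing in, legitimate user or attacker."""
        number = secrets.randbelow(100)          # two-digit number, 00-99
        cid = secrets.token_hex(8)
        self.challenges[cid] = PushChallenge(user, app, location, number, now)
        return cid, number

    def notification(self, cid):
        """Contents of the push shown in the authenticator app."""
        ch = self.challenges[cid]
        body = {"user": ch.user, "enter_number": self.number_matching}
        if self.additional_context:
            body.update({"app": ch.app, "location": ch.location})
        return body

    def approve(self, cid, now, entered=None):
        """The user taps Approve, typing a number if one is required.
        Returns True only if the sign-in is granted."""
        ch = self.challenges[cid]
        if ch.closed or now - ch.created > self.ttl:
            ch.closed = True
            return False
        if self.number_matching and entered != ch.number:
            ch.attempts_left -= 1
            if ch.attempts_left == 0:
                ch.closed = True
            return False
        ch.approved = ch.closed = True
        return True


def scenario(number_matching=True, knows_number=False, delay_seconds=5, wrong_guesses=0):
    """One push challenge for bob. `knows_number` is True only when bob himself
    is at the sign-in screen; an attacker-initiated prompt leaves him without
    the number (entered=None). Returns whether the final Approve tap succeeded."""
    now = datetime(2023, 3, 1, 2, 10)
    srv = PushMfaServer(number_matching=number_matching)
    cid, number = srv.start_signin("bob@agency.example", "Azure Portal", "Unknown location", now)
    for i in range(wrong_guesses):
        srv.approve(cid, now + timedelta(seconds=i + 1), entered=(number + 1) % 100)
    entered = number if knows_number else None
    return srv.approve(cid, now + timedelta(seconds=delay_seconds), entered=entered)


def push_contents(additional_context=True):
    """What bob's authenticator app displays for an attacker-initiated prompt."""
    srv = PushMfaServer(additional_context=additional_context)
    cid, _ = srv.start_signin("bob@agency.example", "Azure Portal", "Unknown location",
                              datetime(2023, 3, 1, 2, 10))
    return srv.notification(cid)


if __name__ == "__main__":
    print("push shown to bob:             ", push_contents())
    print("blind approve, plain push:     ", scenario(number_matching=False))
    print("blind approve, number matching:", scenario(number_matching=True))
    print("bob at the keyboard:           ", scenario(knows_number=True))
```

The key line is the `entered != ch.number` check: with plain push, `scenario(number_matching=False)` returns True even though bob never typed anything, while under number matching the same reflexive tap returns False because the number exists only on the attacker's screen. The additional-context fields in `push_contents()` are what lets bob notice that a 2 AM Azure Portal request from an unknown location is not his, and the attempt and lifetime limits keep an attacker from simply guessing the two-digit number.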