Doing authentication well is vital for any company in the throes of digital transformation.
Digital commerce would fly apart if businesses could not reliably affirm the identities of all humans and all machines, that is, computing instances, that are constantly connecting to each other across the Internet.
At the moment, companies are confronting a two-pronged friction challenge when it comes to authentication. On the one hand, they encounter crippling friction when attempting to migrate legacy, on-premises systems to the cloud. On the other hand, there is no authentication to speak of, when there needs to be some, for the machine-to-machine connections that happen on the fly to make digital processes possible.
I had an enlightening discussion about this with Dana Tamir, vice president of market strategy for Silverfort, a Tel Aviv-based supplier of multi-factor authentication technology. We spoke at RSA 2020. For a full drill down of the interview, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length:
LW: Can you frame the authentication challenge companies face today?
Tamir: One of the biggest changes taking place is that there are many more remote users, many more employees bringing their own devices, and many more cloud resources being used. This has basically dissolved the network perimeter. You can’t assume trust within the perimeter because the perimeter doesn’t exist anymore.
And yet we know that threats exist everywhere, within our own environments, and out in the cloud. So that changes the way security needs to be applied, and how we authenticate our users. We now need to authenticate users everywhere, not only when they enter the network.
LW: What obstacles are companies running into with cloud migration?
Tamir: The problem is that companies have thousands of applications and systems that they need to migrate to the cloud, including older applications and homegrown applications. And changes need to be made to make the applications cloud ready.
You need to get into the application itself, into the code, and adapt it in order to support modern authentication protocols. And that’s not an easy task. Sometimes it just isn’t possible. And when you’re talking about thousands of applications, it can become a real problem. This becomes a barrier to cloud migration.
Having a way to enforce secure authentication on access to any migrated app, without changing it and adapting it to use modern authentication protocols, allows easy and secure cloud migration.
LW: Can you frame the separate issue of securing service accounts?
Tamir: Service accounts (machine-to-machine connections) are a big problem. The accounts that enable machines to communicate with each other are highly privileged accounts — and no humans are operating these accounts. Because they’re highly privileged and because they are not being monitored, they’ve become a target for hackers.
If a hacker can compromise a highly-privileged service account, then the hacker can gain control over different systems in that environment. So these accounts must be secured. However, because these accounts are not human-managed, many organizations have lost track of their service accounts, and the dependencies between different service accounts. And with the introduction of more and more automation, this is becoming a real problem. How can you protect privileged service accounts if you don’t know about them?
Until today, detecting these accounts and their dependencies, and securing their use, has been a big problem for many organizations. They are looking for a way that will allow them to easily apply effective protections.
LW: Why is it important to dial in just the right amount of security?
Tamir: At the end of the day, you want to strengthen security, but not at the expense of disrupting productivity or diminishing the user experience. It’s important to maintain usability and keep the costs as low as possible. If you need to modify too many systems, the cost will be high. If you need to modify service accounts, you might break dependencies and cause disruptions to the business.
You also don’t want to disrupt your users and prevent them from doing their job: if strengthening security results in too many false-positive alerts, it can become disruptive. So we see many organizations that are afraid to strengthen their security controls.
LW: How does Silverfort address this?
Tamir: Silverfort can add secure authentication to any system, whether it’s on-premises or in the cloud, without using any agents or proxies or requiring any code changes on the systems we protect. We monitor all the authentication protocols, and we add a layer of security on top of them. This allows us to secure any system, including homegrown and legacy applications, also IoT devices, file shares in databases, IT infrastructure, anything and everything.
The way we do it is by monitoring all the access requests in one central location; we analyze the user behaviors, their communities, and we analyze the way they access different resources. Based on that, we can assess the risk level of the user and the specific access request. So we can continuously adapt our policies according to the current risk level of specific activities.
LW: So you can issue gradations of ‘yes’ or ‘no’?
Tamir: If we’re not sure it’s a legitimate user, we can challenge the user. We can apply conditional access policies or step up security by sending out a multifactor authentication requirement, and if the user can meet it, then we know it’s a legitimate user and we can let them through.
If it’s a hacker or malware that’s unable to address the multifactor authentication, it will be blocked. It’s a way to get the real threats blocked while allowing legitimate users to continue their activities and work without disruptions.
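The risk-adaptive decision Tamir describes in the last three answers (score the access request against what is known about the user, let low-risk requests through, challenge uncertain ones with MFA, and let the challenge outcome decide) can be sketched as a small policy engine. The following is an added example written for this page, not Silverfort's code or scoring model: the baseline fields, weights, thresholds and the "critical resources always require MFA" conditional policy are all assumptions.

```python
"""Risk-adaptive access decisions: score an access request against the user's
behavioural baseline, then ALLOW it, STEP_UP to an MFA challenge, or BLOCK it.
Added example with invented weights, thresholds and field names; it is not
Silverfort's scoring model."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # challenge the user with MFA before granting access
    BLOCK = "block"       # too anomalous to even offer a challenge (assumed policy)


@dataclass
class Baseline:
    """What continuous monitoring has learned about one user (hypothetical fields)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_resources: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # local hours in which the user normally works


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    hour: int
    resource: str
    sensitivity: int   # 1 = low, 2 = medium, 3 = privileged / critical


# Illustrative weights and thresholds (assumptions; tuned per environment in practice).
WEIGHTS = {"unknown_device": 30, "unusual_country": 35, "off_hours": 15, "new_resource": 10}
STEP_UP_THRESHOLD = 25
BLOCK_THRESHOLD = 150
ALWAYS_STEP_UP_SENSITIVITY = 3   # conditional access policy: critical resources always need MFA


def risk_score(req: AccessRequest, base: Baseline) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each deviation from the baseline adds its weight;
    the sum is multiplied by resource sensitivity so the same anomaly weighs more
    on a critical system than on a wiki. The reasons list is what an analyst sees."""
    reasons = []
    if req.device_id not in base.known_devices:
        reasons.append("unknown_device")
    if req.country not in base.usual_countries:
        reasons.append("unusual_country")
    if req.hour not in base.usual_hours:
        reasons.append("off_hours")
    if req.resource not in base.usual_resources:
        reasons.append("new_resource")
    score = sum(WEIGHTS[r] for r in reasons) * req.sensitivity
    return score, reasons


def decide(req: AccessRequest, base: Baseline) -> Decision:
    score, _ = risk_score(req, base)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    if score >= STEP_UP_THRESHOLD or req.sensitivity >= ALWAYS_STEP_UP_SENSITIVITY:
        return Decision.STEP_UP
    return Decision.ALLOW


def enforce(req: AccessRequest, base: Baseline, mfa_passed: bool = False) -> bool:
    """Final gate. mfa_passed is the outcome of the challenge when one was issued:
    a legitimate user who completes MFA gets through; an attacker or malware
    holding only the password cannot complete it and is blocked."""
    decision = decide(req, base)
    if decision is Decision.ALLOW:
        return True
    if decision is Decision.STEP_UP:
        return mfa_passed
    return False


# Constructed baseline for one user; in a real deployment this is learned from logs.
ALICE = Baseline(known_devices={"laptop-01"}, usual_countries={"IL"},
                 usual_resources={"crm", "wiki", "payroll"})

if __name__ == "__main__":
    for req in (AccessRequest("alice", "laptop-01", "IL", 10, "crm", 1),
                AccessRequest("alice", "phone-99", "IL", 10, "crm", 1),
                AccessRequest("alice", "laptop-01", "IL", 10, "payroll", 3),
                AccessRequest("alice", "phone-99", "RU", 3, "payroll", 3)):
        print(req.resource, req.device_id, risk_score(req, ALICE), decide(req, ALICE).value)
```

The point of the three-way outcome is the one made in the interview: most requests cost the user nothing, the uncertain middle costs one MFA prompt, and only a request that fails the prompt (or, under the assumed hard ceiling, looks nothing like the user at all) is blocked.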
Silverfort also detects and analyzes the use of service accounts. If we see abnormal activity related to these accounts we can either alert in real time to allow a security analyst to look into it, or block their activity to prevent compromise.
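The two service-account problems raised above, first discovering the accounts and their dependencies that nobody tracks, then spotting abnormal use of them, can both be approached from the authentication logs that any monitoring layer already sees. The following is an added example for this page, not Silverfort's detection logic: the log format, the host and account names, and the "every observed logon is non-interactive" discovery heuristic are constructed assumptions.

```python
"""Service-account discovery and anomaly detection over authentication logs.
Added example; the log format, hostnames, account names and heuristics are
hypothetical and not any vendor's implementation."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"logon=(?P<logon>\S+) result=(?P<result>\S+)"
)
NON_INTERACTIVE = {"network", "service", "batch"}

# Constructed history: a backup account used nightly by two app servers,
# and a human user whose activity includes interactive logons.
BASELINE_LOG = [
    "2024-03-01T02:00:05 src=app01 dst=db01 user=svc_backup logon=network result=success",
    "2024-03-02T02:00:04 src=app01 dst=db01 user=svc_backup logon=network result=success",
    "2024-03-03T02:00:06 src=app02 dst=db01 user=svc_backup logon=network result=success",
    "2024-03-01T09:12:31 src=ws-05 dst=fileshare01 user=alice logon=interactive result=success",
    "2024-03-01T09:40:02 src=ws-05 dst=fileshare01 user=alice logon=network result=success",
    "2024-03-02T08:55:10 src=ws-05 dst=crm01 user=alice logon=interactive result=success",
]
# Constructed new events: one normal nightly run, one use of the same account
# from a workstation, interactively, against a domain controller.
NEW_LOG = [
    "2024-03-04T02:00:05 src=app01 dst=db01 user=svc_backup logon=network result=success",
    "2024-03-04T14:22:48 src=ws-hr-17 dst=dc01 user=svc_backup logon=interactive result=success",
]


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts, silently skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def discover_service_accounts(events, min_events: int = 3) -> Dict[str, Set[Tuple[str, str]]]:
    """Heuristic discovery (assumption): an account whose every observed logon is
    non-interactive is treated as a service account. The value is its dependency
    map, the set of (source host, target) pairs that rely on the account; these
    are the links that break if the account is changed without warning."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    found = {}
    for user, evs in by_user.items():
        if len(evs) >= min_events and all(e["logon"] in NON_INTERACTIVE for e in evs):
            found[user] = {(e["src"], e["dst"]) for e in evs}
    return found


def check_event(e: Dict[str, str], baseline: Dict[str, Set[Tuple[str, str]]]) -> List[str]:
    """Return the ways this event deviates from the account's learned baseline;
    an empty list means the event is consistent with normal use."""
    reasons = []
    if e["user"] not in baseline:
        return reasons   # not a known service account; out of scope here
    pairs = baseline[e["user"]]
    if e["logon"] not in NON_INTERACTIVE:
        reasons.append(f"interactive logon by service account from {e['src']}")
    if e["src"] not in {s for s, _ in pairs}:
        reasons.append(f"new source host {e['src']}")
    if e["dst"] not in {d for _, d in pairs}:
        reasons.append(f"new target {e['dst']}")
    return reasons


def audit(history: List[str], new_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Learn the baseline from history, then return (account, reasons) for every
    new event that deviates; the caller alerts an analyst or blocks on these."""
    baseline = discover_service_accounts(parse(history))
    alerts = []
    for e in parse(new_lines):
        reasons = check_event(e, baseline)
        if reasons:
            alerts.append((e["user"], reasons))
    return alerts


if __name__ == "__main__":
    print(discover_service_accounts(parse(BASELINE_LOG)))
    for user, reasons in audit(BASELINE_LOG, NEW_LOG):
        print(user, reasons)
```

The dependency map produced by discovery is as useful as the alerts: it is the inventory the interview says many organizations have lost, and it tells you which hosts would be disrupted if the account were rotated or its use restricted.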
LW: So you can give the right measure of authentication – for both people and machines?
Tamir: Exactly, and we do it without changing any of your systems, or the way they are communicating with users or with other machines. We do it without deploying software agents on the servers and without deploying proxies in the network. This unique architecture allows us to manage and enforce secure authentication in a unified way across all users and devices, and all the resources they access, no matter what they are or where they are.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-silverfort-helps-companies-carry-out-smarter-human-and-machine-authentications/