{"id":17732,"date":"2020-02-13T18:52:06","date_gmt":"2020-02-14T02:52:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/02\/13\/news-11467\/"},"modified":"2020-02-13T18:52:06","modified_gmt":"2020-02-14T02:52:06","slug":"news-11467","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/13\/news-11467\/","title":{"rendered":"Changing the Monolith\u2014Part 4: Quick tech wins for a cloud-first world"},"content":{"rendered":"

Credit to Author: Todd VanderArk| Date: Thu, 13 Feb 2020 18:00:25 +0000<\/strong><\/p>\n

You may have heard that identity is the \u201cnew\u201d perimeter<\/a>. Indeed, with the proliferation of phishing attacks<\/a> over the past few years, one of the best ways to secure data is to ensure that identity\u2014the primary way we access data\u2014can be trusted.<\/p>\n

How do we secure identity?<\/h3>\n

Start by evaluating how users are authenticating to all applications inside and outside the organization<\/a>. I say all applications,<\/strong> because it doesn\u2019t take much effort for a hacker to pivot from a low-value, non-sensitive application to a high-value and highly-sensitive application, quickly gaining access to confidential or restricted data.<\/p>\n

Similarly, Multi-Factor Authentication (MFA) must be enforced for all users<\/strong> as well, not just highly privileged users. Remember that it is simple for bad actors to pass-the-hash, run a Golden Ticket Attack, or use other techniques to elevate their privileges and gain access to sensitive data.<\/p>\n

Modern authentication encourages us to reduce vulnerable legacy authentication methods, including Kerberos<\/a> and NTLM<\/a>. Additionally, modern authentication requires that we rely on more than one factor of authentication for all users<\/a>. These factors range from something you know (password or one-time password), something you have (hardware token<\/a> or soft token), or something you are (biometrics<\/a> like 3D facial recognition or fingerprint matching).<\/p>\n

\"Image<\/a><\/p>\n

Start with MFA.<\/em><\/p>\n

Requiring MFA for all applications<\/a>, whether on-premises or in the cloud, is a great start. When using MFA, consider enforcing an authenticator app<\/a> or a one-time password<\/a> mechanism as they are typically not as susceptible to man-in-the-middle attacks<\/a>, compared to text-back codes or phone calls that may be intercepted with spoofing.<\/p>\n

The least vulnerable MFA mechanisms include FIDO2<\/a>, which utilizes a biometric device or USB hardware token like YubiKey<\/a>, and machine learning systems that can provide conditional access based on Zero Trust<\/a> and time-of-authentication context.<\/p>\n

Here is the context commonly evaluated by machine learning authentication systems:<\/p>\n