Insight by Microsoft

Implementing identity and access management to meet cyber EO 14028 requirements

This content is sponsored by Microsoft.


One of the biggest cyberattack vectors we see today is stolen or weak passwords. As federal agencies work to meet the milestones laid out in memorandum 22-09 in support of President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, implementing a strong identity and access management solution is a practical first step with a large impact in improving an organization’s security.

Not all MFA methods are created equal

Multi-factor authentication (MFA) can prevent 99.9% of all identity-related attacks. However, not all forms of MFA are created equal. For example, there are many ways that SMS and call-based MFA can be bypassed by determined hackers. Therefore, memo 22-09 suggests federal agencies implement phishing-resistant MFA.

“Federal agencies often get sophisticated phishing attacks. Using SMS and other less secure MFA methods is not sufficient. It’s critical to look at how people can adopt phishing-resistant MFA,” said Natee Pretikul, principal product manager lead for identity and network access at Microsoft. “Certificate-based authentication (CBA), FIDO2 security key, and Windows Hello for Business are great phishing-resistant MFA options, especially when paired with federal agencies’ preferred CAC or PIV card options.”

That’s why Microsoft recently announced that Azure Active Directory, a multicloud identity and access management tool, now supports CBA. It also offers Windows Hello for Business, an MFA solution that replaces passwords with biometrics and PINs tied to specific Windows devices. Finally, it also supports FIDO2 security keys, which are useful options for users with multiple devices.

Enforce strong authentication to effectively mitigate phishing campaigns

But IT leaders can’t just provide every available MFA option to users and let them choose. Users will always choose the path of least resistance, and often, that means less secure MFA options that leave them open to phishing attacks.

IT admins need a solution that will allow them to enforce the policy and mandate which MFA methods users can use to sign in. And many customers, including federal agencies, need to consider the authentication methods used by the external users accessing their resources. They need a cross-tenant solution that applies not only to their own end users, but anyone accessing their systems, like contractors.

“Azure AD Conditional Access authentication strength is a great tool to enforce phishing-resistant MFA methods for employees, contractors and external users,” Pretikul said. “Certain departments, for example, need to use a FIDO2 security key. With Azure AD authentication strength, federal agencies can restrict the FIDO2 security key to specific key vendors and modules. You can even disable SMS as an MFA method for users who should no longer use these less secure methods. So there is a wide variety of options made available for government agencies.”
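The enforcement described above, as an added example that is not Microsoft’s or the article’s own code: it creates a custom authentication strength limited to phishing-resistant methods, pins the FIDO2 option to approved key models by AAGUID, and applies it through a report-only Conditional Access policy. It assumes the Microsoft.Graph PowerShell module and an admin session with the two listed scopes; the AAGUID and the emergency-access account ID are placeholders, not real values.

```powershell
# Added example (not Microsoft's or the article's own code). Assumes the
# Microsoft.Graph PowerShell module and an admin session with these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod","Policy.ReadWrite.ConditionalAccess"

# 1. Custom authentication strength that allows only phishing-resistant methods:
#    FIDO2 security key, Windows Hello for Business and certificate-based auth.
#    SMS, voice call and app push are simply absent, so they cannot satisfy it.
$strength = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies" `
    -Body @{
        displayName         = "Agency phishing-resistant MFA"
        description         = "FIDO2, WHfB or CBA only; no SMS, voice or push"
        allowedCombinations = @("fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor")
    }

# 2. Restrict the FIDO2 combination to approved key models by AAGUID.
#    The AAGUID below is a placeholder; use the values your key vendor publishes.
$approvedAaguids = @("00000000-0000-0000-0000-000000000000")  # placeholder
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/$($strength.id)/combinationConfigurations" `
    -Body @{
        "@odata.type"         = "#microsoft.graph.fido2CombinationConfiguration"
        appliesToCombinations = @("fido2")
        allowedAAGUIDs        = $approvedAaguids
    }

# 3. Conditional Access policy requiring that strength for all users ("All"
#    includes guest and external users such as contractors) on every app.
#    It starts in report-only mode so the sign-in logs show who would be
#    blocked before the state is changed to "enabled".
$breakGlass = "<object-id-of-emergency-access-account>"  # placeholder
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body @{
        displayName   = "Require phishing-resistant MFA (report-only)"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{
            operator               = "OR"
            authenticationStrength = @{ id = $strength.id }
        }
    }
```

Review the report-only results in the sign-in logs for a few weeks and confirm the excluded emergency-access account is monitored before switching the policy to enforced.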

Embrace flexible, hybrid work environment

Since the pandemic, telework has exploded, and most experts agree that the flexibility it offers is here to stay. That means IT leaders need to find a way for people to work from home and access their virtual machines more securely. To do that, they have to make MFA available across a variety of environments.

Pretikul said federal agencies are also working to make it easier for staff to work on mobile devices. Certificate-based authentication on mobile is another capability that Azure AD customers can use now.

Partnerships can accelerate your zero trust journey

To offer this variety of options to federal customers, Microsoft partners with many leading zero trust vendors. The Microsoft Intelligent Security Association now includes over 185 independent software vendor members, including phishing-resistant MFA vendors such as Yubico, Thales and HID Global. That’s because achieving zero trust requires a variety of solutions, all integrated to work together to secure a system.

Next steps

All of these considerations are key to building an agency’s zero trust strategy, because identity and access management is foundational to those efforts. Zero trust architecture requires agencies to be able to authenticate who is accessing any given resource in real time, and the most effective way to safeguard those identities is MFA. That’s why President Biden, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of Management and Budget (OMB) put so much emphasis on MFA in the EO and follow-up guidance.

To learn more, Pretikul pointed agencies to Microsoft’s cybersecurity EO page: “Microsoft is here to support federal agencies along their zero trust journey, and a good place to start is our repository of reference content on our cybersecurity EO page.”