Jan 19, 2020

Seamless and Ubiquitous Authentication Across Sensitive Assets

The cyber security world can learn from the physical security world where you need visibility to enforce security policies. Surveillance cameras, for example, have become omnipresent. Wherever we go, we expect cameras to be watching our every move. The intent? To prevent crime, or at least, to identify and apprehend criminals after a crime has been committed. Despite the lack of agreement on whether CCTV cameras truly prevent crime[i], the argument that improved visibility increases detection rates is one that can be applied to cyber security. Full visibility is certainly the first step in identifying all systems and entities on the network which require security control.

For this reason, we have seen a boost in the number of security vendors touting the visibility their products provide. From network scanning to application identification to asset inventory, every product seems to offer a “visibility-first” approach nowadays. However, when it comes to system security and data protection, visibility without policy enforcement feels like an empty promise. Surveillance isn’t the goal; preventing unauthorized and unauthenticated access is. Fortunately, unlike CCTV cameras, with the right security technology deployed, organizations can take action against identified malicious network activity. The key is applying enforcement on every system, regardless of where in the network it is deployed, what type of system it is, or whether it is a purpose-built, proprietary application or off-the-shelf.

While networks of the past may have been easy to track, today’s networking must account for on-premises and virtual data centers, cloud, IoT, BYOD, remote workers, OT, homegrown and legacy applications, and more. This is a lot of ground to cover, and finding then preventing access to sensitive data stores is a major undertaking, especially if the visibility tools and access controls implemented cannot handle modern networking or protocols.

Extensible MFA

Silverfort, an authentication vendor based in Israel, secures authentication to sensitive systems, including those which can’t be secured with traditional agent- and proxy-based authentication technologies. The company was founded by three former members of the 8200 cyber security unit of the Israeli Defense Forces (IDF) to answer the question, “How do I protect assets on which multi-factor authentication (MFA) can’t be installed?” The team watched the market for MFA solutions explode, but they didn’t see MFA capabilities available for many sensitive assets such as legacy/homegrown apps, remote administrative tools, file shares, OT, and IoT. So that is what they built.

The idea behind Silverfort is that visibility and control must be seamless, meaning organizations shouldn’t have to install proxies or agents on each asset, because doing so is impossible in today’s complex and dynamic networks. Further, authentication mechanisms must not change user workflows. Despite the known security benefits of MFA, adoption remains low: only 30% to “just under” 50% of organizations use MFA (depending on which industry study you read), because users don’t want to perform additional actions or have access to resources delayed, even if it equals stronger security.

How it works

Silverfort is deployed as a virtual machine. Every time a user/endpoint or service/resource requests access to a resource, the request is authenticated with an identity store and then routed to Silverfort. One of the benefits of the technology, said Dana Tamir, Silverfort’s VP of Market Strategy, is that Silverfort doesn’t change the way authentication happens.

The policy engine allows the customer to set allow/deny/step-up MFA rules for each asset and every access request, based on circumstance. In other words, Silverfort can be considered a zero trust technology. What’s interesting about Silverfort is that the company plays nicely with other zero trust authentication technologies like Okta, Ping Identity, Duo (Cisco), and Yubico. If a customer already uses a third-party partner’s MFA solution, Silverfort can act as the policy engine, extending strong authentication to more systems than currently supported. Additional integrations include Palo Alto, Check Point, and Microsoft, ensuring step-up authentication is triggered when an internal security alert fires.

The installation process seems simple enough: Tamir said that all that is needed is a simple configuration of the identity stores to forward authentication requests to Silverfort’s virtual machine. The key is the ability to understand the encrypted authentication protocols without decrypting them. Once up and running, the system starts working immediately, though Tamir says most customers set Silverfort to passive mode for approximately 30 days so that “they can see what’s going on, what protocols are in use, and who is communicating with what.” The reason, I suspect, is actually twofold: First, passive mode provides the coveted visibility mentioned at the beginning of this article but does so without applying changes to the customer’s controls. In other words, it allows the customer to grow accustomed to the system. Second, this learning period provides the training data that makes the technology more effective once it’s set to enforcement mode.

Use cases

Tamir shared five use cases for the product, the most compelling of which, in my opinion, is secure cloud migration. As companies move more resources to the cloud, one major concern is keeping legacy applications and servers secure throughout the process. Silverfort is a Microsoft co-sell partner, helping Microsoft customers safely migrate their systems to Azure—which means that secure authentication, access control, and auditing stay turned on from on-prem to cloud.

Other use cases include securing the use of service accounts, enforcing MFA on privileged access, and monitoring machine-to-machine access. Again, the key here is a form of continuous “surveillance” and protection as companies operate modern networks. It’s ensuring that strong access control is applied for every data repository and sensitive system, regardless of when it was implemented, the authentication protocols used, or where in the network the data reside. It can identify malicious attempts and block them before access is granted.

If any of the aforementioned use cases apply to your organization, give Silverfort a call. They have offices in Europe, Asia, and the US, making it easy to get in touch. And as always, let us know what you think after taking it for a test run.

___________________________________________________________________

[i] https://www.urban.org/sites/default/files/publication/27556/412403-evaluating-the-use-of-public-surveillance-cameras-for-crime-control-and-prevention_0.pdf