The Federal government has recently taken new steps towards creating a zero trust security environment, building on last May’s Executive Order on Improving the Nation’s Cybersecurity (EO) aimed at advancing the standards by which we protect our federal information system.
On January 19, the President issued a National Security Memorandum extending the EO to National Security Systems (NSS), stating that NSS has 180 days to adopt Multi-Factor Authentication (MFA). On January 26, the Office of Management and Budget released a memorandum creating a Federal zero trust architecture, requiring that all agencies achieve zero trust security goals by FY2024 and referencing MFA as a critical part of the government’s security baseline.
The key foundation of all of this work is the integration of MFA agency by agency. As new measures are undertaken to protect our government’s cybersecurity systems, the government must ensure that MFA solutions are widely adopted across agencies and that lessons learned are shared. While we currently don’t have specific data (for understandable security reasons) describing where agencies are in the adoption of MFA, at Akamai, we know from our own MFA journey how much time, effort, and resources it takes for organizations to implement MFA solutions, and the struggles faced when doing so.
With this experience in mind, here are five tips for federal agencies, and others, looking to adopt MFA technology and begin a zero trust security journey:
Start With a Quick Win
It is daunting and, frankly, impractical, to migrate all systems and applications to MFA immediately. So begin your journey with a quick and impactful win – for example, implement MFA for your Single Sign-On (SSO). Likely, you already have many applications behind the SSO, so this point of integration gets you MFA for all of those applications in one step. In addition, this step will get your teams familiar with implementing your chosen MFA solution and start getting your end-users into the habit of using MFA.
Prioritize MFA Integrations by Impact
Once you have a quick win under your belt, evaluate your environment to prioritize the remaining necessary MFA integrations. At the top of your list should be integrations that will have the greatest impact – either by volume of applications and systems protected or by criticality to your agency. After SSO, implement MFA for your virtual private network (VPN) (and better yet, replace your VPN with a Zero Trust Access solution), since numerous attacks have started by exploiting weak authentication on the VPN. This prioritization exercise will help you break your migration into manageable increments and ensure your most valuable assets are protected first.
Leverage FIDO2 With Mobile Devices Versus Physical Tokens
If you can use mobile devices for MFA instead of physical tokens, the MFA implementation and enrollment is greatly simplified both for your end users and your helpdesk. Everybody already has a mobile device, so by using these devices, you avoid the headache of rolling out and maintaining physical tokens. Moreover, push-based MFA for mobile devices is incredibly easy to use – your users will be delighted – and modern solutions make it very easy for users to enroll their devices, so almost no effort is needed from your helpdesk.
As long as your MFA solutions leverage the newer FIDO2 MFA security technology, you will both improve your security defenses and provide greater convenience to users with frictionless mobile push notifications. Of course, in some cases, physical tokens may be a necessity. In those cases, it’s important to have an MFA solution that is flexible enough to adapt to your agency’s requirements.
Piggyback on Other Cyber Initiatives
As with any IT or security initiative, there is no success without end-user awareness and adoption. To help speed up adoption, we recommend combining an MFA rollout with other cybersecurity training or awareness campaigns whenever possible. By introducing (and then reminding) your employees about how to use MFA and explaining its role in a broader zero trust architecture as part of your regular cadence of training, you help prevent training fatigue and integrate MFA into the day-to-day technology landscape.
Invest in a Strong Identity Solution
While it’s a separate initiative from the MFA implementation, I’d be remiss if I didn’t mention the importance of your other Identity and Access Management (IAM) systems like Identity Management (IdM). These systems provide the framework to link authenticated users with the policies that control what they are able to access. Consider when and how you can focus on your IdM solution, either in parallel with your MFA implementation, or shortly thereafter.?? Strong identity and access management with FIDO2-based MFA is the foundational technology upon which additional security technologies can be most effective.
With these key steps in mind, Federal agencies can ease the transition to an MFA solution and work to improve their cybersecurity defenses. These steps also satisfy the requirements of the Administration’s Executive Order for improving the government’s cybersecurity posture, and help agencies move towards a true zero trust approach to security.