Answer yes if your organisation forces all remote connections to its network or cloud environment to be secured using two-factor authentication.
What is the control?
Multi-Factor Authentication (MFA) requires a second form of authentication when logging into or connecting to a service. This makes it significantly more difficult for an account to be compromised because, to authenticate, someone needs not only the account password but also a second piece of information, which is often variable (it changes over time). As an example, this could be a 6-digit code displayed on a physical token or sent to the person’s phone by SMS.
This ensures that someone who may have your account password still cannot use it unless they also have your physical token or phone.
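The variable 6-digit code described above is, in most authenticator apps and hardware tokens, a time-based one-time password (TOTP, RFC 6238) derived from a shared secret and the current 30-second time step. The following is an added example (not code from Risk Ledger or from any product the page mentions) showing how a server verifies such a code: it accepts a small clock-drift window, compares in constant time, and refuses to accept the same code twice. The secret is the published RFC 4226/6238 test-vector key, not a real credential; the `TotpVerifier` class and its names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6   # length of the code shown to the user
STEP = 30    # time-step length in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps usually receive the shared secret as Base32 text."""
    return base64.b32decode(encoded.upper())


class TotpVerifier:
    """Server-side check: allow +/- `window` steps of clock drift, reject replays.

    `last_counter` remembers the highest time step already consumed, so a code
    captured in transit cannot be submitted a second time within its validity.
    (Hypothetical helper written for this example.)
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        counter = at // STEP
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # that step was already used: replay or stale code
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890"), Base32-encoded
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print("code at t=59:", totp(secret, 59))        # 287082 per RFC 6238 (6-digit form)
    v = TotpVerifier(secret)
    print("first use accepted:", v.verify("287082", 59))
    print("replay accepted:", v.verify("287082", 59))
```

The replay guard is what turns "something you have" into a real second factor at the server: without it, a code phished or sniffed seconds earlier is still valid for the rest of its 30-second step.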
Why should I have it?
While MFA is increasingly common, it’s especially important to use it for network remote access or any cloud-based business platform because of the implications of such an account being compromised. It would be akin to someone plugging their computer into your internal network (or cloud service), bypassing all your network protections (firewalls, intrusion detection systems, etc.), with the access of a regular user (or worse), from which they can start exploring your network and escalating their access.
It is not only a potentially devastating attack vector, but one that can be brute-forced slowly over time with relatively little chance of detection. Conversely, it’s also one of the easiest to mitigate with MFA, which is why many clients will look for it as part of their due diligence.
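The "slow brute force" point above is a detection problem as much as a prevention one: a lockout or alert rule that counts failures per hour never fires on a few guesses per day. The following is an added example (not code from Risk Ledger) that runs over constructed VPN authentication log lines, in a made-up format, and counts failed logins per account and source address inside a sliding window, so the same attempts that look harmless over one hour become visible over twenty-four. The log format, thresholds and function names are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines in an invented "<ts> vpn <result> user=<u> src=<ip>" format.
# "alice" is guessed roughly every four hours; "bob" mistypes twice then succeeds.
SAMPLE_LOG = """\
2024-03-01T00:12:05Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T04:15:40Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T08:03:19Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T09:00:00Z vpn auth-fail user=bob src=198.51.100.9
2024-03-01T09:01:10Z vpn auth-fail user=bob src=198.51.100.9
2024-03-01T09:02:00Z vpn auth-ok user=bob src=198.51.100.9
2024-03-01T12:30:55Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T16:45:02Z vpn auth-fail user=alice src=203.0.113.7
2024-03-01T20:50:33Z vpn auth-fail user=alice src=203.0.113.7
"""

Key = Tuple[str, str]  # (user, source address)


def parse(lines: Iterable[str]) -> List[Tuple[datetime, str, str, str]]:
    """Parse the sample format into (timestamp, result, user, src) tuples."""
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[1] != "vpn":
            continue  # ignore anything that is not an auth record
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        user = fields[3].split("=", 1)[1]
        src = fields[4].split("=", 1)[1]
        events.append((ts, fields[2], user, src))
    return sorted(events)


def failure_times(lines: Iterable[str]) -> Dict[Key, List[datetime]]:
    """Group failed-login timestamps by (user, src), sorted in time order."""
    fails: Dict[Key, List[datetime]] = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "auth-fail":
            fails[(user, src)].append(ts)
    return dict(fails)


def max_failures_in_window(stamps: List[datetime], window: timedelta) -> int:
    """Largest number of failures that fall inside any span of length `window`."""
    best = left = 0
    for right in range(len(stamps)):
        while stamps[right] - stamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def low_and_slow(lines: Iterable[str], window: timedelta = timedelta(hours=24),
                 threshold: int = 5) -> Dict[Key, int]:
    """Return (user, src) pairs whose failures within `window` reach `threshold`."""
    alerts = {}
    for key, stamps in failure_times(lines).items():
        peak = max_failures_in_window(stamps, window)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-hour rule:", low_and_slow(lines, window=timedelta(hours=1)))  # {}
    print("24-hour rule:", low_and_slow(lines))  # alice from 203.0.113.7 flagged
```

Even with this kind of monitoring in place, the page's recommendation stands: a correct password guess against a VPN account without MFA is a foothold, whereas with MFA enforced it is only a password change.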
MFA is also increasingly becoming a regulatory requirement within many sectors.
Your network security policy should dictate that all remote access, such as VPNs connecting to the internal network, or critical cloud services, have MFA enforced for all connections. Ensure that any product you deploy to grant remote access, or any remote or cloud services involving sensitive data, supports this capability as part of your procurement and provisioning processes.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.