
What is Multi-Factor Authentication for Systems?

Privileged account exploitation is a tried and true means of accomplishing a cyber attack. Most of the major breaches of the last decade have involved some variant of privileged credential theft. Once acquired, credentials let attackers move laterally within an organization’s networks and reach sensitive data in databases or applications. At first blush this seems like an end user problem: stop the unauthorized use of user credentials and you’ve solved it. User account takeover, privileged or otherwise, is certainly one problem the information security industry needs to keep working on, but it is not the only authentication issue security pros should be concerned with. Machines, files, databases, and applications also use credentials to authenticate before they communicate on the network. Networked assets primarily rely on digital credentials (keys, passwords, API tokens) or digital certificates as their form of “identification.” But just as with end user identities, typically a username and password, attackers can exploit holes in traditional system resource authentication to gain unauthorized access to the data those resources hold.

When a large-scale breach can be carried out with nothing more than stolen valid credentials, it is no surprise that credential-based intrusions keep growing. Rather than keep investing in controls of limited effectiveness, security teams can take a page from user-focused identity and access management best practice and apply it to system resources, this time ratcheting up control by broadening the definition of “identity.”

Challenging the definition of identity and access management

Most security practitioners think of multi-factor authentication as a user control that reduces the chance of an adversary using legitimate credentials to gain unauthorized access to applications, data, or systems. However, databases, applications, hosts, servers, and processes also need access permissions to function, and, as noted above, the most common way of authenticating them today is a set of digital credentials or a digital certificate. Just as end user IDs and passwords can be phished or stolen, so can system credentials and certificates: an API key in a config file or a private key on disk is copied as easily as a password. Savvy criminals depend on this to move undetected through an organization’s network to their ultimate targets: data-rich applications and databases.


For years, “identity and access management” (IAM) has meant a specific thing to security practitioners. However, if we expand the definition of “identity” to include the identity of system resources, it’s easy to see that system resources—just like users—have many attributes which constitute an identity; identity isn’t limited to a small set of user-defined inputs, and it definitely should not be based on things an attacker can socially engineer.

As a way to curtail account takeover, many security teams have implemented multi-factor authentication (MFA), especially for privileged accounts which have access to sensitive systems and data. Traditional MFA, though, isn’t bulletproof; attackers have bypassed it by phishing one-time codes, hijacking phone numbers (SIM swapping), and wearing users down with repeated push prompts, among other techniques. It’s therefore necessary to look at how to change the definitions of both identity and MFA to be more robust and more reliable as security controls.

System-based identity as an IAM mechanism

Expanding on the idea of multi-factor authentication and applying it to system resources, consider the fact that assets and resources have identities (just like users), and those identities can be used to determine access permissions to other networked resources. In this model of system-based MFA, rather than defining each resource by an identity built from assigned attributes (e.g., a username and password, or an issued certificate), identities are built from a collection of attributes sourced from the kernel, which can include hardware and software product names, versions, patch level, loaded modules, baseline behavioral information, and much more.

Aggregating identity information in this way (rather than assigning an identity and then using a separate second factor to validate it) provides context that lets security policy judge the authenticity of a network communication request and authenticate system resources more reliably. If one attribute in an identity changes, for instance the patch level or the executable’s file path, system-based MFA checks the rest of the requesting asset’s attributes before the resource is allowed to send or receive the request. A single, explainable change with everything else intact looks like maintenance; many changed attributes behind an otherwise valid credential look like a different asset presenting someone else’s credential.
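The check described above, as an added example written for this page (it is not Edgewise’s product code): a small Python policy evaluator in which an asset’s identity is a bundle of OS-sourced attributes alongside its traditional credential. The attribute names, the `max_drift` tolerance, the `collect_local_identity` helper (which reads /proc on Linux and assumes it is readable) and all sample identities and keys are constructed assumptions for illustration.

```python
"""Added example: attribute-based ("system MFA") identity check.
Policy stores an expected attribute bundle and credential. A request is
authorised only when the credential matches AND the observed bundle agrees
with policy, tolerating at most `max_drift` changed attributes (the
"one attribute changed, check the rest" rule described in the text)."""
from __future__ import annotations

import hashlib
import hmac
import os
import platform
import sys
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class AssetIdentity:
    product: str                    # e.g. "orders-api"
    exe_path: str                   # path of the running executable
    exe_sha256: str                 # hash of that executable
    os_version: str                 # kernel / OS release string
    patch_level: str                # vendor patch identifier (volatile)
    loaded_modules: frozenset[str]  # kernel modules present on the host


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    drifted: tuple[str, ...]        # attributes that differed from policy


def diff_attributes(expected: AssetIdentity, observed: AssetIdentity) -> tuple[str, ...]:
    """Names of identity attributes whose observed value differs from policy."""
    return tuple(f.name for f in fields(AssetIdentity)
                 if getattr(expected, f.name) != getattr(observed, f.name))


def authorize(expected: AssetIdentity, expected_credential: str,
              observed: AssetIdentity, presented_credential: str,
              max_drift: int = 1) -> Decision:
    """Allow only if the credential AND the attribute bundle agree with policy."""
    # Factor 1: the traditional credential. Necessary, but no longer sufficient.
    if not hmac.compare_digest(presented_credential.encode(), expected_credential.encode()):
        return Decision(False, "credential rejected", ())
    # Factors 2..n: the system-sourced attributes.
    drifted = diff_attributes(expected, observed)
    if not drifted:
        return Decision(True, "identity matches policy", ())
    if len(drifted) <= max_drift:
        # One attribute moved (e.g. a patch); the rest of the bundle still vouches.
        return Decision(True, "accepted with drift in " + ", ".join(drifted), drifted)
    return Decision(False, "credential valid but asset not recognised: "
                    + ", ".join(drifted) + " changed", drifted)


def collect_local_identity(product: str, patch_level: str = "unknown") -> AssetIdentity:
    """Gather this process's bundle from the OS. Assumption: Linux with a
    readable /proc; elsewhere the module list is simply empty."""
    exe = os.readlink("/proc/self/exe") if os.path.exists("/proc/self/exe") else sys.executable
    with open(exe, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    modules: frozenset[str] = frozenset()
    if os.path.exists("/proc/modules"):
        with open("/proc/modules") as fh:
            modules = frozenset(line.split()[0] for line in fh if line.strip())
    return AssetIdentity(product, exe, digest, platform.release(), patch_level, modules)


# Constructed sample data (not taken from any real environment).
POLICY_CREDENTIAL = "svc-orders-api-key-01"
POLICY_IDENTITY = AssetIdentity(
    product="orders-api",
    exe_path="/opt/orders/bin/orders-api",
    exe_sha256="3f1c" + "0" * 60,
    os_version="5.15.0-91-generic",
    patch_level="2024-01",
    loaded_modules=frozenset({"ext4", "nf_conntrack", "xt_state"}),
)
# The same service after a patch: one attribute drifted, the rest vouches for it.
PATCHED_SERVICE = replace(POLICY_IDENTITY, patch_level="2024-02")
# An attacker replaying the stolen key from another box: credential valid, bundle wrong.
STOLEN_KEY_HOST = AssetIdentity(
    product="orders-api",
    exe_path="/tmp/.x/client",
    exe_sha256="deadbeef" + "0" * 56,
    os_version="6.1.0-17-amd64",
    patch_level="2024-01",
    loaded_modules=frozenset({"ext4"}),
)

if __name__ == "__main__":
    for label, ident, cred in [("legitimate", POLICY_IDENTITY, POLICY_CREDENTIAL),
                               ("patched", PATCHED_SERVICE, POLICY_CREDENTIAL),
                               ("stolen key", STOLEN_KEY_HOST, POLICY_CREDENTIAL),
                               ("wrong key", POLICY_IDENTITY, "guess")]:
        d = authorize(POLICY_IDENTITY, POLICY_CREDENTIAL, ident, cred)
        print(f"{label:10} allowed={d.allowed} reason={d.reason}")
```

The "stolen key" case is the one the article is about: the credential is perfectly valid, yet four attributes of the presenting asset disagree with the bundle the policy expects, so the request is refused. The patched service, by contrast, passes because only `patch_level` moved. In a real deployment the tolerated drift would be per-attribute (a changed executable hash deserves more scrutiny than a changed patch string), and the bundle would be collected by an agent rather than trusted from the requester.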

Because system-based identity automatically incorporates myriad factors, the separate verification step required by traditional MFA becomes unnecessary: the aggregated identity attributes themselves are the “extra check” that determines whether an application or service should be authorized on the network. The result is that only resources whose whole identity matches policy get to communicate, so a stolen key or certificate presented from an unrecognized asset is refused even though the credential is valid. One caveat a practitioner should keep in mind: an attacker who gains code execution on a legitimate host inherits that host’s attributes, so system-based identity raises the bar against stolen credentials and imposter assets rather than making a compromised host harmless. That is where the behavioral baseline attributes mentioned above earn their keep.

Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.