Previously, I wrote a piece on the role that bring your own office (BYOO) plays as the ‘new normal’ post-COVID environment of decentralised working becomes more widespread. BYOO and working from home (WFH) mean that an organisation has far less control: its network now includes a growing number of third-party and public networks where malicious activity, such as man-in-the-middle attacks and session hijacking, can more easily take place.
For organisations that realise this can be a major threat to their commercial activities and intellectual property, the MSP can step in with a couple of extra offerings to help make everything more secure.
Obviously, nothing is ever completely secure, but as with household burglary, the idea is to make the organisation’s environment appear more secure than others, so that malicious actors turn to the low-hanging fruit of other organisations’ weaker protections instead.
So – what can an MSP offer?
The first should be multi-factor authentication (MFA). This moves past simple username/password pairs and requires a further proof from the user: one or more credentials that are not a static, long-lived secret. Most systems use a one-time password delivered to, or generated on, an email account or device that is unique to that user. Although such systems have been around for a long time, it is only in the past couple of years that they have become mainstream. Software as a service (SaaS) platforms have increasingly embraced MFA, as have social networks and online banking systems. However, few organisations, particularly in the small and medium enterprise (SME) space, believe that it is a tool for them. It is seen as expensive, cumbersome, and restrictive.
The MSP can establish a multi-tenanted system that will bring costs down to suitable levels for such organisations and can – by using the right MFA system – avoid the perceptions of such systems being cumbersome and restrictive.
Systems can be based on cell phone texts or emails, neither of which is recommended: SMS codes are exposed to SIM swapping and interception, and email codes are only as safe as the mailbox they land in. Discrete hardware tokens were all the rage some years back but tend to be lost quite easily by users. Authenticator apps on cell phones are now well supported and provide a good level of security and ease of use. For MSPs, authenticator-based systems are recommended: the user enrols by scanning a QR code from a specific setup screen, and the app then generates time-based codes from the shared secret encoded in that QR code.
MFA and SSO make a great team
However, MFA on its own is not enough. If a malicious actor does manage to get past it, they are then roaming free within the proverbial walled garden: an environment where, once you are in, there is little to stop you from doing all sorts of things.
This is where single sign-on (SSO) can help. Counterintuitively, SSO does not have to remove all barriers for a user by taking a wrecking ball to the walled garden. It can be configured that way, but a good SSO system should not allow it.
The idea is that a user should be able to sign in once to an environment and then from there, they will have access to everything they need without having to sign into other systems as they go along. This is great for systems acceptance and productivity by individuals and groups – but must be carefully controlled.
Breaking it down
The first thing is that SSO needs a directory of users, roles, responsibilities, and access levels. Without this, it is all but impossible to set up a workable system. Again, for many organisations, this is seen as a bit of heavy lifting. MSPs can help by providing an online directory or by leveraging existing directories such as Microsoft Active Directory (AD).
Once the directory is set up, the SSO system works against it by matching attributes of the user trying to log in against what they are allowed to do. At a basic level this is the user’s identity and/or position and the list of applications they may access. It can be enhanced to take in the context of the request as well: the type of device being used, the type of network it is coming from, and so on. This allows access to be reduced, for example to read only, when the user is reaching the system over a public network from a café or airport.
Tokens – the heart of SSO
The other aspect of SSO is the use of tokens. Tokens are what make SSO work: signed packets of claims handed from the SSO system to each application, so that the user does not have to log into that application separately. The SSO system is vouching for the validity of the session, not just for the identity of the user.
This session validation needs to be checked regularly, however. Token time-outs can be used on systems requiring higher security, meaning that the user may have to provide login details again after a set period. Better yet is a feedback loop: the application periodically checks the token back against the originating SSO environment, and if anything about the session has changed (the network it is coming from, the device, or a revocation) it can demand a fresh login to foil a man-in-the-middle attack, or log the session out and even lock the account.
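The directory lookup, context-aware access decision and token feedback loop described in the last few paragraphs, as an added example that is not part of the original article and does not model any specific SSO product. The SSO service issues a short-lived HMAC-signed token carrying the user’s permitted apps and the device and network context seen at login; a relying application verifies the signature and expiry, asks the SSO service whether the session is still as it was (the feedback loop), and then downgrades to read-only or forces re-authentication. The directory, signing key, user names and network classes are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed shared signing key between the SSO service and its relying apps (constructed, not real).
SIGNING_KEY = b"example-sso-signing-key-not-for-production"

# Constructed directory of users and the apps they may reach; in practice this comes from AD.
DIRECTORY = {
    "alice": {"role": "finance", "apps": ["crm", "payroll"]},
    "bob": {"role": "sales", "apps": ["crm"]},
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: bytes, claims: dict) -> str:
    """Serialise the claims deterministically and append an HMAC-SHA256 signature."""
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(key: bytes, token: str, now: int) -> dict:
    """Reject tampered or expired tokens; return the claims otherwise."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(body))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


class SsoService:
    """Constructed stand-in for the SSO/identity provider: logs users in after MFA,
    issues tokens bound to the login context, and answers introspection calls."""

    def __init__(self, key: bytes, ttl: int = 900):
        self.key = key
        self.ttl = ttl
        self.sessions = {}  # session id -> context recorded at login

    def login(self, user: str, device_managed: bool, network: str, now: int, mfa_passed: bool = True) -> str:
        if user not in DIRECTORY or not mfa_passed:
            raise PermissionError("login refused")
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "device_managed": device_managed,
                              "network": network, "revoked": False}
        claims = {"sid": sid, "sub": user, "apps": DIRECTORY[user]["apps"],
                  "device_managed": device_managed, "network": network,
                  "iat": now, "exp": now + self.ttl}
        return sign_token(self.key, claims)

    def introspect(self, sid: str, network_seen_now: str) -> str:
        """The feedback loop: has the session been revoked or has its context changed?"""
        session = self.sessions.get(sid)
        if session is None or session["revoked"]:
            return "revoked"
        if session["network"] != network_seen_now:
            return "changed"
        return "ok"

    def revoke(self, sid: str) -> None:
        if sid in self.sessions:
            self.sessions[sid]["revoked"] = True


def decide_access(token: str, app: str, network_seen_now: str, sso: SsoService, now: int) -> str:
    """Relying-app decision: 'read-write', 'read-only', 'reauth' or 'deny'."""
    try:
        claims = verify_token(sso.key, token, now)
    except ValueError:
        return "reauth"  # bad signature or time-out: make the user log in again
    if app not in claims["apps"]:
        return "deny"  # directory says this user never gets this app
    if sso.introspect(claims["sid"], network_seen_now) != "ok":
        return "reauth"  # session context moved or was revoked mid-session
    if claims["network"] == "public" or not claims["device_managed"]:
        return "read-only"  # café or airport network, or an unmanaged BYOO device
    return "read-write"


if __name__ == "__main__":
    sso = SsoService(SIGNING_KEY)
    office = sso.login("alice", device_managed=True, network="corporate", now=1_700_000_000)
    print("alice/crm from the office:", decide_access(office, "crm", "corporate", sso, 1_700_000_000))
    cafe = sso.login("bob", device_managed=False, network="public", now=1_700_000_000)
    print("bob/crm from a café:", decide_access(cafe, "crm", "public", sso, 1_700_000_000))
```

The introspection call is what turns a bearer token into a live session check: without it, a stolen token is valid until `exp`, which is why the time-to-live here is minutes rather than days.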
So, for MSPs, bolstering BYOO with MFA and SSO for SMEs, particularly where SaaS-based systems and AD are already in place, may be A-OK.
Photo: Flamingo Images / Shutterstock