Essential services have become crucial in the era of COVID-19. Securing organizations that provide these services is vital to ensure the nation continues to respond effectively to the pandemic. Verifying that authorized employees, and only authorized employees, can access their organization’s systems is more critical now than ever.
A great way to guarantee secure access to systems and apps is by using multifactor authentication (MFA), which requires at least two authentication factors to verify the identity of an individual. In addition, a single sign-on (SSO) platform helps centralize and secure identity and access management.
The Basics of MFA and SSO
Multifactor Authentication (MFA)
In total, there are three possible authentication factors: something you know (knowledge factor), such as a password; something you have (possession factor), like a smart card; and something inherent to your person (inherence factor), such as a fingerprint. MFA requires the use of at least two of these authentication factors before it allows a user access to the system. There are several benefits of multifactor authentication:
- Reduce the risk of compromise: Using one authentication factor means that attackers have only one obstacle to overcome to gain access. But using an additional factor or factors significantly increases the difficulty level for the hacker trying to compromise your systems.
- Meet compliance standards and lessen legal risk: Many organizations, especially in essential services, must comply with industry-specific regulations regarding data access and security. MFA can help them comply with those requirements. It can also reduce legal risks, such as regulatory fines or class action lawsuits filed by breach victims.
- Set organizational security expectations: Implementing an MFA program sets security expectations for employees and contractors. It requires the organization to identify and classify business scenarios based on risk to determine when MFA is needed.
In spite of these advantages, many organizations balk at implementing MFA because they fear it will make the login processes more cumbersome and reduce productivity.
Single Sign-On (SSO)
One way to reduce the complexity of MFA is to use a single sign-on (SSO) platform. An SSO platform centralizes identity and access management. It not only makes it easier for a user to sign into multiple systems, but it also improves access security. Users no longer need to remember separate passwords for each of the applications and systems they use at work.
For IT teams, SSO enables them to enforce security policies and manage users all in one place. IT can also implement a policy that locks user accounts if too many unsuccessful login attempts are made. SSO provides organizations with the ability to centralize access logs, help with regulatory compliance, and gain insights into user behavior.
SSO and MFA can be combined to boost security. One of the benefits of multifactor authentication is that it provides extra protection to ensure that the user who logs into the SSO platform is authorized to do so. Once the user is logged into an SSO platform, they will have access to all of the systems linked to their profile.
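The following is an added example, not code from the original article or from any SSO product. It sketches a sign-in gate that grants access only when the verified methods span at least two of the three factor categories described above, and that applies the lockout policy after repeated unsuccessful attempts. The method names, the `SsoGate` class and the threshold of 3 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Factor categories as defined in the article; method names are assumed examples.
FACTOR_OF = {
    "password": "knowledge",
    "security_question": "knowledge",
    "smart_card": "possession",
    "fingerprint": "inherence",
}
MAX_FAILURES = 3  # assumed lockout threshold


@dataclass
class SsoGate:
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    access_log: list = field(default_factory=list)  # centralized access log

    def login(self, user, verified_methods):
        """verified_methods: names of methods the user has already passed."""
        if user in self.locked:
            return self._record(user, "denied_locked")
        # Two methods from the same category still count as one factor.
        categories = {FACTOR_OF[m] for m in verified_methods if m in FACTOR_OF}
        if len(categories) >= 2:
            self.failures[user] = 0
            return self._record(user, "granted")
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return self._record(user, "denied_now_locked")
        return self._record(user, "denied_single_factor")

    def _record(self, user, outcome):
        self.access_log.append((user, outcome))
        return outcome


def demo():
    # Constructed sample sign-in attempts.
    gate = SsoGate()
    return [
        gate.login("alice", ["password", "smart_card"]),
        gate.login("bob", ["password", "security_question"]),
        gate.login("bob", ["password"]),
        gate.login("bob", ["password"]),
        gate.login("bob", ["password", "fingerprint"]),
    ]
```

Note that a password plus a security question is rejected because both are knowledge factors, and that once the account is locked even a valid two-factor attempt is refused until the lock is cleared.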
Essential Services and the Need for MFA and SSO
Before examining how essential services can take advantage of the benefits of multifactor authentication and single sign-on, let’s briefly discuss what essential services are. According to the U.S. Department of Homeland Security, essential services include the following:
- Healthcare and public health
- Law enforcement, public safety, and first responders
- Food and agriculture
- Water and wastewater
- Transportation and logistics
- Public works
- Communications and information technology
- Community-based government operations and essential functions
- Critical manufacturing
- Hazardous materials
- Financial services
- Defense industrial base
Essential services are central to the COVID-19 pandemic response, treating its victims, and controlling its spread. Unfortunately, cybercriminals and other bad actors are taking advantage of this crisis to target organizations providing essential services. These attacks are designed to exploit the vulnerabilities of these organizations as they grapple with COVID-19. Essential services should take robust measures to protect systems and data from these bad actors. To respond to COVID-19, organizations are also collecting and processing personal and health information in new ways.
Hospitals, healthcare providers, and laboratories must report confirmed or probable COVID-19 cases and deaths to state or local health departments. While this data is essential to combat COVID-19, it creates a vast pool of sensitive health data that needs to be secured.
To lessen the regulatory risk for healthcare providers, the Department of Health and Human Services (HHS) has eased the requirements for complying with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule in response to COVID-19. The agency has relaxed rules regarding the sharing of health information without the individual’s consent, has granted liability immunity for organizations working on COVID-19 countermeasures, and has eased data privacy requirements for telehealth. Whether subject to HIPAA or not, all essential services organizations need to take steps to safeguard access to their systems and protect their data.
The COVID-19 pandemic has also forced organizations to shift to remote work. Essential workers need secure access to technologies and processes that enable remote working and mobile productivity. Essential services also need collaboration tools, such as public and private messaging, employee status indicators, screen sharing capabilities, web conferencing, and document sharing and editing platforms. Greater use of these technologies demands more robust measures to secure access by employees, contractors, and others.
Preventing unauthorized access to the systems of essential services organizations is critical to saving lives and safeguarding data privacy. SSO and MFA can help essential workers gain quick and secure access to applications and systems. They first have to verify their identity using MFA. Then, they sign in to an SSO platform and have access to all of the applications they need to do their job quickly and effectively, without the hassle of having to sign in to each application individually. This saves time and possibly lives.
Beyond MFA and SSO: Zero Trust
In addition to MFA and SSO, Zero Trust is a security approach that can ensure that sensitive data and systems are protected in an essential services organization, especially where employees work remotely. With Zero Trust, every person and every device is verified before being allowed to connect to systems and apps. Zero Trust can help organizations address the challenges of securing sensitive data and integrating cloud-based applications without disrupting productivity. Tools that support Zero Trust include MFA, SSO, provisioning and deprovisioning platforms, and device security.
A Zero Trust approach can help essential service organizations address the challenges of securing sensitive data without disrupting treatment and services. Forrester Research, a leader in developing the Zero Trust model, said that MFA and SSO are critical features of Zero Trust that “reduce access threats exponentially.”
Zero Trust limits an essential worker’s access to only what they need to do their job. This is known as least-privilege access, and it reduces the damage that a malicious insider can do to an organization. Zero Trust, enabled by MFA and SSO, helps secure the mobile and remote workforce of essential services organizations. It also allows these organizations to continue their digital transformation and comply with regulations and standards for their industry.
Identity Solutions can help essential services organizations along their Zero Trust journey. Our approach centers on MFA and SSO-enabled Zero Trust. We can help organizations implement a secure access control strategy. First, we work with each customer to understand secure access pain points and concerns. Then we develop an identity and access control program that eliminates the guesswork about who has access to what using the Zero Trust framework.
In the rapidly changing COVID-19 environment, the combination of a Zero Trust strategy and a robust access control solution is the way to go for essential service organizations. Identity Solutions will be there to help them along the way.