Formulating a Secure, Compliant MFA Ecosystem
A sense of security is important to us all for different reasons. When it comes to our organizations, security no longer means just physical security. As businesses continue to digitize and enterprise resources continue to grow in terms of quantity and complexity, protecting every digital asset also grows in complexity.
The evolving consequences of subpar cybersecurity have been accelerated by a recent increase in cyber-attacks. To work to protect against these, security professionals not only need to evaluate new ways to protect the ever-expanding set of resources and systems that their workforce uses, but also the security standards that they meet and the compliance regulations that are relevant to them.
Today, multi-factor authentication (MFA) plays a critical role in securing company data and networks and is a simple solution to adding advanced layers of protection to digital assets. With so many vendors to choose from, it can be hard to distinguish which solutions are built to high security standards and also enable organizations to meet their own security certifications and regulations.
As humans, we like knowing that the products we are buying meet certain standards and expectations. The same goes for MFA solutions – taking a standards-based approach to deployments remains important for security professionals. According to a recent report by Cybersecurity Insiders, 94% of security professionals agree that a standards-based approach is important when deploying passwordless authentication. When it comes to the larger MFA ecosystem, there is even more scope, and incorporating security standards into the selection process becomes even more important.
Yet, the countless security standards and compliance mandates full of confusing acronyms can be a minefield. Here’s what you need to know.
Why are Security Standards and Certifications Important?
When selecting the right MFA solution, keeping security standards in mind is a way of ensuring that your solution is enterprise-ready, future-proofed and will integrate easily into your existing IT infrastructure. Utilizing MFA to secure your organization’s critical resources, solutions and products gives peace of mind – and helps you to stay protected and meet the compliance regulations in your industry.
Navigating what standards and certifications mean in your organization’s context can be tricky, and it's important to understand that there are numerous examples of both throughout the entire MFA ecosystem. At HID, we are proud of our extensive experience and recognition in the market for providing solutions which allow organizations in highly regulated industries to work more efficiently.
Let’s explore why security should be embedded in each part of the MFA ecosystem, and the standards and certifications that you can integrate.
If your organization is incorporating authentication smart cards or security keys into its MFA ecosystem, it’s important to deploy high-assurance authenticators that support multiple security standards or protocols to match your unique needs. HID Crescendo® smart cards and security keys support a wide range of security standards, including PKI, PIV, FIDO, OATH and Seos®, for secure access to digital resources — from VPN, SSO and applications to servers and shared workstations — as well as physical access to facilities.
In using authenticators that support these standards, your organization can meet continuously evolving data privacy and technology standards knowing that your credentials and devices are compliant – both now and in the future. Deploying Crescendo authenticators in your organization means you can stay compliant with industry recognized standards, including:
- PSD2, PCI-DSS, GLBA, NYDFS 23 NYCRR 500 for payments and financial institutions
- CJIS, IRS pub 1075 for law enforcement organizations
- NERC-CIP for critical infrastructure
- HIPAA for healthcare organizations
- NIST SP800-171, SOX for enterprise and non-federal organizations
- CIV (Commercial Identity Verification) credential, aligned with PIV credential, applicable to US federal government and defined in NIST FIPS 201
Additionally, Crescendo provides seamless compliance with data privacy regulations, including GDPR and CCPA. Crescendo is also PIV- and Common Criteria EAL6+ compliant due to its embedded secure element. Both the embedded secure element and HID applet version 3.0 are FIPS 140-2, overall Level 2 and Level 3 certified, in alignment with the recommendations of the US Government’s National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS).
Secure Issuance and Management
Though Crescendo authenticators are highly secure in themselves, managing the credentials from a single point builds an MFA ecosystem that is even stronger against attacks, as it eliminates siloed systems and processes. The lack of an end-to-end MFA solution brings security risk due to lack of control and visibility over your entire workforce’s credentials and authentication devices, meaning more opportunities for security to be compromised. WorkforceID Digital Credential Manager is a cloud-based application for the lifecycle management of these digital identities.
The application adds an extra layer of security to your MFA ecosystem by giving you the ability to manage PKI certificates on your smart cards and security keys, delivering Authenticator Assurance Level 3 (AAL3) as defined in NIST SP 800-63B.
Secure Solutions to Power Strong MFA
The remaining piece of the MFA puzzle is selecting between on-prem and cloud-based authentication to seamlessly power your workforce’s MFA. Here, it’s about deploying a solution that provides the flexibility to configure layered security but is also built to leading standards with compliance in mind.
HID DigitalPersona®, an on-premise solution, offers a variety of options so that your organization can customize a secure solution that integrates perfectly with its unique use cases. With benefits that include additional security factors such as location, time of day, IP address and behavior monitoring to provide adaptive step-up authentication when needed — and support for numerous authentication factors, methods and devices — deploying DigitalPersona means that in addition to your contactless security card, you can also utilize FIDO2 credentials to create highly secure log-on experiences for your employees. In enforcing these customizable login policies through DigitalPersona, organizations can also adhere to CJIS compliance, ensuring that no user logs in without a second factor of authentication.
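The paragraph above describes adaptive step-up authentication driven by contextual signals (location, time of day, IP address, behavior) together with a rule that no user may log in without a second factor. The following is an added illustration, not HID code and not how DigitalPersona implements its policies: a small policy evaluator that turns a constructed login context into a list of risk signals and then decides which factors must be presented. The network ranges, working hours, trusted countries, signal names and factor names are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy inputs (assumptions for this example, not product settings).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
WORK_HOURS = range(7, 20)          # 07:00 to 19:59 local time is "normal"
TRUSTED_COUNTRIES = {"US", "CA"}   # geolocation result we treat as expected
MAX_FAILURES = 3                   # behavior signal: recent failed attempts


@dataclass
class LoginContext:
    """Context collected at logon time (all fields are constructed sample data)."""
    user: str
    source_ip: str
    country: str
    local_hour: int
    known_device: bool
    failed_attempts_last_hour: int


def risk_signals(ctx: LoginContext) -> list[str]:
    """Return the contextual signals that raise the risk of this logon."""
    signals = []
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):
        signals.append("off-network")
    if ctx.country not in TRUSTED_COUNTRIES:
        signals.append("untrusted-location")
    if ctx.local_hour not in WORK_HOURS:
        signals.append("off-hours")
    if not ctx.known_device:
        signals.append("unknown-device")
    if ctx.failed_attempts_last_hour >= MAX_FAILURES:
        signals.append("repeated-failures")
    return signals


def required_factors(ctx: LoginContext) -> dict:
    """Decide which factors the user must present.

    A second factor is always required (the "no single-factor logon" rule).
    Two or more risk signals step the session up to a hardware-bound factor
    (smart card or FIDO2 key); repeated failures from an untrusted location
    deny the logon outright rather than prompting for more factors.
    """
    signals = risk_signals(ctx)
    if "repeated-failures" in signals and "untrusted-location" in signals:
        return {"decision": "deny", "factors": [], "signals": signals}

    factors = ["password"]
    if len(signals) >= 2:
        factors.append("smart-card-or-fido2")   # step-up: hardware-bound factor
    else:
        factors.append("otp-or-fido2")          # baseline second factor
    return {"decision": "allow-with-mfa", "factors": factors, "signals": signals}


if __name__ == "__main__":
    # Constructed sample logons: office desk, home laptop, and a suspicious attempt.
    samples = [
        LoginContext("alice", "10.4.2.17", "US", 10, True, 0),
        LoginContext("bob", "203.0.113.9", "US", 22, False, 0),
        LoginContext("carol", "198.51.100.3", "XX", 3, False, 5),
    ]
    for ctx in samples:
        print(ctx.user, required_factors(ctx))
```

Every branch of `required_factors` still ends with at least two factors or an outright deny, which is the property a CJIS-style "no second-factor-less logon" policy needs; the step-up threshold and the deny rule are the knobs an administrator would tune.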
For cloud-based authentication, WorkforceID™ Authentication provides strong MFA so that your workforce can easily access company networks from anywhere. Not only does WorkforceID adhere to SOC2 compliance and GDPR to ensure strong data privacy, but it is also certified by the most rigorous security standard in the world, ISO 27001. This certification proves HID’s expertise in managing our information technology systems, meaning you can trust that our WorkforceID platform adheres to robust security requirements.
Because our MFA platform has achieved SOC2 compliance, you can be assured that it adheres to specified policies and procedures, backed by regular audits and outlined objectives. This means that our software is in line with the evolving requirements of data protection in the cloud — guaranteeing you that we have the right tools, infrastructure, and processes to protect your information.
Solutions that are Dedicated to Security
With a product-rich MFA portfolio that complies with and adheres to stringent industry-recognized security standards and regulations, HID Global is dedicated to providing solutions that ensure confidentiality and integrity. We are constantly working to adapt our solutions to evolving security standards so that we can aid your organization in staying compliant — no matter the industry.
Want to further explore our MFA solutions that are built to industry-leading security best practices? Speak to an expert.
Maria MacRitchie leads the product marketing efforts for the IAM Workforce Authentication solution globally. She has over 15 years of experience with B2B and B2C product, services and marketing communications within the IT and telecom industries. Maria has been with HID for 7 years, holding various communication roles within the Professional Services, PACS Cloud Services and Product Marketing teams.