Understanding and Complying with the New MFA Requirements for Cyber Insurance

MFA Requirements for Cyber Insurance

This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Yaron Kassner, the CTO and co-founder of Silverfort, shares some expert insights into the new MFA requirements that companies need to know about.

A few months ago, the insurance industry hardened its prerequisites for cyber policies. The new requirements include Multi-Factor Authentication (MFA) across practically all the insured organization’s resources. MFA is mandatory for purchasing a new cyber policy and the renewal of an existing one.

The checklist of MFA rules includes enforcing MFA for all employees accessing email through a website or cloud-based service; remote access to the network provided to employees, contractors, third-party providers. Others include internal and remote admin access to directory services, network backup environments, network infrastructure, and the organization’s endpoints and servers. While the first two requirements are relatively easy to address, the last one is tough to implement—more on that below.

Also, most cyber insurance providers now require MFA across on-prem and cloud resources. This is incredibly challenging for small and mid-sized companies, as standard MFA solutions don’t provide the necessary coverage, and deploying a PAM solution is generally not within their security skillset.

Top MFA Implementation Challenges

In most cases, MFA implementations involve installing agents on machines or placing proxies in front of devices in a network. However, both approaches are riddled with coverage gaps. In general, agents cannot be deployed across all network machines. In an extensive network, some devices will be overlooked in the deployment. Additionally, there are always machines on which an agent cannot be installed.

The problem with proxies is quite different. For proxies to achieve complete MFA coverage, a proxy must be placed in front of every network segment, which is only doable in a small, relatively simple network. Both approaches provide partial MFA coverage that exposes critical resources to identity-based attacks.

Common access interfaces to critical resources provide another obstacle since many do not support standard MFA implementations. For example, popular command-line access tools such as PsExec, remote PowerShell, and WMI do not support MFA. Their failure to do so is well known and frequently abused by hackers who exploit these interfaces in lateral movement and ransomware attacks.

Meanwhile, some resources use a small number of interfaces, while others, such as a server (either physical or virtual), use a handful. Finally, fragmentation poses a considerable risk and management nightmare. Many access points, applications, cloud services, and on-prem machines require a different MFA solution in today’s complex IT environments.

The use of heterogeneous MFA solutions results in operational complexities that degrade both the user experience and the level of protection. Navigating through a slew of products with different interfaces creates unnecessary friction for users while placing a drag on productivity. On the protection front, the use of several other products — each with different risk engines and scoring models — makes it virtually impossible for security professionals to enforce consistent policies.

Unifying Identity Protection

Although traditional MFA solutions can tackle some of the use cases that cyber insurance requires, none can tackle all of them. What is needed is an identity protection framework that can orchestrate MFA across hybrid-cloud and on-premise environments, including legacy and homegrown applications, command-line access tools, file shares, databases, and more. Sometimes called unified identity protection.

This model can bridge incompatible identity systems, allowing security policies to be enforced in a standard way for any resource that authenticates to a directory, regardless of whether it is a SaaS application, on-premises server, legacy system, or others. When evaluating a framework to unify identity protection, consider the following checklist:

  • Will you be able to create a consolidated audit trail of all identity activity for both on-premises and cloud resources?
  • Can you analyze user activity to understand behaviors and detect anomalies and suspicious events?
  • Will you be able to implement unified security controls for all users and resources, and enforce zero-trust policies to block unauthorized and malicious access in real-time?

For companies large and small struggling to meet the new MFA requirements for cyber insurance, unified identity protection can provide a path to compliance.

Yaron Kassner