
Is Your Two-Factor Authentication (TFA) FEDRAMP-compliant?

12/09/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



As cyber threats become more prevalent, organizations need multiple layers of authentication security. For most organizations, one of those layers is effectively verifying that "you are who you say you are" when you access a system on the network. This is where Two-Factor Authentication comes into play.

Two-Factor Authentication is the most common form of Multi-Factor Authentication (MFA), and the two terms are often used interchangeably; strictly, MFA covers any number of factors beyond one. In both cases, it is a standardized approach to validating a user with an additional authentication factor beyond the user name and password, drawn from a different category: something the user has (a token or phone) or something the user is (a biometric), on top of something the user knows. It offers an additional level of assurance: if a user name and password are compromised, the attacker still needs the second factor to access the system or systems protected by the two-factor solution.

Two-factor authentication solutions come in various forms, including hardware- and software-based systems. Both operate in the same manner; the difference is how the second factor is presented to the user. Hardware and software tokens are two-factor authentication devices that display a short series of letters and/or numbers, a one-time code, that is valid only for that authentication attempt or time window. For event- and time-based tokens the code looks random but is not: it is derived from a secret shared at enrollment between the token and the authentication server, combined with a counter or the current time, which is what allows the server to compute the same value and check it.

Hardware tokens come in a variety of forms, including key fobs, electronic cards, and printed cards (sometimes referred to as "bingo" cards, referring to the matrix of numbers from which the user reads the value at the row and column the server asks for). Software tokens can be generated by various devices such as laptops, desktops, tablets, or smartphones.

Software-based solutions are also flexible in that smartphones can receive SMS messages, which can carry the additional authentication factor to the user. In most cases, the second factor is requested after the user provides the first factor (generally the user name and password); the user then reads the code from a device in their possession, such as a cellphone or tablet, and enters it. Note that SMS delivery is the weakest of these options: a code sent over the cellular network can be intercepted or redirected by an attacker who takes over the user's phone number, so a code generated on the device itself or by a hardware token is preferable where the user base allows it.
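The code a token displays is described above as random, but for event- and time-based tokens it is a deterministic function of a shared secret, which is exactly what lets the server check it. The following Python, added here as an illustration and not part of the original post or of any vendor's product, implements HOTP (RFC 4226) and TOTP (RFC 6238) for both the token side and the server side. The shared secret is the public test-vector secret from those RFCs, used here only so the outputs can be checked against the RFC tables; a real deployment generates a random secret per user. The verifier tolerates one 30-second step of clock drift and refuses to accept a code for a time step that has already been used, which is the replay check a practitioner should expect from any OTP back end.

```python
"""Added example: how an OTP token and its server agree on a one-time code.

HOTP (RFC 4226) derives a short code from a shared secret and a counter;
TOTP (RFC 6238) uses the current 30-second time step as that counter.
The code is therefore reproducible by the server, which checks it without
the token ever having to transmit the secret again after enrollment.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


class TotpVerifier:
    """Server-side check that tolerates small clock drift but rejects replayed codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept codes from +/- this many steps around "now"
        self._last_step = None        # highest time step already consumed by a successful login

    def verify(self, code: str, now: float = None) -> bool:
        """Return True once for a valid code; a second use of the same code is refused."""
        now = time.time() if now is None else now
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if self._last_step is not None and candidate <= self._last_step:
                continue              # a code for this (or an earlier) step was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_step = candidate
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# It is public and used here only so the results can be checked against the RFC tables.
RFC_TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    # Token side: what the user's app or fob displays at Unix time 59 (RFC 6238 vector).
    print("token shows:", totp(RFC_TEST_SECRET, 59, digits=8))          # 94287082
    # Server side: accept the code once, then refuse the replay.
    server = TotpVerifier(RFC_TEST_SECRET, digits=8)
    print("first use accepted:", server.verify("94287082", now=59))     # True
    print("replay accepted:", server.verify("94287082", now=59))        # False
```

The drift window is a trade-off: each extra step the server accepts widens the interval in which a stolen code is still usable, so keep it to one step and fix clock synchronization on the server rather than widening the window to paper over it.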

Two-Factor Authentication has also become a compliance requirement for federal programs such as the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP was created to help federal agencies meet the requirements of the Federal Information Security Management Act of 2002 (FISMA) for cloud systems. It employs a standardized approach to security assessment, authorization, and continuous monitoring of cloud services, with the goal of reducing FISMA compliance costs and mitigating cyber security risks. Its security control baselines are drawn from NIST SP 800-53, and the multi-factor requirements in the Identification and Authentication (IA) family, specifically control IA-2 and its enhancements, make comprehensive, well-implemented Two-Factor Authentication a cornerstone of FedRAMP authorization (commonly called FedRAMP certification).

Implementing Two-Factor Authentication to be FedRAMP Compliant

Like any other security control, the effectiveness of Two-Factor Authentication depends on how well it is implemented. From a FedRAMP perspective, Two-Factor Authentication is required to provide enhanced identification and authentication to systems in three different scenarios, which correspond to the NIST SP 800-53 control enhancements IA-2(1), IA-2(2), and IA-2(3):

The first scenario, IA-2(1), is providing identification and Two-Factor Authentication for network access to privileged accounts. This is probably the best-known use of Two-Factor Authentication. When a remote user who holds a privileged account (administrator, domain administrator, application administrator, root, etc.) connects to your environment, they are required to complete Two-Factor Authentication before access is granted. This should not be confused with a Virtual Private Network (VPN) connection, which uses encryption to establish a protected tunnel from the remote location back to the internal network; the VPN protects the traffic in transit, but by itself it proves nothing more about who is at the other end than whatever credential the VPN accepts. When a VPN is used in conjunction with Two-Factor Authentication, the result is a strong two-layered approach: the tunnel secures the connection and the second factor establishes the identity of the user.

The second scenario, IA-2(2), is very similar to the first except that it applies to remote users with non-privileged accounts. When a user with a "standard" account attempts to connect to the environment from a remote location, they should be challenged with a Two-Factor Authentication prompt and required to authenticate successfully before being granted access to network systems. Non-privileged users also benefit from a VPN that secures the tunnel between the remote location and the internal network.

When considering how to implement Two-Factor Authentication for remote users, there are a number of areas to consider as part of your implementation planning. You will want to think about how your users are organized and what systems remote users (both privileged and non-privileged) need to access. Organization is key to a smooth Two-Factor Authentication implementation. If users are already grouped into functional areas in Active Directory or another LDAP directory, you can reduce the implementation workload by applying Two-Factor Authentication at the group level rather than user by user. Other questions to ask include whether you will require the second factor for access to the entire network or only for specific segments or systems within it.

The third and final scenario, IA-2(3), is providing Two-Factor Authentication for local access to privileged accounts. The goal is the same, but the implementation is slightly different: instead of authenticating remote users, you focus on the administrative or privileged users inside your network. Remember, not all threats originate from outside your four walls, so vigilance is required in authenticating the users who have the most knowledge and technical ability within your organization, and whose credentials are the most valuable to an attacker who has already gained a foothold inside.

For the internal deployment of Two-Factor Authentication, you will want to first consider how your administrative users are laid out. Are they on the same subnet or VLAN or can they be easily grouped together to offer a more robust and efficient implementation?

As you consider how to implement Two-Factor Authentication in your environment, don't forget about the basic systems within it. Often, new implementers of Two-Factor Authentication will cover the minimum requirements mandated by FedRAMP but overlook a function or individual who does not fall into those three scenarios. Examples include internal audit, or individuals who deal with intellectual property, Personally Identifiable Information (PII), or other sensitive types of data. If a user has a function that could increase risk or lead to compromise within the organization, especially if their normal credentials are compromised, then they should be considered a candidate for Two-Factor Authentication.

Cybercriminals go for the low-hanging fruit first, before trying to crack more complex systems, and a password-only login path is exactly that. Two-factor authentication can be particularly effective at mitigating much of that risk up front. A good way to think of it is that two-factor authentication should not be tied to a single system but to your overall strategy, across the enterprise.

The first goal is to meet the FedRAMP requirements. For cloud service providers (CSPs) just starting out, be careful about trying to implement too much too fast. Yes, you want to build out your business. Sure, you might have the technology to address this issue. However, if the security controls, people and processes are not carefully planned, integrated and trained, the two-factor authentication will not be effective.

From a security perspective, it makes sense. However, management might not support it. Perhaps they believe that current controls are enough, or it comes down to dollars and cents: your organization may still be in its early stages and not equipped with the resources or foresight.

Most organizations in this situation elect to use a phased implementation approach.

Phase One: Before any deployment activities are started, the organization should examine its needs and determine which Two-Factor Authentication solution would be best for its environment. People resources, management processes and procedures, and technology preferences should all be considered before making a decision. Once a technology is selected, training should be developed and provided to all users so that they understand what the solution is supposed to accomplish, their role in maintaining the security of the authentication device, and what to do if the solution is not working correctly or the device is lost or stolen.

Phase Two: Once phase one is complete, organizations can then deploy to all remote users and employees, including third parties and contractors that access your environment. Requiring Two-Factor Authentication for all external users (including administrative users) will greatly reduce the risk associated with authenticating remote access attempts.

Phase Three: Once the first two phases are complete, the next step is to expand the deployment to include all internal administrative-level users. Once this step is complete, you will have met the FedRAMP requirements for Two-Factor Authentication in all three scenarios described above.

If you are struggling with where to start with Two-Factor Authentication, a good tactic is to work with an outside firm to first conduct a risk assessment. An outside firm can clarify the nuances of external and internal users and authentication. They can assist in the development of Two-Factor Authentication strategies that will improve your security and meet FedRAMP compliance, and can help you implement the right controls and processes based on the outcome of that assessment. Finally, they can provide the training necessary for end users and internal support staff to effectively use and support the technology.

Final Advice on Two-Factor Authentication

Two-Factor Authentication is not bullet-proof and will not eliminate vulnerabilities entirely, but it does provide an additional layer of security that can be crucial to protecting networks and systems when a user name and password have been compromised. And most importantly, it is a requirement for FedRAMP authorization. As always, consistent monitoring and testing go a long way toward reducing problems and ensuring FedRAMP compliance.

Implement a solution applicable to your environment and tackle two-factor authentication early in the process. If cost is an issue, consider using a managed service provider to handle your authentication process; they absorb the software and hardware costs. If you go this route, vet the service provider first: you are turning over your network's authentication process, and the assurance you gain is only as good as the provider's own security. As your organization grows, you may also consider bringing the function in-house if that is more feasible.

In the meantime, nail down your Two-Factor Authentication people, processes and technologies. Do so and you will not only be FedRAMP-compliant but a more secure organization because of it.

To learn more about FedRAMP Certification, download a free copy of our upcoming guide below, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

Posted in: FedRAMP