Paul Parker, chief technologist, federal and national government, SolarWinds, looks into the importance of two-factor authentication for the public sector as digital crime increases.
We live and work in the digital age, yet many of us still tend to approach our work and personal lives with the assumption that our high-value data is safe. Unfortunately, assuming that “it won’t happen to me” can be naïve, and perhaps even irresponsible, in an era that sees digital crime grow each day.
Awareness through education
Google has done much to elevate online security awareness. Most account users will be familiar with its 2-Step Verification process, introduced in 2011 and designed to add an extra layer of protection that’s unique to each individual, making it much harder for hackers to gain access to files and information. Known generally as two-factor authentication (2FA), this additional layer of security requires not just a username and password, but also something that is completely unique to that user, whether it be a piece of information or a physical token. It’s based on the concept that users gain access only by combining something they know (knowledge) with something they have (possession). Such a system makes it much harder for cybercriminals to access and steal information or identity.
Leading by example
In a public sector context, data sits at the heart of organisations, in an environment shaped by stringent data regulations and growing security threats. As such, a renewed emphasis has been placed on expanding the use of strong multifactor authentication that’s resistant to attack, particularly for systems accessed by the public. Two years ago, the U.S. government launched a Cybersecurity National Action Plan (CNAP) to curb the increasing number of attacks against organisations and individuals, which included mandatory two-factor authentication for federal government websites and government contractors.
The local 2FA landscape
From a U.K. perspective, a growing number of government agencies are deploying encryption to help secure critical information properties. For example, the Code of Connection (CoCo) and Public Services Network (PSN) frameworks recommend that any remote or mobile device should authenticate to the PSN via two-factor authentication. While it is not a legal requirement, the uptake of two-factor authentication processes in public sector organisations is rising, with some vendors delivering authentication-as-a-service that can be used to authenticate cloud applications, infrastructure, and information.
Better security = peace of mind
Two-factor authentication provides reassurance for both users and system administrators. They know that should the password be compromised, the account can’t be accessed without providing the second authentication factor. Biometric authentication, such as a fingerprint, is becoming more common and can be used in diverse systems such as websites, enterprise applications, and secure thumb drives.
The practical way forward
Using 2FA in the public sector makes absolute sense, but logistically it’s understandable that it takes time and work to implement. Organisations wanting to use biometric or smartphone-based authentication processes, for example, will need to ensure that the back-end solutions are designed and in place to support the technology and work properly for system users. Thought also needs to be given to education and awareness when introducing new authentication systems. The change could become overwhelming, particularly when considering that many public sector organisations may have only recently started to develop a digital transformation strategy. In the NHS space, for example, just 24% of trusts and Clinical Commissioning Groups (CCGs) have begun to develop strategies.
The good news, however, is that processes such as cloud adoption and 2FA are all part of the same digital transformation journey. Having the appropriate tools to manage each of these components will go a long way towards helping public sector organisations understand the processes and be able to do what is needed to best support them and their publics. Striving for more secure authentication systems that provide far more confidence in the identity of both end users and systems administrators is a great example of this, and is why it matters.