MFA for Critical Infrastructure: Advice from a CTO
Tobias Gurtner
CTO, Ciptor IT-Safe
Implementation of an authentication solution requires careful consideration of security, encryption, and best practices. You need to do it efficiently, without risking security or user experience.
Throughout my 15+ years of experience in leading engineering teams, I have deployed over 10,000 authentication projects. My key insight is to enable our clients to focus on their core business while we concentrate on creating a secure and robust infrastructure. By establishing a strong foundation, our clients are able to seamlessly scale and integrate external technologies in-house, with MFA.
Plan for MFA
Before you decide to invest in MFA to secure your critical infrastructure, don’t make the mistake of building it yourself or buying it from an outdated technology platform. Let me explain why.
When it comes to securing your system, building a solution from open-source components, or purchasing a basic MFA platform that lacks up-to-date cybersecurity features, might seem like a no-brainer. However, it's crucial to be aware of the potential risks and of the need to protect your system accordingly. In today’s digital world, companies experience more breaches, and the cost of a breach continues to rise. Cyber criminals are highly skilled and trained, and they have access to sophisticated tools. This requires your team to tackle these issues and create solutions to resolve them. Common issues include:
• Stolen or compromised credentials
• Ransomware
• Business email compromise
• Account takeover
• Password spraying attacks
• Credential stuffing
• Financial fraud
• Content scraping
• Denial of service attacks
• API abuse
• Phishing
• Vulnerability in third-party software
• Malicious insider
• Brute force
• Man-in-the-middle attacks
• Social engineering
• Malware
Use of stolen or compromised passwords remains the most common cause of a data breach, with an average cost of USD 4.5 million (IBM Cost of a Data Breach Report 2022). Tools like AI, bot detection, detection of breached passwords, DarkNet alerts and automated threat reports help significantly, but to use them you will need a team that understands complex cybersecurity models and has the latest technology in place.
Identity and Authentication Team
If you don't have a dedicated Identity and Authentication Team in place, you need to pull engineers from other projects to build these systems. However, this will impact engineering productivity and affect your company's growth. While customers demand more features in your core offering, the best engineers are preoccupied with addressing identity and authentication issues. Building identity and authentication capabilities is time- and work-intensive and should not be part of any company's core product.
The Identity and Authentication Team has the fundamental responsibility of protecting an organization's digital assets, making sure only authorized individuals can access sensitive information and resources. Roles typically included:
- Identity Manager: Developing and implementing processes and tools for creating, managing, and revoking user identities within the organization's systems. This may involve user provisioning, role-based access control, and managing user directories or databases.
- Authentication Manager: Evaluating, selecting, and implementing secure authentication methods. The team ensures that the chosen authentication methods are aligned with industry best practices and meet the organization's security requirements.
- Access Control Manager: Defining and enforcing access control policies that determine who has access to specific resources and data within the organization. This includes implementing mechanisms like access control lists (ACLs), permissions, and authorization frameworks.
- Security Auditing and Manager: Conducting regular audits and assessments to identify potential security vulnerabilities in the identity and authentication systems. The team monitors logs, user activity, and access patterns to detect and respond to any suspicious or unauthorized behavior.
- Incident Response Manager: Developing and implementing incident response plans specific to identity and authentication-related incidents. This includes procedures for handling compromised accounts, password breaches, or unauthorized access attempts.
- User Education and Awareness Manager: Promoting security awareness among users, educating them about best practices for authentication, recognizing phishing attempts, and safeguarding their devices and accounts.
- Compliance and Regulations Manager: Ensuring that the identity and authentication systems comply with relevant regulatory requirements, industry standards, and data protection laws. The team stays up to date with evolving regulations and adjusts security measures accordingly.
- Collaboration Manager: Working closely with other IT teams, such as network security, application development, and system administration teams, to integrate identity and authentication solutions into the overall IT infrastructure and ensure a secure environment.
Innovate without compromise
Identity and Authentication are today top-of-mind and a strategic part of company roadmaps. Keeping up with market trends is key to your business; that is how we all drive growth. Make sure your developers are 100% focused on your core business, and don’t take their valuable time and attention away from it. Competition is high today, and your end users have endless online options. To stay competitive, businesses are creating new ways of accessing their services, such as mobile apps, e-commerce, and more. With so many ways to connect to digital platforms, customers need fast and secure access to them. Identity and Authentication Management is a constantly evolving field, and it can be challenging for businesses without internal resources to create a solution that meets all requirements while ensuring security. Choosing the right solution helps prevent lost revenue and missed deadlines and keeps customer trust.
Getting Customer Identity right is hard, particularly when you’re reinventing it from scratch. Identity and Authentication is our core product, and we want to help you deliver your innovative business on our identity and authentication solutions, without compromise.
We are always working hard to enhance our services, enabling businesses to operate efficiently and safely. To improve productivity, we have added more capabilities to our CaaS (Cybersecurity as a Service). You can now create a unique identifier for each device based on its software, hardware, and network configurations. This identifier can be used to detect unauthorized access attempts and block them before they cause harm.
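The device identifier described above, as an added example that is not Ciptor's code and not part of the original article: it derives a keyed fingerprint from the software, hardware and network attributes a login agent reports, keeps a per-user registry of devices enrolled after a successful MFA, and turns the comparison into a decision (allow, step-up MFA, or block for devices flagged by incident response). The attribute names, the HMAC key and the sample devices are constructed for illustration, not a real product schema.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Server-side HMAC key so raw attribute hashes cannot be precomputed or
# correlated across deployments. Constructed placeholder for this example.
FINGERPRINT_KEY = b"example-only-server-secret"

# Attributes the login agent reports. Names are assumptions for this example.
# "Volatile" attributes change legitimately (OS patches, browser updates);
# the stable ones should not move for one physical device on one network.
VOLATILE = ("os_version", "browser_version")
STABLE = ("os_family", "cpu_arch", "screen", "timezone", "browser_family", "network_asn")
ALL_ATTRS = STABLE + VOLATILE


def normalize(attrs: dict) -> dict:
    """Canonical lower-cased copy of the attributes that are fingerprinted."""
    return {k: str(attrs.get(k, "")).strip().lower() for k in ALL_ATTRS}


def device_fingerprint(attrs: dict, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed digest over the canonical attribute set: the device identifier."""
    canonical = json.dumps(normalize(attrs), sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def changed_attributes(enrolled: dict, observed: dict) -> list:
    """Names of attributes that differ between an enrolled device and a new report."""
    a, b = normalize(enrolled), normalize(observed)
    return [k for k in ALL_ATTRS if a[k] != b[k]]


@dataclass
class DeviceRegistry:
    # user id -> {fingerprint: normalized attributes recorded at enrollment}
    devices: dict = field(default_factory=dict)
    # fingerprints flagged by incident response (e.g. confirmed account takeover)
    blocked: set = field(default_factory=set)

    def enroll(self, user: str, attrs: dict) -> str:
        """Record a device after the user has completed MFA on it."""
        fp = device_fingerprint(attrs)
        self.devices.setdefault(user, {})[fp] = normalize(attrs)
        return fp

    def block(self, fingerprint: str) -> None:
        self.blocked.add(fingerprint)

    def evaluate_login(self, user: str, attrs: dict) -> dict:
        """Risk decision for a login attempt from the reported device."""
        fp = device_fingerprint(attrs)
        if fp in self.blocked:
            return {"decision": "block", "reason": "device flagged by incident response", "fingerprint": fp}
        known = self.devices.get(user, {})
        if fp in known:
            return {"decision": "allow", "reason": "known device", "fingerprint": fp}
        if not known:
            return {"decision": "step_up_mfa", "reason": "no enrolled devices", "fingerprint": fp}
        # Compare against the closest enrolled device to explain the mismatch.
        closest_fp = min(known, key=lambda k: len(changed_attributes(known[k], attrs)))
        diff = changed_attributes(known[closest_fp], attrs)
        if all(k in VOLATILE for k in diff):
            # Only software versions moved: treat as the same device after an
            # update and migrate the enrollment to the new fingerprint.
            del known[closest_fp]
            known[fp] = normalize(attrs)
            return {"decision": "allow", "reason": "known device updated: " + ", ".join(diff), "fingerprint": fp}
        return {"decision": "step_up_mfa", "reason": "unfamiliar device: " + ", ".join(diff) + " differ", "fingerprint": fp}


# Constructed sample devices for a stand-alone run.
LAPTOP = {"os_family": "macOS", "os_version": "14.4", "cpu_arch": "arm64", "screen": "3024x1964",
          "timezone": "Europe/Zurich", "browser_family": "Safari", "browser_version": "17.4",
          "network_asn": "AS3303"}
LAPTOP_UPDATED = {**LAPTOP, "os_version": "14.5", "browser_version": "17.5"}
UNKNOWN_DEVICE = {**LAPTOP, "cpu_arch": "x86_64", "screen": "1920x1080", "network_asn": "AS16509"}

if __name__ == "__main__":
    registry = DeviceRegistry()
    registry.enroll("alice", LAPTOP)
    for label, device in (("same", LAPTOP), ("updated", LAPTOP_UPDATED), ("unknown", UNKNOWN_DEVICE)):
        print(label, registry.evaluate_login("alice", device)["decision"])
```

The fingerprint is a risk signal, not an authentication factor: every attribute is self-reported by the client, so the registry decides whether to demand MFA on an unfamiliar device rather than replacing MFA on a familiar one, and a device is only enrolled after a completed MFA challenge.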
We are proud to be a trusted Identity and Authentication partner for our customers, delivering frictionless, scalable, user-friendly, secure, and highly extensible platforms for customer and workforce applications. We prioritize security in our product development, ensuring that each feature is secure-by-design. Our solution is tried and tested, securing organizations globally, with deployments in complex environments such as finance and banking, critical infrastructure, and government. Our security and engineering teams monitor activity and infrastructure, 24/7, 365 days a year.