Stephane Larue

New CISA guideline on personal VPN

The US Cybersecurity & Infrastructure Security Agency (CISA) recently issued advice to "highly targeted" individuals, such as senior officials, to avoid using personal VPNs following the "Salt Typhoon" hacks by Chinese state-sponsored attackers. CISA recommends assuming that all mobile communications are at risk of interception and suggests using end-to-end encrypted messaging apps such as Signal. Upgrading multi-factor authentication (MFA) to phishing-resistant methods, such as hardware security keys, is advised, along with avoiding text-message MFA and securing wireless accounts with a secondary PIN. CISA highlights the questionable security and privacy policies of many VPN providers and endorses using password managers, promptly installing software updates, and opting for newer smartphones with advanced security features. It explains that personal VPNs shift risk from ISPs to potentially insecure VPN providers, and urges the adoption of more secure practices and tools to protect sensitive information.

At Srity we complement this advice by proposing a migration from traditional VPNs to Zero Trust Network Access (ZTNA) solutions.

Do not hesitate to contact us for details about replacing your traditional VPN with a Zero Trust solution.

https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf

Stephane Larue

Season's Greetings.

Wishing you and your loved ones a Merry Christmas filled with joy and laughter.
May the New Year bring you health, happiness, prosperity, and security.

Thank you for your continued support and partnership throughout the year.
We look forward to serving you in the coming year.

Srity Team

Stephane Larue

Cloud Authentication Models

Model 1 - Cloud SSO Service with On-Premises Identity Provider: This approach leverages an existing on-premises identity provider, such as Microsoft Active Directory, while enabling single sign-on (SSO) for cloud applications. Your company's Active Directory solution can then integrate the on-premises directory with cloud services, providing a seamless SSO experience.

Model 2 - Standard Public Cloud Identity Provider (IdP): Here, you rely entirely on a cloud-based identity provider such as Microsoft Entra, AWS identity management, or Google Cloud Identity. These services manage user identities and access controls natively within your cloud provider's environment, simplifying management but requiring a migration of identities from on-premises systems.

Model 3 - Identity Synchronization between On-Premises and Cloud: This hybrid approach synchronizes identities between on-premises directories and cloud identity providers. Tools such as Azure AD Connect, Entra Sync, or Google Cloud Directory Sync ensure consistency of user identities across all environments, enabling unified access management between your on-premises and cloud infrastructure.

Model 4 - Dedicated Authentication Solution for Multicloud Environments: To manage identities across on-premises and multiple cloud platforms, dedicated solutions such as Okta, Ping Identity, or Auth0 can provide centralized authentication and authorization. These platforms offer robust features for multicloud environments, including single sign-on, multi-factor authentication, and detailed access policies.

Do not hesitate to contact us at info@srity.be if you want a deep dive into the cloud authentication options adapted to your use case.

Stephane Larue

Multifactor Authentication Process

There has been a lot of talk in recent years about multi-factor authentication, but the authentication process behind most MFA solutions is seldom explained clearly. In this post we walk through the steps of a standard MFA authentication process. These MFA solutions, even if not perfect, are a cornerstone for improving your security posture, but they have flaws that will be the subject of another blog post.

If you have questions or need consultancy on implementing MFA in your organisation, do not hesitate to contact us at info@srity.be

Step 1 - Access request

The user is trying to access a protected resource (for example, a website or an application).

Step 2 - Entering credentials

The user enters their credentials, usually a username and password.

Step 3 - Transmission of credentials

Credentials are sent to the authentication server over a secure connection (such as HTTPS).

Step 4 - Credential verification

The authentication server compares the credentials provided with those stored in its database.

Step 5 - Initial validation

If the credentials match, the server validates this first step of authentication.

Step 6 - MFA triggering

The server requests a second authentication factor. This can be a code sent by SMS, a push notification on an authenticator app, or biometric data (fingerprint, facial recognition).

Step 7 - Entering the second factor

The user provides the required second authentication factor.

Step 8 - Second factor verification

The server verifies the validity of the second factor.

Step 9 - Final validation

If the second factor is correct, the server validates the multi-factor authentication.

Step 10 - Session token generation

If successful, the server generates a unique session token for the user.

Step 11 - Sending the token

The session token is sent to the client (browser or application) and stored, often in the form of a cookie.

Step 12 - Authorized access

The client uses the session token to access protected resources without having to reauthenticate with each request.

Step 13 - Token expiration

The session token has a limited lifetime. Once expired, the user must reauthenticate.
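The thirteen steps above, carried through on the server side as a runnable Python illustration. This is an added example, not Srity's code or that of any MFA product: the second factor is a time-based one-time code (TOTP, RFC 6238, as generated by authenticator apps) rather than SMS, the credential database and session store are in-memory dictionaries, and the username, password and TOTP secret are constructed for the demonstration. The only real value in it is the RFC 6238 test vector used to check the TOTP routine.

```python
"""Toy MFA server covering steps 2-13: password check, TOTP check,
session token issue, authorized access, and token expiry.
Added illustration (not Srity's code); all users and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

USERS: dict = {}     # username -> {"salt", "pw_hash", "totp_secret"} (constructed DB)
SESSIONS: dict = {}  # session token -> {"user", "expires_at"} (constructed store)
SESSION_TTL = 900    # step 13: a session token lives 15 minutes in this example
PBKDF2_ITERS = 200_000
TOTP_STEP = 30       # RFC 6238 default time step in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    """Passwords are never stored in clear; only a salted PBKDF2 hash is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def register(username: str, password: str, totp_secret: bytes) -> None:
    """Enrol a user: store a salted password hash and the shared TOTP secret."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                       "totp_secret": totp_secret}


def verify_credentials(username: str, password: str) -> bool:
    """Steps 4-5: compare the submitted password against the stored hash."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what
    the authenticator app computes on the user's phone (steps 6-7)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Step 8: accept the current code or one time step either side (clock drift).
    Every candidate is compared so timing does not reveal which one matched."""
    counter = now // TOTP_STEP
    matches = [hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1)]
    return any(matches)


def issue_session(username: str, now: int) -> str:
    """Steps 10-11: mint an unguessable token and record its owner and expiry.
    A real server would return it in a Secure, HttpOnly cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires_at": now + SESSION_TTL}
    return token


def authorize(token: str, now: int) -> Optional[str]:
    """Steps 12-13: resolve a presented token to a user; expired tokens are dropped."""
    session = SESSIONS.get(token)
    if session is None:
        return None
    if now >= session["expires_at"]:
        del SESSIONS[token]  # expired: the user must reauthenticate
        return None
    return session["user"]


def authenticate(username: str, password: str, otp: str, now: int) -> Optional[str]:
    """Steps 2-11 end to end. Returns a session token, or None on any failure."""
    if not verify_credentials(username, password):
        return None
    # Step 6: the first factor passed, so the second factor is now required.
    if not verify_totp(USERS[username]["totp_secret"], otp, now):
        return None
    return issue_session(username, now)


if __name__ == "__main__":
    # Constructed enrolment and login; the phone-side code is computed with totp().
    register("alice", "correct horse battery", b"constructed-secret-alice")
    now = 1_700_000_000
    tok = authenticate("alice", "correct horse battery",
                       totp(b"constructed-secret-alice", now), now)
    print("logged in as", authorize(tok, now + 60))
    print("after expiry:", authorize(tok, now + SESSION_TTL))
```

Two details worth noticing: the server only asks for the second factor once the password has been checked, exactly as steps 5 and 6 describe, and the session store, not the cookie, decides when access stops, so revoking a session is a matter of deleting its entry.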
