Close Menu
Blog
  Back
Posted by Andrew Ballantyne on 18th February 2021

Multi Factor Authentication- Why you Should use it but Probably Don't

In a recent LinkedIn post, I provided 4 suggestions as to how organisations can secure their remote workers, a thing I’m sure most would agree is of paramount importance under circumstances.

Of the 4 suggestions, I have already written blog posts that look in more detail at Azure Information Protection and Conditional Access, leaving me with just 2 more to cover. This week, I am going to be looking at the commonly known but under used Multi Factor Authentication (MFA).

Let’s Jump straight in…

More and more organisations are choosing to implement MFA as a mandatory step in their login procedures. Most people these days will be aware of what MFA is and how it works, but for those who aren’t, you might have noticed that your bank and/or other such data storing giants have started sending you a text with a code you need to input in order to log in. Well, that’s MFA. By more formal definition, it is the requirement for a user to present 2 or more pieces of information to evidence authentication.

When we look at some of the information security numbers associated to MFA, it becomes clear as to why it’s so widely regarded. There are many statistics that I could reference here, but there is one that basically tells you everything you need to know. According to Microsoft, in an age where weak, default or stolen passwords are the cause of most data breaches, MFA can prevent 99.9% of attacks on your account. It’s almost unbelievable that such a simple step can be so effective. To achieve such a level of security, it seems more conceivable that we would need some intricate and expensive MoD level of protection. But no. It’s often the most basic steps that can protect us.

Sounds great… But how do I get it?...

The great thing is that Microsoft enforce MFA for admins on Office 365 accounts by default, providing that Security Defaults is enabled (there will be a follow up blog on Security Defaults in the near future). Doing this is a strong first step to protecting your environment. In addition to this, MFA is available and free with all Office 365 plans. That said, without the higher-level plans, it must be enforced manually for the users in a basic ‘on/off’ type scenario. The Circle Cloud video below will show you how you can do this…

It is at this point that I am going to take a step back a little. Remember how I said at the beginning of this post that MFA was ‘under used’. Well, it is this ‘on/off’ functionality that, although useful, creates some of the perceived problems. The reason for this is that many end users find it annoying when they have to put in a code every time they attempt to gain access to their devices.

So, what can be done to overcome this potential issue…

To answer this question, I am going to pose to you what is on offer as standard as part of all Microsoft Office 365 licenses, then present an alternative:

On offer as standard: I can manually enforce MFA for all users, meaning they must always input a code every time they try to access company assets.

Alternative: I would like to be able to apply MFA to all users, but for the users to only be asked to MFA in particular, pre-determined scenarios where I think it’s most needed (such as when accessing from a remote location and/or an insecure device). 

Well, if you’ve come this far, you’ll be glad to know that the ‘alternative’ is certainly achievable if MFA is used in conjunction with Conditional Access. I recently wrote a blog post about Conditional Access which might be worth reading if you want to fully understand how the two link together. However, the brief overview below should get you started.

Using MFA as part of your Conditional Access Strategy…

For those who’ve never heard of conditional access, you can probably take a reasonable guess as to what it does. It restricts access to an organisation’s platforms and data by enforcing standards that must be met by a device or network before accessing information. The most simple takeaway message I can give you here is that Conditional Access allows you to decide what a compliant device looks like for your organisation, then gives you the power enforce rules on any ‘non-compliant’ devices trying to access company information and systems.

Conditional Access does this by applying basic ‘IF-THEN’ logic. I have provided an example below to give you an idea:

IF: a ‘non-compliant’ device attempts to log on

THEN: allow access through but only through a browser, and do not allow the user to download company information onto their ‘non-compliant’ device.

You might already have guessed by now where MFA fits into the picture. For obvious reasons, a lot of the restrictions that organisations apply to their policies are focussed on the enforcement of MFA, such as making it a mandatory requirement for anyone in the business who has administrative access. To put this into perspective, here is how the previously used ‘IF-THEN’ example would look if we used MFA as our rule to apply to non-compliant devices:

IF: a ‘non-compliant’ device attempts to log on

THEN: force the user to MFA

If you want to understand more about how Conditional Access works, Click Here. It will take you to a blog where you can watch a recent webinar recording where we looked at Conditional Access.

 

Final Remarks

MFA is an incredibly effective step to take in protecting our users (and organisations) against some of the most common information security threats of our age. Many IT teams don’t implement it as standard because of the pushback they get when their users complain about how irksome it can be to go through the MFA process over and over again. It’s easy for me to advise decision makers not to succumb to the pressure, however I appreciate that the reality is much different. That’s why a more realistic way to approach your MFA strategy may be to use it in conjunction with Conditional Access. By creating specific, scenario-based policies that only ask the user or user group to MFA when appropriate, we can create a sense of balance that benefits a user’s experience without compromising on security.

Get in touch if you would like to talk to Circle Cloud about how we can make Conditional Access and MFA work for your organisation.

 

 
Recent Posts

Some of our happy clients...

Mark Arundale
Managing Director- Sine Consulting

We moved to Circle Cloud just over a year ago because our IT was costing us productivity. There was a lot of downtime and unpredictability, which made running our business harder than it needed to be. Circle Cloud have made things so much more straightforward. Their IT Management Plans are perfect for our needs as a small business. The service is so clear and well designed, we have regular reviews and now have a more proactive and professional provider

Beverly Goodall
Managing Director- Abacus Bean

As the owner of an accountancy practice, there’s so much to think about. I need to stay focussed on our own products and services and making sure our customers are looked after. That’s why working with Circle Cloud has been perfect. They’ve taken away any concerns I’ve had around information security. The initial 30 day onboarding process made such a big difference, and the support we’ve had since has been excellent.

Andy Craddock
Managing Director- Accurate Data Services

In our industry it is critical to be constantly focussed on information security. At Accurate Data Services Ltd we always deal with extremely sensitive data, so remaining one step ahead of IS risk is our top priority.  We wanted to work with Circle Cloud because there IS infrastructure design continuously ticks all of the right boxes, can be delivered quickly and is scaleable.  It really is a comfort to everyone in the business that Circle Cloud are there, constantly having our back and making sure that our IS systems are always best in class.

Tony Crocker
Managing Director- IWC Wills & Probate

Circle Cloud’s IT Managed Service has been brilliant for us. It really is focussed on the security side of things. That matters a lot. When you think about all the emails and information that get shared on a daily basis, there is always that worry that something important might slip through. But Circle Cloud have put everything in place to make sure we’re safe.

Mark Pendlebury
IT Manager- Cosatto Limited

Working with Circle Cloud to implement the transition of our ERP system and SQL server into Azure has been a great choice. They have shown great knowledge of the platform and it's possibilities and have worked closely with us to ensure key project milestones and testing phases were met resulting in a successful and on time go live. Furthermore, they have also offered great advice and help on licensing to ensure costs are kept to a minimum.

Deborah Hugill
IT Director- Nigel Wright Ltd

We needed to modernise our server infrastructure in order to enhance resilience, as well as improve accessibility for our European workforce.  This is why we decided to move to the cloud, however we needed a supplier that could help us on our journey. We found the perfect technology partner in Circle Cloud, who specialise specifically in the Microsoft Cloud. They moved all our applications and files to Microsoft Azure which has proven extremely robust, ticking all the boxes we needed it to.

Urfan Durrani
IT Director- Protec International

As a business we had various challenges from moving a legacy on premise exchange system into hosted Office365 environment. Our Office365 system offers the users almost guaranteed uptime, accessible from any place and device, whilst its management facilities make it easier to monitor and control. The commitment to quality and care by Circle Cloud, provided the management team with assurances.

Craig Kippling
Director- Studio Anyo

We needed a telephone system that offered the functionality of a PBX solution. Circle Cloud were the perfect partner to guide us. They demonstrated how Microsoft Teams itself could be used as our full, business-wide telephone solution. They scoped our requirements and migrated our group to Microsoft Business Voice, which bolts seamlessly onto Microsoft Teams.  Our decentralised workforce can now make and receive business calls from anywhere using mobile apps and laptop headsets. This has proven invaluable over the last year and will assist in our future growth. 

Rebecca Pendlebury
Customer Care Manager- Scamp & Dude

As our Customer Care team grew we soon realised we needed to open up forms of contact for our customers. We also needed a system that was flexible and easy to use. As we already used Teams, it felt natural to incorporate Teams Voice and we couldn’t be happier with the result. As a result of Circle Cloud’s recommendations, implementation and training, we now have a happy team and customers.

Ian Burns
IT Services Manager- Waterton Academy

Circle Cloud’s offer of Office 365 security audits catered for every aspect of the brief, however it excelled in the way it was delivered to us as a customer. The added value area of mapping out detailed next steps alongside flagged areas was highly valued and demonstrated their unique ethos of being able to provide an external sound board/advisory presence and where needed, action change by their internal staff as a commissioned service. Based on the experience we had from Circle Cloud, including value for money, the accuracy and attentiveness from staff, we have now adopted the company as our external consultant for Microsoft cloud technologies.

John Painter
IT Systems & Development Manager- Denbury Homes

In November 2021 Circle Cloud were engaged after a shortlisting process, for a time sensitive tenant to tenant domain migration following a business separation- each tenant being wholly separate to the other. Several companies were contacted and their tools assessed, but none could provide a ‘one stop shop’. The expectation was that end users would see no visible difference with regards to experience or content, with the exception of a new temporary password and new MFA registration process. Circle Cloud were able to achieve this within the tight deadline. Denbury Homes are happy to recommend Circle Cloud for Office 365 and Azure Cloud to Cloud migrations, as well as On Premise to Cloud migrations.

Circle Cloud Limited
Company

Circle Cloud Ltd.
Fusion Hive
North Shore Road
TS18 2NB

  0191 672 7012
  info@circlecloud.co.uk
Products
Company
Social
Accreditation
  • ISO/IEC 27001
    Cert Number: IS 697 097
  • Cyber Essentials Certified
Site by Calm Digital Limited
© 2024 Circle Cloud Ltd.
Drop us a message...
Open Menu Open Menu
Contact Us
Open Menu Open Menu
CONTACT US