Matthias Reinwarth and John Tolbert talk about profound implications of security products not having their administrative interfaces sufficiently secured with technologies like multi-factor authentication.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is my fellow analyst and colleague John Tolbert. He's a lead analyst for KuppingerCole in the US and he's located in Seattle. Hi John. Hi Matthias. Good to be with you today. Great to have you again, and great that you suggested such a great topic to talk about. And we are starting with a question that you raised, and the question reads: when is a security product not a security product?
And where does that come from, John? You know, we cover identity and security products across the board. And I think there are lots of interesting and very useful security products that are out there, but if they don't strongly consider their own internal product or service security, then I think that winds up being a pretty distinct weakness. And the focus here today is on the use of strong or multi-factor authentication to get into those security products.
I've seen a number of different security products, be it endpoint protection, endpoint detection and response, or even network detection and response kinds of products, that do offer a lot of value for their customers, but have a pretty significant weakness in that they don't necessarily allow for strong authentication of administrators. So I would say, you know, based on what I've seen lately, maybe as many as a third of the products that are out there don't have a good multi-factor authentication or even basic two-factor authentication option.
And I see that as a fairly significant problem. Completely agree. It's almost incomprehensible that they provide a solution that actually should heighten the level of security, but actually has this weakness at the front door. So what are these types of tools where this multi-factor authentication is missing? Where is it needed there?
You know, specifically, I would say, as many different kinds of product vendors are moving their products to the cloud, especially management consoles, that's where, you know, we have to have more than username and password to get into one of these cloud-based management consoles. So let's say you're operating an endpoint protection system for your enterprise and you are using the cloud-hosted service. If you can get into that with, you know, an admin name and password, even if you can change the password, that's really not enough.
I think it's imperative that security vendors allow for multiple forms of multi-factor authentication and be able to design policies around that. You know, this would be a great place to start integrating with some of the IDaaS, identity as a service, or other IAM kinds of products, to be able to be a good front end for these security platforms. Right.
And when we look at these cloud platforms, there's also no real sense in integrating that into an overall, say, privileged access management, because for every other person it is still available online with username and password. Even if you integrate it into a corporate PAM solution, every other person is still able to just use the weak authentication, though. Yeah.
You know, I mean, there are various workarounds that are possible. Let's say you take the on-premises version of a management console and you put that on your premises and you, let's say, secure it with some sort of web access management product.
That's a decent workaround. Or if you provide, you know, extensibility to where maybe you could use an LDAP or an Active Directory account to manage it, but yeah, you're right.
I mean, we still need things like privileged access management to control which admins can do which kinds of things. So, I mean, I think there are workarounds that people can put into place for on-premises deployments, but I really think that security vendors need to focus on making that easy for their customers, and then especially since many of these vendors are actively pushing their customers to use their SaaS-based consoles.
That's where I think immediate development really needs to happen, to be able to integrate either accounts from on-premises via, let's say, SAML federation or OAuth or something like that, or, you know, allow people to set up accounts with IDaaS providers and then be able to federate to the security console that way. Just anything to get away from username and password, because let's just think about a scenario where you have an unsecured admin console that a bad guy could access and, you know, through password guessing, get in and maybe start selectively weakening or deactivating some security controls.
I mean, you can almost envision something like that happening with a major APT campaign or, you know, a cybercrime campaign. Maybe they're trying to capture trade secrets or, you know, lots of PII or payment card data. You know, it may not be something that's so flagrant as to catch the attention of administrators by turning off everything at once.
But, you know, it could be part of an overall breach campaign. So making it harder for things like that to happen by introducing multi-factor authentication, strong authentication, I think those are important considerations that security vendors should be thinking about.
Yeah, absolutely. Because if you think of where you would expect the bad guy to be, it's most probably not within your security solution. So that is really something where you probably need protection here. You've mentioned the acronym APT; maybe that is not known to every one of our listeners. Could you just explain that a bit? Sure.
Advanced persistent threats. Those are usually either state actors or, you know, corporate espionage agents going after important intellectual property from organizations around the world. Those are the kinds of campaigns, the things that tools like endpoint detection and response and network detection and response are designed to be able to find, even if they get missed by other security tools. Right. Thank you. Can you give a percentage of how many of the solutions that you recently examined have this weakness?
Yeah, I would say probably a third don't really have good solutions for multi-factor authentication. A few of those may have some ways of making it happen if you do extensive customization, maybe including coding, but I really think the focus of security vendors needs to be on making it easy for their customers to do MFA to the admin console and then being able to make it required. Really, a username and password combo should not be something that would let you into a security product, period. So being able to use MFA should be a requirement more than just an option. Right?
And maybe it's also, in an ideal world, something that lets you log in to more than one platform securely at a time, because we are all talking about layered security, so more than one security solution in place at the same time. And if you really have to have an account on each of these systems with varying passwords, that really sounds like the 1990s. So that should really be prevented. So as we are analysts here and we look at this market, we try to help and assist our customers in finding the right solution.
So what should customers that are looking for these often really interesting and technically sophisticated solutions do? What should they do when they come across this issue? First of all, they should look at it; that's something that I take away from you today. But what is their option then?
Well, you know, from a vendor point of view, I would say if you don't have multi-factor authentication natively within your solution, it should be on the very near-term roadmap. And you can make that a little bit easier by supporting, let's say, SAML for federation so that customers can use existing accounts they have, or maybe partner with, again, some of those identity as a service providers. That can go much quicker than if you have to go out and build the code up yourself from a vendor perspective.
But you know, in an end-user organization, you know, the customers of these security vendors, I would say I'm normally skeptical about products that don't cover all the different aspects of security. I would say, if you don't have it in your current product, ask your security vendor when they plan to support multi-factor authentication for administrators. If it turns out that they do, then use it and get that turned on and in place as quickly as possible.
If not, if they say it's on their near-term roadmap, then good, hold out for that. Continue to pressure the vendor if you've got any sway over the roadmap. And then if it really doesn't seem like it resonates with the vendor as a high-priority item, I would say it might even be time to think about looking at different vendors in those cases. Right?
As you are doing lots of briefings with these vendors, is this also feedback that you just give them when doing their briefings and they don't have this functionality in place?
Yes, definitely. You know, in the recent Leadership Compasses that I have published and ones that I'm working on now, I do call that out in each section: who supports multi-factor authentication or who supports federation, because I think that's something that security-minded customers really want to know.
Yeah, I fully agree. And I think that when our listeners maybe have a look at one of your Leadership Compasses afterwards, they will find this as one item in the list of criteria to look at. So really that is more or less even a showstopper.
Yeah, I do. I, you know, I would say grade pretty hard on that. So not only do I mention what they have available, if MFA is available, but if for some reason it's not, then yeah, that definitely negatively affects their security scores in Leadership Compasses. Right. So if a security solution is not implemented by the principle of security by design, there is, yeah, there's some mismatch. Okay.
So thank you very much, John. Actually looking into the Leadership Compass and trying to identify those solutions, or just asking your vendor whether the product is capable of implementing MFA, should be the key takeaway for today. Anything else that you would like to add as a summary?
No, that pretty much covers it. I think, you know, consider security as a whole. It's great to have groundbreaking features in a security product, but they also have to cover the basics. Things like authentication, access control, least privilege; just do a thorough examination of all the different aspects of product or service security when you're selecting a vendor. Right.
And for all of those who are listening, if you're interested in examining state-of-the-art security technologies and assessing them, please feel free to drop by the KuppingerCole website and have a look at the reports that John, for example, and all our colleagues actually provide when it comes to looking at different market segments. Thank you very much, John, for dropping by again. Stay safe and, yeah, thank you very much. Thank you. Bye bye. Bye.