

In their keynote at AWS re:Inforce 2022, AWS’ Steven Schmidt, chief information security officer, and Kurt Kufeld, platform vice president, repeated a theme that was heard at the RSA conference earlier this year: Enterprise-level companies have to up their multifactor authentication game.
AWS deals with “quadrillions of events every month,” according to Schmidt. A quadrillion has 15 zeros, a number beyond the comprehension of most of us. Cloud competitor Microsoft reports 50 million password attacks against its Azure Active Directory every day. Yet while enforcing MFA can block the overwhelming majority of account-takeover attempts, including phishing, with Microsoft putting the figure at 99.9%, only a small percentage of organizations actually require it as part of their single sign-on.
Why?
“Because it introduces friction, and all of a sudden people can’t get their jobs done,” said Jay Bretzmann (pictured, right), research director for cybersecurity and industry analyst at International Data Corp. “And the whole point of a network is letting people on to get that data they want to get to.”
Bretzmann and Philip Bues (pictured, left), research manager for cloud security at IDC, spoke with theCUBE industry analysts John Furrier and Dave Vellante at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. The discussion covered trends in identity management security and cloud data security. (* Disclosure below.)
Despite the prevalence of the word “seamless” in cybersecurity product pitches, the day-to-day reality of security is anything but simple. Identity verification dates back to the mainframe era, and many companies are still carrying the baggage of security designed for on-premises Active Directory, according to Bretzmann. So while born-in-the-cloud companies may find it easy to implement universal identity verification in the cloud, it’s a different situation for the traditional enterprise.
“If you ask different suppliers ‘What percent of your base that does SSO also does MFA?’ one of the biggest suppliers out there, Microsoft, will tell you it’s under 25%. That’s pretty shocking,” Bretzmann stated.
Not so long ago, MFA usually meant a one-time code sent through Short Message Service. That method is no longer recommended: the United States National Institute of Standards and Technology’s “Digital Identity Guidelines” (SP 800-63B) classify out-of-band codes sent over the public telephone network, SMS included, as a “restricted” authenticator because they are relatively easy to intercept or redirect.
SMS is susceptible to man-in-the-middle attacks because it rides on the Signaling System 7 telephony protocol, according to Bretzmann. Developed in 1975, SS7 “predates anything. There’s no certification either side,” he said.
In addition, SIM-swap attacks have become common: an attacker persuades or bribes a carrier into moving the victim’s phone number onto a Subscriber Identity Module, or SIM card, that the attacker controls, so the victim’s SMS codes are delivered to the attacker and the accounts they protect are compromised.
Modern best practices for MFA include push notifications sent to secured mobile devices that can’t be acted on without first unlocking the device. One big player in the market is Cisco Duo, which has wide adoption because many companies already use Cisco’s network services, according to Bretzmann. Plain approve/deny prompts have a weakness of their own: an attacker who already holds the password can send prompt after prompt until a worn-down user taps approve, which is why vendors now layer number matching on top of the push.
“Push can be a red ‘X’ and a green check mark to your phone. It can be a QR code somewhere; it can be an email push as well,” he said. “So that is the next easiest thing to adopt after SMS.”
Another development in dynamic identification is the adoption of public key infrastructure, or PKI. Data is encrypted and signed, and identity is authenticated via a digital certificate rather than a shared secret. This makes sense given the prevalence of personal smart devices, according to Bretzmann.
“You can have an agent on that smart device generate your private key and then push out a public key. So the private key never leaves your device,” he explained.
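The flow Bretzmann describes, a device-resident private key with only the public key handed to the service, is what makes FIDO2/WebAuthn authenticators phishing-resistant. The Go program below is an added illustration written for this page, not code from the interview, AWS or any vendor mentioned. It uses the standard library’s Ed25519 in place of a hardware-backed key, and the user name, origins and challenge format are hypothetical: the real protocol carries the origin in the browser-supplied client data, signs a CBOR structure and uses a registered relying-party ID, none of which is reproduced here. What it does show is the three properties that matter: the private key never leaves the `Device` type, a captured assertion cannot be replayed because the server consumes each challenge once, and a signature produced for a look-alike phishing origin fails verification at the genuine site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the user's phone or security key. The private key lives only
// inside this struct; the sole operation exposed is signing a challenge.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material pushed to the server at enrollment.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign binds the origin the user is actually visiting into the signed message,
// standing in for the origin a browser would place in the client data.
func (d *Device) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, assertionMessage(origin, challenge))
}

func assertionMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Server stores only public keys and the challenges it has issued.
type Server struct {
	origin     string
	users      map[string]ed25519.PublicKey
	challenges map[string]string // hex(challenge) -> user; deleted once used
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce tied to the user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = user
	return c, nil
}

var ErrAuthFailed = errors.New("authentication failed")

// Verify accepts a signature only if it covers this server's own origin and a
// challenge it issued to that user. The challenge is removed on first use so a
// captured assertion cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if owner, ok := s.challenges[key]; !ok || owner != user {
		return ErrAuthFailed
	}
	delete(s.challenges, key)
	if !ed25519.Verify(s.users[user], assertionMessage(s.origin, challenge), sig) {
		return ErrAuthFailed
	}
	return nil
}

// Demo runs enrollment, a genuine login, a replay of that login, and a
// phishing relay, returning whether each behaved as a secure system should.
// Hypothetical user and origins constructed for this example.
func Demo() (loginOK, replayRejected, phishRejected bool, err error) {
	dev, err := NewDevice()
	if err != nil {
		return
	}
	srv := NewServer("https://login.example.com")
	srv.Enroll("alice", dev.PublicKey())

	c, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig := dev.Sign("https://login.example.com", c)
	loginOK = srv.Verify("alice", c, sig) == nil
	replayRejected = srv.Verify("alice", c, sig) != nil

	// Phishing: the attacker relays a real challenge to a look-alike site, but
	// the device signs for the origin the user actually visited.
	c2, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	phishSig := dev.Sign("https://login-example.com.evil.test", c2)
	phishRejected = srv.Verify("alice", c2, phishSig) != nil
	return
}

func main() {
	l, r, p, err := Demo()
	fmt.Println("login ok:", l, "replay rejected:", r, "phishing rejected:", p, "err:", err)
}
```

Contrast this with an SMS or TOTP code: the code is a bearer secret that works wherever it is typed, so a proxy site that forwards it to the real login page succeeds. Here the attacker relaying the challenge gets back a signature over the wrong origin, which the genuine server discards.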
The big question for data security in the cloud is how to secure complex multicloud environments when trained security personnel are hard to find. The answer seems to be through open-source, automated solutions.
“Open source continues to proliferate around the automated reasoning, [and] I think that makes sense,” Bues said. “You want to provide guide rails, you want to provide roadmaps, and you want to have sort of that guidance.”
Another trend is that companies are combating cybercrime by sharing intelligence: “Some of the recent directives from the [US] Executive Branch make it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall,” Bues added.
Sharing data carries its own risk, however. When the keynote speakers said “encrypt everything,” they were talking only about data at rest, Furrier pointed out. “What about data in flight?” he asked.
The trend toward consolidation and integration in cloud security continues, according to Bues.
“In the runtime detection, [it] makes perfect sense to have both the agent and agentless so that you’re covering any of the gaps that might exist,” he stated.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS re:Inforce event:
(* Disclosure: This is an unsponsored editorial segment. However, theCUBE is a paid media partner for AWS re:Inforce. Amazon Web Services Inc. and other sponsors of theCUBE’s event coverage have no editorial control over content on theCUBE or SiliconANGLE.)