In this blog I explain why it makes sense to use the same endpoint security solution for both encryption for data at rest on the device and authentication to servers and web services such as SaaS.
First; what are the core attributes of a good endpoint encryption solution?
By endpoint encryption I mean Full Disk Encryption (FDE) or File and Folder encryption. The encryption should occur transparently and have little or no impact on the user’s daily experience. Users probably don’t even know it is happening. But how can you trust that the encryption is done correctly if you cannot “see” it. The answer is to select a vendor that has been doing it right for many years, uses standard algorithms like AES and as been awarded third party certifications like FIPS 140. For the encryption it is all about the cryptography, standards and certifications.
That said, encryption without authentication does not provide confidentiality. So strong user authentication at pre-boot BEFORE the data is decrypted is important.
Then there is key management and recovery for users that get locked out of their encrypted data for whatever reason. Strong central enterprise-wide management is also mandatory for setting, enforcing and reporting on standard configurations that implement enterprise policy. A centralized management platform can provide reports to prove to your risk team and auditors that the enterprises fleet of devices is protected with encryption.
Second; what are the core attributes of good authentication for remote systems?
Passwords are neither secure nor provide a good user experience. Methods to shore passwords up with SMS Text, Out Of Band (OOB) Push and OTP (One Time Password) all have usability and security drawbacks. The user is at the endpoint when Authentication occurs, and the remote system (relying party) is sitting on the other side of some internal or external network connection. The two ends of that connection should not share a secret because they will be suspectable to MITM (Man In The Middle) attacks, server data base attacks and phishing attacks.
Asymmetric crypto-based authentication – where the endpoint has a private key and the server has the corresponding public key – is the best approach to eliminating the “shared secret” problem. This is a core attribute of a good authentication system. This asymmetric-based crypto is what underpins Smart Cards and FIDO Security Keys.
As with encryption, there is also a need for key management and recovery for users that lose their authenticators (security key). Similarly, strong central enterprise-wide management is a must for setting, enforcing and reporting on standard configurations that implement enterprise policy.
Advantages of Combining Encryption and Authentication at the endpoint under one technology.
If your organization needs both endpoint encryption and strong authentication, then security is obviously an important requirement. Done right, they both will have a very firm foundation in cryptography and key management. A product that can provide both – managed well from the same console – will reduce attack surface and will reduce IT costs to both deploy and manage security on an ongoing basis.
The user authentication to the endpoint for FDE happens in a confined operating environment before the even the OS is loaded. The trust established at pre-boot can then be leveraged into the OS environment, which is the users jumping-off point for access to remote systems.
This trust can be used to make authentication into the remote systems less burdensome and more transparent for the user. After all, it is the security key that does all the hard asymmetric crypto work on the behalf of the legitimate user.
Here is an example of a day in the life of a user with integrated Full Disk Encryption and Authentication where it all works together seamlessly:
1. Power on the computer
2. User is prompted for pre-boot authentication BEFORE the OS is even loaded, for strong security.
|3. User enters a short 6 digit PIN to unlock the computers security hardware (Just like when powering up an iPhone) Then, transparently, and automatically the drive encryption is cryptographically unlocked, the OS is decrypted as it is loaded into memory and the user is logged into their Windows account.|
|4. Users connects to Salesforce,
Enters their Salesforce password (Salesforce is 2nd factor authentication)
Uses biometrics (e.g. finger print) as the 2nd authentication factor
or perhaps just touches a button to confirm user presence.
5. User starts their VPN app.User is prompted for their PIN, the same one as used at pre-boot. (No password to enter, not even a username to enter)
|6. User is prompted by Microsoft Office 365 to authenticate
Uses biometrics (e.g., finger print) as the authentication factor
or perhaps just touches a button to confirm user presence.
(No password to enter)
In the above example the user never once has had to remember their AD Windows password or enter it. All they all to do is swipe their finger or remember a single simple short PIN. Most importantly, the PIN and biometrics are both local to the device and are never sent over the network. Under the covers, one product orchestrates the strong cryptographic authentication and encryption that is occurring – totally transparent to the user.
More to the Journey
In the example above I am using a Salesforce password along with asymmetric crypto (a Security key) to authenticate. Salesforce has mandated that all users must have MFA (Multi-Factor Authentication) by Feb 2022. That reduces the reliance on Salesforce passwords for security, but doesn’t eliminate them. It is a step in the right direction, but some of the disadvantages of passwords remain. There is still more to the journey. I hope that some day Salesforce will enable passwordless logon. When they do it will be a mere configuration change for enterprises that have a strong crypto-based system in place. After that, the next step is to eliminate the password altogether on the server side.
Even then there will still always be emerging threats. Centrally managed crypto-based technology provides a firm foundation to adapt – and is well suited – to addressing emerging threats. The SolarWinds’ MFA bypass attack is an example of a new kind of attack that doesn’t rely on directly defeating the MFA. Rather it bypasses MFA by faking the session cookie or token that the server can store on the user’s endpoint device, thereby authorizing continued access after the initial authentication is performed. With a strong crypto based presence on the endpoint there is the opportunity to cryptographically protect the cookie with the endpoint’s private key so that the server can detect if the session is hijacked to another endpoint.
(See here for more details https://www.winmagic.com/blog/endpoint-vs-oob-authentication/ )
It makes sense to use the same endpoint security solution for both encryption and authentication. They both require a strong presence on the device, and when done right both require strong foundations in cryptography, are as transparent as possible, and provide a consistent user experience. If both can be managed by the enterprise through one console, it can decrease IT costs.