What have you used to ensure that you have MFA on all externally facing systems and IT services?

499 views · 1 upvote · 4 comments
CISO in Insurance (except health), a year ago

Implementation is dependent on your network architecture, but the general process needs to start with your asset register and prioritization of external / internal interfaces. MFA is something that affects external stakeholder experience and can increase friction in some use cases, so it needs to be agreed with the business.

Ideally you would proxify all inbound connections through a brokered service already offering MFA as standard (the combo Entra + Intune on Azure works for this purpose, but you need well-trained engineers). Do take into account API interface connections if you have them, as well as pre-existing or legacy B2B channels, which might pose a challenge.

Whatever your implementation, you will need assurance: incorporate external pen-testing into the mix with the specific scope of detecting non-MFA enabled inbound vectors, then check if the results match your understanding. Much can be learnt with this if done properly.

Group Director of Information Security in Banking, a year ago

This is a five-step process to get it right. Someone gets their hands dirty without getting any credit for the effort, because that's what was expected by management in the first place. It's a program in itself, with each step a project within. If you're inheriting this mess from someone else who hasn't done it this way, all the best 2 u!

1. It starts with having an inventory of all applications, both internal and external facing, and their underlying stack (Web/OS/DB etc.) dependencies.
2. Demarcate them between internal and external facing.
3. Inventorise admin / privileged accounts on both internal and external applications (first) and then the underlying stack (second).
4. Push them all into a privileged access (PIM/PAM) solution and its vault.
5. Enable MFA via PAM on all privileged accounts.

The cherry on the cake will be to get all external and internal apps on an SSO solution.
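The five steps above reduce to a reconciliation between the application inventory and the PAM vault. The following is an added example, not code from anyone in this thread; the inventory and vault records, the field names (`exposure`, `stack`, `privileged_accounts`, `mfa_enforced`) and all application and account names are constructed for illustration. It demarcates the inventory, flattens the privileged accounts across each application and its stack, and reports which accounts are not yet vaulted and which are vaulted without MFA enforced, external-facing applications first.

```python
"""Reconcile an application inventory against a PAM vault for MFA coverage.

Added example; data shape and names are assumptions, not any product's export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    name: str
    exposure: str                 # "external" or "internal"
    stack: tuple                  # underlying components (web/os/db ...)
    privileged_accounts: tuple    # admin accounts on the app and its stack


@dataclass(frozen=True)
class VaultEntry:
    account: str
    mfa_enforced: bool            # MFA required by the PAM for checkout


# Constructed sample inventory (step 1); no real systems or accounts.
INVENTORY = [
    Application("customer-portal", "external", ("web", "os", "db"),
                ("portal-admin", "portal-db-sa", "portal-host-root")),
    Application("partner-api", "external", ("web", "os"),
                ("api-admin", "api-host-root")),
    Application("hr-intranet", "internal", ("web", "db"),
                ("hr-admin", "hr-db-sa")),
]

# Constructed vault contents (steps 4 and 5 partially done).
VAULT = [
    VaultEntry("portal-admin", True),
    VaultEntry("portal-db-sa", False),     # vaulted, MFA not yet switched on
    VaultEntry("api-admin", True),
    VaultEntry("hr-admin", True),
]


def demarcate(apps):
    """Step 2: split the inventory into external- and internal-facing apps."""
    external = [a for a in apps if a.exposure == "external"]
    internal = [a for a in apps if a.exposure == "internal"]
    return external, internal


def privileged_accounts(apps):
    """Step 3: map every privileged account (app and stack) to its application."""
    return {acct: app.name for app in apps for acct in app.privileged_accounts}


def coverage_gaps(apps, vault):
    """Steps 4-5: accounts missing from the vault, and vaulted accounts without MFA."""
    vaulted = {v.account: v.mfa_enforced for v in vault}
    owners = privileged_accounts(apps)
    not_vaulted = sorted(a for a in owners if a not in vaulted)
    no_mfa = sorted(a for a, on in vaulted.items() if a in owners and not on)
    return {"not_vaulted": not_vaulted, "vaulted_without_mfa": no_mfa}


def report(apps=INVENTORY, vault=VAULT):
    """Gap report keyed by exposure; external first so it is remediated first."""
    external, internal = demarcate(apps)
    return {
        "external": coverage_gaps(external, vault),
        "internal": coverage_gaps(internal, vault),
    }


if __name__ == "__main__":
    for tier, gaps in report().items():
        print(tier, gaps)
```

Run as a script it prints the two gap lists; in practice the inventory would come from the CMDB export and the vault list from the PAM product's reporting API, and the `external` block is the one that goes on the program's burn-down first.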

CISO in Government, a year ago

Force access through an SSO solution that includes MFA; without direct access to an external system, you can control how the authentication is provided.

Chief Information Security Officer in Finance (non-banking), a year ago

Great question, top of mind. I'd suggest:
1) Review your Application Inventory and assign an App Owner who validates MFA (a test script or screenshots of the config are ideal); and
2) perform a pen test, either internally via peer review or externally. This is a good starting use case for ASM to enumerate all IPs/DNS that have an auth prompt.

I'd like to hear how others have approached this as well. The Entra and Intune settings (inclusive of conditional access, App proxy and email) make it complex; it is rather easy to miss an MFA setting here, and when engineered right, it is a robust control against credential-based attacks.
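The two checks proposed in this thread (the first reply's pen-test scope of "inbound vectors without MFA" and the inventory-plus-ASM review just above) can be combined into one audit over a conditional access export. The following is an added example, not code from any participant or from Microsoft. It assumes the policy export follows the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.applications`, `grantControls`); the policy names, application ids, hostnames and ASM findings are constructed. It reports externally facing apps with no enabled policy that actually requires MFA for all users, the hostnames ASM saw with an auth prompt that map to those apps, hostnames ASM found that the inventory does not know about, and user exclusions on the enforcing policies.

```python
"""Audit a conditional access export for external apps lacking enforced MFA.

Added example. Policy shape is assumed to follow the Graph
conditionalAccessPolicy resource; all names, ids and hosts are constructed.
"""

POLICIES = [
    {"displayName": "Require MFA - all cloud apps",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-1"]},
         "applications": {"includeApplications": ["All"],
                          "excludeApplications": ["app-legacy-b2b"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - legacy B2B (pilot)",
     "state": "enabledForReportingButNotEnforced",   # report-only: not enforced
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": []},
         "applications": {"includeApplications": ["app-legacy-b2b"],
                          "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Constructed inventory: externally facing app id -> hostname (from step 1 above).
EXTERNAL_APPS = {"app-portal": "portal.example.test",
                 "app-legacy-b2b": "b2b.example.test"}

# Constructed ASM output: hostnames that returned an authentication prompt.
ASM_AUTH_PROMPTS = ["portal.example.test", "b2b.example.test",
                    "vpn-old.example.test"]


def enforces_mfa(policy, app_id):
    """True if this policy is enabled and requires MFA for all users of app_id."""
    if policy["state"] != "enabled":
        return False
    grant = policy["grantControls"]
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        return False
    # With operator "OR" any one listed control satisfies the grant, so MFA is
    # only guaranteed when it is the sole control; "AND" requires all of them.
    if grant.get("operator") == "OR" and len(controls) > 1:
        return False
    apps = policy["conditions"]["applications"]
    users = policy["conditions"]["users"]
    included = "All" in apps["includeApplications"] or app_id in apps["includeApplications"]
    excluded = app_id in apps.get("excludeApplications", [])
    return included and not excluded and "All" in users["includeUsers"]


def mfa_status(policies, app_ids):
    """Map each app id to the names of the policies that enforce MFA for it."""
    return {app: [p["displayName"] for p in policies if enforces_mfa(p, app)]
            for app in app_ids}


def audit(policies=POLICIES, external_apps=EXTERNAL_APPS, asm_hosts=ASM_AUTH_PROMPTS):
    """Reconcile policy coverage with the inventory and the ASM auth-prompt list."""
    status = mfa_status(policies, external_apps)
    uncovered = sorted(app for app, pols in status.items() if not pols)
    host_to_app = {host: app for app, host in external_apps.items()}
    # Auth prompts ASM found on hosts the inventory does not know are the
    # shadow entry points a pen test scoped at "non-MFA inbound" should chase.
    unknown_hosts = sorted(h for h in asm_hosts if h not in host_to_app)
    exposed_hosts = sorted(external_apps[a] for a in uncovered)
    # Exclusions on enforcing policies: a break-glass account is expected,
    # a long list is where an MFA setting quietly stops applying.
    exclusions = {p["displayName"]: p["conditions"]["users"].get("excludeUsers", [])
                 for p in policies
                 if p["state"] == "enabled" and p["conditions"]["users"].get("excludeUsers")}
    return {"apps_without_enforced_mfa": uncovered,
            "auth_hosts_without_enforced_mfa": exposed_hosts,
            "auth_hosts_not_in_inventory": unknown_hosts,
            "user_exclusions": exclusions}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

In the constructed data the legacy B2B app is excluded from the tenant-wide policy and its own policy is still in report-only mode, so it surfaces as uncovered even though two policies mention it, which is the kind of miss the reply above describes. The `operator` check matters because a policy that requires "one of" MFA or a compliant device lets a compliant device sign in with no MFA at all.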
