CYBER ESSENTIALS MYTHCONCEPTION 2: MFA on Cloud Services



In this post in our series on Cyber Essentials "Mythconceptions", we tackle the myth:

 

    "Since MFA is now required on cloud services, we can't use a cloud service that does not have MFA."



MFA is a very important account security control that should be available on all services. But the fact is that MFA is not available on all cloud services and applications. However, using these services will not prevent you from getting Cyber Essentials certified.

 

The rule is: if MFA is offered by the service, then you need to enable it. If MFA is not offered, then there is no impact on your Cyber Essentials compliance. Some cloud services offer MFA for an additional cost, so a consequence of this rule is that if MFA is available, you are required to enable it, even if you have to pay to enable it.

 

This should calm any fears that business-critical cloud services that don't offer MFA will be a blocker to your certification.

 

The 2022 rules say that administrative accounts must have MFA enabled, if available. End user accounts don't have to have MFA enabled until 2023, but you are required to report whether it is enabled for users until it becomes mandatory. This gives you some time to roll out MFA to your end users in a user-friendly way.

 

Barrier's "Securely Compliant Tips" for MFA on the cloud

The following tips are offered as inspiration to help you devise a strategy for cloud MFA in your organisation for compliance and beyond:

  1. Manage your SaaS security and MFA by adding a CASB or SASE security layer. These technologies can add MFA to services that do not offer it, as well as adding a lot more security, monitoring and control to cloud services.

  2. You should consider the risks of continuing to use services that do not have MFA on their accounts. Then assess whether you wish to switch to more secure services.

  3. There is a range of "MFA-equivalent" options that Cyber Essentials will accept. We have a Mythconception post in this series on this topic.

 

For any questions, contact IASME: https://iasme.co.uk/contact-us for official Cyber Essentials queries,

or Barrier Networks: https://www.barriernetworks.com/contact-us to schedule a Cyber Essentials assessment or help with anything from the Tips.

Jordan Schroeder