Multi-Factor Authentication

MFA/2FA is now a basic, staple security control that we have all come to know and use. It should be in place everywhere possible (and on all cloud services) for users and administrators.

The Cyber Essentials standard requires Multi-Factor/Two-Factor Authentication (MFA/2FA) to be enabled on all cloud platforms, for all users and administrators, wherever there is an ability to deliver it, in any way.

That is, by any of the following:

  • A more expensive offering from your provider
  • Utilising Single Sign-On / OAuth solutions
  • Utilising technology from a third party

Thus, if there is an ability to deliver MFA/2FA for your cloud service, as per the above, you are required either to deliver it or to cease using the platform. If, however, there is no method of delivering MFA/2FA for your platform, there is of course nothing you can do other than question whether you should still be using it, and so this will not fail your Cyber Essentials assessment.

Of course, you should already have this in place if you want to secure your cloud systems and reduce your risk of a breach. Enabling it on every system, service and technology platform, whether cloud or on-premises, wherever you can, is just a good thing to do!

The National Cyber Security Centre (NCSC) suggests that, where one of your cloud platforms doesn't support MFA/2FA, you should consider finding an alternative.

Where a cloud service lets you have a unique admin account and you can manage the users within the platform, you should have a unique admin account for that service.

What is a cloud platform or service in Cyber Essentials?

Start work now on getting MFA enabled for all your cloud services and ensure that every provider you are using is set up to allow Multi-Factor / Two-Factor Authentication for all Admins and Users within their platform.

Remember, we DO NOT DO DATA CLASSIFICATION within Cyber Essentials, so we don't care what data the cloud service has in it. If it's used in the business and you can manage it (i.e. someone else doesn't provide the logins and manage it, as the bank will for a bank account), we are interested in it as one of your cloud services.