Local Governments Concerned With Security Should Lead With Multi-Factor Authentication
New Orleans, Louisiana
Nation-states attempt to breach New Orleans’ systems “all the time,” so the city recently upped its defenses for law enforcement and several other departments and apps.
Part of the consent decree the city of New Orleans entered into with the U.S. Department of Justice in 2013, after Hurricane Katrina shed light on local police misconduct, required the city to build two-factor authentication systems protecting law enforcement accounts.
The primary goal was to make the government workforce more resilient, said New Orleans Security Manager and Enterprise Architect Freud Alexandre, as nation-states attempt to breach the city’s systems “all the time.”
Such attacks have become less frequent since New Orleans added a security stack protecting its “front door and back door and every closet in between,” he said.
“Now we know everybody in our environment is truly in our environment,” Alexandre added in an interview. “We’re able to sense from geolocation if a possible attack has happened.”
Central to the city’s efforts is Irvine, California-based multi-factor authentication provider SecureAuth, whose adaptive platform prevents against the misuse of valid credentials and went live in the first quarter of 2016.
SecureAuth flags logins from abnormal locations and anonymous browsers like Tor, uses pre-authentication checks, and can even identify unusual typing patterns on devices. Once a user has been authenticated, a single sign-on is all that’s required for any department or app.
“If you’re not using the right MacBook, you’re not getting in,” said Craig Lund, SecureAuth founder and CEO.
New Orleans’ Finance Department’s system is going online right now, and the police department set-up only took a few months after the public bid was awarded. Set-up for a 10,000-user city on a couple apps takes under two weeks, Lund said.
Passwords and even two-factor authentication just aren’t cutting it anymore where security is concerned, he added, and identity-centric protection is supplanting endpoint / network protection.
Cybersecurity “incidents,” where an attack coincides with natural disaster or other emergency, are a growing concern for cities. Hurricane Katrina in 2005 left New Orleans vulnerable to such an incident, though none occurred.
“An incident’s an incident, and we respond accordingly. We are on high-end alert but don’t separate the two,” Alexandre said. “We try to make sure we shore up everything in the environment.”
SecureAuth works with police databases to layer adaptive techniques that make it harder to get into those highly sensitive environments.
Future-proofing is important, Lund said, and the company is currently developing new, industry-specific intelligence feeds and building our a law enforcement dashboard of known bad actors and organizations.
“So we’re trying to build more vertical-specific threat analysis and feed that into the front end of the process,” he said. “The more we know up front, the more security there is.”
On the back end, behavior analytics are king. Letting in a “good guy” doesn’t mean the platform stops analyzing user data to ensure he or she isn’t doing something they shouldn’t—what Lund calls the “Snowden effect.”
In New Orleans, the government workforce is now confident it has access to the resources it wants, and the service desk no longer fields calls for small items like changing passwords.
“We’ve had the benefit of employing a variety of tools, but in my opinion this was probably one of the things we should’ve led with,” Alexandre said. “It provided me flexibility and coverage for the entire environment.”
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington D.C.
NEXT STORY: USDA helps students get hands-on data science experience