SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Google's Cloud mandates MFA, sparking mixed reactions

Thu, 7th Nov 2024

Google's recent announcement to mandate multifactor authentication (MFA) for all Cloud accounts has sparked a spectrum of reactions across the cybersecurity sector.

The move is part of an effort to bolster security as user identity increasingly becomes a preferred attack vector for cybercriminals.

Ed Russell, the CISO Business Manager at Qodea, emphasised the necessity for organisations to proactively address potential challenges associated with adopting MFA. "Mandatory multifactor authentication (MFA) is a welcome move from Google as user identity remains a primary attack vector used by bad actors," noted Russell.

He acknowledged that while passwords alone are inadequate to protect sensitive information, MFA adds crucial verification layers to defend against data breaches. Nonetheless, Russell cautioned that such mandates could disrupt existing routines within organisations, underscoring the importance of comprehensive training and preparation for a seamless transition to the new security protocols.

Research cited by Russell highlighted deficiencies in skills and understanding as significant barriers to adopting zero trust controls in the past. Consequently, he urged firms to utilise either internal teams or external partners to ensure full compliance with the upcoming MFA requirements.

Mike Britton, CIO of Abnormal Security, echoed the sentiment that Google's MFA mandate is essential yet overdue. "The move by Google Cloud to make MFA mandatory is long overdue. This is a foundational security service that should be 100% mandatory for all software and platform providers," he asserted. Britton elaborated that fundamental security features like MFA should not be monetised unless financial constraints mandate otherwise, arguing that they should be part of the basic offering for all software and platform providers.

However, there remains a divide in the industry regarding the sufficiency of MFA for enterprise protections. Jasson Casey, CEO of Beyond Identity, expressed reservations about the efficacy of basic MFA measures against sophisticated threats faced by enterprises.

"Google's MFA mandate marks a baseline step for consumer security, but it falls short for enterprise protection," Casey stated. He pointed out that advanced phishing operations can exploit traditional MFA systems, leading various US government agencies to push for more robust, phishing-resistant MFA protocols.

According to Casey, while the emphasis on MFA is a notable advance for consumer security, it does not adequately address the needs of enterprise-level defences.

The cybersecurity community's response highlights the balance organisations must strike between implementing comprehensive security measures and maintaining operational efficiency.

As cyber threats continue to evolve, the discussions underscore the urgent need for companies to assess their cybersecurity strategies in anticipation of Google's changes. The call for training, skill development, and a reevaluation of existing security protocols resonates as firms brace for the mandatory MFA integration.
