Can We Justify Not Using MFA with Strict Physical Security Measures?

Asked By TechGenie89

I'm trying to figure out if we can justify not implementing Multi-Factor Authentication (MFA) for a system that has some pretty strict physical security measures in place. The computers involved only have local user accounts, but to access these computers, you need to have an RFID badge to enter the room where they're kept. Getting these badges requires approval from both the contractor company and the government agency that holds the contract. Entry to the campus, the building, and even the specific rooms housing the equipment each require separate approvals.

The equipment itself doesn't store or process sensitive user or company data. Instead, it serves to simulate hardware for software testing or connects to real hardware in secure facilities for testing. These systems are wiped and rebuilt regularly, and some are not used for extended periods. Implementing MFA could be problematic due to high turnover of users, large user base per location, and the lack of on-site support for resolving authentication issues. There's only one site with remote access, and even that requires a specially configured MFA-enabled machine. I'm looking to see if we can argue that we're already utilizing some form of MFA through these strict access protocols or if we need additional justifications for not implementing it at all.

3 Answers

Answered By RoomGuardian

If those machines are truly isolated and require physical access with strong identity checks, you might argue that you have a different set of controls in place. But be careful; if they ever connect to any networks, even briefly, you'll need to rethink that argument. Keeping a focus on the severity of your data and the potential consequences can help frame your justification for exemptions from MFA.

ExaminedThreats -

Right! We can’t have any connections to other networks, so we’re a bit safer that way. Just need to prove that those controls we have are enough.

Answered By SecureZone42

Technically, what you have isn't really MFA; it's more like multiple layers of single-factor authentication. While those layers offer decent physical security, they might not satisfy MFA standards since the authentication to the PC itself appears to be just a password after getting through the door. You might need to consider how easily someone could tailgate in or what happens if the computer leaves that secure area.

LockedDown2022 -

Exactly! Even with tight physical controls, you can't guarantee security if someone can just hold the door for someone else. It's all about making sure you're authenticating the user properly.

Answered By QuestioningSecurity

You might find it beneficial to talk it over with your cybersecurity insurance provider to get a better view. They can help clarify if your controls might qualify as compensating controls for your specific scenario and keep you covered in case of an audit.

AuditReady -

Definitely! I think that’s a smart move. Getting that third-party opinion could help us substantiate our claim.
