Cloud spending continues to grow in the US public sector, as federal agencies prioritize securing their IT infrastructure while controlling costs—goals that track with the 2021 executive order calling for government agencies to move more quickly toward secure cloud services. But even so, public sector agencies and other security-sensitive organizations will always need to maintain some IT capabilities on-premises.
Those two trends—the need to maintain key on-premises capabilities and the broader push to the cloud—can complicate organizations’ access needs.
That’s why government agencies and security-sensitive organizations rely on core SecurID capabilities to help them support secure access on-premises, in the cloud or both.
Let’s review what those capabilities are and how they help our public sector partners stay secure and productive:
One example of how SecurID hybrid cloud capabilities fulfill specific public-sector security requirements is in environments where hard tokens are required for multi-factor authentication (MFA).
While MFA today is frequently delivered via soft tokens deployed on smartphones, there are good reasons why a hard token is the delivery mechanism of choice in highly secured environments. For example, hard tokens represent the only option available for MFA in clean rooms and other workplaces where use of smartphones isn’t permitted.
But beyond those simple logistics, “a hard token represents the gold standard for secure authentication,” as Piers Bowness, SecurID Distinguished Engineer, has stated. “It’s an air-gapped hardware device, and many SecurID customers operating in sensitive environments prefer it for that reason.”
Organizations that deploy SecurID hard tokens on-premises can use them with SecurID MFA agents, web applications and RADIUS authentication, and manage them in the cloud using the SecurID Cloud Authentication Service (CAS). SecurID CAS can also be used to manage other vendors’ tokens, such as FIDO U2F and FIDO2-compatible devices.
The takeaway is that with SecurID, organizations that prefer to use hard tokens on-premises can still enjoy the important benefits that cloud affords—i.e., reducing costs by streamlining operations and eliminating overhead—while maintaining a full-featured solution for strong authentication.
“When we talk to customers about authentication in the cloud, they’ll sometimes express concern about what happens if they can’t connect to the cloud for some reason,” said Bowness. “One of the capabilities that differentiate SecurID hybrid cloud is the ability to failover to the on-premises SecurID Authentication Manager. It basically turns the on-premises component into a source of high availability cloud service.”
This failover capability ensures that SecurID hybrid cloud customers will still be able to authenticate using the on-premises component of their deployment if for some reason they cannot connect to the cloud.
Just as important as being able to connect when an internet connection is disrupted is being able to connect securely. That should go without saying, but what sets SecurID apart is the ability to deliver high availability without compromising security.
We achieve that balance by using an offline failover mode, as opposed to a fail-open approach. The latter allows users to log in without an internet connection, but without using MFA. That may ensure connectivity, but the lack of MFA can also leave an organization unprotected against threat actors looking for vulnerabilities (which is exactly what happened to the NGO described in this recent CISA alert).
While the ability to maintain convenient offline authentication is critical for any organization to operate productively, it should never be achieved at the cost of security, particularly in sensitive environments in the public sector space. SecurID has a long history of designing and engineering authentication products and solutions to be both convenient and secure. The SecurID hybrid cloud, with failover-based high availability, is no exception.
Learn about the range of solutions and pricing available for SecurID cloud and hybrid cloud deployments.
