Where is multi factor authentication in the 2017 Australian Government Information Security Manual?

This post is going to be a bit dry; it is written to give an accurate overview of exactly where the multi-factor authentication controls can be found in the 2017 Australian Government Information Security Manual (ISM). It is accurate as at the 3rd of March 2017. If you are in a security or IT decision-making role, and are considering whether multiple factors of authentication should be part of your security apparatus, the ISM provides both a minimum standard for accreditation and guidance that can be used to inform your risk assessment. Each control is contextual and doesn’t apply to every situation – you should seek a qualified opinion from a member of the IRAP program to ensure that you are assessing the right controls.

The minimum standard is imposed through controls that are listed as “must” for compliance purposes. In areas where some weighing of control against ease of access is appropriate, the controls are listed as “should”. What is clear from the ISM is that for system administrative activities, it is not considered acceptable to act without multiple factors of authentication. In some individual user access scenarios, though, multiple factors are listed as “should”. This lessening of controls for end users gives each agency scope to consider the level of risk associated with access to the system, the level of burden that it is appropriate for users of that system to bear, and the level of operational complexity that the additional factors add.

As always, prior to looking at controls, the grade of information the service will carry needs to be decided. The cost of achieving each higher classification rises substantially, and each successive classification focuses more on access control than on ease of access. From a risk perspective, whether each “should” ought to be treated as a “must” should also be considered. Appropriately qualified security and risk management personnel should be engaged to advise on these matters.

From a pure control standpoint, the controls focused on multi-factor authentication are listed below; each applies to all classifications –

  • 0974 – “Agencies should use multi-factor authentication for all users.”
  • 1039 – “Agencies should use multi-factor authentication for access to gateways.”
  • 1173 – “Agencies must use multi-factor authentication for” – system and database administrators, privileged users, positions of trust and remote access.
  • 1384 – “Agencies must ensure that all privileged actions must pass through at least one multi-factor authentication process.”
  • 1401 – “Agencies using passphrases as part of a multi-factor authentication must ensure a minimum length of six alphabetic characters with no complexity requirement.”

Some discussion of multi-factor authentication can also be found in the “Access Control” section of the ISM – Principles manual.

All the documentation you need can be found at https://www.asd.gov.au/infosec/ism/index.htm

The 2017 ISM – Controls can be found at – https://www.asd.gov.au/publications/Information_Security_Manual_2017_Controls.pdf

The 2016 ISM (the latest) – Principles can be found at – https://www.asd.gov.au/publications/Information_Security_Manual_2016_Principles.pdf

What access security really is, and the myth of “totally secure”

A good definition of security will let you do two things –

  • Make more objective decisions about how much to spend on security.
  • Sort out who doesn’t know what they’re talking about (and who is lying).

So what is security as it relates to access?

Access security is the process of making access cheap for people who are authorised, and expensive for people who are not authorised.

That’s a simple but objectively useful definition. It’s useful because it can be applied directly to every form of access security – armed guards, door locks, IT security, theft laws – it’s universal. With the definition in place, you can move on to a conversation about how expensive access should be, and then think about how you invest. Any investment in security should introduce significantly more cost for someone attempting unauthorised access.

In the light of that definition, it’s also easy to see why “totally secure” is a myth. Once any form of access exists, the thing being protected is only secure against a certain amount of expenditure.

Next time you’re talking to someone about security and they’re asking you to make an investment, ask them how much access expense the investment will add for an unauthorised person. Then you can compare that to the value of what you’re securing. If you can’t make sense of that, you should find someone who can help you. Any investment in security that doesn’t make unauthorised access many times more expensive than its own cost is just the purchase of a warm and fuzzy feeling.