Google offers multi-party approval option for ‘vault-like’ admin actions

Google wants IT pros to seek approval from other IT pros.
Francis Scialabba

Seek approval from others!

That’s lousy life-coach advice, generally speaking, but a helpful safeguard in the IT space, especially when someone on the team wants to perform a sensitive admin action like disabling multi-factor authentication.

That’s why Google is adding a multi-party approval, or MPA, function to its Workspace platform, in an effort to slow down (and secure) the deployment of far-reaching IT decisions.

Multiparty-verse! With its MPA feature, announced on April 9 and available for Workspace customers with multiple super admin accounts, Google offers a “you sure about that?”-style check when an IT pro wants to perform one of the following actions:

  • Two-step verification
  • Account recovery
  • Advanced Protection
  • Google session control
  • Login challenges

“We typically see products support multi-party approvers in change management and change control workflows, but integrating the additional level of protection directly into the administrative console is more unique,” Forrester Principal Analyst Geoff Cairns wrote in an email to IT Brew.

While independent help-desk software and other security tools offer workflow paths that bring authentication requests to the proper admins for approval, Andy Wen, director of product for Google Workspace Security, said the team aims to move and “evolve” the MPA function across the Workspace platform, particularly for what he calls “vault-like” transactions—sensitive tasks that require an extra verification.

“Transactions and actions that we’re going to put behind MPA are going to be those actions that have a very high impact on an organization,” Wen told IT Brew during a demo of the MPA feature.

Accept no imitations. Social engineers have been successful lately at convincing IT pros to reset accounts.

In an April 3 sector alert, the Health Sector Cybersecurity Coordination Center, or HC3, warned of “advanced” social engineers convincing hospital help desks to restart multi-factor authentication and gain control of accounts.

“You would think that defenders would really make it difficult to call up and say, ‘Hey, I need a new MFA,’ but if the social engineering attack seems dire enough—‘I'm the CEO and I’m in a business meeting, I can’t get access to my laptop’—a lot of people will be intimidated into providing that access easier,” Roger A. Grimes, a data-driven defense evangelist at the security training platform KnowBe4, told IT Brew.

In Verizon’s recently released Data Breach Investigations Report, the company’s writers noted that 68% of the over 30,000 security incidents studied between November 1, 2022, and October 31, 2023, involved a “human element,” which Chris Novak, senior director of cybersecurity consulting at Verizon Business, defined as avoidable actions that could have prevented the occurrence of a security incident.

Who’s going to the multi-party? Wen sees the MPA feature as an effective tool for large organizations with 5,000-plus employees and teams with multiple admins.

Say someone wants to migrate a group of users to a new system, which requires disabling two-step verification or multi-factor authentication. Super admins can view the request in the console, read details regarding the change, and approve or deny it.

“The magic,” according to Jeroen Kemperman, product lead of account security at Google Workspace, is that actions execute after approval, saving the requester a step of having to revisit the task.

“We have a multi-layer defense system that runs on every account. But if you’re an attacker and you encounter MPA, you would have to take all those lines of defenses and pass them for two accounts, which is much harder, and gives a much bigger chance of the attacker being caught somewhere,” Kemperman said.
