I have heard the opinion that an alternative to implementing strong authentication is hardening the internal network by introducing maximal restrictions on access to hosts, ports, type of data transferred, etc. That way, even when the user's account is taken over, the consequences of hacking will be minimized. Well, I would say those restrictions are not an alternative to strong authentication, but rather these two approaches complement each other perfectly. I would also point out a few facts:
1. According to all reports, the most common way to break into computer systems is to hijack the password - by breaking it or stealing it. Here is an example of the attack methods summary:
It follows that protecting the password protects us against the vast majority of cybersecurity events. But of course we must not neglect the rest.
2. Since in the event of a hack, the restrictions are to work only after it happens, and authentication is to prevent it, I would consider strong authentication (called MFA - Multi-factor authentication) as the first line of defense, and restrictions as the second. This means that if I could deal with only one issue at a time (e.g. for budgetary, technical or organizational reasons), I would start with the MFA.
3. You also need to look at the ratio of effort to the results obtained. In point no. 1, we showed we eliminate more than 80% break-ins by getting the issue of weak and stolen passwords done. The ease of implementing the internal network security varies by organization, and probably using the homogeneous environment or tools to manage the entire heterogeneous one often allows do it quickly. However, it is necessary to develop it first, that is, to get to know who uses the resources, how and what kind of, and then discuss everything with all business departments or even individual users. And there will never be any guarantee that the reached consensus will be valid forever. On the other hand, the implementation of MFA also requires a lot of effort – at least in the traditional approach, when we need to modify each application so that it does not only rely on a password, but also requires use of a second authentication component (called 2FA – two-factor authentication), such as providing an one-time code, using a dongle (a hardware key) or scanning a fingerprint. And what if we have a lot of these apps? And not all of them can be reworked - at least easily (because they come from third parties or are based on old, no longer used technology)? Fortunately, there is a solution on the market that allows you to implement strong authentication completely eliminating the need to modify the applications - from the Secfense company. It acts as an intermediary between the user and the application. For a user, Secfense introduces 2FA, an additional authentication component, and after using it she or he connects to an existing application. From the app's point of view, it only allows users who have authenticated themselves in a valid, secure way to access it.
Thus, implementing strong authentication using Secfense not only protects us from the greatest source of threats, but is also realized quickly and easily.
Summarizing the way of thinking, I urge you to both, harden the internal network by introducing various types of restrictions, and to implement strong authentication. And to start your adventure with MFA/2FA by exploring the Secfense solution.