
Las Vegas shores up SecOps with multi-factor authentication

AI-driven SecOps tools spared Las Vegas from a major data breach in January. The city now bets that two-factor authentication can stop future attempts.

The city of Las Vegas used AI-driven infrastructure security tools to stop an attacker in January before sensitive IT systems were accessed, but the city's leadership bets future attempts won't even get that far.

"Between CrowdStrike [endpoint security] and Darktrace [threat detection], both tools did exactly what they were supposed to do," said Michael Sherwood, chief innovation officer for Las Vegas. "We had [a user] account compromised, and that allowed someone to gain short-term access to our systems."

The city's IT staff thwarted that attacker almost immediately in the early morning of Jan. 7. IT pros took measures to keep the attacker from accessing any of the city's data once security monitoring tools alerted them to the intrusion.

The city has also used Okta access management tools for the last two years to consolidate user identity and authentication for its internal employees and automate access to applications through a self-service portal. Next, it will reinforce that process with multi-factor authentication using the same set of tools, in the hopes further cyberattacks will be stopped well outside its IT infrastructure.

Multi-factor security will couple a physical device -- such as an employee badge or a USB key issued by the city -- with usernames and passwords. This will reduce the likelihood that such an account compromise will happen again, Sherwood said. Having access management and user-level SecOps centralized within Okta has been key for the city to expand its security measures quickly based on what it learned from this breach. By mid-February, its IT team was able to test different types of multi-factor authentication systems and planned to roll one out within 60 days of the security incident.


"With dual-factor authentication, you can't just have a user ID and password -- something you know," Sherwood said. "A bad actor might know a user ID and password, but now they have to [physically] have something as well."

SecOps automation a shrewd gamble for Las Vegas

Las Vegas initially rolled out Okta in 2018 to improve the efficiency of its IT help desk. Sherwood estimated the access management system cut down on help desk calls relating to forgotten passwords and password resets by 25%. The help desk also no longer had to manually install new applications for users because of an internal web portal connected to Okta that automatically manages authorization and permissions for self-service downloads. That freed up help desk employees for more strategic SecOps work, which now includes the multi-factor authentication rollout.

Another SecOps update slated for this year will add city employees' mobile devices to the Okta identity management system and introduce an Okta single sign-on service for Las Vegas citizens who use the city's web portal.

Residents will get one login for all services under this plan, Sherwood said. "If they get a parking citation and they're used to paying their sewer bill, it's the same login, and they can pay them both through a shopping cart."


Okta replaced a hodgepodge of different access management systems the city used previously, usually built into individual IT systems. When Las Vegas evaluated centralized access management tools two years ago, Okta was the only vendor in the group that was completely cloud-hosted, Sherwood said. This was a selling point for the city, since it minimized the operational overhead to set up and run the system.

Okta's service competes with the likes of Microsoft Active Directory, OneLogin and Auth0. Las Vegas also uses Active Directory for access management in its back-end IT infrastructure, while Okta serves the customer and employee side of the organization.

"There is still separation between certain things, even though one product may well be capable of [handling] both," he said.

Ultimately, the city would like to institute a centralized online payment system for citizens to go along with website single sign-on, and Sherwood said he'd like to see Okta offer that feature and electronic signatures as well.

"They'd have a lot of opportunity there," he said. "We can do payments and electronic signatures with different providers, but it would be great having that more integrated into the authentication process."

An Okta representative said the company doesn't have plans to support payment credentials at this time but that the company welcomes customer feedback.
