CIS Control 6.5 Require MFA for Administrative Access
The Center for Internet Security (CIS) Critical Security Controls emphasize protecting the most critical parts of your IT environment. Safeguard 6.5, part of Control 6 (Access Control Management), focuses on securing administrative accounts with Multi-Factor Authentication (MFA).
The safeguard is clear: require MFA, where supported, for all administrative access accounts on all enterprise assets, whether they are managed on-site or through a third-party provider. Why? Because administrative accounts carry the highest level of privilege and are a prime target for attackers: a single phished, reused, or brute-forced admin password can hand over the whole environment.
Here’s what this means:
- What’s an Administrative Account? These are accounts with elevated permissions, such as IT administrators, database administrators, cloud tenant or subscription owners, and system operators. They can install software, manage users and their privileges, and modify critical systems and security settings.
- Why MFA? MFA requires a second factor in addition to the password, so a stolen, guessed, or reused admin password alone is no longer enough to log in. For administrative accounts, prefer phishing-resistant methods (FIDO2 security keys, platform authenticators, or smart cards) over SMS or voice codes, which can be intercepted or socially engineered.
- Where It Applies: This safeguard covers all enterprise assets, from servers and workstations to cloud services and third-party platforms, including management consoles, APIs, and remote-access paths used for administration. If MFA is supported, it should be enforced.
- How to Implement: Most modern identity providers, such as Microsoft Entra ID (formerly Azure AD) and Okta, or dedicated MFA providers such as Duo Security, make it straightforward to apply an MFA policy that targets administrative roles specifically. Keep a small number of documented, tightly monitored break-glass accounts excluded from the policy so an MFA provider outage cannot lock you out, and audit regularly for privileged accounts that have not yet registered an MFA method.
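The following is an added example, not part of the original article, of how the "How to Implement" step looks in Microsoft Entra ID using the Microsoft Graph PowerShell SDK: it first reports privileged accounts that have not registered any MFA method, then creates a Conditional Access policy that requires MFA for members of selected administrative directory roles. The role names, the break-glass account identifier, and the choice to start in report-only mode are assumptions you should adjust for your own tenant; the Graph permission scopes are the ones these cmdlets require.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Sign in with the scopes needed to read registration reports, read role templates,
# and write Conditional Access policies.
Connect-MgGraph -Scopes @(
    "AuditLog.Read.All",
    "UserAuthenticationMethod.Read.All",
    "RoleManagement.Read.Directory",
    "Policy.ReadWrite.ConditionalAccess"
)

# --- 1. Audit: which admins have no MFA method registered at all? ---
# The registration-details report flags accounts that hold an admin role
# (isAdmin) and whether they have registered any MFA-capable method.
$unregisteredAdmins = Get-MgReportAuthenticationMethodUserRegistrationDetail `
    -Filter "isAdmin eq true and isMfaRegistered eq false" -All

if ($unregisteredAdmins) {
    Write-Warning "Admins with no MFA method registered (fix before enforcing):"
    $unregisteredAdmins | Select-Object UserPrincipalName, IsMfaRegistered | Format-Table
}

# --- 2. Enforce: Conditional Access policy scoped to administrative roles ---
# Assumed list of roles to protect; extend it to match your tenant. Role template
# IDs are looked up by display name rather than hard-coded.
$adminRoleNames = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "User Administrator"
)
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

# Assumed placeholder: object ID of your documented break-glass account, excluded
# so an MFA provider outage cannot lock every administrator out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CIS 6.5 - Require MFA for administrative roles"
    # Start in report-only mode to see who would be blocked, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles = $adminRoleIds
            excludeUsers = @($breakGlassAccountId)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.DisplayName) (id $($created.Id)) in state $($created.State)"
```

Run the audit step and remediate unregistered admins first; flipping the policy's `state` to `enabled` while privileged users have no MFA method registered will lock them out rather than protect them. Once the sign-in logs show the report-only policy would have succeeded for all legitimate admin sessions, enable it, and review the break-glass exclusion at every access review.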
Why is this important? Admin accounts hold the keys to the kingdom. A breach of one of these accounts can lead to widespread damage: mass data theft, ransomware deployment, or persistent backdoors created with the stolen privileges. Requiring MFA significantly reduces that risk by ensuring a compromised password alone cannot unlock administrative access.
To recap, CIS Control 6.5 ensures that all administrative access is protected by MFA. By implementing this safeguard, you’re adding a robust layer of security to the most critical accounts in your organization.