5 Principles to Achieve Zero Trust for the Workforce - Enable Secure Access to All Apps (Part 5)
Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Week one we explored the history of zero trust and how to establish user trust. Week two we delved into the history of endpoint security and gaining visibility into devices. Week three we reviewed zero-day exploits and establishing device trust. Week four we discussed the amazing protective powers of enforcing adaptive policies. Today we will explore the final and fifth principle in this five-part blog series — how to enable secure access to all applications.
Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first through multi-factor authentication. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network. As we learned in this series, the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device across the network.
Some Background on Cloud Computing
Throughout this series, we have touched on a few historical key technology innovations that have led to faster and better computing, as well as more opportunities for stronger security. Back in the late 90’s VMware started the virtual computing revolution that made cloud computing possible. Cloud computing freed applications and storage from physical locations and dramatically lowered costs making virtual infrastructure affordable for all, scalable on demand, and accessible from anywhere. Thus began the hypergrowth of everything over the internet.
In 2006, with the launch of Elastic Compute Cloud (EC2) from Amazon Web Services (AWS) the power of cloud computing made all kinds of new businesses and services possible. New multi-cloud options surfaced with Microsoft Azure in 2010 and Google Cloud Platform in 2011. Automation helped computing speed up and streamline. Open source code libraries made sophisticated code structure available for free to anyone, and many new cloud capabilities were offered as a service. But all of this awesome technology outpaced compliance and governance, and many industries kept their feet planted both on-prem or in the cloud or in both to have more security and control.
Regardless, the train had left the station and many teams found cloud collaboration tools easier, bypassing security and creating their own rogue shadow accounts for corporate business projects. Personal devices were cost effective and more desirable than company devices in many situations, which added more shadow devices connecting to corporate environments often without visibility or trusted security enabled. On those BYOD (bring your own devices) were new mobile apps made by mobile application developers who did not have security front of mind when creating the next big thing.
Protecting Application Access for the Workforce
The first line of defense in the zero trust model is to secure credentials for the workforce. According to the 2019 Verizon Data Breach Investigations Report (DBIR), which analyzed 41,686 security incidents in over 86 countries, with 2,013 confirmed data breaches from 73 data sources and 63 external private and public entities (including the FBI), “no organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack.” The report notes corporate executives and small businesses credentials are increasingly the top targets by bad actors.
Corporate leadership, which often has privileged access to valuable information and computer systems coupled with undisputed and unquestioned authority to make requests, is an obvious sweet spot for bad actors. Corporate executives are often seen as easy marks with big impact – they’re frequently on the move with limited time to digest large amounts of information, making them targets of dedicated social engineered attacks such as phishing, spear phishing and more.
Mobile Users Are More Susceptible to Social Attacks
The small screen size of mobile screens restrict viewable information necessary to verify fraudulent emails
Many mobile browsers limit access to website SSL certificates
Prominent features on mobile like “accept, reply, send” make it easier for users to make snap decisions
Mobile users are often walking, driving, talking and more decreasing their attention to details
Duo’s Zero Trust for the Workforce
Duo provides the foundation for a zero-trust security model by providing user and device trust before granting access to applications – ensuring secure access for any user and device connecting to any application, from anywhere.
Each time a user logs into an application, the trust of their identity and security of their device is checked by Duo, before granting access to only the applications they need. Duo gives you adaptive policies and controls to make access decisions based on user, device and application risk.
STEP 5 - SECURE ACCESS TO ALL APPLICATIONS
You may be a cloud-forward organization, or a large enterprise with a complex mix of both cloud and legacy on-premises infrastructure and applications. Secure access to all of your cloud apps such as Office 365, Google, Box, Dropbox, Slack, and more, as well as access to any existing single sign-on (SSO), identity providers and federation services. Make sure your solution provides secure access to any SAML 2.0-enabled cloud application.
Best practices recommend securing access to these apps by separating your primary authentication method from your secondary (using multi-factor authentication or MFA). Shift away from depending solely on a primary authentication provider to avoid a vendor-based breach that can risk exposing both primary and secondary authentication.
HOW DUO CAN HELP
Enable Secure Access to All Apps
Duo provides broad coverage across every application, with out-of-the-box integrations for ease of setup with all types of apps - from legacy to modern to custom tools. For custom applications, Duo also offers APIs, WebSDKs and support for other protocols to allow you to extend Duo's security platform to protect proprietary services.
Duo provides flexible, frictionless access to hybrid and multi-cloud environments, allowing you to apply a zero-trust security approach for remote access to cloud infrastructure and corporate applications.
Secure against compromised credentials and protect access to your remote access gateway providers with Duo’s integrations for virtual private networks (VPNs), virtual desktop infrastructure (VDI) and proxies.
Duo’s solution integrates seamlessly with major enterprise remote access gateway and VPN providers, including CA SiteMinder, Oracle Access Manager, Juniper, Cisco, Palo Alto Networks, F5, Citrix and more.
Duo secures application access to:
As organizations migrate their applications and infrastructure to the cloud, Duo can fully protect both a hybrid and multi-cloud environment. Duo provides users with consistent remote access to multi-cloud and hybrid environments, including cloud infrastructure providers, as well as on-premises and cloud applications.
Duo supports cloud access use cases, such as developers accessing Amazon Web Services (AWS) and contractors who need remote access to internal applications. Duo’s MFA also integrates with other SSO provides like Ping, Azure, Okta, Oracle and Shibboleth; providing identity integration with AD and SAML.
Secure Single Sign-On (SSO)
Users get a consistent login experience with Duo's single sign-on that delivers centralized access to both on-premises and cloud applications. Reduce password fatigue and increase user productivity by enabling your users to log in just once to Duo's single sign-on (SSO) to access all of their apps. Duo's secure SSO checks device security every time before granting access to each application
Duo's technology and security partnership ecosystem makes it easy for you to eliminate complexity while protecting your existing IT investments. Our tech partners (Microsoft, Cisco, Workday, Citrix, VMware and many others) include identity and access management; network and remote access; endpoint management and security; detection and response; as well as popular business applications.
How Duo Secures Applications
Duo Access Gateway is part of the Duo Beyond, Duo Access, and Duo MFA plans.
Duo Access Gateway supports local Active Directory (AD) and OpenLDAP directories as identity sources, as well as on-premises or cloud SAML IdPs.
You can also use the Duo Access Gateway with Azure and Google directories or third-party IdPs hosted in the cloud.
Define Duo policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Google Apps. Duo checks the user, device, and network against an application's policy before allowing access to the application.
Once you deploy Duo Access Gateway with multiple service providers you can opt to minimize repeated Duo authentication prompts when switching between your SAML applications with shared remembered device policies for SSO.
Duo aims to democratize security so that every device is protected on every platform. Security should not be intimidating, complicated or difficult, and we designed Duo to be powerful, simple and easy to use for everyone whatever your company size.
Duo’s approach to zero-trust security for the workforce is different in four ways:
Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
Broadest Coverage of Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far less resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.
This post completes our blog series “5 Principles to Achieve Zero Trust for the Workforce.” Previously we covered the first principle to implementing a zero-trust framework; how to establish user trust. Gaining device visibility is the second principle to adopting zero-trust and establishing device trust is the third principle and the fourth principle is enforcing adaptive policies. We hope you enjoyed this series and feel more informed on how to begin your journey to zero-trust security.
Zero Trust Evaluation Guide: Securing the Modern Workforce
We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.Download Guide