Today, we’re excited to announce some major changes to our product line. We are introducing a new edition, Duo Beyond, to help address security challenges as customers increase adoption of cloud applications and BYOD initiatives.
Duo Beyond is modeled after Google’s BeyondCorp security architecture - a radical shift from traditional perimeter-based security models. It assumes a zero-trust environment across the organization, ensuring that no traffic within an enterprise’s network is, by default, any more trustworthy than traffic coming in from the outside. You can read our blog on Google BeyondCorp for more information.
Duo Beyond provides increased security by addressing three main use cases for modern corporate IT environments:
- Differentiating between corporate and personal devices
- Limiting sensitive data access to only corporate devices
- Limiting remote access to specific applications without exposing the network
Let’s examine each of these in greater detail.
Trusted Endpoints and Protecting Sensitive Data
With Duo Beyond, we are introducing our Trusted Endpoints feature, which allows customers to easily identify their company-owned and personal laptops accessing corporate applications. Traditionally, this was done using a combination of various security technologies, spanning across endpoint protection platforms (EPP), network access control (NAC), virtual private networks (VPNs), client certificates, and public key infrastructures (PKIs).
Duo is making this process radically simple; administrators can distribute Duo certificates to their corporate laptops to mark them as ‘Trusted’ without having to deploy their own public key infrastructure or NAC solution. Through our beta testing with over 100 customers, we’ve seen most customers fully deploy certificates within 2 hours. This is a significant reduction compared to traditional NAC deployments, which often take several months to complete.
We also gathered some great insight on BYOD trends. Generally, about one-third of all laptops in a company’s environment tend to be corporate devices, while two-thirds of the devices are personally owned (which companies have no visibility or control over). This further validates the security concerns brought on by BYOD adoption.
In addition to providing visibility into which devices are corporate-managed and which are personally owned, Duo also allows you to control access based on the same attributes. If a laptop has a Duo certificate, it is therefore considered a trusted endpoint. These policies can be created at the global, application, or user level; they can be applied to any web-based application regardless of whether it’s hosted in the cloud or on-premises.
Throughout our beta program, we saw a common use case where customers enforced a higher level of trust for privileged account access. For example, regular users were able to log into Salesforce.com with any laptop as long as it was up to date and had proper security settings enabled, such as disk encryption, passcode enforcement, etc. (also enforced with Duo’s Trusted Access platform). However, Salesforce administrators’ accounts were only accessible using devices that had a valid Duo certificate.
A Better Way to Secure Remote Access
Duo Beyond also provides a simple and secure way for companies to provide remote access to corporate applications without exposing the rest of the network. While VPNs have traditionally solved remote access requirements, there are still some drawbacks:
- VPN clients are clunky and provide a sub-par user experience. Connections are often slow and unreliable, leading to end user frustrations.
- It’s difficult to segment network access using a VPN. Once a user logs in, they often have access to the entire network, which presents a security challenge.
Customers can now use Duo’s secure single sign-on to give end users one consistent login experience while accessing any cloud or on-premises application. Best of all, users don’t have to go through a VPN, meaning companies can provide remote access to certain applications without exposing the rest of the network. This not only improves overall security posture, but it also introduces cost savings.
For many companies, the vast majority of remote employees use VPN tunnels only for a few web applications. By moving access to those applications out of the VPN, companies would be able to retire the vast majority of their VPN licenses.
Other Notable Changes
To make our product offerings even easier to understand, we are renaming the existing Duo editions to better align with our customers’ requirements. Here is the new Duo product lineup, effective February 8, 2017:
Finally, we are integrating Duo Insight, our free phishing simulation tool into Duo Access. In July 2016, we introduced this tool to help organizations measure their exposure to targeted phishing attacks for free. This is critical to understanding user risk and successfully implementing two-factor authentication to protect against credential theft. Duo Access and Duo Beyond customers can now launch unlimited phishing simulations to measure this risk in their employee base.
We’ve made a number of (positive) new changes to our editions - check out our Customer FAQ to learn how this affects you.