Duo Makes Verifying Device Trust as Easy as 1-2-3
“There are primarily three ways you can authenticate someone: with their username and password, with two-factor authentication, and with a company-supplied device that you can trace. For most stuff, you should have two of those things. For critical things, you should have all three.”
—Alex Stamos, Former Chief Security Officer, Facebook, in WIRED magazine
Adopt a Defense-in-Depth Strategy With Device Trust
Identifying what devices are accessing corporate applications is critical to understanding the overall security posture of an organization and reducing the risk of unauthorized access.
Unknown devices offer the lowest level of trust because they’re beyond the control of the IT department.
Enforcing security requirements such as OS updates and disk encryption helps organizations set a baseline for healthy and compliant devices.
For critical applications and environments with sensitive data (e.g., HIPAA compliance in healthcare or PCI compliance in retail), organizations need to ensure that only managed devices are authorized to access them.
Security practitioners are always looking to minimize the risk of a data breach, and a common framework for achieving this goal is a defense-in-depth strategy. Implementing device-based access policies follows this framework by layering on authentication and authorization controls, raising the bar for cyber criminals looking to gain unauthorized access. Even if an attacker compromises an employee’s credentials and somehow manages to get around multi-factor authentication (MFA), they would still need to access the application from a compliant and/or managed device.
Establishing Device Trust, Simplified
Since 2017, Duo has enabled organizations to identify if a device is enrolled in the corporate management system and apply device-based access policies based on the management status. Duo administrators may be familiar with the Trusted Endpoints policy, which typically relies on device certificates to verify the management status.
At Duo, we constantly seek feedback from customers to understand their pain points. One recurring comment from customers was that the deployment and management overhead of device certificates impacted the policy implementation.
Administrators want an easier way to verify the enrollment status of devices in corporate management systems without having to deal with digital certificates. And security practitioners want to ensure that critical applications are accessed only from managed devices.
OS version (including minor versions)
presence of security agents (e.g., CrowdStrike, Cisco Secure Endpoint, Symantec)
host firewall status
disk encryption status
We’re excited to share that administrators can now use the Device Health application to easily enforce the Trusted Endpoint policies for devices that are Microsoft Entra ID domain-joined or enrolled in Jamf Pro. Other device management tools will be supported soon — stay tuned!
Duo’s Device Health application now collects unique device identifiers (UUIDs) and, at the time of authentication, verifies whether that device has been enrolled in the enterprise management system. This novel approach eliminates the need for device certificates, helping organizations balance security with usability.
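To make the certificate-free flow concrete, here is an added illustration (not Duo's code) of what a policy engine does with a Device Health report at authentication time: it looks the reported UUID up in the management system's enrollment inventory and evaluates the health checks listed above. The inventory, the `DeviceReport` and `Policy` shapes, and all sample values are constructed assumptions.

```python
"""Simulated Trusted Endpoints decision: a device's health report (UUID plus
posture checks) is matched against an enrollment inventory at auth time.
Constructed example, not Duo's code; names and data are assumptions."""
from dataclasses import dataclass, field

# Constructed stand-in for the management system's enrollment inventory
# (e.g. Entra ID or Jamf Pro): the set of UUIDs it reports as enrolled.
ENROLLED_UUIDS = {"4c2e9b1a-7f1e-4a6d-9c3f-1a2b3c4d5e6f"}

@dataclass
class DeviceReport:
    uuid: str
    os_version: str          # e.g. "14.2.1"; compared including minor parts
    agents: set = field(default_factory=set)
    firewall_on: bool = False
    disk_encrypted: bool = False

@dataclass
class Policy:
    require_managed: bool    # True for critical apps: managed devices only
    min_os: str
    required_agents: set
    require_firewall: bool = True
    require_encryption: bool = True

def version_tuple(v: str) -> tuple:
    # Numeric comparison so "14.10" sorts after "14.2"; a string compare would not.
    return tuple(int(p) for p in v.split("."))

def is_managed(report: DeviceReport) -> bool:
    # The UUID collected by the health app is looked up in the inventory;
    # no device certificate is involved.
    return report.uuid in ENROLLED_UUIDS

def evaluate(report: DeviceReport, policy: Policy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the first."""
    reasons = []
    if policy.require_managed and not is_managed(report):
        reasons.append("device not enrolled in management system")
    if version_tuple(report.os_version) < version_tuple(policy.min_os):
        reasons.append(f"os {report.os_version} below minimum {policy.min_os}")
    missing = policy.required_agents - report.agents
    if missing:
        reasons.append("missing security agent: " + ", ".join(sorted(missing)))
    if policy.require_firewall and not report.firewall_on:
        reasons.append("host firewall disabled")
    if policy.require_encryption and not report.disk_encrypted:
        reasons.append("disk not encrypted")
    return (not reasons, reasons)
```

Returning every failed check, rather than only the first, is what lets a help desk tell a user exactly what to remediate before retrying.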
Enable Trusted Endpoints In Three Easy Steps
Duo has made configuring and applying Trusted Endpoints policy as easy as protecting an application. Administrators can get started in just three simple steps:
1. Create an integration in the Duo admin panel by navigating to the Trusted Endpoints Configuration and selecting your device management tool.
2. Configure your device management system, and input the information in the Duo admin panel to complete the integration.
3. Deploy Duo Device Health application on the managed devices, and apply the policy to Duo-protected services and applications.
Benefits of using Device Health Application to Verify Device Trust:
Enables trusted endpoints policy in five minutes or less!
Eliminates overhead due to certificate deployment, management or expiration
Performs real-time and reliable device identity and security health checks
Reduces dependency on third party PKI infrastructure
Provides broader support for browsers and compatible thick client applications
Supports environments with shared workstations
In Conclusion: Balance Security With Usability
Enforcing Trusted Endpoints policy using Device Health application significantly reduces certificate deployment and management hassles for organizations, while providing similar security benefits and raising the bar for cyber criminals to compromise internal systems.
We’re excited for our customers to try this new approach and share feedback. If you’re not a Duo customer, sign up for a free trial and reach out to a Duo representative to try this feature.
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.
Recommended Reading: Check out our ebook, Anatomy of A Modern Phishing Attack, to learn how trusted devices, zero trust, adaptive user policies and more can thwart phishing before it can result in a data breach.