Aw CRUD (Create/Read/Update/Delete): Extended Policy Capabilities in Duo’s API
At Duo Security, we want to make it easier for our customers to stay secure, which is why we’re happy to announce that starting May 1st, all Duo customers will be able to happily say, “Aw, CRUD” (create, read, update, delete) to their Duo policies through our existing Admin API using our new policy endpoints. Our Duo Documentation has been updated with the how-tos of applying these policy endpoints, and in this post we’ll be sharing use cases of why our customers will benefit from this update.
Not only will the extension of our Admin API’s capabilities with these policy endpoints allow you to automate policy tasks and save precious time, but engaging with these policy endpoints can also offer you greater security, control, and integration within your environment.
As attack patterns have been increasing, and the challenge of staying one step ahead of bad actors rises, API-first development makes it easier to quickly modify Duo policies based on risk signals and telemetry from other systems, such as moving your end-users to more secure factors.
To put it simply: Duo is building a lot of new protective policies that our added policy endpoints can make easier and faster to assemble.
How many people at your organization have the ability to change your policies? With the new policy endpoints, you can control policy changes more closely, track precisely what changes have been made, and even prevent unwanted changes by making policies readable outside of the Admin Panel. This allows you to restrict who has permission to access the Admin Panel as needed.
At Duo, we understand that we are one of many tools you use to protect your organization. With the new policy endpoints, you can write programs to save your policies out to a JSON file and feed those into your SIEM or a source control system like Github.
How can CRUD do all that?
Spin up multiple policies quickly.
Run the create function to create a blank policy. Or, if you’re proficient in coding, you can export the settings from an existing policy and use that to create copies. Whether for onboarding or exporting and importing policy configurations for new sub-accounts, automating the creation of policies will save you time and help you scale.
Managed Service Provider (MSP) partners, educational institutions (EDUs), or any Duo customer that finds themselves managing many individual accounts will find this ability an excellent way to improve efficiency.
Audit policies and prove compliance more easily.
The new policy endpoints allow you to view all of your policies at once and send that same view to compliance officers. We know that seeing all your policies is difficult in the Admin Panel, which is why we are also working on a new table view design in our UI that will make our policies easier to read. Keep an eye out!
Integrate with existing processes.
While Duo is not a change management tool, the new policy endpoints allow you to output your policies into a JSON file that you can then integrate with existing change management or workflow tools that your organization uses. Most SIEMs also have the ability to ingest JSON files, allowing your SIEM to use Duo policy data for compliance management and also as an additional signal to detect potential threats.
Level up your Duo environment.
Turn on policy options, such as Passwordless authentication methods (if Passwordless has already been enabled), Risk-Based Authentication, and Static Verified Push, that work to protect your environment. In addition, you can modify policies across the board as business, compliance, or security needs evolve.
Improve sub-account management.
For our MSP partners who need to advise their customers on policy settings within this ever-changing security landscape, you can first run the read function for each sub-account akey to audit policy settings for all your sub-accounts and identify which customers to contact about a policy change. Then, with the update function you can make the policy changes without manually going into each of your sub-accounts.
Clean up your policy infrastructure.
Remove your unused and deprecated policies to tidy up your policy infrastructure.
CRUD is only the beginning of our policy endpoint and extended API offerings. Our next step is to enhance applying policy via our API by enabling the ability to bulk apply policies, which will help further eliminate the manual labor of applying policies for multiple groups or to multiple applications.
Any current users of our APIs will find that the new policy endpoints were made to look and feel like all the others. To enhance its usability, the policy endpoints has standardized objects, standard JSON input and response, and it recognizably maps to the existing policy user interface within the Duo Admin Panel. For help on setting up any of the functions above, take a look at our Admin API documentation.
We’ve been listening to feedback from our customers, and we look forward to hearing more as we continue to iterate and improve upon our API. If you’re interested in providing feedback, sign up to join our User Research Program.