Healthy Device? Check With the Duo Device Health App Before Granting Access
We’re taught from an early age that good health is important to our well-being. Eat the right foods, exercise, drink plenty of water, and get at least eight hours of sleep. But what about preventive care? Most of us aren’t great about getting regular check-ups. In an ideal world we’d get an assessment of our “personal health posture” before we walk in the front door of our home. After all, no one wants to bring home a cold to family and friends.
We can apply this concept to the work environment. The corporate network is our home, other devices we interact with are our family members and friends, and resources such as applications and data are the stuff we need access to like the refrigerator and television. And that cold we want to avoid getting and passing around? That’s malware. If we bring malware into our network, it can lead to all sorts of problems – data breaches, denial of service attacks and account take-overs to name a few.
Much like the modern family, today’s workforce is a bit more blended. Many organizations have employees, contractors and partners who need network access. Some work in the corporate office while others are remote. There are corporate-owned devices, personal devices (BYOD), even shared devices. You wouldn’t let someone into your home if they were sick, so why let these devices on your network without first checking their health?
Assessing the health posture of devices, regardless of whether they're company-issued or personal, before letting them access network applications is a good security practice. To help with that, there's the Duo Device Health Application (DHA) which performs a real-time check on macOS and Windows devices at the time of authentication to establish their health. Now, we've expanded operating system support to include certain versions of Linux OS.
Read on to learn more about this expanded coverage, and about how the Device Health app can help you prevent risky devices from accessing essential resources.
Establish device trust with health checks
Verifying user identity before granting access to a network application is the first step in a well-designed security strategy. But it’s no longer enough. There have been too many cases where a verified employee/contractor/partner brought a malware-riddled device onto the network with disastrous results.
Beyond establishing user trust, organizations also need to verify the health of every device before allowing access. It's part of a strong zero trust strategy. But what makes a device “healthy”? Here are some checks to consider when creating your access security policy:
Is the device running the latest OS version including patches?
Is the browser up to date?
If there are plug-ins, are they the latest version?
Is a system password in place?
Does the device have an encrypted drive?
Is the host firewall enabled?
Is the device running an endpoint security agent?
Is it a corporate-issued managed device or an unmanaged BYO device?
Verify device security posture with the Duo Device Health app
As the number of connected devices continues to grow, so does the pressure on security and IT teams to ensure these devices have a healthy security posture. One tool that can help is the Duo Device Health Application. A lightweight client application for macOS, Windows and Linux clients, the Device Health application provides the controls organizations need to create custom access policies that allow or block connections to applications based on device health. It’s part of a more extensive Duo Trusted Endpoints policy that also considers whether a device is managed or unmanaged.
When assessing health, the Device Health application collects information from each endpoint at the time of authentication and checks it against the access policy. This includes:
Operating system version
Disk encryption status
Host firewall status
If everything complies with the security policy, access to the application is granted. However, if one or more elements fail the compliance check, access is blocked.
The good news is the Device Health application includes guided remediation that enables users to address the issue and bring the device under compliance quickly and easily. Once that happens, access is granted. Not only is your end-user happy, there’s also no Help Desk ticket to bog down your IT team. Here's some more good news. The Device Health app can update seamlessly to the latest version without user intervention through a Silent Updates feature. Available updates are automatically downloaded and installed without users needing to take time out to enter a password or click through an install wizard.
More ways to check device health
In addition to the list above, the Device Health application enables administrators to combine a Device Health application policy with other Duo policies to check the status of browsers and plug-ins. For example, organizations may hesitate to allow access from devices that aren’t running the latest version of Google Chrome.
The same goes for devices using plug-ins. Outdated browsers and plug-ins are well-known attack vectors, so keeping them current is critical. Again though, the Device Health application’s self-remediation feature makes it easy to update to the latest version with step-by-step instructions.
Duo Premier edition customers have additional device health check options at their disposal. The Device Health application can check to see if an endpoint security agent is running on the device. Duo supports many of the leading endpoint security solutions.
For organizations that want even tighter control, the Device Health application reports unique device identifiers to verify whether devices are enrolled in your endpoint management solution. While a device may pass the required health checks, IT may want to distinguish between devices managed by your organization and those that are not before deciding whether to grant access.
What’s new with Duo Device Health?
I’ve written a lot about the importance of good device health. Creating and enforcing strong security policies when it comes to allowing or blocking access to your applications will help keep your network protected from cybercriminals.
For many organizations, having a mixture of operating systems in use across their desktop systems is a common practice. The most widely utilized are Windows and macOS. However, those two alone are not enough. Linux OS in all its various flavors has increased in popularity with certain users, particularly software developers. Because of this, Duo has expanded its list of supported operating systems to include Linux. Now, organizations with a mixed OS environment can perform health checks on Windows, macOS and Linux endpoints using the Duo Device Health app to verify devices running those operating systems are in a health and trusted state before granting them access to network applications.
If you’d like to try the Device Health application and experience how Duo can simplify access for your workforce, sign up for a free 30-day trial.
Editors Note: This blog was originally published in September 2022, but has been updated with more recent information.