Healthy Device? Check With the Duo Device Health App Before Granting Access
We’re taught from an early age that good health is important to our well-being. Eat the right foods, exercise and get at least eight hours of sleep. But what about preventive care? Most of us aren’t great about getting regular check-ups. In an ideal world we’d get an assessment of our “personal health posture” before we walk in the front door of our home. After all, no one wants to bring home a cold to family and friends.
We can apply this concept to the work environment. The corporate network is our home, other devices we interact with are our family members and friends, and resources such as applications and data are the stuff we need access to like the refrigerator and television. And that cold we want to avoid getting and passing around? That’s malware. If we bring malware into our network, it can lead to all sorts of problems – data breaches, denial of service attacks and account take-overs to name a few.
Much like the modern family, today’s workforce is a bit more blended. Many organizations have employees, contractors and partners who need network access. Some work in the corporate office while others are remote. There are corporate-owned devices, personal devices (BYOD), even shared devices. You wouldn’t let someone into your home if they were sick, so why let these devices on your network without first checking their health?
Establish device trust with health checks
Verifying user identity before granting access to a network application is the first step in a well-designed security strategy. But it’s no longer enough. There have been too many cases where a verified employee/contractor/partner brought a malware-riddled device onto the network with disastrous results.
Beyond establishing user trust, organizations also need to verify the health of every device before allowing access. But what makes a device “healthy”? Here are some checks to consider when creating your access security policy:
Is the device running the latest OS version including patches?
Is the browser up to date?
If there are plug-ins, are they the latest version?
Is a system password in place?
Does the device have an encrypted drive?
Is the host firewall enabled?
Is the device running an endpoint security agent?
Is it a corporate-issued managed device or an unmanaged BYO device?
Verify device security posture with the Duo Device Health app
As the number of connected devices continues to grow, so does the pressure on security and IT teams to ensure these devices have a healthy security posture. One tool that can help is the Duo Device Health Application. A lightweight client application for macOS and Windows clients, the Device Health application provides the controls organizations need to create custom access policies that allow or block connections to applications based on device health. It’s part of a more extensive Duo Trusted Endpoints policy that also considers whether a device is managed or unmanaged.
When assessing health, the Device Health application collects information from each endpoint at the time of authentication and checks it against the access policy. This includes:
Operating system version
Disk encryption status
Host firewall status
If everything complies with the security policy, access to the application is granted. However, if one or more elements fail the compliance check, access is blocked.
The good news is the Device Health application includes guided remediation that enables users to address the issue and bring the device under compliance quickly and easily. Once that happens, access is granted. Not only is your end-user happy, there’s also no Help Desk ticket to bog down your IT team.
More ways to check device health
In addition to the list above, the Device Health application enables administrators to combine a Device Health application policy with other Duo policies to check the status of browsers and plug-ins. For example, organizations may hesitate to allow access from devices that aren’t running the latest version of Google Chrome.
The same goes for devices using plug-ins. Outdated browsers and plug-ins are well-known attack vectors, so keeping them current is critical. Again though, the Device Health application’s self-remediation feature makes it easy to update to the latest version with step-by-step instructions.
Duo Beyond edition customers have additional device health check options at their disposal. The Device Health application can check to see if an endpoint security agent is running on the device. Duo supports many of the leading endpoint security solutions.
For organizations that want even tighter control, the Device Health application reports unique device identifiers to verify whether devices are enrolled in your endpoint management solution. While a device may pass the required health checks, IT may want to distinguish between devices managed by your organization and those that are not before deciding whether or not to grant access.
What’s new with Duo Device Health?
I’ve written a lot about the importance of good device health. Creating and enforcing strong security policies when it comes to allowing or blocking access to your applications will help keep your network protected from cybercriminals.
Security though, must always be balanced with ease of use. Go too far in one direction and there will likely be consequences. One way Duo is driving ease of use is through a new capability known as Silent Updates. Previously, end-users were prompted to update the Device Health application manually. This involved downloading and installing the latest version using administrator privileges.
In version 3.0, the Device Health application can take care of this seamlessly behind the scenes without any user intervention. Available updates are automatically downloaded and installed without users needing to take time out to enter a password or click through an install wizard.
Administrators can also disable automatic updates so that updates are pushed out using a system management tool, giving them control over which app updates get installed and when. This provides time to test the update before pushing it out or to skip updates that aren’t important.
If you’d like to try the Device Health application and experience how Duo can simplify access for your workforce, sign up for a free 30-day trial.