How Duo’s Device Trust Enables Organizations to Enforce Endpoint Compliance
This is the third of a four-part blog series on how Duo helps organizations verify device trust. This post explains how Duo's Device Trust enables organizations to check and enforce the device security and compliance posture prescribed by standards such as PCI-DSS, HIPAA, and the NIST Cybersecurity Framework.
Verifying the trustworthiness of devices accessing corporate applications is part of basic cyber hygiene, so it is no surprise that many IT security standards and regulations require security controls that assess device posture.
Here are some common checks that organizations would need to perform before granting access in order to attest whether a laptop or desktop is trustworthy:
- Is the device managed?
- Are the OS version and patch level up to date?
- Is the enterprise antivirus (AV) agent installed and running?
- Is the disk encryption turned ON?
- Is the host firewall turned ON?
- Does the device have a password set?
Examples of Required Security Controls
Below are some of the required security controls that call for similar device posture assessments before granting access to sensitive data.
How Duo's Device Trust Helps Organizations Enforce Endpoint Compliance
Endpoint security controls can be implemented in various ways using different solutions. The challenge for administrators is checking and enforcing these controls at the moment of application access, and retaining sufficient artifacts to prove compliance across groups of devices over a period of time.
Duo's Device Trust provides IT administrators an access control enforcement tool to ensure that the devices accessing sensitive data are compliant.
For example, if a user has not installed a recent OS security patch or does not have the enterprise AV agent running, and requests access to the cardholder data environment (CDE), the Device Health application blocks the device's access and shows the user the remediation steps needed to comply with the security policy. Duo also captures detailed logs of every device and every access request, providing an audit artifact that can be used to prove compliance during an audit.
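To make the posture checks listed above and the block-with-remediation flow described here concrete, the following is an added example of a small policy evaluator. It is not Duo's code and does not use Duo's APIs; the posture record fields, the policy names and the sample device records are all constructed for this illustration. Each failed check yields a remediation instruction for the user, and every decision is written as an audit record that can later be used to demonstrate compliance for a group of devices.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Constructed posture record: fields mirror the checks listed in the post.
@dataclass(frozen=True)
class PostureReport:
    device_id: str
    managed: bool            # enrolled in the corporate MDM/EMM
    os_name: str
    os_version: str          # e.g. "12.6.3"
    av_running: bool
    disk_encrypted: bool
    firewall_enabled: bool
    password_set: bool

# Constructed policy: which checks a given application requires.
@dataclass(frozen=True)
class Policy:
    name: str
    require_managed: bool
    min_os_version: dict     # os_name -> minimum version string (assumption)
    require_av: bool = True
    require_disk_encryption: bool = True
    require_firewall: bool = True
    require_password: bool = True

def parse_version(text):
    """'12.6.3' -> (12, 6, 3); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def evaluate(report, policy):
    """Return (allowed, failures); failures is a list of
    (check_name, remediation_text) for every check the device did not pass."""
    failures = []
    if policy.require_managed and not report.managed:
        failures.append(("managed", "Enroll this device in the corporate device management system."))
    minimum = policy.min_os_version.get(report.os_name)
    if minimum is None:
        failures.append(("os_version", f"{report.os_name} is not an approved OS for this application."))
    elif parse_version(report.os_version) < parse_version(minimum):
        failures.append(("os_version", f"Update {report.os_name} to {minimum} or later."))
    if policy.require_av and not report.av_running:
        failures.append(("antivirus", "Install and start the enterprise antivirus agent."))
    if policy.require_disk_encryption and not report.disk_encrypted:
        failures.append(("disk_encryption", "Turn on full-disk encryption."))
    if policy.require_firewall and not report.firewall_enabled:
        failures.append(("firewall", "Turn on the host firewall."))
    if policy.require_password and not report.password_set:
        failures.append(("password", "Set a login password on this device."))
    return (not failures, failures)

def audit_record(user, application, report, policy, allowed, failures, now=None):
    """Structured record of one access decision and the posture it was based on."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "user": user,
        "application": application,
        "device_id": report.device_id,
        "policy": policy.name,
        "decision": "allow" if allowed else "block",
        "failed_checks": [check for check, _ in failures],
        "posture": asdict(report),
    }

def audit_line(record):
    """One JSON line per decision, suitable for an append-only audit log."""
    return json.dumps(record, sort_keys=True)

# Constructed policies: a sensitive app requires a managed device, a
# BYOD-friendly app accepts unmanaged devices but still checks posture.
CDE_POLICY = Policy("cardholder-data-environment", require_managed=True,
                    min_os_version={"macOS": "12.6", "Windows": "10.0.19045"})
BYOD_POLICY = Policy("byod-webmail", require_managed=False,
                     min_os_version={"macOS": "12.6", "Windows": "10.0.19045"})

# Constructed sample devices.
COMPLIANT = PostureReport("dev-001", True, "macOS", "13.2", True, True, True, True)
STALE_NO_AV = PostureReport("dev-002", False, "macOS", "12.3", False, True, True, True)

if __name__ == "__main__":
    for report in (COMPLIANT, STALE_NO_AV):
        allowed, failures = evaluate(report, CDE_POLICY)
        print(audit_line(audit_record("alice", "cde-portal", report, CDE_POLICY, allowed, failures)))
        for _, remediation in failures:
            print("  remediation:", remediation)
```

Running the module prints one audit line per sample device; the non-compliant one is blocked and is followed by the remediation text the user would see. The same `evaluate` function serves both policies, so the difference between a managed-only application and a BYOD application is purely a matter of the policy object passed in.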
For complete information on how Duo can help organizations meet compliance requirements read the solution brief.
Enabling Compliance for BYOD and Unmanaged Devices
Organizations find it difficult to gain the level of visibility needed to make an access control enforcement decision on BYOD and unmanaged devices. Device management solutions may not be a viable option in this scenario.
Employees typically do not adopt corporate solutions such as a mobile device management (MDM) agent on personal devices due to concerns regarding loss of privacy and control. External contractors and partners that comprise the extended workforce for an organization may already be enrolled in a different solution from their primary employer. The lack of visibility and control into these devices creates security and compliance gaps as organizations might be blind to the device state when they are accessing corporate data.
Duo's Device Trust makes it easy for organizations to gain just the right level of visibility needed to attest to these devices. With the Device Health application, organizations can enforce access control policies for corporate applications and restrict access when devices do not meet the specified security and compliance requirements.
This lightweight application can be installed by users with administrative privileges when they log in for the first time after the policy is configured. Unlike other device management agents, the application cannot make changes to the device, such as remotely wiping data. Duo's approach is BYOD-friendly because the Device Health application only performs device posture checks at the time an application is accessed. The application empowers users by enabling self-remediation, which reduces the number of IT tickets raised or calls to the support help desk.
“Cisco has over 3,000 applications, 4,000 extranet users (partners) and 15,000 contractors worldwide. A huge security challenge we need to solve is making sure we assess and verify the state of every device we allow access. Duo's Device Trust will help us solve this challenge by providing us the visibility into the world of the unknowns so that we can flag and block devices that do not meet our security criteria.”
— Rich West, Principal Engineer of Information Security, Cisco
Enabling Compliance for Managed Devices
To comply with stricter regulatory requirements, many organizations implement MDM or enterprise mobility management (EMM) solutions. Duo integrates with leading device management systems such as MobileIron, VMware Workspace One and Microsoft Intune*. With Duo's Trusted Endpoints, organizations can distinguish between unmanaged endpoints and managed endpoints that access browser-based applications.
The Trusted Endpoints policy tracks whether clients accessing the applications present the Duo device certificate, and can block access to selected applications from systems without that certificate.
Further, deploying the Device Health application on managed devices helps IT easily enforce granular security policy checks at the time of authentication.
“Duo Beyond creates an invisible and open gate that authorized users with trusted devices never have to see, the gate only materializes and closes when the device trust standards are not met.”
— Dan Regan, Former Cloud Security Engineer, Zenefits
Learn how Duo can improve your organization’s security and compliance. Try it for free by signing up for a 30-day trial.
*Microsoft Intune integration for Duo Trusted Endpoints will start beta at the end of February 2020. For details on participating in the beta program, current Duo Beyond customers can reach out to their account representative.