InfoSecurity Europe: Effective Breach Prevention With King.com
At InfoSecurity Europe (and at most other infosec conferences), the focus was on breach prevention and the many different ways to achieve it. Protecting customer data and sensitive company information was top of mind, and one particular session focused on the need for something stronger than passwords alone to prevent unauthorized access to company data.
Two-Factor Authentication for VPNs, Cloud and On-Premises Apps
Last Wednesday, the Director of Information Security Giacomo Collini at King.com (the makers of the online game Candy Crush) and Duo Security’s VP EMEA Henry Seddon gave a tech talk about implementing a two-factor authentication solution to protect employee logins.
With a presence in over 200 countries with 300 million users, the mobile and web game developers needed a way to secure remote access to their VPNs (Virtual Private Networks). King.com needed something better than passwords, but they also needed to choose a security solution their users wouldn’t hate.
Two-factor authentication adds another layer of security after you enter your username and password - you complete a second method of identity verification that makes it much more difficult for attackers to compromise your account by stealing your password.
In their search for different two-factor authentication solutions, they looked at RSA and Vasco but wanted to find a better solution to meet their requirements:
- Multi-platform software tokens
- Alternative methods of authentication, like phone callbacks and SMS passcodes
- An open platform that allowed for easy integration
When evaluating a new product, Giacomo looks at the APIs. With embedded developers, they do everything through the APIs, and they need to integrate with everything.
They also needed to protect their on-premises, company-wide VPN. While they were using Google Authenticator to protect their VPN, the setup left a lot to be desired: it required custom servers for provisioning and emergency access, which caused a lot of problems and a poor user experience.
King.com also needed a secure way to access their cloud-based Google Apps storage. They had at least 25 apps integrated through their identity management stack.
The Solution: Duo’s Trusted Access
Giacomo noted a few major benefits of implementing Duo’s Trusted Access solution - the combination of two-factor authentication and endpoint visibility:
End Users Love It
Duo’s solution is user-focused, according to Giacomo. As the Director of Information Security, his job is to sell the use of two factor within his organization. That means he needs user buy-in in order to ensure they’ll use the security solution.
Sophisticated users don’t want to be disrupted in performance or authentication - if you force administrators to type in passcodes each time they log into the administrative console, it can prove to be too cumbersome, adding up in time and effort. Users will find ways to bypass two factor if it’s too difficult to use or slows them down.
End users love Duo’s push notification method that eliminates the need to generate and type in passcodes to log in. Instead, using our authenticator app, Duo Mobile, users will be prompted automatically via push notification on their smartphones to approve or deny a login attempt.
Duo Push is fast, easy, and uses something your users already carry with them everyday - their phone. It takes seconds to authenticate and doesn’t slow them down.
Easy Integration and Interoperability
Giacomo also found Duo’s solution to be easy to integrate with many different solutions, allowing for log management, administrative management and many other capabilities through the use of APIs.
Duo supports over 200 integrations, including cloud apps, web apps, VPN, Microsoft and many more services. Our extensive documentation makes it easy for administrators to add new applications, with step-by-step technical instructions and videos to guide you through the process.
Giacomo deployed Duo’s solution in just 20 minutes. He managed to expand the setup geographically to cover all of King.com’s offices worldwide, optimizing for performance and redundancy across the globe.
User provisioning is pretty quick and painless, too. Admins can email signup links to allow users to enroll their own devices. Or, they can leverage bulk enrollment and Active Directory synchronization to provision large groups of users.
Endpoint Visibility and Security
In addition to two-factor authentication, King.com uses Duo’s solution to get insight into all of their managed and unmanaged devices logging into their environment. Without using an agent, Duo’s solution shows you how many jailbroken, outdated and unprotected devices are logging into your applications protected by two factor.
According to Giacomo, Duo’s endpoint visibility tool revealed that King.com had one customer logging into their apps using a machine that was running Windows Vista, an older version of the Microsoft operating system that is especially susceptible to software bloat, exploited security vulnerabilities, malware, viruses and many other problems.
That could be a big problem for any organization - it only takes one outdated device accessing your business-critical apps to take down the entire company. An attacker could scan for devices on an open network to find outdated operating systems, plugins and other software, then exploit them by using a known vulnerability. With access to your network, they could install malware to steal, alter or destroy sensitive customer and company data.
Custom Access Policies and Controls
With Duo’s endpoint remediation tool, you can detect and warn users as they log into your network that they have outdated software. Then, you can create a control to block certain versions of software based on your security needs, to reduce the risk and spread of malware via outdated devices.
King.com uses Duo’s policy-based controls for all applications to define the rules around security needs for different teams, like marketing and engineering. Each team has different permission levels and access, and Duo allows admins to configure access security controls.
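The warn-then-block model described above, as an added illustration that is not Duo's code: a small policy evaluator over constructed device posture records, with per-team minimum OS versions and a hard block for jailbroken devices (the record fields, team names and thresholds are assumptions).

```python
"""Added example (not Duo's code): a toy access-policy evaluator for the
detect/warn/block model described in the post. All records are constructed."""
from dataclasses import dataclass


@dataclass
class Device:
    """Constructed device posture record; field names are assumptions."""
    user: str
    team: str
    os: str
    os_version: str
    jailbroken: bool = False


# Constructed per-team policy. Windows versions use the NT kernel number
# (Vista = 6.0, 7 = 6.1, 8 = 6.2, 8.1 = 6.3, 10 = 10.0).
# "warn_below": let the user in but tell them to update.
# "block_below": deny access outright.
POLICY = {
    "engineering": {"windows": {"warn_below": (10, 0), "block_below": (6, 1)},
                    "ios": {"warn_below": (15, 0), "block_below": (13, 0)}},
    "marketing":   {"windows": {"warn_below": (6, 3), "block_below": (6, 1)},
                    "ios": {"warn_below": (14, 0), "block_below": (12, 0)}},
}


def parse_version(v: str) -> tuple:
    """'6.0' -> (6, 0); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in v.split("."))


def evaluate(device: Device) -> tuple:
    """Return (decision, reason); decision is 'allow', 'warn' or 'block'."""
    if device.jailbroken:
        return ("block", "jailbroken or rooted device")
    rules = POLICY.get(device.team, {}).get(device.os)
    if rules is None:
        # Unknown platform or team: fail closed rather than open.
        return ("block", f"no policy for {device.team}/{device.os}")
    ver = parse_version(device.os_version)
    if ver < rules["block_below"]:
        return ("block", f"{device.os} {device.os_version} is below the minimum")
    if ver < rules["warn_below"]:
        return ("warn", f"{device.os} {device.os_version} is outdated; please update")
    return ("allow", "device meets policy")


if __name__ == "__main__":
    # A Windows Vista (NT 6.0) login like the one the post describes is blocked.
    print(evaluate(Device("alice", "engineering", "windows", "6.0")))
```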
Total Cost of Ownership
Giacomo also noted it was difficult to sign a long-term contract when they weren’t exactly sure what was in store for the company in the future. Compared to other providers, Duo offered a very competitive total cost of ownership (TCO). For a breakdown on RSA vs. Duo’s TCO, check out Replacing RSA SecurID: Why Are Customers Switching to Duo Security?