Introducing Role-Based Access Controls for Duo Administrators
For enterprises, managing a security solution across hundreds or thousands of users involves more than just one administrator - help desk, IT, network, and security staff and more comprise an IT ecosystem.
Now you can improve your company’s security posture by easily separating the roles and responsibilities of the different managers of your Duo Security deployment with our new feature, Administrative Roles! Available for our Enterprise and API Edition customers, Administrative Roles (a.k.a. Role-Based Access Controls) allows two-factor authentication administrators to delegate management of different tasks with more granular control over their permissions.
Before today, Duo Security only provided a single administrator role that allowed full access to all settings in the Administrative Panel. Some customers, especially ones with large IT and security organizations, requested the ability to adjust administrative privileges per user. Good privilege policy can help prevent accidental or intentional changes to integration settings, users, groups, and more.
Now Duo administrators can delegate specific 2FA management tasks without worrying about abuse of privileges. For example, an organization’s primary 2FA administrator might want to delegate the task of issuing temporary bypass codes to their help desk team, or billing updates to the procurement team. To ensure internal security, administrators can now assign certain management roles with specific permissions.
Dedicated Access Settings and Permissions
There are seven total different types of roles, including Owner, Administrator, Help Desk, User Manager, Integration Manager, Billing and Read Only. Each has certain access settings and permissions - for example:
- Owner: The Owner role grants full access to all actions and settings in the Duo Admin Panel.
- Administrator: The Administrator has full access to users, settings and integrations - an Administrator can’t view or update billing information; nor create, view or modify any other Administrators.
- Help Desk: Help Desk administrators can view and update users, phones, tokens, and bypass codes, as well as send Duo Mobile activations to users. Help Desk admins can’t create or delete users or export information to a text file.
Administrative Roles Helps Organizations Meet Compliance Regulations
In addition to improving an organization's security posture, Duo Security Administrative Roles can also help financial service organizations that need to comply with data regulations such as GLBA (Gramm-Leach-Bliley Act), or need to meet guidelines set up by FFIEC. These guidelines require the strict segregation of roles and responsibilities while managing security solutions.
GLBA & FFIEC for Financial Institutions
The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, is the law created to manage how financial organizations deal with individuals’ personal data. However, the GLBA doesn’t provide advice on specific technologies to use, but more so guidelines on how to create an information security program under the Safeguards Rule.
The FFIEC (Federal Financial Institutions Examination Council) provides more technical guidelines for protecting online banking and financial institutions, including requiring two factor for remote access for internal employees that administer sensitive systems or databases, as well as for online banking customers, according to their Information Security InfoBase on Remote Access.
And in accordance with the Access Rights Administration guidelines, the FFIEC states that:
...access beyond the minimum required for work to be performed exposes the institution’s systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed. The financial institution's security policy should address access rights to system resources and how those rights are to be administered.
ISO 27000 & SANS
For organizations that need to follow industry security standards like ISO 27000 or SANS best practices, they require strongly dividing roles and responsibilities while managing security solutions.
The ISO 27000 family of standards manages the security assets of financial information, intellectual property, employee details, etc., and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
More specifically, the ISO/IEC 27001:2013 is the standard that provides requirements for an information security management system. Standard 5.3 provides more information about organizational roles, responsibilities and authorities, according to ISO.org.
Created by top experts in the field from primarily government agencies, the SANS Critical Security Controls Guidelines provides 12 information security controls to help organizations protect against threats and attacks. Critical Security Control (CSC) 12 dictates the controlled use of administrative controls, with recommendations for:
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
More specifically, the standard 12.1 requiring organizations to minimize administrative privileges, and only use admin accounts when required. The control should be implemented with a focus on the use of administrative privileged functions and monitoring for anomalous behavior.