New to Duo’s Reporting Suite: The Policy Impact Report
Duo’s adaptive authentication & policy enforcement is how a growing number of companies address such security issues as growth in cloud services, bring your own device (BYOD) and distributed workforces. This feature set allows Duo administrators to set fine-grained device access policies, restrict access to or from specific locations, and require certain security settings on devices.
To complement this feature set, Duo's newest addition to our reports includes the Policy Impact Report – a clear, concise and holistic view of your administrative policies and how they impact your users This new report is available on Duo Access and Duo Beyond.
Why We Created This Report
The Product Design team spoke with several of our customers’ Duo administrators to learn more about how they were using access policies and what we could do to progress the feature set. One of the most salient takeaways was that Duo administrators do not have an efficient way of measuring the success of their policy configurations.
In order to provide this value, our team needed to understand how administrators are currently using policies and why. The Product Design team conducted dozens of discovery interviews with Duo administrators to answer these high-level questions:
What types of policies are administrators enacting? How have their policy ecosystems evolved over time?
What is the most and least useful policy-related data Duo is already providing to administrators?
What missing policy-related metrics would be most valuable to administrators?
The Product Design’s research revealed that administrators must measure the success of their enacted policies against multiple, sometimes conflicting objectives; they need to balance organizational security needs with end user productivity. Additionally, they often enact policies that block or warn end users because of device hygiene, while also setting policies that expedite end user authentication like “remember trusted devices.”
Duo can support these efforts through analytics, helping administrators surface and solve policy-related problems by answering these key questions:
How are policies working together to improve the organization’s security posture?
How are the end users being impacted by policies (both positively and negatively)?
As a result, we are excited to introduce a recent addition to Duo’s growing reporting suite: the Policy Impact Report. This report provides a clear story of how policies are working together to improve an organization’s security posture. It describes how end users are being impacted by policies, both interactions in which they are blocked and those in which they are expedited through without having to select an MFA (multi-factor authentication) method.
With this report, administrators can easily identify the reasons driving policy activity, single out distressed users, uncover user behavior patterns, and see how expedited policies help the right end users access their applications faster.
In the future, we intend to provide a log of changes made to policies as well as support filtering on specific policies, including step-up authentication and warned activity. Since many administrators are reluctant to block end users, step-up authentication and warned activity metrics are important to understanding overall policy impact.