Skip navigation
Product & Engineering

Part 1: Why Organizations Deploy Duo for Cisco’s AnyConnect VPN & Cloud Applications

This blog post is the first in a three-part series on how Duo integrates with Cisco technology.

Most organizations are going through a major technology transition deploying on-premises applications and workloads to the cloud. For many, this transition takes several years. At Duo, most of our customers operate in a hybrid environment where some of their workloads and applications are located on-premises and accessible via a virtual private network (VPN), while several major applications such as email, file sharing, collaboration, marketing automation and design tools have moved to the cloud.

While organizations are in this transition, IT admins have to ensure that user productivity isn’t impacted. Admins want applications to be available and accessible at all times. In addition, they have to secure all data and continue meeting any or all compliance regulations required to do business.

Duo is a part of this transition or journey for our customers. To provide secure access to applications, customers typically start by adding Duo’s multi-factor authentication (MFA) to VPNs like Cisco AnyConnect.

Security trends suggest attackers continue to use compromised credentials via phishing, brute force and other attack methods as a way to gain unauthorized access to internal applications. If attackers steal VPN credentials, they may be able to access several corporate applications and data, causing potentially catastrophic data breaches. For others, securing VPN access is also a data regulatory compliance requirement.

For example, PCI DSS 3.2 requires organizations with cardholder data environment (CDE) to secure all remote access with MFA. Aside from PCI DSS, several other compliance requirements such as HIPAA and NIST 800-171 have similar MFA requirements. 

Duo helps these organizations instantly reduce their risk of a data breach while helping them easily meet compliance requirements.

However, from a security risk perspective, securing access to your VPN is just one of many steps. As workloads and applications increasingly continue to run in the cloud, admins want to ensure a consistent level of access security for all on-premises and cloud applications

With Duo, admins can easily add MFA to any cloud application such as Office 365, Azure, AWS, Google, Workday, Box and more.

For users, there are no additional steps. If users are already enrolled into Duo’s MFA service, they are prompted to authenticate when they log in to access their cloud applications.

After Duo’s MFA is set up with on-premises and cloud applications, admins can also take advantage of its rich device telemetry. With Duo, admins can get visibility into the security posture of all user devices such as laptops, desktops and mobile devices, including all personal devices (bring your own device - BYOD) accessing applications.

In addition to user authentication, Duo can get visibility into all corporate-owned and BYO devices without the use of agents. Since there are no device agents involved, Duo is easier to deploy and more user friendly. With complete device visibility, admins can determine risks due to personally-owned devices in their environment. For example, one of our enterprise customers discovered 30,000 new devices accessing their environment - and nearly 50 percent of those devices didn’t meet their company’s security and compliance requirements.

Admins can leverage user and device data collected by Duo to enforce security policies based on the risk level of data and applications. For example, admins can enforce a security policy for VPNs to allow access only from specific locations such as United States and from devices that have up-to-date software running on them. With Duo, admins can have a high level of assurance before granting a user and their device access to applications. Many of our customers also call this zero trust (ZT) or the software-defined perimeter (SDP). If you want to learn more about zero trust, refer to our blog here