Part 3: Cisco’s AnyConnect + Duo Trusted Endpoints Feature
This blog post is the third in a three-part series, "Duo Integrates with Cisco Technology." Catch up on part two on Duo + Cisco's Firepower Threat Defense, and part one on Duo + Cisco's VPN and Cloud Applications.
Many organizations begin the journey to improve their security by protecting remote access to their environment with multi-factor authentication (MFA). By leveraging the integration between Duo and AnyConnect, organizations can verify the identity of their users and reduce their risk surface. As cyber threats evolve, approaches to security evolve as well. While establishing trust in users is critical, it is also imperative to establish a level of trust in the devices connecting to applications.
Security practices are shifting toward a zero-trust security model that protects access to all applications, whether on-premises or in the cloud. A critical step in realizing the zero-trust vision is adding device trust into the access equation.
When customers think about sensitive applications, the application that typically gets the most attention is the VPN. This is because an attacker who has gained access to the corporate network through the VPN can try to gain higher privileges and move to other systems, applications and servers. In more advanced cases, an attacker might install malware on internal systems to gain persistent backdoor access into the network.
We are excited to announce that customers using AnyConnect and Duo can now use Duo's Trusted Endpoints feature to add a device trust check to all VPN access requests. Combined with access policies, this lets organizations ensure that only healthy, managed user devices are able to gain access to sensitive applications. With this integration, it is possible to ensure that every VPN access request originates from an endpoint that is managed by corporate IT, with or without an MDM/EMM solution in place, and hence can be deemed trusted to gain access. This adds to the existing guarantee from the Duo MFA prompt that the request is also coming from a trusted and authorized user.