The zero-trust concept starts with establishing a level of trust around the identity of the user and what they can access to work within the organisation’s environment. Having checked the device and authenticated the user, the next fundamental element is controlling what doors to what applications they can enter, and what is considered out of bounds. This is not a new idea. As Hamlet once said all those years ago:
“Let the doors be shut upon him, that he may play the fool nowhere but in’s own house.”
This is not to suggest that chief information security officers (CISOs) should start getting worked up about familial or romantic issues; as it didn’t appear to work out too well for poor old Hamlet. But the idea of restricting a user so that they can only enter into an area which is approved and relevant to their duties is a necessary control.
Virtual private networks (VPNs) ensure that the user is connected within the virtual corporate network. But once the credentials are accepted, the user is through the main door into the organisation. This is all well and good in a world where all users are completely honest and, in fact, who they say they are. Unfortunately, compromising credentials is all too common an occurrence. For example, the ease with which phishing has become an attack tool of choice has made relying on controlling the main door with a username and password a limited security control.
The Duo solution starts to address this level of control over users at the entry point. The use of a reverse proxy enables the mapping of users to applications. This means that each application has a door which the user has to open. It is a house on its own with one way in, and that is under lock and key. This provides a triple layer in the defence structure:
- The user is known and authenticated.
- The device is checked and found to be adequate.
- The user is limited to where they can go.
This all needs to be done with minimal impact on the end user. Introducing difficulty into any security control area just breeds avoidance. By integrating with established single sign-on (SSO) capabilities, the users’ rights can be identified without the need for any duplication of effort. The ease of adaptive authentication at the device level makes this a non-disruptive activity on the user side, and a natural part of the workflow of logging in to do some work. Meanwhile, the ability to block non-approved devices leverages the awareness of endpoint security. Wrapping this around a browser-based gateway screen provides a simple, secure single point of entry into each of the application doors.
What is appealing about the agile and flexible approach is the ability to bring new applications on board wherever they are found - whether running in the cloud, in a local data center or a third-party application. No matter where the doors are, they can be open or shut from a central point based on a policy. So as digital transformation drives change in the business and new applications are brought on stream, the Duo solution ensures that security controls enable, rather than block or hinder.
And, of course, because we want to control the doors, it doesn’t mean we think that all users are there to play the fool. Just the bad guys.