Sometimes it feels like we run in circles in infosec – chasing the same ideas, but changing the name or re-defining the concepts behind the ideas. Largely, the initiatives remain the same. In cyber security, while the goal is seemingly simple - reduce the threat surface and protect your valuable data from exfiltration - it seems the journey to get there is not.

Evolution of Trust Models - A Brief History Lesson

In the “good ole days” it was easy; everything lived behind a firewall inside the corporate network. As the business world changed to encompass remote workers, everything still lived within a controlled infrastructure and access was granted for outside users through secured virtual private network (VPN) connections. This shift in the early 2000s to allow access from outside the perimeter started buzz around the idea of “de-perimeterization,”  which the Jericho Forum was created to tackle.

The borders of the digital world expanded further with the introduction of cloud applications and services. Hybrid infrastructures meant the traditional castle and moat approach to security became antiquated and the threat surface broader. This introduced new challenges for security professionals to protect the resources of an organization. John Kindervag introduced the concept of a  “zero-trust model” for information security in 2009 and defined it as an approach that assumes no traffic within an enterprise’s network is any more trustworthy by default than traffic coming in from the outside.

This model served as the building blocks for Google's BeyondCorp, introduced in 2014, which is an implementation of a zero-trust architecture that requires securely identifying the user and device, removing trust from the network, externalizing apps and workflow, and implementing inventory-based access controls.

Today, the rise in a cloud-connected, mobile and remote workforce has put the visibility and control of users and devices firmly outside of the enterprise. The extended perimeter is now centered around user identity and their devices. To address this new reality, Gartner's CARTA model - continuous adaptive risk and trust assessment - calls for a shift away from one-time, binary access decisions toward contextual, risk and trust-based decisions. This model is about giving just enough trust to users, even after authentication, to complete the action requested.

As an industry we have been circling the horses around this notion of the shifting perimeter for years but it hasn’t seemed to gain legitimate traction within organizations. Perhaps this is due to the fact that prescribed implementations have morphed with the changing digital landscape, making it appear untenable to implement and maintain.

Now that the idea of a zero-trust approach to security has resurged in the infosec space, everyone seems to be offering complex models and solutions. But what problems does this approach solve? How can organizations build a zero-trust model, and where should they start? Maybe the problem is that there is uncertainty around this being the right approach to future-proof environments in this ever-changing digital landscape.

Does Zero Trust Solve New Identity Perimeter Risks?

Protecting users should be the core component of a zero-trust security strategy. Teams need the ability to verify user identities, and the trustworthiness of their devices, before granting both access to enterprise applications and data.

Compromised credentials are a prime target of attackers, allowing for easy, unprotected access due to phishing, brute-force and other password attacks. In an analysis of simulated phishing campaigns, Duo's 2018 Trusted Access Report found that more than half (63 percent) successfully captured user credentials.

A zero-trust security approach for the extended perimeter makes it more difficult for attackers or unauthorized users to gain access to applications without meeting certain identity, device and application-based criteria.

Brick and Mortar of the New Security Wall

This doesn’t mean that organizations have to deconstruct their existing environments, or add complex layers of security to adopt this model. Solutions should enable you to protect your current investments without heavy uplift in administration and implementation. In fact, the most successful solutions should layer on top of existing infrastructures and be convenient and easy for user populations to adopt without an impact to their current workflows.

A zero-trust approach for the workforce should provide an organization the tools to be able to evaluate and make access decisions based on specific risk-based context for any application within an environment. This can even mean layering security controls on top of existing remote access solutions that are in place today.

Bolstering Your Defenses With Trust

The goal of a zero-trust security approach is to enable security teams to be able to establish trust in users and devices accessing an organization's assets by adding an additional layer of security. Ideally, they need an approach that balances security with usability, to ensure adoption within an organization.

Solutions need to be streamlined and user friendly to both deploy and administer, and organizations need to create a culture of security with their users through empowerment and education. By providing tools that simulate phishing attacks and offering self-remediation options users become a part of the security team and improve the odds of a successful implementation of a new security approach.

Trusting the Future

Will establishing this security model future proof your organization? Time will certainly tell. The concept has been evolving over the years but the basic principles have remained the same. Access points – users and devices – into corporate resources need to be protected and the threat surface needs to be minimized to prevent the loss of sensitive data.

By approaching security practices with a zero-rust model enables organizations to modernize their infrastructure without introducing risk. A solution that is scalable, flexible, compliments existing solutions, and can adapt to diverse use cases will ensure successful adoption and protection.

Adopting a zero-trust security approach doesn’t have to be overwhelming. There are steps that can be taken today to establish protection on the new identity perimeter, giving organizations a layer of security that offers protection without the need to re-invent the entire infrastructure of an organization.

You can learn more about how Duo can help you future proof your security solution and apply principles of trusted access to support your zero-trust security approach. You can also join us for a security panel discussion Thursday, May 9 at 1 p.m. EDT and learn how other distinguished security professionals have approached the journey to establishing a zero-trust security approach.

Unlike the high tech government systems portrayed in spy movies, federal government agencies like the Pentagon, the Department of Defense (DoD) and public agencies are not at the bleeding edge of modern IT in all areas, particularly when it comes to the outdated PIV/CAC cards required to sign into systems. 

In 2001, the DoD first introduced Common Access Cards (CAC), a smart card used to prove identity and log on to systems, with no consolidated and interoperable ID management for civilian employees, reservists, active duty personal and contract workers. In 2006, the DoD launched an updated CAC adding Personal Identification Verification (PIV) capability as a next generation CAC solution. Today, the basic ability for workers and contractors to log into their super-secret systems is the same as it was in the early days of the internet, and the government has not kept up with technology advancements.

Back in 2013, Tony Montemarano, executive deputy director of the Defense Information Systems Agency (DISA) said, “We are really hitting hard on mobility [and identity protection]. Everything we are doing, every development activity has to show a mobile side to it.” 

The folks at the federal government who protect and serve are well-aware of the security and usability challengers of this outdated approach to IT security.

“We will use true multi-factor that actually does a couple of things for me — it gets me more agile because there is an overhead for CAC cards, not just cost overhead, but a time overhead, and in my business, it’s a location overhead. It’s really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your systems. It just doesn’t work well.”

-- The then Department of Defense Chief Information Officer Terry Halvorsen told the Federal News Network in 2016 

As more operations rely on smart devices and screens, using CAC and PIV alone is no longer a viable solution. “We have to move away from the CAC as a form factor,” shared Steve Wallace, DISA’s technical director, in 2017, noting that the CAC card doesn’t plug into a tablet.

The CAC and PIV systems are as ingrained into our federal systems as the American Social Security number—and are not exactly going away, but they are getting an Avengers makeover and being reimagined from the clunky hardware and ugly UI to modern mobile user credentialing utilizing multi-factor authentication (MFA) that is seamless and frictionless. It’s the kind of modernization that senior leaders in federal agencies have been working toward for years.

Duo Security is a mobile multi-factor authentication technology developed to solve exactly these problems for federal and government agencies. Duo believes that excellent cybersecurity should be accessible to all people and aims to “democratize security” so every device is protected on every platform with the ability to access any application securely utilizing our zero-trust (trust no user and no device that is not properly vetted) technology.

Duo Moves Compliant CAC/PIV Credentials to Mobile

Duo’s MFA supports rather than replaces CAC/PIV cards, keeping the cost to implement low.

Duo works as a mobile application on smartphones that users can self-register and administer using their government issued or BYOD device, making a large roll-out a snap with few barriers to adoption. It is as easy as installing any app from the app store.

With Duo’s single sign-on (SSO) login with a password and username, which triggers the Duo Mobile App to send a push notification (Duo Push). User’s can tap “accept” (or deny suspicious requests) and quickly complete the second-factor authentication process (2FA). Duo allows users authenticate into cloud and SaaS applications and access applications from mobile devices

Duo keeps agencies and users compliant with granular policy controls that allow admins the ability to set policies for:

• Location-based access
• Role-based access
• Contextual access
• App-specific access
• Outdated applications and required updates
• Endpoint control enforcement whether you have an MDM solution or not
• Detecting and tracking every device on your network without using an agent
• Notifying users who have not added password protection or biometrics or restricting them until they do 

All-In-One Solution

Imagine a single solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity. Duo and YubiKey have teamed up to offer a single elegant solution for all scenarios.

Duo + YubiKey

 Together, Duo and the YubiKey satisfy the government guidance on:

• FedRAMP
• DFARS/ NIST SP 800-171
• NIST SP 800-63-3 AAL

Duo Security is proudly FedRAMP “In Process” on the FedRAMP Marketplace and adheres to NIST regulations for compliance for commercial alternatives to CAC/PIV cards. Federal and public agencies can buy Duo now.

Want to learn more? Watch this webinar on "How Mobile Will Replace Your CAC/PIV Cards" 

Editor’s note: This is the second blog in a three-part blog series that walks through the top six areas of concern for CISOs and CIOs and the technology solutions available. Our first post of the series explored gaining clear visibility into potential network threats and adopting a zero-trust security policy.

There are six key areas security executives should focus their attention towards for the remainder of 2019: clear visibility into threats across platforms, redefining the new perimeter, encouraging an internal culture mindful of security, alignment across IT operations and security operations, early detection of risks from inside the firewall and managing cloud security. It is an ambitious list for any company, but it is nothing to lose sleep over. Duo Security has developed drop-dead simple technology that solves many of these issues — giving weary security executives restful nights with sweet dreams.

Let’s dig into the next two top concerns for CISOs; adopting an internal culture of security and aligning security ops with IT ops.

3. Nurture an Internal Culture of Security Automatically

Between smart devices, laptops, phishing scams, wifi hacks and malware — preserving company security is everyone’s responsibility. Educating employees of potential risks and creating an internal culture of security is a top priority for security executives. In the recent Cisco 2019 CISO Benchmark Report only 39% of companies surveyed had security training in place for employees. This large internal security risk deeply concerns CISOs and could lead to needless sleeplessness, but it certainly does not have to. Duo was created to make security frictionless and automatic for everyone.

Duo helps organizations avoid the legacy limbo and modernize IT infrastructure with super simple self-service technology that is system agnostic and offers maximum security. It is a win for CISOs and a win for employees.

“The only way we knew to get insights into mobiles devices was to push a mobile device management (MDM) tool onto user’s devices, but due to cost and complexity we didn’t want to pursue this idea. Duo’s push functionality, flexible authentication options, inline enrollment and user documentation made it easy for us to enroll all of our users in a timely manner.”

— Chad Spiers, Director of Information Security, Sentara Healthcare

Everyone can own their security. Duo’s DIY mobile authentication is as easy as downloading an app from the app store.

• Users can self-enroll. Duo's automated sign-up options, such as user self-enrollment, and Active Directory sync options allow for scalable user provisioning
• Duo’s self-service portal lets users manage their own devices
• Duo’s Self-Remediation notifies and assists users to update any out-of-date devices
• Duo’s technology stops phishing attacks before they happen by identifying vulnerable users
• You control and customize policies based on the user or group or their specific roles and responsibilities
• Customer case study: Sentara Healthcare

4. Align Security Operations with IT Operations

The Chinese symbol for danger doubles as the same symbol meaning opportunity. This paradox is similar to the competing priorities between CSOs and CISOs. On one hand, the CISO manages the security operations team with the goal of enforcing and controlling trust to keep data safe; while on the other hand the CIO manages the IT operations team and is tasked with completing projects and increasing revenue with a focus on expanding business with new technology. They often have similar but competing goals to modernize the way business is done and to be secure while maximizing efficiency and business objectives.

Duo helps to align security operations with IT operations by streamlining multiple security tools in one agnostic platform. Duo democratizes security for all organizations regardless of their current technology stack. CISOs can finally catch more zzz’s.

“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls.”

—  Mike Johnson, CISO at Lyft 

Together at last, Duo helps CISOs and CIOs meet their goals side-by-side.

• Reduce time to security: Duo's native integrations protect on-premises, cloud, remote access, VPNs, etc. to enable business agility, allowing admins to roll out security in a matter of hours and days
• Secure cloud infrastructure access: DevOps and engineering teams can SSH to servers remotely and securely with Duo to access development environments and deploy code, as required by compliance regulations
• Duo does the work of many different security tools, all in one platform: strong/adaptive authentication, endpoint visibility and control, remote access and single sign-on – increasing the value of your security investment
• Duo's technology and security partnership ecosystem makes it easy for you to eliminate complexity while protecting your existing IT investments
• Customer case studies: Withers Worldwide, Lyft

Studies show vendor consolidation as a trend. Duo is a single vendor solution that takes the place of multiple vendors and technology. Duo Beyond makes it easy to develop an internal culture of trust through zero-trust security. CISOs can worry less and get deeper sleep by implementing technology that automatically secures everyone and aligns with the goals of security ops and IT ops.

Our final post in our three-part series will review how Duo helps with early detection of risks from inside the firewall and managing cloud security so more CISOs can get quality REM sleep.

Recently at Duo Tech Talks we hosted Emma Dauterman of Stanford University for an outstanding presentation on True2F, a joint research project between Stanford and Google surrounding backdoor-resistant security keys.

The True2F work builds on top of FIDO U2F, which is a 2nd-factor authentication standard supported on sites like Google, Dropbox, GitHub, and Duo. U2F, (and similar technologies like WebAuthn), provide strong, public-key based authentication on the web with built-in phishing resistance. Instead of relying on shared secrets, protocols like U2F and WebAuthn use a challenge-response protocol. U2F and WebAuthn authenticators can be physical security keys such as a YubiKey or Google Titan Key, platform authenticators built into computing devices, or can even be software-based.

U2F and WebAuthn provide some protections if faced with malicious websites, (e.g., a phishing site), or even a malicious web browser. However, these protocols currently provide no protection from token faults or backdoors. True2F changes this by providing a two-party protocol for generating cryptographic keys and ECDSA signatures.

Emma’s talk covers the design and implementation of True2F, as well as performance differences between U2F and True2F. The full paper is available online, which goes into even greater detail and provides complete proofs.

If you missed it last time, check out Emma’s talk here, and if you’d like to attend future Duo Tech Talks, you can find them posted on our Meetup page.

You can choose a ready guide in some celestial voice
If you choose not to decide, you still have made a choice
You can choose from phantom fears and kindness that can kill
I will choose a path that's clear
I will choose freewill
-Rush

Change is hard. We humans have a built-in CRD (Change Resistance Diode) and we spend an inordinate amount of time and energy fighting change. I am as guilty of this as anyone. I’ve been wearing the same style of shoe for almost 40 years. “It works for me, has always worked for me and if it ain’t broke, don’t fix it.” This is a fine mantra for shoes, but status quo is a killer in the enterprise. This mindset makes us miss things – trends that might actually help the business. But the greater threat is missing areas where the business is vulnerable or at risk. This mindset also gives way to “do nothing” thinking, and, well, just because you don’t make a decision or don’t make a change doesn’t mean that the change happening around you, won’t affect you.

This behavior gives way to “the law of unintended consequences” and “unintended or accidental motivation.”

It’s always talked about and often examined but worth taking a look at it in an IT security context. We as human creatives act and are compelled to act by a few different “drivers.” The biggest driver, imho, is the incentive driver. While we all have others – things like a moral driver, a moral “compass,” if you will; some people’s moral compass will never find true north – one thing that all of us human animals have in common is a drive that will align with some kind of compensation. I’m not talking strictly about money, although this tends to be a big driver and the most equated attribute to compensation. I’m talking about incentives. The incentives can be wildly varied, as it should be. And what motivates one might not motivate another. For example, some people are rewarded by sheer satisfaction. The satisfaction that comes from a job well done. Some are not motivated by this at all and couldn’t care less about how well a job is done. Add to this that the job itself plays a role in satisfaction being a driving incentive, and you have a complex set of attributes and psychology that are both fascinating and terrifying.

When my first born son was a teenager he was not at all worried about how well he mowed the lawn. He cared a little more when he got paid for it, but it wasn’t a task that he could be motivated into easily. He was however, very motivated to become good at the video game Halo. He played it a lot. I didn’t have to pay him to do it. The incentive was the satisfaction. He was good at other things and took pride in things that weren’t video games, but my point is: the task itself plays a role in how things are incentivized. Playing this game was also incentive for doing his homework. Bribery/incentivization is a parent’s strongest tool.

“When I do good I feel good, when I do bad I feel bad, and that is my religion.” - Abraham Lincoln

All three of our boys are very compassionate souls, even if they didn’t ever want us to know it. My wife instilled in them a volunteer spirit. They volunteered (and continue to volunteer) quite a bit with many organizations growing up. They did this with pride and without compensation. The job was the reward. There was an incentive to do a good job for their fellow humans.

Not all jobs are like this. Some jobs or tasks require compensation. This is the whole point of sales compensation.

So this brings me to accidental motivation (and before you say “there’s no such thing!” yea, yea there is, and it’s actually the prevailing motivation in the world).

It can be a sales comp plan that provides incentives and compensation that are good for the business, but not as good for the customer: “I only want widget A and don’t want widget B. Why do you keep pushing widget B?”

Usually this is because someone inside the selling organization has incentives/compensations to move more widget B. This is probably due to the fact that no one wants to buy widget B because it doesn’t solve any useful problem for the customers. Now, no organization on earth wants to hurt their customers. Not on purpose. So while this example is premeditated, the outcome is not a wanted outcome for either the customer or the organization. Unintentional consequences or accidental incentive.

We do this in InfoSec all the time.

Everytime we decide not to have a policy or to have a policy that puts undue burden on our users, we have decided to allow chaos or accidental incentives to take over.

Trying to COPE with BYOD

One of the biggest examples of this was/is bring your own device (BYOD).

BYOD happened to IT, not the other way around. People got cool phones and tablets and more than that they got useful smart devices that could do email, calendar, notes, and many other things. And once the apps started coming, forget about it. Computing changed forever. The early days of BYOD were people bringing their personal devices and using them for business, in most cases without the IT department’s knowledge. Once IT got wind of it, that’s when the party started. CISOs and legal folks got involved and the privacy and data protection dance started. The irony is that there are lots of cases now where people won’t allow IT to put a control agent (MDM) on their device. So InfoSec invented this thing called COPE (corporate owned, personally enabled) devices. This was a fancy way of saying, “we’ll give you one of those cool devices, but we own it and we can do whatever we want to it. You can put your pictures and songs on it but we may wipe it anytime we want. Here’s our 30 page policy. Have a nice day.”

So what behavior did we incentivize? People will either carry two devices or just use their personal device anyway. Sure, you can try and block their email. But they can still text and make calls and people are creative. They will find a way. You’ve essentially, but accidentally, encouraged people to work outside the confines of corporate security.

I know this from personal experience. I’m a CISO’s and legal team’s worst nightmare. And I’m a security guy! But for me, usability will always always always outweigh security. It’s a simple fact. I like to get things done. Security will either work with me or I’ll find another way.

BYOD works. I remember when the iPhone first showed up in 2007; the prospect of consolidating my personal compute platform from a Blackberry, plus an iPod, plus a phone to a single device was truly compelling. That compelling event is still happening today. In my world (public sector) they are constantly vacillating back and forth between “never gonna support” to “looking for a way to support.” But guess what? It’s already happening. Why? Because users find a way. While you keep thinking about it and keep talking about it, it’s happening. Unintended consequence of doing nothing.

Breaking All the (Password) Rules

Passwords are another glaring example of accidental or unintentional incentives.

We put in place strong password requirements, both for the passwords themselves (complexity) and how users use passwords (change them every 30 days, don’t write them down, etc.). We have accidentally incentivized users to break the rules (I’m gonna write that password down because there is no way in heck I can remember that) or reuse the password everywhere because I’m not going to have 30 passwords that I can’t remember.

Now, luckily we have the tools to deal with this. Password managers are a great tool. Password managers combined with a simple effective MFA (multi-factor authentication) solutions are an even better tool. But as useful as they are, they sometimes add a layer of complexity to the user’s everyday technological life, so we need to be conscious of that. Apple’s doing a pretty good job of turning the Keychain into a useful password manager. It’s always been one, but now it’s gotten much more user friendly, ie. working across all of my devices, as long as they’re Apple devices. The point is, while I absolutely recommend using password managers, it’s not a “one size fits all” solution and not everyone will embrace it. But pretending that our users don’t mind heavy handed password requirements pretty much sums up the security team/users relationship conundrum.

Some day passwords will be gone. Can’t be soon enough for most of us, but today is not that day.

<DUO COMMERCIAL>

The first thing to understand about me is that I am a true believer. What I mean by that is, I don’t preach the value of Duo because I work here. Quite the opposite, I work here because I believe in the original vision of the company and believe it does good in the world.

When I on-boarded at Duo over a year ago, it really struck me, as I put on my end user hat, how good it was. I tell people this all the time. It was the right combination of people (we’re all security right?) process (here’s how you set everything up and how it all works together) and technology (ours, plus LastPass and Yubico’s YubiKeys, browers, apps, etc.). It was the whole ball of wax and it was simple and user focused. This last part is key, and something that is most often forgotten.

It is the most crystalien example of a user-centric zero-trust security model that I have seen.

Every organization should be doing this. Now. Everyday.

</DUO COMMERCIAL>

As I finished up the above section, I realized it wasn’t really a Duo commercial as much as it was a best practice commercial. I just happen to truly believe that Duo is doing something special here and has an important role to play.

Seriously, giving the user community the incentive to be good security citizens cannot be overstated. Having well defined, user-centric policies and processes, coupled with user compassion and kick ass tools make for a winning combination.

Otherwise, we are creating accidental incentives to not do the right thing and the law of unintended consequences will prevail.

It’s just the first half of 2019, yet chief security officers (CSOs) or chief information security officers (CISOs) everywhere find themselves in a race against time and resources to modernize and shore up vulnerabilities within IT infrastructure in a way that plays nice with current legacy systems and permits device autonomy within organizations on the individual level. The good news is that solving these complex problems is not as difficult as it sounds.

Editor’s note: This is the first blog in a three-part blog series that walks through the top six areas of concern for CISOs and CIOs and the technology solutions available.

The 6 Key Areas of Concern for CISOs

There are six key areas security executives should focus their attention towards for the remainder of 2019: clear visibility into threats across platforms, redefining the new perimeter, encouraging an internal culture mindful of security, alignment across IT operations and security operations, early detection of risks from inside the firewall and managing cloud security. It is an ambitious list for any company, but it is nothing to lose sleep over. Duo Security has developed drop-dead simple technology that solves many of these issues — giving weary security executives restful nights with sweet dreams.

Let’s dig into the first two top concerns: gaining clear visibility into potential network threats and adopting a zero-trust security policy.

1. Gain Clear Visibility Into Potential Threats Across Your Network and Platform

Managing potential security risks across mobile, cloud and on-premises assets requires deep visibility into all assets that have access to applications, networks and platforms. Duo helps organizations get real-time insights on device health across platforms.

Get detailed insight into the security health of every type of device (whether corporate-managed or personally-owned) accessing your applications.

“We can see a full device inventory through a single pane of glass and have been able to secure endpoints and enforce policies to block access to applications from out-of-date and vulnerable devices. This, in conjunction with the implementation of MFA, has reduced the attack surface effectively and efficiently”

— Richard Bailey, Vice President of IT Operations at PruittHealth

Know What Is Happening on Your Network Right Now

Some device visibility solutions only give you limited insight into certain platforms and operating systems. Duo uses a single centralized dashboard that gives admins oversight across the network, hardware and software.

• Duo protects against password attacks with multi-factor authentication (MFA).  Eliminate the threat of attacks that stem from compromised credentials with Duo's easy and effective MFA

• Stay compliant. Duo provides end-to-end visibility, reporting and logs of assets. Duo's endpoint visibility gives a detailed overview of users' devices (managed or unmanaged, mobile and laptops/desktops) with compliance-friendly reporting and logs
• Get granular control with continuous reporting and monitoring of systems. Streamline data reporting and policies. Duo continuously monitors and reports on the health of your infrastructure. Identify mobile devices with certain security features enabled or disabled, as well as their security posture. BYOD, no problem
• Duo is software agnostic, accessible and open to everyone — democratizing security. Duo supports all users, types of devices and integrates with on-premises and cloud applications.
• Customer case studies: PruittHealth, Eastridge Workforce Solutions

2. Adopt Zero Trust to Secure the Perimeter Inside and Outside of Your Firewall

CSOs and CISOs are throwing out the assumption that the perimeter is confined to inside the firewall, because it simply no longer applies. The perimeter has shifted with a push toward “mobile first” and “bring your own device (BYOD)” and continues to expand to include cloud applications. This has changed the definition of what trusted users, trusted devices and safe traffic look like. Organizations need to expand the perimeter across on-prem, cloud and hybrid environments.

Zero trust treats every access attempt as if it originates from an untrusted network. This might sound like an expensive and time consuming proposition, fortunately it does not have to be.  A zero-trust approach doesn’t require a complete reinvention of your infrastructure. The most successful solutions can layer on top of and support a hybrid environment without entirely replacing existing investments.

Duo Enables Zero-Trust Security That Meets Strict Compliance Standards While Expanding the Perimeter

“We chose to implement Duo Beyond because it aligns with our own vision of zero-trust security. When integrated with Sophos Mobile control, it helps us securely and confidently provide mobile access to our employees, and provides additional visibility into all assets that are accessing corporate resources.”

—  Ross McKerchar, Chief Information Security Officer, Sophos Security

Have the power to limit access and flag risks before they become problems

• Duo Security centralizes access policies across platforms with zero-trust security. Admins can consolidate dashboards and get a single view of overall security status. Duo's Admin Panel flags risky devices allowing policy controls that limit access based on device and user trust (adaptive authentication)
• Support several authentication methods based on user choice: Duo Push, phone calls, U2F, etc. for all applications and services
• Limit or restrict access based on location or  IP ranges. Grant or deny access to applications based on where the user/device is coming from and what they are accessing with an easy to use interface
• Stop unauthorized authentications. Block authentication attempts from anonymous networks like Tor and proxies
• Customer case studies: Withers Worldwide, Sophos

Cisco recently released the 2019 CISO Benchmark Study that confirms gaining clear visibility into network threats and getting to zero trust is a top priority for CISOs. Duo Beyond is a zero-trust security platform that addresses user and device risk for every application so that CISOs can relax and rest easy, saving their energy for real problems.

Our second post in our three-part series will review how Duo creates an instant internal culture mindful of security, as well as how seamless alignment across IT operations and security operations can be.

There are many valid reasons federal agencies have been reluctant to adopt bring your own device (BYOD) policies, despite having a large remote and contract workforce.

The risk of not being in compliance, ransomware, hacks, PUS (potentially unwanted software), malware, phishing, shadow devices and information leaks on compromised devices combined with a lack of clear policy guidelines can appear to outweigh the rewards. Yet, asking government workers not to use their personal devices in 2019 is increasingly inefficient, expensive and archaic (plus, they’ll find a way to use them regardless).

So the White House released the BYOD toolkit and the National Institute of Standards and Technology (NIST) continues to update their mobile device security hub with guidelines to help federal and government agencies modernize their IT while securing their network from mobile device threats. NIST 800-63-3 updates the Digital Identity Guidelines to overcome the shortcomings of personal identity verification (PIV) cards and common access cards (CAC) credentials by allowing public agencies to choose accredited commercially available multi-factor authentication (MFA) technology as compensating security controls, meaning agencies are closer than ever to being able to embrace BYOD without the perceived security pitfalls.

Today, technological advancements in cloud security have turned the tables, and the pros for permitting BYOD devices (laptops, smart devices, phones, tablets, device screens and more) in federal agencies can outweigh the cons. In the past, the only solution to enabling secure BYOD to install an agent or a client like mobile device management (MDM). That gave visibility, but at the cost of personal privacy and invasive scanning. Now, there are low cost software agnostic alternatives that do not require a rip and replacement of legacy systems and complement and expand older technology.

MFA + Unified Endpoint Visibility = Freedom for Federal BYOD with Device Visibility

The obvious benefit of MFA is its ease of use and two-factor authentication that protects and verifies user identities before allowing access corporate applications. MFA protects public agencies from unauthorized access and attacks. MFA is as easy as uploading an app from the app store and even easier to implement with user self-enrollment.

Unified Endpoint Visibility strengthens a government agency’s control over each user’s device hygiene. It allows them to monitor and identify risky devices in real time while blocking device access until users perform critical updates that patch potential threats with easy-to-use self-remediation and Endpoint Remediation tools. Public agencies can rest assured they are always in compliance by setting up policies that automatically enforce many security hygiene requirements such as passcode, biometrics and encryption to maintain preset security standards.

See Everything Now. Shine Light on Shadow Devices

Securing BYOD by enforcing device access policies for corporate and personal devices helps agencies identify all devices logging on to the network, even unknown devices. Government agencies can set and enforce policies with contextual controls based on granular details like user groups, geolocation, device type, network and more. Finally, federal agencies can get a clear view of all the devices attempting to access or that are on their network through a single control panel. Agencies have the power to identify, control and block potential threats before they happen.

BYOD is good for government. It can keep the costs of equipment down. BYOD can eliminate new hardware and infrastructure costs. BYOD keeps staff accessible and appeals to a new mobile workforce while increasing productivity.

Duo Security is currently FedRAMP “In Process” on the FedRAMP Marketplace. Freedom for federal BYOD with clear device visibility is possible now.

It can be difficult to quantify the effect of a brand on a company and an industry, given that brands are the gut reaction of the many people who interact with a company, its product and its people. Businesses don’t get to define their brand, their audience does; and a business can only work to reinforce or dispel the traits it’s known for.

When our CEO Dug Song first talked to me about the idea that would become Duo, it was clear that how we did things was going to be as important as what we did. That combination has informed our style from the beginning. Duo’s reputation — its brand — is built on a belief that building the right kind of security product meant building the right kind of security company, one that makes user, customer, and even employee experience a top priority.

See the video at the blog post.

An overview of how Duo's in-house team drives business value and is helping disrupt an entire industry.

Michael Brake, noted sociologist specializing in subcultures and collective experiences, defines style as a combination of three things:

• *Image* – our presentation, how we look
• *Demeanor* – our attitude, how we behave
• *Argot* – French for slang, or what we say

The right combination of those things, cultivated by a company with keen self-awareness, has made for an authentic brand that customers and employees are not only interested in, but actually champion, and even love — an outlier in the security industry. It has fueled our growth, adoption and customer satisfaction for years, and has set the tone for a new security industry mindset.

Infosec Style

It’s no secret that the information security industry, part of and yet distinct from the larger technology industry, has an image problem — both in the experience of using the products it created, and in the marketing of those products and companies.

Duo endeavors to avoid the cliche and fear-inducing messaging common within the infosec industry.

As Hafsah Mijinyawa, visual designer at Duo put it in her blog post; Infosec Has an Image Problem:

"When most people think of “security,” the concepts of good security hygiene or zero trust are not likely to be the first things that come to mind. It’s more likely the average individual will cycle through a mind mapping session that starts at the door to a bank vault and might end up somewhere near an episode of Person of Interest. In large part due to mainstream media, the idea of security often becomes entangled with fictional concepts of who the people in the world of security are and what the data battlefield looks like.

Keeping in mind that film and narrative depictions of hacking, cryptography and the digital network overall were often grossly exaggerated by imaginative minds moved by the potential of “cyber” and the brave new technological world, it is interesting to note that a good chunk of aesthetic choices within the infosec industry appear to have drawn inspiration from those same glamorized concepts found within genre fiction." 

This dichotomy between the somewhat mundane “industry solutions” and the hacker mythos makes for an inauthentic industry —one that finds joy in complexity, and admires the attackers, while enormous amounts of money are made selling products that perhaps, maybe, hopefully do something to mitigate them. "Selling snake oil" is a common idiom used in infosec to describe disingenuous companies peddling less-than-effective solutions.

Some of those notions of a brave new cyber technological world are real and true — like the potential impacts of software vulnerabilities — but the people depicted as cyber warriors are often simply people whose curiosity and intuition provide them with the ability to figure out how things work.

I’ve often thought of the infosec researchers and practitioners I know (our industry’s “influencers”) as being as “close to the metal” as you can get in technology — sometimes literally etching off the top of a silicon chip in order to poke and prod at its innards. A unique blend of technologists, computer scientists, mad scientists, futurists and straight-up hackers, you’ll find these great minds working for every style of employer you can picture; from military and clandestine forces, to consumer tech companies like Etsy and Facebook.

See the video at the blog post.

These makers, thinkers and doers are the first line of assessment when vetting a new security project, but are notoriously put off by the typical heavy-handed marketing techniques of many companies. Too often there is a tendency by security companies to oversell and underdeliver, and to demonstrate a lack of understanding and reverence for the very real subculture that we work in. That fundamental disconnect often led to brands and tactics built on fear, uncertainty, and doubt. And while fear certainly sells, it rarely inspires.

We knew we had to take a different approach.

Disrupting Complexity With Radical Simplicity

In some of the very first conversations about the company that would become Duo, two notions kept coming up:

1. The security industry was creating unnecessarily complex products. 
2. The industry itself had an image problem.

Duo’s brand - its very philosophy - aims to dispel and disrupt those notions.

At the core of both of these issues was complexity. The security industry and its products didn't put users' needs first, and put threats and fear at the center of its messaging. Doing things differently meant getting back to our core principles; solving true security issues without flashiness or over-promising. Our Midwestern roots have influenced our work ethic and principles; the sense of just getting the job done and being upfront and honest about what job we were trying to do.

We didn't need another superhero to take on hackers with more brute strength. What the infosec industry really needed was an antihero who could change how security products were designed and sold, while redefining the relationship between a company, its employees and its customers.

Duo was formed with a distinct vision of radical simplicity and transparency. We wanted to redefine how we communicate across every interaction — not just in the experience of using our product, but in the experience of interacting with our company. All of this combined into a single mission: to democratize security and make it accessible and simple for everyone, not just those with unlimited resources.

See the video at the blog post.

Communicating that vision was crucial for us to distinguish ourselves from our competitors and to create an endearing connection with our customers. That gut reaction and connection to the soul of the company is what makes a brand relevant and resonant, and it’s been something we’ve made a point of cultivating from the very beginning at Duo. I’ve been lucky enough to be able to build and lead an amazing team to do just that.

Bringing It All In-House

As a consultant and advisor to the business early on, I was happily parachuting in to other companies like Tesla, Clif Bar and Miramax, doing the mercenary design/branding stint, and parachuting back out. I began the same process with Duo to get the company off of the ground by developing early product designs, crafting messaging and building pitches and websites as needed, even renaming the company.

What was different about Duo (and what led me to curtail a 15-year freelance career to join Duo full-time) was the desire to treat every aspect of the company — including the visual brand, communications, interactions and product experience — as equally important.

Outsiders simply couldn’t cultivate that kind of vision. Duo needed a dedicated in-house team, fully equipped to craft the unique stories of our diverse customers, to build the authenticity of our voice, and to make the empathetic connections that were so desired (and lacking) in the industry.

Our in-house team enables conscientious design and creativity to be championed throughout the business.

Reinventing decades of assumptive imagery and communication could not happen through a couple of agency-led one-off campaigns and sporadic updates to the brand. Compelling storytelling through messaging, visual design and high production value had to be a core capability of Duo that was treated with the same iterative and ongoing process that we would use for our product development.

As one of our board members and investors, Matt Cohler (of LinkedIn, Facebook and Benchmark) often stressed, Duo’s message needed to be relevant, inevitable, believable and simple. Our ability to communicate authentically was crucial to our success. An in-house team that lived and breathed the industry, the product and the culture was the only way to instill that authenticity during the hyper-growth stages of a wildly successful startup.

Telling the Story

With the drive to both change the existing infosec narrative and to invest early in design and storytelling, two of my first hires at Duo were a journalist and a filmmaker. This wasn’t exactly a normal hiring round for a software as a service (SaaS) company of only a few dozen people, especially not for what was then a two-person a design team.

The rationale for in-house teams is often based on cost and speed, which are certainly important considerations for an early-stage startup. Being quick and lean can mean the difference between success and failure. But more importantly, it’s about the capability to treat the message of the company the same way we build the product — building upon successes, learning from failures, and looking for innovative ways to instill our vision wherever possible.

We do this with four core components:

A content team that leads with strategic storytelling to impart relevant, useful, educational articles, ebooks, scripts, product copy and more that makes security approachable and interesting to both insiders and outsiders — all while intentionally shaping and keeping consistent the overall tone of Duo’s friendly, casual and authentic voice.

A visual design team that crafts our visual presentation — from trade show booths to ebooks to diagrams and t-shirts — with the same simplicity, straightforward aesthetic and clear communication that we bring to our product.

A video and multimedia production team that brings a range of talents across motion, video, animation, acting, script writing, editing and major production capacity, all in service of telling our story.

And naturally, a web design and development team responsible for the lynchpin of our demand, lead generation and marketing efforts — and therefore the revenue of the company — duo.com.

As we've evolved past those early days, Duo has built much more than just an in-house agency. We've built an essential component of the business that is integral to teaching the rest of the company, industry and beyond our unique brand and vision.

Over the years, we've also created and maintained authentic connections within the industry by bringing our very real personality and opinions to the broader market. We're leaving a lasting mark with our brand, and doing it with style.

This year some of our best and brightest teammates were recognized by their security peers for their contributions and achievements to the security industry and we could not be more proud.

From humble beginnings at Duo’s first RSA Conference in 2013 to this year’s expansive multi-booth presence sharing space with Cisco, Duo Security has grown. Blink and you can see how far we have come - just look at our first year booth photo versus this year’s booth photo in a side by side comparison! Duo’s ‘‘security without fear’ approach to infosec was recognized by the security community at the pre-conference awards handed out by SC Magazine, Security Boulevard and The Cybersecurity Go To Market Dojo.

We thought it would be great to hear more from our winners on their accomplishments.

The Winners

• Duo’s Blog won “Best Corporate Blog” by Security Boulevard
• Decipher won “Best New Security Blog and Podcast” by Security Boulevard
• Meredith Corley, Head of Corporate Communications, was named “Cybersecurity Marketer of the Year, Private Company” by The Cybersecurity Go To Market Dojo
• Dug Song, Founder of Duo and General Manager of Cisco, was named by SC Awards one of the top “Cybersecurity Visionaries of the Last 30 Years” by SC Magazine

Duo Blog - “Best Corporate Blog”

If there is one thing Thu Pham is passionate about, it is security. That passion is the secret sauce behind the Duo Blog. From the very early days of the company, Thu developed the voice of Duo by delivering complex and compelling stories in easy to understand language. She built the Duo blog from scratch and turned it into the winning blog it is today by recruiting top security leaders to regularly contribute to content, research and share opinions. Pham credits Duo’s high-quality team of passionate human beings to the blog’s success.

“It takes an entire network of people behind the scenes to create successful, timely, updated and relevant content. I've worked with teams of web developers and web designers to continuously evolve the user interface, design and backend to keep innovating with industry standards to ensure our content and brand are always at the forefront,” said Pham.

The entire Creative team at Duo also creates videos, animations, graphics and great content to populate the blog. You can read more about Thu’s winning approach to the blog redesign and content strategy in the blog post "New Duo Blog Who Dis."

Decipher - “Best New Security Blog and Podcast”

With vibrant graphics and a fresh new perspective on security, Dennis Fisher and Fahmida Y. Rashid set out to democratize security news with the launch of Decipher. They felt there was more to security news than fire drills of impending doom and breaches. They set out to demystify the security space with practical advice, lessons learned, cool tools and stories of successful security.

“Our editorial goals were clear from the start: Security without fear means being straightforward and taking the time to explain the difficult concepts so that we don’t throw up even more obstacles for people trying to be more involved in security,” they said.

“The award tells us that what we are doing is resonates with the industry, and that we are meeting a need. We appreciate the vote of confidence, and will keep on plugging away because there is still so much left to do,” they added.

Meredith Corley, Head of Corporate Communications, was named “Cybersecurity Marketer of the Year, Private Company”

Meredith has been busy. Her corporate communications team has overseen the external public relations efforts as well as internal employee engagement communications during Duo’s most rapid period of growth. This includes the full communications lifecycle for the $2.35 billion acquisition by Cisco in October 2018. She is one of those people who loves her job. She smiles with her eyes and loves to talk about Duo and her amazing team.

“I think what is so special about working at Duo is that doing things differently is encouraged,” said Corley.

It’s a pay-it-forward cycle of helpfulness to customers, team members and partners that helps Duo stand out. That and a culture of empathy.

“One area we do things differently is working from a place of empathy. This is a core value for how we conduct ourselves across Duo. This means that our corporate communications and marketing teams do not use fear, uncertainty and doubt (FUD) to sell stories and products. We will never comment on a company’s breach on day one for quick clicks, or place stories focused on berating or scaring the user. Being anti-FUD sells just as well...while offering a better nights sleep,” said Corley.

Dug Song was named one of the top “Cybersecurity Visionaries of the Last 30 Years” by SC Magazine

Dug Song cut his teeth in the business working as a system administrator at the University of Michigan. He worked in a variety of roles in security from consultant to security architect before he pinpointed the gap in security that soon became two-factor authentication known as Duo Security.

“All of the attacks were going after people, not systems. The rise of targeted malware was the primary route successful hackers had into organizations," Song told CRN UK.

Song believes excellent cybersecurity should be accessible to all people and Duo aims to “democratize security” so that every device is protected on every platform. Song dismisses the notion that cybersecurity should be intimidating, complicated or difficult and he designed Duo Security to be powerful, simple and easy to use for everyone.

For decades the security industry has relied on fear to sell security horror stories. Duo’s approach of “security without fear” is not only a better approach to solving security problems, it is also officially award-winning. Congratulations to our winners!

In the world of web security, it’s easy to drown in a sea of acronyms. Every time a new approach or protocol is introduced, it includes a whole host of abbreviations to remember. Believe it or not, there’s one security acronym that’s designed to make everything a lot simpler: SSO.

Single sign-on, most commonly referred to as SSO, allows users to access multiple systems using one login and password, with the credentials managed by an independent system. With SSO in place, your network can short-circuit some of the most common security threats, and users won’t have to deal with the headache or risk that comes with managing multiple logins.

Let’s dive in to the basics of SSO: how it works, the benefits of using it, and how you can begin the process of deploying SSO.

Single Sign On: Overview

There are several different ways to approach SSO — you may have heard of OpenID Connect, SAML, or even Facebook Connect. Fundamentally, they’re each variations on the same basic concepts. Here’s how they work:

When a user needs to access a system in an SSO environment — for example, if they want to log in to their corporate VPN — they’re redirected to log in to their authentication server. The authentication server is in charge of validating the user’s credentials and providing access to all of the systems the user has access to. This means once a user has logged in to the authentication server, they don’t need to do anything extra if they want to access another system in the same domain (for example, their Salesforce account), — they’re already logged in by virtue of SSO.

A strong SSO implementation will save users some frustration but the benefits go well beyond that. Let’s look at why single sign-on is good for your users, and even better for the admins in charge of your network infrastructure.

User Benefits of SSO

Although it can be difficult to get users excited about security updates, there’s a lot for them to love about single sign-on. If you’re planning on rolling out SSO, start by talking to users about how much easier it will make their lives. Highlight benefits like:

• Users are only required to remember one password. This is a big win for a lot of users. In an SSO environment, the user is only responsible for one set of credentials. They don’t have to manage a ton of different usernames and passwords. In addition to the convenience, SSO also saves a lot of time. If you’ve ever had to rack your brain for a password you only use once a year, you know the struggle of losing hours to password management is real.
  
  
• Password updates become standard, centralized procedures. In an environment without SSO, users aren’t just required to remember multiple passwords — they’re also typically responsible for periodically updating each one. Using this model for passwords just isn’t scalable. It causes tremendous amounts of wasted time as admins try to ensure that every user has updated their passwords to every relevant system. With SSO, administrators can set password expiration dates that help users maintain good password hygiene, and keeping passwords fresh is a lot simpler for them when there’s only one password to manage.
  
  
• Getting access to new internal applications and resources is easy. As new applications and systems get added to a network environment, in most cases it’s fairly simple to integrate them with an SSO system — so users can gain access by virtue of their SSO login. The next time you’re rolling out an application or service to your users, consider how much time you spend managing access, and how much time you could save by implementing SSO.

Collectively, the user benefits of SSO drive buy-in, and eventually change the relationship between administrators and users. The service-oriented relationships of the past evolve into partnerships, where it’s easy for users to be active participants in keeping your network secure.

System Administrator Benefits of SSO

In addition to front-end benefits for users, implementing SSO also resolves long-standing system administration issues and makes day-to-day management simpler. Consider that with an SSO:

• Phishing (and similar scams or attacks) are less effective. With SSO, all of the credential interactions are with an authentication server, and passwords aren’t cached by any of your applications. That makes phishing attacks — which typically try to fool a user into divulging a password from a specific service — nearly irrelevant. Similarly, if an application or service is compromised, access data for that application or service is still safely maintained by the authentication server.
  
  
• Help desk costs for user administration evaporate, and management of user logins requires only one system. With SSO, the authentication server is more than “just” a gatekeeper. It also is a one-stop shop for user management. In traditional environments, administrators are forced to deal with user changes one at a time — whether that’s a “reset my password” request or terminating access after an employee has moved on from the business. With SSO, administrators don’t have to waste time wading through esoteric systems and processes. Instead, they can make changes that impact the necessary systems from a single, unified interface.
  
  
• SSO can be used for both cloud and on-premises apps. It doesn’t matter if you’re a business that maintains its own data or a service that runs in the cloud: SSO works for both. This is particularly important when it comes to evolving and moving your apps and services to the cloud. SSO can continue to work for users before and after the transition, so that the changes are practically invisible on the front-end.
  
  
• SSO can help define user access. You can set up SSO so each user’s unique login will work across apps and services — but only on the apps and services they have access to. In other words, when you establish SSO, your users only see what they are supposed to see. This eliminates any confusion or issues that might arise from a user seeing content that wasn’t intended for them.
  
  
• SSO can be used in parallel with other web security protocols. SSO solves many key problems — but not all of them. A strong security posture typically includes multiple approaches. As such, SSO is an essential web security tool — one that becomes even more secure when used in combination with other tools. For example, if you’re migrating toward a zero-trust security model, you can use SSO in concert with things like multi-factor authentication (MFA), continuous authentication, and even local access policies. Best of all, that means that users won’t have to give up the convenience of SSO when it comes time for implementing additional protocols to keep the network secure.

Getting Started with SSO

There are multiple approaches to single sign-on. The method you choose will depend on your unique network environment and application requirements. For Duo customers, SSO is built into the Duo Admin Panel, so it’s easy to implement with specific applications while still coordinating with your existing security policies and multi-factor authentication requirements.

When you’re ready to roll it out, consider these best practices:

• Establish a test group of typical users. A test group will let you assess how your SSO implementation might work under real conditions, and make adjustments before rolling out system-wide changes. Your test users can give you crucial feedback — and, if you choose influential testers, their buy-in can go a long way toward building trust with other users.
  
  
• Enable SSO to one application at a time. There’s no need to set up SSO for everything, all at once. Start with your least mission-critical system or application and gradually expand your deployment as you get successful results. If you do run into any technical issues, they’ll be easier to fix in a single instance (and not system-wide).
  
  
• Communicate frequently with users ahead of time. Rolling out SSO to your network is likely to be a home run with your users — you’re solving a lot of problems for them and simplifying their lives! Even so, change management can be challenging. It’s important to talk to your users, in plain terms, about why you’re moving to an SSO framework and how it will benefit them. The more you get in front of the change, the more likely you are to recruit allies who can help manage any concerns.

Conclusion

Single sign-on hits the sweet spot of web security — system administrators love that it’s a robust tool that’s easy to implement, and users love that it reduces their security burden. If you’re ready to dig deeper, or you’re just ready to get rid of a few security acronyms, you can learn more here.

Federal agencies and systems integrators are under immense pressure to comply with a host of various laws, policies and standards. Those regulations shift and evolve to accommodate the emergence of new security threats and technologies, such as cloud and mobility.

Compliance regulations take two key forms: there are regulations agencies must ensure their vendors and solutions adhere to, and regulations they themselves must comply with.

It is often so confusing that agencies use specialized consultants to determine whether a desired IT initiative will result in compliance issues. The Government Accountability Office (GAO) is specifically tasked with regularly auditing public sector organizations for compliance.

Simply put: it’s challenging to navigate – all the letters and numbers create a sort of alphabet soup. Here, we’ll help you cut through the confusion and outline some of the key compliance regulations federal agencies must follow.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government standard that applies to cloud and SaaS IT solutions, like Duo, which must be FedRAMP authorized to be used by federal agencies. FedRAMP is important as it mitigates risk associated with cloud-based solutions.

Duo is currently FedRAMP “In Process” on the FedRAMP Marketplace.

NIST 800-63-3

NIST 800-63-3 is billed as a set of Digital Identity Guidelines authored by the National Institute of Standards and Technology, which is part of the U.S. Department of Commerce. The guidelines provide technical requirements for federal agencies implementing digital identity services and cover identity proofing and authentication of users, including employees, contractors and private individuals. They define the technical requirements of identity proofing, registration, authenticators, management processes, authentication protocols, federation and related assertions. NIST 800-63-3 allows for commercial, off-the-shelf (COTS) IT solutions to stand in place of personal identity verification (PIV) cards and common access cards (CAC) for logical authentication.

FIPS

Federal Information Processing Standards (FIPS) are a set of standards developed by the federal government for use in computer systems by non-military government agencies and by government contractors and vendors who work with the agencies. FIPS standards describe document processing, encryption algorithms, cryptography and other IT standards.

FARS-CUI, DFARS-CUI and NIST SP 800-171

The [Defense] Federal Acquisition Regulation Supplement (FARS/DFARS) - Controlled Unclassified Information (CUI) regulation and NIST SP 800-171 apply to all non-government organizations (such as federal contractors) that process, store or transmit controlled unclassified information. It mandates “multi-factor authentication for local and network access to privileged accounts.”

CJIS

The Criminal Justice Information Services (CJIS) Security Policy was designed to provide controls to protect the full lifecycle of criminal justice information in transit and at rest. It covers the hardware, software and infrastructure used by the criminal justice community and provides guidance for the creation, viewing, modification, transmission, dissemination, storage and destruction of criminal justice information. Duo helps with CJIS by protecting data at rest and in motion, providing strong two-factor authentication and through integrations with partners such as NetMotion, which helps protect data.

HSPD-12

Homeland Security Presidential Directive 12 (HSPD-12) requires a common identification standard for all federal employees (and most contractors), to be used for physical and logical access to federal facilities and resources.This requirement has primarily been met via PIV/CAC cards.

How Duo Helps

That’s just a small sampling of the myriad compliance regulations federal agencies and systems integrators must consider. It’s a lot for a small team, or an individual, to contend with, but all are necessary protections to ensure data privacy and security.

Duo can help you overcome the compliance confusion by providing a strong authentication solution and the ability to set access policies to ensure compliance is maintained.

For example, Duo is FedRAMP In Process, offers offline MFA functionality to help comply with DFARS-CUI and delivers two-factor authentication to comply with NIST guidelines.

Duo’s trusted access solution is wired for zero-trust security. We work with a broad ecosystem of partners, such as Yubico and its YubiKey hardware for strong two-factor authentication (2FA), and integrate with applications and systems to help agencies along their zero-trust journeys.

With Duo, you get a trusted advisor to ensure your security infrastructure is up to snuff to achieve regulatory compliance and stay that way. We can be your guide through the compliance confusion.

There’s no getting around it: the password as we know it is dead. The information we keep online is too important to only safeguard with a single string of characters. Our security methods must evolve.

We’ve seen that evolution begin over the last decade or so. Users and system administrators have gradually moved beyond passwords to implement complex, dynamic approaches to security like zero-trust architectures. In the past, one only needed a password to gain access. Now, administrators and users can use a combination of tools and policies that allow seamless authentication while still safeguarding against the most common types of attacks.

Essentially, web security has moved from the Captain America approach — using one shield for self-defense: a password — to the Batman approach, where a utility belt of tools contains options for a variety of situations.

One of the most important resources in that utility belt is two-factor authentication (2FA). It’s a cost-effective measure that protects against key threat vectors (and it’s fairly simple to roll out). Let’s dig in to 2FA: why it’s important, how it works, and how you can get started.

Why 2FA is an Essential Part of Web Security

Two-factor authentication means that whatever application or service you’re logging in to is double-checking that the request is really coming from you by confirming the login with you through a separate venue.

You’ve probably used 2FA before, even if you weren’t aware of it. If a website has ever sent a numeric code to your phone for you to enter to gain access, for instance, you’ve completed a multi-factor transaction.

2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that’s no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

2FA also does something that’s key to maintaining a strong security posture: it actively involves users in the process of remaining secure, and creates an environment where users are knowledgeable participants in their own digital safety. When a 2FA notification comes to a user, they have to answer the question, “Did I initiate that, or is someone attempting to access my account?” This underlines the importance of security with each transaction. While most other web security methods are passive, and don’t involve end users as collaborators, 2FA creates a partnership between users and administrators.

How Does 2FA Work

Different 2FA methods use varying processes, but they all rely on the same underlying workflow.

Typically, a 2FA transaction happens like this:

1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server, and if correct, the user becomes eligible for the second factor.
3. The authentication server sends a unique code to the user’s second-factor device.
4. The user confirms their identity by approving the additional authentication from their second-factor device. 

While the basic processes behind multi-factor authentication are generally the same across providers, there are many different ways to implement it, and not all methods are created equal. Let’s dive into the various types of 2FA.

Types of 2FA

Generally, multi-factor authentication systems rely on at least one of the following approaches.

• Authenticator Apps. Authenticator apps are exactly what they sound like: smartphone apps that handle the second-factor approval process as standard notifications. Authenticator apps such as Duo Mobile use internet connectivity to deliver login approval requests, which is more secure than using phone lines.

• U2F devices. Universal Second-Factor (U2F) devices are similar to tokens: they’re small physical devices used exclusively to verify logins. Instead of attaching to a keychain like a token, however, U2F devices are designed to fit in an open USB slot. (Older models use USB-A ports, newer versions fit in USB-C slots.) When a user enters their password on a computer with a U2F device plugged in, they’re prompted to tap the physical U2F device to gain access. U2F devices are popular because they’re so easy to use — a simple tap and you’re done — but using one means giving up an available USB port, which isn’t always an option for all users.

• Passcodes. Passcodes are the most common form of 2FA, and usually consist of a short string of numbers sent to a smartphone. Passcodes definitely count as 2FA. Since they rely on phone lines, however — which can be compromised — they represent the least secure method. Passcodes aren’t a real hit with users, either: each code must be manually entered, which can be a nuisance. 

• Tokens. Many web security teams opt to arm their users with tokens. These typically are small keychain fobs that generate codes for users to enter as their second factor. Tokens are more secure than cellular-delivered passcodes, as they don’t rely on phone lines, but they don’t address the annoyance of entering codes. (In fact, they may make that worse, as you can’t copy and paste a code from a token.) Tokens are attractive because they are affordable and don’t require system administrators to collect phone numbers — but they’re battery-operated, and batteries die. Using tokens will mean dealing with the headache of timing replacements to avoid users losing access to crucial systems.

• Phone callbacks. Phone callbacks are one of the less popular versions of 2FA, but they’re an effective — if time-consuming — way to implement a second factor. In a phone callback setup, once a user logs in, they receive an automated phone call that prompts them to approve or deny the access request.

• TOTP. Time-based One-Time Passcodes, better known as TOTP, are similar to passcodes. Instead of a service sending the user a series of numbers, however, an app generates a one-time-use passcode that will quickly expire. Doing it this way means users can still use their authenticator app (which will generate TOTPs on demand), and no insecure phone lines get involved.

Keep in mind that in most cases, system administrators opt for a variety of approaches and typically give users a few options to best fit the given need. So, for example, if your work laptop has a U2F device attached, you could use that as your second factor throughout the day. Logging in to an application off-hours from your smartphone, however, might require that you use an authentication app. And while this kind of flexibility may not seem like a big deal, your users will definitely appreciate it, making them stronger allies of your security efforts.

Getting Started with 2FA

Because 2FA is a cloud-based service, it’s relatively easy to implement and can be rolled out gradually to your organization. The basic process for getting started goes like this:

1. Determine which 2FA service you’ll be using. Take advantage of our Two-Factor Evaluation Guide to get a handle on all of the things you can (and should) get from a web security product that includes 2FA. Remember: 2FA shouldn’t be your only security approach. A strong security platform will both make it easy to set-up multi-factor access with your most important apps and provide other avenues of defense, like customizable access policies. If you have ambitions of someday moving to a zero-trust model, a coordinated approach that includes, but isn’t limited to, 2FA is essential. We’ve designed Duo Beyond to meet these needs, and you can learn more about that here.
   
   
2. Establish a proof of concept with a small group of users in a low-stakes environment. Before you roll out 2FA to your entire organization, test it out first and address any issues you identify. Get a small group of users who will be communicative about the process and work with them ahead of time to understand how it will work for them.
   
   
3. Enable 2FA using integrations for each service or application you’re protecting. To set up a specific application or service to work with 2FA, you’ll need an integration — a means of getting the application or service to work with 2FA. For example, Duo Beyond includes integrations for everything from larger systems like Salesforce CRM to smaller applications like Slack. (We also have a web-based integration that can be customized to work with any application for which there isn’t a specific integration.) However you choose to move forward, make sure you’ve got a plan for integrating each of your critical systems with your 2FA service.

Conclusion

In the post-password world, strong web security relies on a dynamic approach built from a variety of tools and policies. It’s important to never rely on any single method for comprehensive protection. That means two things: (1) if you’re currently relying on passwords alone, it’s time to evolve, and using 2FA is a solid first step; and (2) 2FA is an essential security tool, but it becomes even more effective when it’s used as part of a coordinated strategy of security applications and policies.

One of the briefings during my onboarding at Duo was from our Corporate Security team. At the beginning of the brief, a question was asked: “Who here is from security?” We all kind of looked around waiting for someone to raise their hand. I was thinking “ awesome! I need to figure out who the security gurus are so I can make sure to engage them during future sales cycles.” I tightened the grip on my pen, got my notebook in position, and put a big star on the line just waiting to record who these super important people were. Well, nobody raised their hand. This is where our Corporate Security presenter curled a smile and she stated emphatically that every one of us is part of security. At the time, I was like “hmm, ok, noted – makes sense. I can sort of see that.”

But this has kind of exploded my brain for the past year.

I’ve spent the better part of a 25-plus-year career helping to build the moat around the castle. Firewalls, VPNs, Intrusion Detection, Intrusion Prevention, Intrusion Deception, SIEM, Next Generation Firewalls, Threat Intelligence, Network Access Control, Web Application Proxies, WPA2, Wireless Intrusion Detection, Mobile Device Management, Mobile Threat Detection, etc...The list is a mile long. There is no shortage of super sophisticated security tools available. As an example, see the following chart.

The vast assortment of security tools.

I’m not discounting any of the tools in this chart one bit, but I do feel like we are continuously chasing the “shiny object” – hopeful that we can push a button to be magically “secure.” However, I do feel like the chase is making us miss some of the basics, and the framework. According to the Verizon 2018 Data Breach Investigations Report,  the biggest security vulnerabilities are users’ compromised credentials (yes, phishing is still a thing) and vulnerable devices (yes, we’re still running old beat up and busted vulnerable versions of software). The zero-day vulnerabilities Google just announced is just the latest example.

I wish we had some framework available to us that validated a user’s identity, validated the machine they were using, and applied some policy and context for everything they tried to access. That would be pretty cool! Such a model would move the moat (or perimeter) to anywhere an access decision is made. Right, Wendy Nather? There would be no inherited trust just because you were already connected to a particular network, etc... Whether you were at work, at home, or at Starbucks; we could treat every access attempt as equally suspicious and validate user + device + context for every access attempt. To everything!

Such a framework does exist. It’s often referred to as zero trust. Yep, the latest buzzword that makes people’s eyes glaze, and seek extraction. I completely understand. I think a fair comment and question for those trying to sell you zero trust is “Cool, can you show me how your company is using zero trust?” That should help cut down on the noise...

Anyway, back to the topic...

Federal agencies, including the DoD, are working to deliver a really useful, useable, capable, and secure bring you own device (BYOD) program beyond basic OWA, etc... We know that users are using personal accounts and devices to get their jobs done. Sending emails with sensitive attachments from their .gov or .mil accounts. The challenge so far has been more of a policy challenge vs. a technology challenge. It’s a balancing act between protecting the data and addressing user privacy concerns. It’s impractical to deliver GFE or Virtual Desktop across the entire population. It’s impractical for the government to manage personal devices even if users would allow it, which they won’t. Users don’t want a “spy” agent on their personal devices. I do think there is some middle ground. Would it be comforting for the government to know their community of users kept their software up to date on their personal devices? And that users weren’t running vulnerable versions of software? I think so. I would argue that could be the most impactful security tool the government has.

So how could the government do it? I see two base paths:

Develop a user security manual that explains why keeping software up to date is important, do periodic user training, ask them to keep their software up to date, and hope that they do.

Or…

Deliver some capability for users to access an application or data from personal devices, and enforce that they can only access it from a machine that has up to date software. Do basic health checks like OS versions, browser types and versions, java and flash versions, screen lock enabled, not rooted or jailbroken, disk encryption enabled, etc...as part of the authentication workflow to the application. Without an agent! And for critical agency applications, require that the device is part of the GFE fleet of equipment.

Duo’s trusted access platform can enforce such a policy and can be used to gently nudge users to keep their software up to date.

If you think really big about it – increasing lethality of the of the force big – it’s a way to up-level OPSEC and PERSEC across the entire federal government by making sure that everyone is part of security.

As cloud and mobile technologies fuel IT modernization efforts in federal agencies, IT and security pros face a dilemma: they need to update and secure aging systems, but must do so with tight budgets, arduous buying cycles and massive existing investments in legacy gear.

IT modernization can’t happen at the flip of a switch. Yet the need to secure government systems continues to grow. According to The Washington Business Journal, federal agencies reported 35,277 information security incidents to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team in fiscal 2017, which is is up 14 percent from 30,899 reported the prior fiscal year. That breaks down to about 96.6 attacks per day.

The DHS sums it up this way:

“Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes are now being perpetrated through cyberspace.”

Agencies must overcome a host of new pain points IT modernization initiatives introduce to ensure smooth and secure operation.

In our new ebook, Relieving the Pain Points of Federal IT Modernization, you’ll learn:

• How to navigate and clear the compliance confusion to ensure you’re adhering to federal compliance regulations
• How to overcome the challenges of poor device visibility and start to embrace BYOD
• How to augment clunky PIV/CAC deployments with modern authentication methods
• How to integrate security into your legacy systems to avoid having to rip and replace

IT modernization is a must, but it’s not without its challenges. Download the ebook now and read about the pain points and how best to find relief to ensure federal systems are both modern and secure.

The cloud and mobility are pushing federal agencies to upgrade outdated systems in favor of more modern approaches. Hence the origin of the term “IT modernization.”

See the video at the blog post.

But embracing modern approaches is sort of an about-face for the federal government, which has long been saddled with tight budgets, long buying cycles and long-term investments in legacy gear they can’t shake. Still, widespread adoption of the cloud and mobile technologies, both in the private sector and among some federal workforces, is tipping their hand, acting as a forcing function for change.

With the addition of cloud and mobility comes the question of access, and more importantly, the question of how to secure access. For decades, the solution has been Common Access Card (CAC) and Personal Identity Verification (PIV) – access cards used for everything from physical access to buildings to authenticating into applications.

Again, mobility and cloud have plunged this old method into a sort of obsolescence, where trusted access can happen anywhere, at any time, from any device. It’s a marked improvement on the old way, but not without its challenges.

Why Modernize?

There are a host of reasons federal agencies should modernize:

Achieve Compliance: From NIST guidelines to DFARS and beyond, there are a host of stringent compliance regulations to which agencies must adhere to ensure only trusted users and trusted devices are accessing their systems. And failure to comply could result in a breach or fines –  two things no agency wants nor can afford.

Embrace BYOD: Federal agencies struggle with the concept of bring your own device (BYOD). Why? Because they lack visibility into devices that are not government issued. Modern IT solutions can give agencies insight into the security posture of devices and empower admins to enforce strict policies governing how and when devices can access applications.

Augment PIV/CAC: Supporting PIV/CAC requires a heavy lift in supporting a full-blown PKI (public key infrastructure), a FIPS-compliant cryptographic infrastructure, which can be incredibly difficult to set up and maintain. Not to mention, each workstation requires a card reader, which pushes the cost and maintenance headaches even higher. Most government agencies would consider an additional technology to complement card deployments as an alternative for logical access and authentication. Replacing PIV/CAC altogether would be too complex, too costly and wasteful of previous investments, but replacing the authentication and application access function of PIV/CAC cards is an attractive compromise for agencies and a step toward IT modernization.

Reduce TCO: Running and maintaining legacy systems is expensive, but so is replacing all of that gear. It’s a costly catch 22. But embracing cloud and mobility and starting down the path to IT modernization through strategic integrations and upgrades helps reduce the total cost of ownership of IT and security infrastructure while also satisfying IT modernization efforts. Leveraging modern authentication methods specifically can also dramatically reduce TCO (some Duo customers report a 10x reduction in TCO) by streamlining various workflows with different authentication processes into a single process for cloud and on-premises applications.

Adopt Zero Trust: While it may seem like a buzzword, zero-trust security is the real deal, and it’s changing the way access is granted. Zero trust is a model in which application access is granted based on trust in the identity and the device. It verifies trust at the time of access and assumes no one person or device is inherently more trustworthy than another, as opposed to the old perimeter-based mantra of trust anything that’s inside the corporate walls. Zero-trust security is the result of effective IT modernization.

Improve Security: Overall, IT modernization is about improving security. Modernization initiatives help agencies adopt and deploy new security technologies and integrate them into existing systems. Strong, modern authentication methods set the foundation for zero-trust security, so that’s a great starting point. From there, fortifying security further with device insight and strong access policies gives federal IT admins tighter control and helps ensure only trusted users and devices are accessing applications and data.

IT modernization is a marathon, not a sprint, so it’s important to understand that these changes won’t happen with a flip of a switch. But enacting an IT modernization plan can lay the foundation to embrace cloud, mobility and new security models and will ultimately result in reduced costs, flexibility and fewer management hassles. It will also future-proof federal IT infrastructures so when the next tectonic technology shift occurs, you’ll be ready.

Last week Google discovered a zero-day vulnerability in Chrome that the Google Threat Analysis Group determined was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-5786, resides in the web browsing software and impacts all major operating systems, including Windows, Apple macOS and Linux.

If you are unfamiliar with the term, a zero-day vulnerability results in attack attempts to exploit a vulnerability on the day it is discovered, before the software developer is able to provide a patch.

To mitigate the potential for exploitation, Google experts revealed that the CVE-2019-5786 flaw is a use-after-free vulnerability in the FileReader component of the Chrome browser. A 'use-after-free’ vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. Simply put, if a user opens a PDF in a compromised browser, an attacker can hijack the browser and use it to get into the system and wreak havoc.

Google quickly released a patch for Chrome browsers to address this, so the fix is relatively simple: update Google Chrome immediately to the latest version (72.0.3626.121 (Official Build)) of the web browsing application.

How Duo Helps

When faced with this type of exploit, security teams in organizations must address it quickly and efficiently.

So, how can Duo help?

1. Gain visibility into your exposure with Duo’s Device Insight, which lets you see which users’ devices are out-of-date and at risk. In this instance, Device Insight can show you which devices are running an out-of-date version of the Chrome browser.

2. Then you can enable Duo’s browser policy to warn users if their browser is out-of-date.

3. Duo’s browser policy also allows you to  block out-of-date browsers and show users which browsers and versions are allowed. Duo’s policies can be applied at various levels, including globally, group specific and application specific, allowing you to choose where best to apply the appropriate controls.

Introduction

If there’s one thing I’ve noticed in my time working in the world of application security, it’s that each company has their own process and what they think is the “right” way to do things. Bringing security to your applications and hardening them against attacks can definitely be difficult to accomplish. Some companies have one or two people on the general security team that are part-time AppSec, others have full teams dedicated to the effort. There’s also some companies, usually smaller in size, that operate without any kind of Application Security team at all.

Here at Duo, we’re fortunate enough to have a team focused on the security of our wide range of applications (the web-based administration interface, mobile applications and SSO proxies – just to name a few). Our team spends our time working to improve the code, communication and processes around securing our offerings. One of our main goals is to provide this not as an independent operation, but as part of the development process. We spend time encouraging development teams to build security in and teaching them about writing secure code rather than just tossing issues back over the wall.

I’m getting ahead of myself, though. I wanted to shed some light on how our Application Security team works and some of the lessons we’ve learned along the way towards creating a more mature Application Security team.

Security Activities

One of the tasks that we, as the Application Security team, work on during any given day is what we call a “security activity.” Basically, this refers to us taking time to review a question or need from the development groups related to the security of our various applications.

Intake

These requests come in from several different channels and can vary widely in scope – all the way from a simple question in our public Application Security Slack channel to a more thorough review of a new feature or a major change in functionality for the application. This includes the reviews of code changes, evaluation of third-party tools, and ensuring the quality and safety of new packages the teams might want to add to our codebase.

These requests might also include general advice on how to proceed with a feature with the development team providing us with a plan of action before any development has been done. Having this push for application security up front is one thing that many application security and development teams struggle with, but it pays off huge rewards in the end.

Developer Coordination

Another key part of any activity is the coordination with the developers involved in the change or the request. Our Application Security program has a well-defined goal that we shouldn’t consider ourselves a separate organization from the development groups, but as a collaborator in their efforts. In fact, we’re even in the process of renaming our team from “Application Security” to “Security Engineering” to reinforce this.

We believe that a key factor in the success of an Application Security program is working collaboratively with the developers. We try to be consistently available to answer their questions and provide them timely feedback on their review requests. The size of our team helps make this possible, too. While we’re currently a small team, our ratio of developers to security engineers is relatively high. This means we can respond quicker and help the development groups stay on schedule with their sprint-based workflow.

Reporting and Follow-Up

Once we’ve completed the assessment, we write up a report of our findings complete with references to actual tickets filed for any issues we might have found.

By filing these tickets, we work in the same context as the development groups and decrease that friction even more. These reports also sometimes, when relevant, include a summarized listing of the ASVS items that were checked for the reference of the development team.

Once we’ve completed this report, we send it back over to the development teams and, if needed, schedule a follow up meeting to discuss the findings. We find this follow-up meeting important as it allows us to directly provide context and suggestions to the developers about the issues and clarify any additional questions they might have.

These meetings aren’t the end of the process either. As we strive for that engineering integration, we continue to help shepherd them, answering other questions that might come up during the development process. Sure, we want the applications we build to be as secure as possible; but we also want to make sure the engineers understand the “why” of the issues and any changes requested.

Developer Training

We also believe that education is one of the key factors in creating a strong culture of security among the engineers and the company at large. To help with this, we provide several internal trainings offered multiple times each year to help teach those interested about the concepts of application security and to get some hands-on work finding and fixing issues.

Right now, we offer two courses to help get engineers up to speed on the basics: an “Introduction to Application Security” course and an “Introduction to Threat Modeling” course. Both courses provide more general content shared via slides or other media and a large amount of time spent working on what they’ve learned in hands-on labs. These interactive labs allow them to apply the knowledge they’ve just learned, finding issues in a vulnerable application or creating a threat model for a simple tool.

In order to take things even further, we’ve also started work on an “Advanced Application Security” training to take the attendees beyond the basics shared in the introductory course and let them dig deeper into more advanced topics via an online learning platform. This platform provides them with lesson information and a live version of the code, walking them through the issue and showing them how to correct it.

We’ve found that this hands-on learning approach works much better than just bringing them in to a room and using a presentation-only approach. There always seems to be demand for the trainings in several of the offices too. We switch locations to try and make them as easy to attend as possible and there are efforts underway to try to make them more friendly to remote workers, making it even easier to attend.

Continuous Security

Finally, I wanted to share some about how we handle continuous security in our group. It’s one thing to work with the engineers up front and while the development is happening, but we want to ensure that the security level of the application remains constant and things aren’t introduced to heighten our risk levels.

The Application Security team can’t be in all places at once so we’re working on a security assessment pipeline tool. The goal behind this tool is to provide a way for both security engineers and those on the development teams to perform security-specific testing on their changes in a more automatic and standardized way. The ultimate goal is to provide them with the interface (a web UI) to be able to make it fully self-service to provide them with on-demand testing and tools.

This helps ensure the overall security levels of the code in the applications and also provides us with details about third-party modules with vulnerabilities and issues that already exist in the code. We’re building in tests for a wide range of technologies too including:

• Python and Javascript syntax evaluation (static testing)
• Automated dynamic testing of different Duo products
• Static analysis issue de-duplication
• And many more

Like any security testing program, our hope is that, as time goes on, more and more “green” will show on our dashboards and the “red” will consistently drop.

Another positive side effect of this testing and the results it provides is that the engineer running the test can see the issues reported and apply that knowledge to their work to avoid repeating the same mistakes.

Wrap Up

We don’t claim to have any kind of “secret sauce” for a mature, cross-team collaborative Security Engineering team, but we feel like we’re on the road for success. Our Director of Security Engineering, Mark Stanislav, has put together an excellent presentation about the work we’re doing here at Duo in the Application Security program and where it’s headed in the future.

I highly suggest checking those out. Who knows, maybe some of the thoughts in there will spark ideas in your own mind about improving (or creating!) an Application Security program in your organization.

In just a short time, there have been a number of developments in WebAuthn. And Duo has been at the forefront of the WebAuthn revolution.

Now it’s time to talk about how you will be able to use WebAuthn with Duo in 2019. 

WebAuthn will enable the most convenient and secure authentication method for end users – the device that they are already using – to validate that the user is who they say they are via a biometric.

As a reminder, WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication. You can learn more at webauthn.guide and in the previous blog post in this What is WebAuthn? series.

In 2019, Duo is using WebAuthn to support new multi-factor authentication methods.

Biometrics with Touch ID

At RSA Conference, we’ll announce the general availability of Touch ID as an MFA method in Google Chrome. This allows you to provide your end users the most convenient authentication method built-in to the latest MacBooks. In addition, Touch ID leverages a tamper-proof security coprocessor that ensures that credentials cannot be removed from the endpoint, leading to high trust that the user is who they say they are at point of authentication. 

We truly believe that built-in biometrics is the most usable and the most trustworthy authentication method. It also allows customers to work around barriers associated with asking users to enroll their personal mobile devices for authentication.

As we’ve been developing this feature, we’ve been going through extensive user testing, and one of the concerns we’ve heard from users is “does Duo see my biometric information?” We’ve somewhat jokingly chalked this up to decades of espionage films where lifting a fingerprint is as easy as using some scotch tape on a door handle.

But it’s a legitimate issue of trust for end users. We want to assertively state that we do not get actual biometric signatures or fingerprints from the end user. As a third party leveraging WebAuthn to speak to Touch ID, all we get is a pass or fail and the method that is utilized for authentication.

Security Keys in Firefox

We’ve been early adopters of Security Keys here at Duo. We were among the first vendors to announce support for Security Keys via the U2F standard in 2014, and we consider Yubico to be a tremendous partner. However, we’ve only been able to support Security Keys as an authentication method within Chrome, and many of our customers have requested the ability to also use Security Keys in other browsers.

Thanks to Firefox’s early adoption of WebAuthn, we’re happy to announce that we’ll also be supporting Security Keys in Firefox. 

Future Factors

Now, an obvious question might be: why is Touch ID supported in Chrome but not Firefox? There are a number of moving parts to enable biometrics through WebAuthn.

First, the operating system needs to expose a means to address the biometric authenticator. Second, browsers need to support that method. And last, but not least, browsers need to support WebAuthn.

Chrome and Firefox support WebAuthn. Microsoft currently has no intention to support WebAuthn in Internet Explorer. Microsoft Edge does support WebAuthn, but due to the recent announcement that the browser will be switching rendering engines to Chromium, we are waiting on a future implementation of WebAuthn to tackle supporting Windows Hello in the second half of this year.

Our roadmap ahead includes support for Fingerprint API within Google Chrome on Android later this year. This will address the millions of Android devices our customers use for accessing critical mobile services.

Apple’s Safari browser is critical for our end users because it’s the only rendering engine allowed to operate on iOS. Safari does not support WebAuthn yet, although they have shipped an early test release in a preview build. We expect Apple to ship WebAuthn support with the next iteration of iOS and MacOS later this year, and we plan on following fast with support for Touch ID for our iPhone and iPad users. 

Building Toward Passwordless Authentication 

WebAuthn is a nascent browser API, and we’re excited to be early adopters of this exciting opportunity to tap into built-in biometric authentication methods. We want to build products for our customers while also helping the drive adoption of WebAuthn in the community.

We were excited to launch WebAuthn.guide last month, which is a development guide for implementing WebAuthn. And our Duo Labs team launched WebAuthn.io, a test site for WebAuthn across browsers using security keys and other authenticators.

2019 will be the year of biometric authenticators for MFA, and we’re excited to help lay the foundation for a passwordless future.

Recently at Duo Tech Talks we hosted Ofir Weisse for a phenomenal presentation on Foreshadow and Foreshadow-NG, the speculative execution side-channel attacks that stole the privileged enclave signing keys from Intel’s SGX platform and can read arbitrary host memory from a compromised VM.

The Foreshadow attack builds on techniques used in the recent Spectre/Meltdown attacks in which speculative instruction execution leaves artifacts in the processor’s L1 cache that can then be detected by an adversary and used to infer the values of specific bytes in protected memory. Foreshadow applies a similar technique to read arbitrary memory across the protection boundaries enforced by Intel SGX, but goes further and even allows an adversary to retrieve any victim memory, even that which the victim process hasn’t loaded in the cache itself.

Because of the low-level technical nature of the research project, Ofir’s talk first covers an introduction to cache side channels, speculative execution, the Meltdown attack and the SGX architecture before explaining how Foreshadow and Foreshadow-NG work. His animated slides break down this complex topic into clear building blocks, upon which we can see how the attack works and the implications for security on future chip designs.

If you missed it last time, check out Ofir’s talk here, and if you’d like to attend future Duo Tech Talks, you can find them posted on our Meetup page.

“I’ll send an SOS to the world” - Sting

Needless to say (but I’ll say it anyway), public safety officials rely on effective communication to serve those in need. We’ve come a long way since Morse code and telegraphy, but any dire message is moot if the delivery mechanism fails - as they do. Network providers are now readily available to support multi-agency communication during peak times and in rural areas, but first responders still face evolving challenges to protect victim and patient data.

So, just need to fire-up a quick security stack for police/fire/rescue and call it a day, right? Well, sort of..

There’s a not-so-little public/private partnership called FirstNet, and they’re well underway to improve agency interoperability. With 50 states and five U.S. territories opting-in for service on the National Public Safety Broadband Network (NPSBN), identity verification is a top consideration and requires a security architecture to support the multitude of applications, users and devices.

If it hasn’t already, the term “zero trust” might ring a bell. By defining perimeters at the application access point - or anywhere you make an access decision - agencies can quickly authenticate badged officials from their field without the delay of sending network traffic through firewalls or VPNs; especially now that providers support significant 5G bandwidth for major incidents and rural jurisdictions.

At risk of more acronyms, NIST and DHS S&T fully support this initiative with relevant framework and first responder implementation guidelines. These step-by-step instructions on zero-trust principals are helping state and local governments streamline use cases across the enterprise with ICAM glue; sticky middleware that supports authentication via mobile device, biometrics, tokens, U2F, NFC, WebAuthN, etc..

Thankfully, we live in a time wherein security and convenience is at an intersection of agency missions. First responders can effectively increase their speed-to-safety by utilizing a variety of authentication methods to access all applications - while reducing risk of stolen keys to the crown jewels.