The Duo Blog
https://duo.com/
Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access.
Thu, 28 May 2020 08:30:00 -0400 | info@duosecurity.com (Amy Vazquez) | Copyright 2020

Trials and Transformations: Test Driving Multi-Factor Authentication and Zero Trust Solutions
J. Wolfgang Goerlich (wgoerlich@duosecurity.com) | Industry News | Thu, 28 May 2020 08:30:00 -0400
https://duo.com/blog/trials-and-transformations-test-driving-multi-factor-authentication-and-zero-trust-solutions

Does this sound familiar? “It’s just a trial. I have plenty of time. I’ll get to it when I get to it.” I’ve heard these things from my team in the past, and I hear them more now, given today’s culture of try before you buy. But then the trial’s over. The time’s gone. Then the team didn’t get to it, and it doesn’t happen.

How to Get The Most Out of Your Trial

If you are ready to learn how multi-factor authentication can prevent stolen credentials and passwords from accessing the network 99.9% of the time, then you are ready to start your journey to zero trust.

This article tackles that head-on by sharing what I’ve seen work for trials and proof-of-concepts. It sounds intuitive, but the point of a trial or a POC is to prove the feasibility of a solution or the feasibility of a critical aspect of a solution. Typically, when we are engaged in a trial, we are trying to answer questions similar to the ones below:

  • Will this technology meet our specific use cases and unique needs?
  • Does the product perform as advertised?
  • How does the solution compare?
  • Will it provide intangible benefits, like improving productivity or a new way of doing things?
  • What will it take to get the solution in, up, and operational?

Answering these questions takes work before the trial, during, and afterwards. Running a POC is a project in and of itself. Let’s look at some winning practices. 

Before the Trial

Involve people. We’ll want our champion and business stakeholders, of course. We’ll also need to loop in the IT team for support, and purchasing to understand their process. It is counterintuitive, but, we also need to include naysayers. Knowing and addressing concerns early on in the pilot strengthens the resulting business case.  

Be specific. Pilot projects which understand the mindset of our stakeholders and document specific use cases succeed. Include quantitative measures such as time to set up and time to authenticate. Also, consider qualitative measures like ease of use and ease of administration. Finally, even though this is a technology pilot, be sure to include how this change supports the broader organization’s strategy and goals. Create an evaluation sheet with these considerations.

Schedule it. Every pilot I’ve seen run into trouble had one thing in common: not dedicating time to run the pilot like a project. If possible, get a project manager assigned. Plan the proof of concept, the technical environment, and the testing. Run the use cases, the evaluation sheet, and the plan by the people involved. Getting buy-in on the approach early on increases the support we’ll have on the final decision. 

During the Trial

Take it for a test run. Stay focused on the defined use cases and success criteria. Set it up, integrate it, kick the tires, and take it for a test drive. Work through a complete use case and get any specific questions answered. There are a couple things to look out for here. First, keep the scope tight and be careful not to let the excitement carry us away from the plan. It’s not easy to do especially when we get into the details. Second, keep an eye on the clock. A month pilot, for example, should wrap up the initial testing in the first week or two.  

Check in with the team. After spending a week or two running it through its paces, present back to the core team. Show a test case to our stakeholders and make sure the approach is resonating. In a separate meeting, bring in our secret weapon: the naysayers. Find out what concerns and questions they have early. Gather the feedback to evolve the approach and the story. It’s hard, but keep the evaluation criteria front of mind during these conversations to make a decision supported by the data.

Finish strong. With the final couple weeks of a month-long pilot, retest any use cases and answer any questions raised during the check-in. This is a good time to engage the vendor to get additional information and clarify any points. Begin preparing the final report out. We need to tell the story about how the pilot fits in the organization’s broader context, answers the technical need, and satisfies the use cases. Run it by a small set of the people involved to get early feedback.

After the Trial

Present the pilot. If not dedicating time to run the pilot like a project is the number one factor in pilots going sideways, the number two factor I’ve seen is not presenting the results. Seems odd, right? We’ve spent several weeks planning and executing on the pilot, only to fumble. But it makes sense in the broader context. Doing the work is fun. Presenting, for many of us, is less so. Moreover, operational concerns and the growing to-do list often get in the way. Don’t let this happen. Find our best speaker, give them our best slide template (or borrow one from someone who successfully presents business cases), and schedule it. Establish the business reason, explain the evaluation and success criteria, and tell the story. Having run this by others during the pilot, we’ll be prepared to answer most questions that come up.

Decide on the direction. Gaining buy-in on the approach at the beginning simplifies gaining support for the decision at the end. Combining the data-driven approach of objective and subjective considerations with the storytelling makes for a more compelling presentation. If we clearly understood the problem we’re trying to solve, and have found the right tool for the job, the decision should be easy, right? Well. Not so fast. We think of pilots as Option A versus Option B. But in reality, it may be A versus B versus doing nothing. Be prepared to spend time running the decision to ground, getting IT and purchasing involved, and turning the decision into action. 

Implement and execute. SaaS means Software-as-a-Service not Shelfware-as-a-Service. So there’s one final step in the pilot process. That step is actually applying the SaaS to the use case. To do this, we need three things. First, we need a clear hand-off between the person owning the pilot and the person owning the implementation. This means sharing what we’ve learned from the pilot, including not only about the tool, but also about the stakeholders and all the people involved. Second, we need a tighter partnership with the customer success team. And finally, we need a good plan.

Final Thoughts

The transition from trial to implementation to transformation should be seamless and smooth. This is even more critical when we are deploying security solutions across an organization. Regardless of whether we are going through a regular buying motion or purchasing to address an emergency situation, the vendor we work with needs to be there to provide support and have the tools and processes in place to help us be successful.

In this article, I’ve shared what I’ve done to succeed when planning, executing, and finishing a proof of concept. Make it about the business. Include people, not only champions but also naysayers. Be specific in our use cases and our success criteria. Do the work and tell the story. Finally, work to make the decision the right decision, by working to ensure the product delivers on our promise. In today’s culture of try before you buy, remember, it’s our team’s approach that produces results. 

Try Duo For Free

Now that you know how to make the most of it, try our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Duo With Meraki: A Recipe to Simplify Your IT Network and Secure Access
Ganesh Umapathy (gumapathy@duosecurity.com) | Product & Engineering | Wed, 27 May 2020 08:30:00 -0400
https://duo.com/blog/duo-with-meraki-a-recipe-to-simplify-your-it-network-and-secure-access

Bring your own device (BYOD) and remote work have been steadily gaining popularity among enterprises as they realize the cost and productivity benefits. And in the current situation, organizations have been, in a span of a few days, forced to operationalize a fully remote workforce without the typical time and planning required for resources such as VPN capacity and managed devices. 

To keep employees productive in this new reality, enterprises are enabling direct internet access to cloud applications, reserving network connectivity for on-premises applications and embracing unmanaged devices for work. And IT administrators would benefit from simplified networking and secure access solutions that are quick to deploy and easy to manage from any location.  

Born Out of the Same Necessity 

Traditional on-premises solutions for IT networking and security are often regarded as cumbersome, typically involving lengthy deployment schedules and administrative overhead. Thankfully, technological advances leading to cloud-based solutions over the past decade have significantly changed that. A cloud-first approach has enabled Cisco’s Meraki and Duo Security to deliver on ease of deployment, simplified management and intuitive user experience through solutions that revolutionized their respective market segments. 

Cisco Meraki is the industry leader in cloud-managed IT and creates the simplest, most powerful solutions, helping everyone from small businesses to global enterprises save time and money. Duo, now also part of Cisco, provides an easy to use cloud-based security platform that protects access to all applications, for any user and device, from anywhere. By deploying Duo and Meraki, organizations can reap the benefits of a natively integrated solution that provides comprehensive visibility and secure connectivity both on and off the network.

Establish Device Trust With Meraki Systems Manager

Meraki Systems Manager (SM) is Cisco’s endpoint management solution that provides support, security, and control for end devices. Systems Manager natively integrates with the Meraki product portfolio and allows customers to remotely provision, monitor, and secure devices through the Meraki dashboard. 

Duo’s Device Trust helps organizations gain visibility into any device that accesses Duo-protected applications and enforce access controls based on device context, such as whether the device is managed or unmanaged (BYOD and contractor devices) and the health of the device.

Duo and Meraki make it easy to enable access only from trusted and compliant corporate managed devices while blocking access from unmanaged devices. With the integrated solution, organizations can secure access to critical on-prem or cloud applications from any location or network by allowing access only to devices enrolled in Meraki Systems Manager.

Consider the use case the IT security team at Griffin Capital LLC, an investment and asset management company, is looking to solve. The IT team uses Meraki Systems Manager to manage mobile devices and was looking to augment its security controls to block access to corporate resources from untrusted devices.

"We have started to roll out Duo's Device Trust capabilities across the fleet of devices our team manages here at Griffin. As we increasingly rely upon Meraki's Systems Manager solution for device management, we were happy to evaluate Duo's new integration with Systems Manager for Trusted Endpoints. Our initial evaluation has been successful and we are planning to extend it to cover the growing number of devices we now manage using Systems Manager." - Alex Moratorio, Senior Vice President of IT, Griffin Capital Company, LLC.

Compliant Secure Remote Access  

By deploying Duo with Meraki security appliances, organizations can secure VPN access while meeting compliance requirements such as PCI-DSS and HIPAA. Duo integrates with Meraki VPN to add a layer of access security with adaptive multi-factor authentication (MFA) to prevent the use of stolen credentials and protect all VPN logins.

Protect Access to Meraki Cloud Dashboard

One of Meraki’s key value propositions is that network administrators can access the Meraki dashboard, the centralized cloud management platform for managing and monitoring all Meraki devices and services, from any location. Duo helps organizations protect administrator access to the Meraki dashboard by preventing unauthorized access and use of stolen credentials. Duo’s MFA easily integrates with Meraki Dashboard logins, delivering an intuitive access experience that users expect from Duo and Meraki.

In Conclusion

Duo with Meraki makes it easy for organizations to deploy and manage their IT networks, and enable secure access only from verified users and compliant devices. IT and security teams can consolidate their access policies in one central location – Duo – and apply them consistently across any application and any device. This helps security professionals to achieve their ultimate goal:  reducing risk while providing seamless access for the workforce.  


How Duo Maps to Australian Cyber Security Center Remote Worker Guidelines
Ted Kietzman (tkietzman@duosecurity.com) | Industry News | Tue, 26 May 2020 08:30:00 -0400
https://duo.com/blog/how-duo-maps-to-australian-cyber-security-center-remote-worker-guidelines

For years, security professionals have been discussing the diminishing traditional perimeter. The rise of cloud applications, the prevalence of personal devices in the workplace and the transition to a more remote workforce are reshaping access points and transitioning companies into a modern era. 

Today, vague predictions of remote access have snapped into concrete reality the world over: across the entire globe, wherever possible, people need to work from home seamlessly. Over the past few weeks, the guidance and tools needed to protect against breaches and secure a remote workforce have taken center stage.

A case in point is Australia: the Australian Cyber Security Centre recently released a document outlining its tips and guidelines for securing the remote worker. The advice is timely and well-structured, and like the tips in their previous “Essential Eight” guide, this new guidance distills the nine most important security controls that workers should consider when working in this new environment.

The Nine Most Important Security Controls For Remote Workers

  1. Beware of scams
  2. Use strong & unique passphrases
  3. Implement multi-factor authentication
  4. Update software and operating systems
  5. Use a Virtual Private Network (VPN)
  6. Use trusted Wi-Fi
  7. Secure devices when not in use
  8. Avoid portable storage devices
  9. Use trusted sources of information

For more details feel free to read the full guidance, but it’s worth commenting on a few of the points made. 

Scams Are on the Rise 

There are many documented cases of cybercriminals leveraging panic around the pandemic to entice action from unsuspecting users. 

Security Education Works

The tips to beware of scams, use strong and unique passwords, avoid portable storage devices, and use trusted sources of information can be grouped together. These are issues of workforce security education. Now, more than ever, it’s important to set security expectations with remote workers and invest time in security education.

Protecting Passwords

When addressing multi-factor authentication, updating software and operating systems, and securing devices when not in use, Duo can help. Duo’s multi-factor authentication (MFA) eliminates concerns around weak or vulnerable passwords by requiring multiple factors to establish that the right person is getting the right access to the network.

Duo makes it easy to roll out MFA to all of your remote workers and protect all of your corporate applications, whether cloud or on-premises. (Duo is particularly adept at protecting VPN credentials, which ends up enabling tip five too.) Duo is known for being easy to implement and deploy to users, and has worked with larger organizations like the University of Queensland to secure workers quickly and effectively.

Establish Device Health and Trust

Keeping devices patched and updated is one of the strongest ways to avoid bad actors exploiting vulnerabilities and gaining access to a network through insecure devices. This control and guidance could potentially be harder to encourage through education, or to enforce at the corporate level. If workers are left on their own to update devices and software or select security tools, for example, it may take a while, and they may opt for a variety of disparate consumer-facing tools that are hard for IT departments to manage centrally. This lack of visibility can cause immense help desk challenges.

Moreover, for IT departments, enforcing controls around device operating systems, health and status when workers are home presents a whole new set of challenges. Sure, constant reminders via email or the company chat to update to the latest software or to make sure screen lock is enabled are one strategy, but often updates happen too late. Ensuring that only up-to-date devices, with proper security posture, are accessing corporate applications should be simple to do.

Additionally, Duo’s Device Trust makes it simple to assess worker devices at the point of access for software version and security posture. If a worker’s device is out-of-date or lacking a security feature, Duo can guide them through the update. If a worker persistently attempts access with a risky or insecure device, Duo can block them from access until they update. 

Times have changed quickly in light of recent events. The prospect of widespread remote work is the new reality. In order to best defend companies from breaches, easy-to-use security controls that map to guidance from organizations like the ACSC will be important moving forward. 


Unpacking 2020's Verizon DBIR - Human Error and Greed Collide
Desdemona Bandini (dbandini@duo.com) | Industry News | Wed, 20 May 2020 00:00:00 -0400
https://duo.com/blog/unpacking-2020s-verizon-dbir-human-error-and-greed-collide

Pick up your device, and lean into your screen because the numbers are in for the 2020 Verizon Data Breach Investigations Report (DBIR). This year celebrates the report’s 13th by monitoring security in 81 contributing organizations, four global regions and 16 different industry verticals.  The report reviews 32,002 security incidents and analyzes 3,950 confirmed data breaches, and is complete with interactive data points.

At a Glance

  • 86% of breaches driven by financial gain (up 15% from 2019)
  • 70% of breaches are caused by bad actors (with 55% of these in organized crime)
  • 67% of breaches were due to credential theft, errors and social attacks
  • 27% of malware incidents are from ransomware, and that threat is rising
  • 43% of breaches are due to web app attacks (double from 2019)
  • 58% of breaches involve personal data (double from 2019)
  • 17% of breaches are caused by errors (double from 2019)
  • Financial gain is still the primary motive for attacks 
  • North America leads other regions in the number of breaches
  • 43% of data attacks are cloud-based (double from 2019)
  • On-going patching is a successful deterrent with fewer than 1 in 20 breaches exploiting vulnerabilities
  • Password dumper is the most popular form of malware followed by capture app data and ransomware
  • Office documents and Windows apps still tend to be the malware file type of choice. Other file types seen as malware delivery mechanisms include shell scripts, Java, PDF, browser app, Flash, Linux app, OSX app and Android app
  • Denial-of-Service (DoS) attacks have gone up over the past year, while cyber-espionage campaigns have decreased

Phishing and Stolen Credentials Still Top Driver of Breaches

Phishing and stolen passwords continue to be top ways that cyber criminals are accessing networks and systems. Over 80% of hacking breaches involve brute force or the use of lost or stolen credentials. Hacking coupled with exploitation of a vulnerability is a main way bad actors access web applications (through stolen credentials) and gain entry.

Although down 6.6% from 2019, social phishing remains the top access point for breaches, followed by stolen credentials from hacking, which is down by 4.1% from last year. Social attacks are sent via email 96% of the time, with 3% through the web and slightly over 1% via mobile or SMS. 

If the DBIR has taught us nothing else, it is that we need to accelerate the denouement for the ignoble static password. According to the report, over 80% of the attacks involved brute force or the use of stolen passwords. If we can collectively shift towards utilizing multi-factor authentication, while keeping an eye towards a future with passwordless technology such as WebAuthn and biometrics, we will embrace a safer future.

— Dave Lewis, Duo’s Advisory CISO

It is worth noting that the click-through rate in phishing simulations has gone down from an average of 25% to 3.4% in the past 7 years as more users are educated on security best practices. This shows that, despite human error, we can be trained to do better. Reporting the results of phishing test campaigns is also increasing. Passwords that are easily detectable or reused often are vulnerable to phishing attacks. With security education and multi-factor authentication (MFA) the trail of breaches due to stolen passwords can be prevented 99.9% of the time.

Attackers targeted credentials, personal data, medical records, payment information, internal secrets and other internal business-related data. 

  • 37% of credential theft breaches use stolen or weak credentials
  • 25% involve phishing
  • 16% from password dumps
  • Human error accounts for 22% of breaches 
  • 20% of attacks are against web applications using stolen credentials

Cyber-Breach Pathways Lead to a Defender Advantage

The 2020 DBIR introduced cyber-breach attack pathways that document the steps (typically under 10 steps) used in a breach or incident, or a holistic view of the attackers’ “journey to a breach.” By documenting the steps an attacker takes to systematically work their way through the network and expand their persistence, it sheds light on the areas of vulnerability and provides a “defender advantage” on where you choose to intercept them. If you want to stop them before they start, two-factor authentication (2FA) is the most effective solution.

Errors Double

The report shows a significant increase in breaches related to internal errors, which increased by 2x, although that might be due to stricter reporting. Misconfiguration errors also doubled, and successful socially engineered attacks are up 18%. Errors are most often discovered by a security researcher or third party. Of breach origins, 17% are created by errors.

Breaches from malware stealing passwords and password dumps have gone up 4.2% from 2019. Breaches from errors and misdelivery are up 1.4%, while errors from misconfiguration are up 4.9% from last year. Financially Motivated Social Engineering (FMSE) impersonating or targeting CEOs (without malicious links but with the goal of a money wire) continues to increase significantly year over year.

“It’s not personal, it’s business.” —The Godfather

Security breaches are big business, with 70% driven by external actors and 55% of those carried out by organized crime; followed by nation-states, system admins and end users, which all sit at under 20%. Physical breaches have leveled, but hacking, malware, social and misuse have decreased since 2019. Hacking with stolen credentials and social phishing are down from 2019, but remain consistent and the top threats. Malware breaches have gone down, primarily because the accessible pool of stolen credentials makes malware no longer necessary. Take this news with a grain of salt, however, as ransomware is higher than last year, up 2.6%, and while it is considered malware, it is difficult to confirm as a breach without credentials, but easier to track as an incident. 

DoS attacks made up 40% of security incidents reported, more than crimeware and web applications. DoS attacks can send junk network traffic via bots to overwhelm and crash systems. 

When we look at criminal forums and underground data, 5% refer to a “service.” That service could be any number of things including hacking, ransomware, Distributed Denial of Service (DDoS), spam, proxy, credit card crime-related or other illicit activities. Worse still, that “service” may just be hosted on your hardware. The simple fact is this: If you leave your internet-facing assets so unsecured that taking them over can be automated, the attackers will transform your infrastructure into a multi-tenant environment.

— 2020 Verizon DBIR

Small Versus Large Business

Bad actors target businesses using cloud-based tools. Misconfiguration errors and human errors have made this area lucrative for hackers. Small businesses need to get smarter about phishing, as they fell victim to 30% phishing-related breaches, 27% were stolen credentials and 16% password dumpers. These were the main vulnerabilities for large companies as well in 2020.  Point-of-sale (POS) attacks decreased this year as user devices, mail servers and people were the main targets for attacks. 

Industry-Specific Findings

Since 2019, web application attacks have increased significantly, both in terms of percentage and in raw number of breaches. Ransomware is on the rise at 27%, and phishing still works.

  • Public Administration: 346 confirmed data disclosures. Miscellaneous errors, web applications and everything else represent 73% of breaches, with 59% of threats from external actors, 51% of personal data was compromised and 61% of incidents due to ransomware.
  • Professional Services: 326 confirmed data disclosures. Web applications led with 75% of threats from external sources, and 75% of breaches stole personal data and 45% stole credentials.
  • Manufacturing: 381 confirmed incidents, 75% are external actors and 29% use password dumpers, app data captures and downloaders to obtain proprietary data. Crimeware, web applications and privilege misuse account for 64% of breaches. And 23% of malware incidents are from ransomware.
  • Financial and Insurance: Misuse dropped from 21.8% in 2019 down to 8%. Over 30% of breaches were caused by web application attacks using stolen credentials to get data stored in the cloud. But also troubling is that miscellaneous errors attributed to employee errors resulted in just as many breaches. 
  • Educational Services: Ransomware attacks continue to plague education with 80% malware attacks vs. 45% in 2019, and social engineering accounted for 27% of incidents.
  • Healthcare: Human error created 31% of breaches from misdelivery and misuse, with external breaches at 51% (a 10% increase from 2019). Almost half of the bad actors come from the inside at 48%, making this vertical susceptible to credential theft.
  • Retail: 99% of incidents were financially-motivated, with payment data and personal credentials continuing to be prized. Web applications, rather than POS devices, are now the main cause of retail breaches.

As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount. In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.

— Tami Erwin, CEO, Verizon Business

Regional Findings

  • Northern America: Stolen credentials were used in over 79% of hacking breaches; 91% of cases were financially-motivated; 33% of breaches were associated with either phishing or pretexting.
  • Europe, Middle East and Africa: DoS attacks made up more than 80% of malware incidents; 70% were financially-motivated; 40% of breaches used a combo of hacking that leverages either stolen credentials or known vulnerabilities to target web applications; and 14% of breaches were from cyber-espionage.
  • Asia Pacific: Only 63% of breaches were financially-motivated, and 28% were the result of phishing attacks.

When greed (bad actors) meets human error (phishing and stolen credentials) — vulnerabilities and exploits happen. Duo helps companies by taking the guesswork out of many of the human errors that lead to stolen credentials through multi-factor authentication combined with Duo's zero trust controls that allow administrators to make effective policies. Duo's device trust helps organizations get clear visibility into devices accessing the network and provides additional layers of protection with prompts for users to keep their devices up-to-date, and barriers to access if their device poses a risk. Duo offers powerful security that is easy to deploy and easy to use. We help your users stay secure with minimal friction.



Duo & Webex: Essential Tools for a Remote Workforce
Umang Barman (ubarman@duosecurity.com) | Product & Engineering | Tue, 19 May 2020 00:00:00 -0400
https://duo.com/blog/duo-and-webex-essential-tools-for-a-remote-workforce

According to a report by MIT, 34% of Americans who were previously commuting to work reported that they were working from home by the first week of April. As more employees are working remotely from home, IT departments have to enable and provide their employees with a set of tools to stay productive and secure. 

Due to stay-at-home orders, organizations had to provide resources such as laptops to thousands of employees and students to minimize disruptions to productivity and to help them continue working. While access to laptops is one of the many necessary resources, users also need a set of tools to work effectively and securely. Cisco offers a variety of such tools to support a remote workforce regardless of size. 

Since the early days of the internet, Cisco has helped thousands of global organizations connect their workforce, secure their sensitive data, and collaborate with anyone, anywhere.  The transition from work at the office to work from home has created an urgency for organizations to deploy new technologies to support their teams and adopt this new normal. However, evaluating and deploying newer technologies can take weeks to months. 

To help accelerate this transformation, we want to share a few essential tools that can be deployed within days to support a remote workforce.

Secure Video Conferencing Via Webex

First, organizations should provide all users several ways to virtually collaborate with colleagues, partners, vendors, etc. Users should be able to host and attend virtual meetings. For a productive meeting, a virtual meeting experience should be as good as an in-person one. (For example: users should be able to communicate and perceive non-verbal communication such as body language and facial expressions.) Studies show video interactions produce effective outcomes. 

Duo Protects Webex

Duo protects Webex logins and prevents unauthorized users from accessing sensitive data stored within Webex. Webex offers a secure high-quality video meeting platform that works on any device - laptops, desktops and mobile devices. Organizations can use Webex to facilitate team meetings, webinars, remote learning, live online support, sales calls, etc. Cisco Webex is a cloud-based platform that can be accessed via a standalone app, any internet browser or through Webex Teams. Webex offers video recording, host switching, customizable backdrops, screen sharing and more.  

Webex Teams is an internal collaboration tool that provides users with a messaging platform to send instant chat messages, share files, links, whiteboard, schedule, send photos and videos, etc. 

Secure Access to Applications Remotely

Second, when employees work remotely, they should be able to access work applications securely. In the past, when most of the business was conducted at a corporate office, security admins could check for incoming traffic such as malicious sites and malware, and block them from infecting users’ devices and causing data breaches. However, with users working remotely, admins should protect their data regardless of who the user is and what device they use to access applications. 

To protect sensitive data, Duo checks for the identity of the user with multi-factor authentication (MFA). Admins can also check the security posture of all devices (corporate managed or remote) logging into applications. Based on user and device trust, IT admins can set policies to allow or block a user from accessing applications. Our customers call this security posture zero trust, and you can learn all about zero trust here.

In addition, Duo works with thousands of other cloud applications such as O365, Salesforce, Workday, etc., providing users with a consistent access security experience. 

Finally, organizations who want to implement a defense-in-depth security architecture can consider several other security products we offer as a part of our secure remote worker offering. We published a blog to highlight how to go about securing a remote workforce. If you have other questions, please contact your account executive at Cisco to learn more.

Learn more about Duo & Webex integrations.

<![CDATA[Keep Celebrating: Ideas for Virtual Social Team Building]]> espratley@duosecurity.com (Elayna Spratley) https://duo.com/blog/keep-celebrating-ideas-for-virtual-social-team-building https://duo.com/blog/keep-celebrating-ideas-for-virtual-social-team-building Industry News Wed, 13 May 2020 08:30:00 -0400

Now that we are getting into a routine working from home, there is a key social activity that we have to be intentional about. Team celebrations! Now more than ever it is important to recognize and celebrate all of the awesome personal and professional things that are happening on our teams. These moments of rejoicing help us feel more connected to each other, they lift our spirits and add some scheduled fun to our calendar. We all could use an extra dose of joy these days — so why not celebrate our successes  — or gather just because it’s Friday! Great things are happening every day, so any day is a great day to celebrate. 

At Duo, we celebrate as often as we can, we are party people. We have a monthly happy hour across each office called Brew:30 to connect and enjoy each other’s company. When there are new releases of our products we take the Brew:30’s to another level with balloon arches and a cake. 

Now that we are working remotely we have been using Webex to stay connected. We had our first virtual disco party this April to celebrate a big milestone on our journey with Cisco. The virtual disco was pretty epic, there was a DJ streaming live and a video chat for all of us to talk while we bopped. Continuing our love of partying has been our piece of normal that helps us stay lifted during these times.

If you are ready to start brainstorming for your next team fiesta, check out these recommendations for reasons to party and how to get down. 

WFH Duo Dance Party

Remote Team Building Celebrations

Here are a few occasions that are prime party opportunities to celebrate the team’s progress:

  • Project kickoff
  • Start of a project phase
  • End of a project phase
  • End of customer interviews or testing
  • End of a sprint
  • Product release
  • Any other major project milestone
  • Start of the workweek
  • End of the workweek
  • We made it halfway through the week!
  • It’s Thursday — only one more workday! LET’S PARTAY!

Consider holding maybe 1-3 of these types of get-togethers a month. You want the celebrations to keep some novelty to them. If there is a particular cadence you’d like to create, like a happy hour every other Friday, put it on the calendar so that the team is consistently connecting outside of meetings. Aside from celebrating the team’s success, there are plenty of personal reasons to gather and congratulate.

  • New baby
  • New home
  • Completion of a certification or degree
  • National holiday
  • Silly national holidays. Here’s a whole list of them. Don’t forget July 28th is Milk Chocolate day. Send your folks some candy and have a chocolate party! :D
  • New season. (This includes self-proclaimed seasons like grill season and sweater season.)
  • Personal interest. Have everyone express their super-fan side
  • Shared interests. Think Tiger King or a hip hop dance party.
  • Someone found toilet paper at the store. This deserves a huge celebration!

Have these personal parties as they come up but no more than three in a month if possible. Consider asking your team about their upcoming major personal milestones at your next virtual happy hour and put them on the calendar. If you have a light month, throw in one silly celebration to put a bit of wacky in the weekday.

Now that I gave you plenty of reasons to party, let’s talk about how you can spice things up and put some variety in how you celebrate.

Ways you can celebrate the team’s success or just because it’s Thursday...

  • Costume party. Everyone has a whole closet of possibilities. Come up with a zany theme.
  • Host your party like a late-night show and interview a few teammates like they are celebrities. Take it up a notch and put on your best Jimmy Fallon voice and maybe do some fun extra bits like musical impressions.
  • Set up a virtual team lunch and have everyone talk about what they made to eat. Or use your team celebration budget for lunch delivery from a local restaurant.
  • Find out what foods everyone has in their house and have a “Chopped-style” food competition to see who can come up with the most creative dish.
  • Grab the script of a scene from a classic movie or TV show and do a dramatic reading with different team members as each character.
  • Have virtual tea time with mugs and snacks.
  • Have everyone share their favorite motivational speeches, put a few watch parties on the calendar and be inspired!
  • Take a virtual walk together and give a tour of each other’s neighborhoods.
  • Create a fun Spotify collaborative playlist and do a sing-along.
  • Do time machine presentations. Every team member creates one slide that shares what era of time they would like to travel back, who they would like to meet and why.
  • Do a hobby together. Reading, drawing or, if a few folks know how to play an instrument, attempt a jam session.

  • Play a game. Here are some ideas of classic board games and tips on how to play them virtually.
  • Do a watch along of your favorite movie, show or concert performance. You can use the chat or just shout out jokes and comments the whole time.
  • Hire a local artist to do a private video concert. Hook up that laptop to your TV and jam the afternoon away.
  • Create a good news day! Everyone collects an inspiring or fun story to share in their best newscaster voice.
  • Learn more about your teammates with a Pecha Kucha party. Pecha Kucha is a presentation style where each person makes a slideshow that auto progresses with 20 slides and 20 seconds per slide, so everyone has 400 seconds to share their story. Have the conversation go deeper and set aside a little time for Q&A after each person presents.
  • Inspire each other with personal stories of triumph and transformation. Have a few people share a life experience that made them stronger. Be sure to have your tissues handy.
  • Start a bucket list document with everyone’s top ideas and have a happy hour where everyone shares their ideas. I’m sure your teammates will surprise you.

Ways you can celebrate team members…

  • Have a storytime. Have the team collaborate on a story in the style of a children’s book and have people take turns reading out the story. Extra love points for illustrations and funny voices! This idea is great for birthdays.
  • Edit the lyrics to one of your teammate's favorite songs and make it all about them! Perform it with a karaoke track from YouTube or a cappella. Bonus points if you dress up like the band.
  • Write a poem or letter to a teammate. Add some extra fun by having everyone randomly paired. Simple poems like haiku are easy and sometimes silly due to their constraints.
  • Take a trip down memory lane with a virtual fireside chat about your teammates.
  • Share team gratitude lists. Everyone writes down 10 reasons why they are grateful for their team or teammate. Let the good feels flow!

The ideas are endless! This is just a start. I hope this list encourages you to celebrate your team and their special moments in a fun and creative way. Anyone on the team can set up one of these video parties. Yes, that person could be YOU! I’m sure your teammates will be happy you did. Remember it doesn’t have to be a special day to celebrate because your teammates are special people and everyone deserves more joy in their day.

If you have any additional ideas please share them by tweeting to me and keep celebrating!

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Join us. Learn more at duo.com/careers

<![CDATA[The Story of the Frolicking Insider]]> rarchdeacon@duosecurity.com (Richard Archdeacon) https://duo.com/blog/the-story-of-the-frolicking-insider https://duo.com/blog/the-story-of-the-frolicking-insider Industry News Tue, 12 May 2020 08:30:00 -0400

The UK Supreme Court handed down a judgement recently concerning a supermarket company called Morrisons and a group of 9,000 employees who were pursuing a class action lawsuit following a 2014 data breach. The case focused on the issue of vicarious liability – the liability following the actions of an employee. This is applicable only to the UK  – excluding Scotland  – but it does have some interesting points.

This sad tale started in 2013, when a chap called Andrew Skelton was asked to provide data on employees to Morrisons auditors. It wasn’t a surprising request, as he was an internal auditor.  It was quite within his scope of work. However, this chap Skelton had a grudge. He felt he had been wronged. So he set about his revenge. He downloaded the data, about 100,000 individual records, and then posted them on the internet.  He anonymously tipped off the media to make sure he had done a good job. He was caught, however, and as a result was rewarded with eight years free board and lodging in one of Her Majesty’s finest accommodation units  – jail.

To carry out his nefarious scheme, he used all sorts of tricks to hide his real identity, including uploading the data anonymously from a home device and using a burner phone to communicate. So it is safe to assume this was outside of normal corporate working practices.

This was the basis for the Group Action. Obviously for Morrisons, this was a tad worrying.  The original action was by 9,000 employees, with the remainder to follow. The question arising was whether Morrisons were responsible for what Skelton had done. The court decided that they were not. It said that Skelton was clearly not furthering their business, there was no close connection and he was in effect on a frolic of his own.

This incident reminds me of an event which I came across some time ago: the fraudulent invoice scam. An employee was sending out perfectly correct invoices from a perfectly correct email address, but with a different bank account. When discovered, it was difficult to decide whether this was a case of compromised credentials or an insider job. Where detection may have failed, would deterrence not have provided an additional solution?

As security teams, we should look back on the incident described (it happened over seven years ago, almost half a century in dog years) as a defining moment for cybersecurity. We cannot say “they did not have the right to leak our data” as a defence. We are now more than capable of understanding and acting upon the need to check the end user permissions and have a policy-based access control point. We have tools now that didn’t exist before. The simple act of having to verify user identity and access using a multi-factor authentication (MFA) control sharpens the mind of any potential malcontent. We will know it is you and what you are trying to do! It is a deterrent first, and then a tool to control. The same applies to step-up authentication within key applications. When a key piece of data, such as bank account information, is changed, then authentication is required again. Every step of the way.

It also makes one think how data will be transferred in the future. We are entering an API-driven world where perhaps the risk of misappropriated data in transit will be reduced by the use of direct links between systems. Although that opens up another Pandora's box.

So getting the basics right, making sure that whoever is logging in is who they say they are, and making the user part of the security function by having them pass multiple factors of control as part of the decision-making process will provide greater visibility as well as greater deterrence to any frolicking insider.

Try Duo For Free

Discover how easy it is to be protected from frolicking insiders with Duo's two-factor authentication. Start your free 30-day trial.

<![CDATA[Duo Expands Device Trust to Corporate Devices Managed by Microsoft Intune]]> manand@duosecurity.com (Manu Anand) https://duo.com/blog/duo-expands-device-trust-to-corporate-devices-managed-by-microsoft-intune https://duo.com/blog/duo-expands-device-trust-to-corporate-devices-managed-by-microsoft-intune Product & Engineering Fri, 08 May 2020 08:30:00 -0400

With remote work, BYOD and hybrid app environments becoming the norm, IT teams need to enforce controls for the users and devices that can access sensitive corporate data and applications. From a Zero Trust perspective, these controls need to apply regardless of where the user is accessing the application from and if the application is cloud-based or on-premise.  

Duo’s industry-leading MFA solution provides the necessary controls to ensure that the user is trusted and really is who they say they are by verifying identity access in multiple ways. Duo’s Trusted Endpoints solution adds to those controls by ensuring that the user is using a corporate-issued device that meets corporate guidelines for software patching and application/data access. 

Trusted Endpoints + Microsoft Intune

Duo’s Trusted Endpoints solution, part of the Duo Beyond edition, has now been in the market since 2017. Since launch, we have been focused on making the solution more relevant by integrating it with a wide variety of device management solutions our customers have deployed. We have also been focusing on further extending the solution to account for the growth in both ChromeOS and Linux endpoints as they become increasingly commonplace in corporate device fleets. 

In the spirit of continually extending our solution based on how our customers want to leverage it, we are pleased to now also support devices that are managed by Microsoft Intune. Over the past year, we have seen the rapid growth in Microsoft Intune’s adoption particularly for customers who previously were using Active Directory Directory Services or Microsoft SCCM for managing their corporate-issued devices. The Microsoft Intune integration will cover iOS, Android, and Windows devices (8.1 and above) managed by Intune. 

This integration is designed to be set up in a matter of minutes and we can’t wait for our customers to take advantage of it in order to ensure all access, remote or from an office, to cloud apps or on-prem apps, is granted to only trusted users from trusted and managed devices.

Customer Value Proposition

With this integration, Duo makes it easy for Microsoft customers to reduce security risks due to non-compliant and vulnerable devices accessing sensitive data. Administrators can easily limit access to critical applications only to devices enrolled in Intune, while enabling BYOD for other applications. 

IT and security teams can consolidate their access policies in one central location - Duo; and apply them consistently across managed and unmanaged devices. This helps security professionals to achieve their ultimate goal - reducing cyber risk while providing seamless access for the diverse workforce population (users and devices). 

The Microsoft Intune integration is now Generally Available to Duo Beyond customers from the Duo Admin Panel. We are glad to be able to get this integration out especially in these times where the balance has tilted heavily towards supporting employees working remotely from their home offices. 

Register now 

Register for the sponsored live webinar on simplifying secure remote work using Duo and Microsoft.

Download this essential guide on how to enable zero trust access for Microsoft applications.

<![CDATA[Podcast: 'The Handmaid's Tale' Author Margaret Atwood on Plaintext Ep. 3]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/plaintext-podcast-ep-3-margaret-atwood https://duo.com/blog/plaintext-podcast-ep-3-margaret-atwood Industry News Fri, 08 May 2020 08:30:00 -0400

See the video at the blog post.

Welcome to episode 3 of the Plaintext Podcast!

You read that right, folks. Today I'm not speaking with a CISO. Instead, I'll be chatting with award-winning author, poet, inventor and activist Margaret Atwood (known for The Handmaid's Tale, Alias Grace, The Testaments and more than a dozen other novels). I first met Margaret 10 years ago while she was doing research for what became her book MaddAddam. (To hear more about that, you'll have to listen.)

In this episode, Margaret and I discuss storytelling, and specifically how the storyteller can impact the security conversation and how to get messages heard by a wider audience. 

We also dig into how dystopia can have a firm hold in security, as we are on the leading edge of the fight to root out attacks and democratize security.

From there, we chat about Margaret's invention, the LongPen, which is now part of the company Syngrafii. And we close out the discussion by highlighting some of the many charitable causes she is championing.

I hope this interview is as fun to listen to as it was to participate in.


And in case you missed them, check out episode 1 of the Plaintext Podcast featuring Thom Langford and episode 2 featuring Mike Rothman. 

<![CDATA[Security Next – Predictions on New Ways It Might Become Interesting]]> rarchdeacon@duosecurity.com (Richard Archdeacon) https://duo.com/blog/security-next-predictions-on-new-ways-it-might-become-interesting https://duo.com/blog/security-next-predictions-on-new-ways-it-might-become-interesting Industry News Thu, 07 May 2020 08:30:00 -0400

So What Will Some of the Trends Be? 

1. Securing remote workers based on a zero-trust model

2. Reassessing how we approach third-party security

3. Building security into new devices and tools


We are currently in the midst of uncharted times. Perhaps the most medically significant since 1919. The IT industry should be one of the most aware of this. During WWII, at Bletchley Park in Bedfordshire in June 1944, the Colossus (the first large-scale electronic computer, used to break the German system of teleprinter encryption known as ‘Tunny’) started running for the first time and led to the creation of the modern computer industry as we know it. Extreme times often lead to new solutions emerging.

Right now IT teams and security teams are flat out trying to keep their businesses going. So perhaps it’s not the time to talk about the future. Nevertheless, here it goes. A stab at what impact the current emergency will have on security going forward.

How Will Our Businesses Change in the Way That They Work?

One area in which there will be change is the way we work. The work from home (WFH) culture will become more acceptable and more common. For those of us in the technology industry it is almost the norm. For others it is not. At first many will love to get back to work to see their colleagues and escape the distractions of home. Humans are social animals after all. The demand for collaborative working will have been established, and it will be easier to do than it was before. And yet, inevitably there will be a drift to a greater WFH culture. Why spend hours commuting by car or train if you can just log in? Will “Dress Down Friday” become “Stay at Home Friday?” And will we start to hear of “Maybe Not Come In” on Mondays?

Certainly, based on experiences of the 2008 market crash, collaborative technologies will be substituted for business travel to provide flexibility and cut costs. Many CFOs will welcome this.

Many CISOs and CIOs are taking tactical cybersecurity decisions to ensure continuity. The risk is that these may disrupt future strategic discussions. There is no reason that should occur if they follow zero-trust principles. Securing remote access is a fundamental part of the approach. Follow the principles now for both immediate and future benefit.

A top priority for security teams will be to ensure end-to-end protection for the expanding WFH workforce.

Will Globalisation Trends Be Impacted? 

There are a lot of comments that the age of globalisation will come to an end. The risk of disruption and availability of supply will be higher up the risk register. The business models based on JIT delivery enable reduced storage costs and efficient transport systems allowing easy access to suppliers everywhere. This may well change as the need to have multiple suppliers close to hand and easy to access for critical components will outweigh the unit cost advantage of remote sources. This may change the way we look at third-party security relationships.

I recall one well-known brand company outsourcing its manufacturing to a supplier in a different country. One great risk was the protection of intellectual property. Hard to do when that country had a very different view of the legal protections afforded. In the future third-party assessments will at least come under the same legal jurisdiction, thus reducing the risk as legal redress would act as a deterrent. Not an excuse to drop one’s guard, but still a different way to think of the third-party. 

How to Secure Healthcare Third-Parties

We will still need to build in the required controls and focus on how we can automate the audit and checking of those controls within the third-party.  

Healthcare will be the prime focus at the present. The trend to greater use of technology will only accelerate to enable trained staff to provide better care to greater numbers. More devices, more endpoints and easy secure access will be required. 

But as we all know, hospitals are a target for constant attacks. In the US, healthcare data breaches were reported at a rate of 1.4 per day [1]. There have been moves to improve security in the UK, with the NHS Digital service creating a clear security support model.

However, going forward the opportunity to drive security into the new technology solutions exists and it is hoped that healthcare providers seize this chance to push higher security standards especially in the endpoint devices. Building it in at the beginning is always more cost effective.

Building Technology With Security In Mind

Most technology companies and startups work off a proof of concept, then try to get some funding or acquire users and can get well down the line of a viable product before taking security into consideration. In the future we will see technology being built from the ground up with security in mind. 


<![CDATA[How Duo and Our Technology Partners Enable a Remote Workforce]]> gleishman@duosecurity.com (Ginger Leishman) https://duo.com/blog/how-duo-and-our-technology-partners-enable-a-remote-workforce https://duo.com/blog/how-duo-and-our-technology-partners-enable-a-remote-workforce Industry News Wed, 06 May 2020 08:30:00 -0400

How do you enable an increasingly remote workforce with confidence? Duo’s security solutions complement any technical environment, and are engineered to verify identity and establish device trust no matter how, where, or when your users choose to log in.

Secure Your Remote Workforce, Fast

Users have left the building, and it's up to your security team to make sure they are protected on any device, wherever and whenever they choose to work. Remote workers need secure access to their applications and critical resources, whether they reside in the public cloud or on-premises behind perimeter security. At Duo, the number of companies interested in being a Duo Technology Partner has grown by 70% and new integrations supporting Duo have doubled.

Why Security Is Important, Especially for Remote Work Environments

  • 81% of breaches involve compromised credentials. The threat of compromised credentials can magnify when you are outside of your office work environment.
  • 52% of survey respondents stated mobile devices are challenging to defend. When working remotely, employees use multiple devices to access your network and applications. Unknown and unmanaged devices are a risk.
  • 27% of organizations are currently using multi-factor authentication (MFA) when accessing any application. It is good to see organizations adopting MFA, but this should be a practice all organizations use.

What Duo Delivers To Empower Remote Workers

  • Employees can securely work from anywhere on any device
  • Duo can verify user identities and establish device trust
  • Duo ensures users can access corporate resources from remote locations

Why Choose the Duo Security Solution?

For organizations big or small that need to protect sensitive data at scale, Duo is the user-friendly zero-trust security platform for all users, all devices and all applications. At Duo, we are seeing an increased need to protect remote workers and remote access to the applications and infrastructure they need to work from anywhere.

To serve our customers, Duo has native and out-of-the-box third-party integrations with hundreds of Technology Partners to secure and enable organizations to adopt Duo in any technical environment.

Top 5 Ways to Enable Remote Access

1. Secure Remote Network Access Through a VPN

Organizations can enable secure access to the enterprise network for any user, from any device, at any time, in any location.

Cisco AnyConnect protects your enterprise resources with a single agent for access to on-premises and off-premises (cloud) applications. Duo’s integration with Cisco AnyConnect adds strong multi-factor authentication when employees request access to verify their identity and security of their devices.

Duo’s integration with Cisco ASA and Cisco Firepower Threat Defense (FTD) provides strong user authentication, device security hygiene check, and visibility into the access requests and devices made to your network.

Duo also works with these leading third-party Remote Network Access/VPN solutions:

2. Secure Remote Access Gateways

Remote Access to enterprise hosted and cloud applications. Duo's modern remote access protects every application, so your users can continue working with the tools they love from any device.

With Duo Network Gateway your employees can securely access your internal web applications from any device, using any browser, from anywhere in the world, without having to install or configure remote access software on their devices.

In addition to the Duo Network Gateway, we also support integrations with these leading providers of Remote Access:

Duo Remote Access Gateway Integrations

3. Secure Remote Desktops and Digital Workspace

Securely access your work computer from your phone, tablet, or laptop with remote desktops and digital workspaces. These workspaces are a unique virtual environment for each worker, centralizing applications, desktops and files allowing for access from anywhere.

Duo provides secure access to remote desktops and digital workspaces, ensuring only your authenticated users can access the right applications and desktops.

Remote Desktops and Workspace Duo Integration:

4. Secure Remote Conferencing and Messaging

Workers need to be able to collaborate and communicate from wherever they are working. Duo provides the simplest, most secure means for workers to stay connected with these solutions.

Duo works with Webex and Webex Teams, allowing you to stay connected from home on any device. Duo also works with other popular video conferencing and messaging solutions.

Remote Conferencing and Messaging Solutions With Duo Integrations

5. Secure Document Collaboration

The cloud makes it easy to share and work together from home, the office or wherever you are. Protecting your files and work in the cloud is a top priority.

Duo helps secure document collaboration in the cloud with these top solutions:

Document Collaboration With Duo Integration:

In addition to the hundreds of Technology Partner integrations available for customers to use, we also provide an open platform for customers to integrate their specific applications with Duo. Duo is cloud-centric, OS and platform agnostic. You can easily add Duo to your application in minutes!

Easy Integration with Duo for Secure Access

Building on the Duo platform gives you a best‐in‐class zero‐trust security solution. Vendors looking to secure customers’ login experiences with Duo can use different integration methods for authentication and access management.

Check out the Duo Demo site for hands-on interaction with Duo products and to learn how we work with our Technology Partner solutions.

If you are interested in learning more about Duo or trying out Duo with any of our Technology Partners, we offer a free 30-day trial.

You can see for yourself how easy it is to get started with Duo. If you have questions, contact us and tell us more about your IT technology stack and the challenges you need help with right now.

Additional Reading on Cisco Cloud Security Products

To help teams stay connected and able to continue business operations, Cisco is providing free licenses and expanded usage counts for three key security technologies (Cisco Umbrella, Duo Security, and Cisco AnyConnect Secure Mobility Client) designed to protect remote workers anywhere, anytime and on any device. Read more.

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[What It Is Like to Onboard and Join the Duo Team Remotely]]> atodd@duosecurity.com (Amanda Todd) https://duo.com/blog/what-it-is-like-to-onboard-and-join-the-team-remotely https://duo.com/blog/what-it-is-like-to-onboard-and-join-the-team-remotely Industry News Tue, 05 May 2020 08:30:00 -0400

It seems like ages ago when social media feeds were laden with “new year, new me” content. The end of 2019 came with the typical fodder of what we hoped to accomplish and who we hoped to become in 2020. I was among them, starting off the year like many others, ready and determined to make this "my year." I was well on my way when February opened a bright new shiny green door — Duo Security offered me a job (a dream job), taking the lead role for Internal Communications. I was wrought with nervous excitement, chomping at the bit to hit the ground running. This is my year!

I was slated to begin in early March. I started to prepare, reading everything I could about Duo and Cisco, poring over articles on the odds and ends of information security, from acronyms like MFA and SSO, to zero-trust endpoint remediation. But I couldn’t help but be distracted by day-to-day news, where I also learned some new terminology, like “social-distancing,” “flattening the curve” and “shelter-in-place.”

Ever had the first-day-at-a-new-job jitters? For me, that feeling typically ranges from ‘I barely slept last night because I was nervous’ to ‘I’m so excited to join this team.’ But throw in a global pandemic, and that feeling goes completely topsy-turvy. I was not sure what to expect.

I embarked on my new shiny career role just as the United States began grinding our "normal" lives to a halt. Starting a new job, especially one rooted in communication, meant there was no easing into the pool, so to speak. On March 7, I went to the Duo Office in Austin, Texas for my first day. I barely got my computer up and running, met my team and went to my welcome team lunch. It was a blur of new person setup activity. By the next day, March 8, I was told we are working from home as a precautionary measure and I went downstairs to work from my home office chair. I’ve worked from that same home office chair since. I never thought I would be onboarding remotely. But here I am.

Me (Amanda Todd) at my home office

Cisco + Duo’s response was swift and forward-thinking. Before the world was in mandatory “stay home” I saw the company’s leadership put people first and take all the protective measures possible to lessen the spread of the virus. As a global org, we make the technology that safely enables a remote workforce, so it makes sense that we moved from flex-time to full time remote. It was a no-brainer. In a crisis, communication is vital, so by day five, the team I had only just joined was mobilizing to spread a very important message: Cisco is putting people first.

Cisco has been a leader during this unprecedented crisis, putting people, customers, and community before all else. It took me less than five days, even in the midst of this unprecedented situation, for that nervousness to fall away, only to be replaced with sincere and intense pride for an organization I had only just begun to understand. Yes, I am onboarding remotely and it is not ideal, but it isn’t terrible either. In fact, it has been pretty smooth.

The great culture and kindness toward each other is something special and unique here. I’ve had several people who I haven’t met, and may not ever directly work with, reach out just to say “hello” or ask if I want to meet for virtual coffee, just because, and it feels very inclusive. It’s folks living up to Duo’s core value of being “kinder than necessary.”

Duo’s leadership has found clever ways to keep us connected through online exercise classes, live streaming DJs, dress up from home themes like “Tiger King” and mindfulness training, to name a few. They understand the importance of wellness and levity breaks as we all adjust to this new (temporary?) normal.

Duo founder Jon Oberheide dressed as "Tiger King" on Webex

There have also been weekly all-hands meetings where Cisco leaders talk directly and openly with top health professionals from Stanford University, providing helpful information for Cisco employees on how to stay safe, ask and get answers to questions and keep connected during these uncertain times. The transparency and sincere care for the physical and mental health of employees and their families is only one example of the compassionate leadership you’ll find here.

To feel so connected to an organization with hardly any face-to-face interaction – save for Webex meetings – stands as a testament to the underlying passion and kindness the people here have to offer. It’s proof that you don’t have to physically work inside the same walls to feel akin.

There’s no question that this pandemic will change us as a society, and will change the world of work as we know it. It already has. But social distancing doesn’t have to be the end of office culture — it just means we have the opportunity to recreate what connection to an organization could look like in the future. Duo, as a part of Cisco, has the playbook already well on its way.

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Join us. Learn more at duo.com/careers


<![CDATA[It’s Not Too Late to Get Your Yearly Dose of HIMSS 2020 Virtually!]]> noelle@duo.com (Noelle Skrzynski Hardie) https://duo.com/blog/it-is-not-too-late-to-get-your-yearly-dose-of-himss-virtually https://duo.com/blog/it-is-not-too-late-to-get-your-yearly-dose-of-himss-virtually Industry Events Mon, 04 May 2020 08:30:00 -0400

In light of recent events, the HIMSS 2020 Conference has gone virtual with the new HIMSS20 Digital, happening now through the end of June. This virtual conference experience provides complimentary access to conference programming (including all general education sessions, panels and presentations) for all 2020 conference registrants and HIMSS members through the HIMSS Learning Center. New sessions and panels will roll out each week, and all uploaded content will be available now until June 30. 

In addition to conference content, HIMSS is providing critical COVID-19 content, including a HIMSS COVID-19 Digital Think Tank, where healthcare professionals will share insights and best practices on the latest testing, triage, and treatments for the virus. 

Virtual attendees can now experience the conference from the comfort of their own homes. Join this virtual conference to view on-demand presentations and webinars focused on topics like EHR, Finance, Leadership, Patient Engagement, Healthcare Security, Telehealth, and more. You can also explore the HIMSS Exhibitor Show Guide to connect with over 1300 technology and security companies to discover the latest innovations in healthcare IT. And of course, you’ll be able to download exhibitor case studies, blog posts, special offers, and more. 

Duo and Cisco Umbrella are proud to sponsor HIMSS 2020.

Please visit our page in the Exhibitor Showcase Guide to learn about the new Duo Device Health application and the Cisco Umbrella Secure Internet Gateway, get details about our special offer for extended free licenses and expanded usage counts, and to find out about and register for our upcoming webinar and virtual events.

Sign up for a presentation by Duo’s Head of Product Management, Jim Simpson: “A Security Solution to Simplify Patient Care” on May 5 at 1:00pm CT (2:00pm ET / 11:00am PT).

We hope you’ll take advantage of this new virtual experience with us. For more information, please visit the official HIMSS homepage.


<![CDATA[We Can Protect Democracy and Election Security in One Easy Step]]> srazier@duo.com (Sean Frazier) https://duo.com/blog/we-can-protect-democracy-and-election-security-in-one-easy-step https://duo.com/blog/we-can-protect-democracy-and-election-security-in-one-easy-step Industry News Thu, 30 Apr 2020 08:30:00 -0400

2016 was a watershed year for election security where all aspects of our democracy were under attack from all sides. It was a wake-up call. Now that we are awake, we’ve been thinking about election security in a much more holistic way. We tend to think of election security through the lens of the voting machines. And yes, voting machines and vote integrity in general are super important, but we have to think of the larger election system. This includes the state-run systems and people responsible for delivering fair elections with speed and integrity. This also includes disinformation campaigns designed to sow distrust in our electoral system.

How Will We Vote?

2020 has added a new wrinkle that may force us to conduct elections in ways we haven’t seen before: more mail-in voting and, dare I say, casting ballots using the technologies we carry around with us everyday, and devices that know us, probably better than we know ourselves. Elections could be carried out in ways we either hadn’t thought of, or were previously apprehensive about due to our security concerns.

Now, I’m not going to wade into the debate about whether “online” or “mobile” voting should or should not be a thing, but we manage to use this technology to purchase billions of dollars worth of goods and services with a very low fraud component when compared to legacy means of payment (paper, credit card, etc.). This is a debate for another day.

Today, we need to focus on the three legs of the voting system as things we need to pay attention to:

  1. Voting Machines. Sure, they’re still important. Paper ballots or paper receipts (paper trail) for votes. There. Done.
  2. Voter System Security. I did a deep dive into this HERE. All still applies. Protect the people and assets that use, process or access voter information and election data. PERIOD. Voter system security is enterprise security. All of the lessons we’ve learned in securing our data and access in the enterprise can and should be applied here.
  3. Disinformation. This is a tough one. We are still a generation away from having a way to determine what is fake and what is real on the internet and techniques like deep fakes aren’t going to make this any easier. The only advice is to follow trusted sources (still a relative thing) and corroborate information.

Even though on the internet no one knows you’re a dog, there are some basic capabilities that won’t break the bank and that help with user access identification and authentication to secure elections. If you use passwords, protect them. If you are looking for ways to get rid of passwords for good, now is a good time to start looking into that.

We’ve seen what happens when we take our foot off the security gas pedal or, worse yet, put our foot ON the capability gas pedal but forget to build the security in. Election security and our democracy are too important to drive into a ditch.


<![CDATA[New From Duo Labs: Finding Leaky Radio-Frequency Side-Channels]]> mdavidov@duosecurity.com (Mikhail Davidov) https://duo.com/blog/new-from-duo-labs-finding-leaky-radio-frequency-side-channels https://duo.com/blog/new-from-duo-labs-finding-leaky-radio-frequency-side-channels Duo Labs Wed, 22 Apr 2020 08:30:00 -0400

Have you ever listened to a photocopier or a car engine to infer what it’s doing? If so, you already have all the fundamentals you need to study emission security. Be it the audible click of a relay, a whine of a capacitor, or the flickering of the lights when the heat comes on, these behaviors all have one thing in common: they leak information about some internal state and reveal what is happening inside to an outside observer. When viewed through the lens of information security, these types of electrical and mechanical side-effects form the field of emission security. 

This Duo Labs research article aims to make barely acceptable analogies about how radios work and show that you really don’t need that much in terms of know-how and equipment to find and take advantage of leaky radio signals. Towards the end, we will apply what we have learned to find a signal that can exfiltrate GPU data out of a radio-less and air-gapped desktop workstation through a wall and 50ft away.

The Field of Emission Security

The field was formalized around the end of the second world war when, after being told to put up or shut up, Bell Labs technicians scared the living daylights out of the United States Signal Corps. Over the years, defensive requirements and certifications have been codified under the standards titled, “Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions,” or more simply put, TEMPEST.

These days a lot of attention has been going into speculative execution side-channel attacks such as Meltdown and Spectre that can be used to perform privilege escalation attacks. They function by measuring the timing of side-effects produced by executing specially-crafted instruction sequences to reveal some privileged internal state such as the contents of kernel memory. 

Read-focused side-channel attacks generally aim to leak privileged information across a well-defined security barrier. With Spectre and Meltdown that barrier was the memory management unit and the side-channel was timing-based. 

Malware in Air-Gapped Networks

However, there are many other physical, cyber, and yes, even CyBeR-pHySiCaL barriers out there. Attackers can, and do, implant malware into air-gapped networks. If the malware’s purpose isn’t to have some kind of effect within the air-gapped network but instead to get data back out, the options for the attacker are fairly limited. They can either rely on a willing or unknowing party to facilitate the exfiltration, or they have to find a way around the air gap. Finding ways around air gaps involves either exploiting nodes that are not actually air-gapped or, as shown in the latest Duo Labs research article, leveraging some other physical property to transmit a radio-frequency signal to a semi-local receiver or other existing attacker-accessible infrastructure.

The article aims to acquaint you with the core concepts behind side-channel analysis, introduce the world of electromagnetic radiation, and enable you to go hunting for radio-frequency side-channels that can be leveraged for data-exfiltration from air-gapped systems.

In it we will examine a run-of-the-mill desktop workstation that has no built-in radios and show how we can abuse its GPU in a novel way and, with a little shell script, turn it into a tunable radio transmitter that can transmit data through a wall to a receiver 50 feet away. 

You can read the full Duo Labs research article here



<![CDATA[Happy 10th Anniversary Duo and Thank You! XOXO]]> noelle@duo.com (Noelle Skrzynski Hardie) https://duo.com/blog/happy-10th-anniversary-duo-and-thank-you-xoxo https://duo.com/blog/happy-10th-anniversary-duo-and-thank-you-xoxo Industry News Mon, 20 Apr 2020 08:30:00 -0400

It is hard to believe that Duo is celebrating its 10-year anniversary and it’s also been over a month since I’ve stepped into the Duo office. The more time I’ve spent away from friends and co-workers, the more I’ve thought about why I miss them, and why I’m so grateful this company exists. I wrote this letter to Duo, because I wanted to express my personal appreciation of the unity of this team, the culture of this company, and the collective efforts of its people, which have all contributed to my life in more ways than one.

Dear Duo,


I write that in caps but end it with a period in the hope that you’ll imagine me saying it with feeling, but not screaming it, because I’m not yelling from the rooftops here. I’m in my home office, trying to respect my husband’s kitchen conference call, so I don’t have the option of screaming. But thankfully, I do have the option of staying positive, because, thanks to you, I still have a job for a company I believe in. 

So really, THANK YOU. And not only for that. Thank you for the many things you’ve done and do for me throughout the time I’ve been here. Specifically:

Thank you for the security lessons you stressed from the beginning, especially for those of us, like me, without a security background. The importance of paying attention to details like email sender addresses or URL links. The reminder that two-factor authentication is not just for work things, but should be used for personal accounts, too. And maybe the most important lesson of all: we are all on the security team, because security is everyone’s responsibility. I might not be the most tech-savvy gal at the company, but at least I can do my part to keep our data and employees secure by being mindful about what I click, how I share information, what I’m sharing, and to whom.

Thank you for the many ways you bring us all together. From motivational emails to everyday IM conversations to video conferences to virtual meetups, thank you for showing that you’re here for us, and giving us ways to show that to each other. Thank you for making a point to share what’s happening not only with our own teams, but what’s going on in the industry and the greater world. And thank you for doing this with transparency and sincerity. I know you can’t always tell us everything, but you do what you can when you can. And I respect that. 

Thank you for giving me a place in this company and helping me grow. From my role as a contractor in the People department in August 2015, to taking over the front desk at North Ashley in 2016, to finding a home in the Field Marketing team from 2017 to now. These roles all had their challenges, but were so valuable -- thank you for giving me the opportunity to meet so many people, interact with so many different departments, get involved in the day-to-day business/office activities, and to develop some very important friendships. I even met my husband here, so I’ll spend a lifetime being grateful to you for that.

And speaking of people, my final thank you: 

Thank you for bringing so many wonderful human beings into this organization: the range of characters impresses and amazes me constantly. Thank you for the green-thumbed plant parents who brighten up the office. Thank you for murder-mystery fiends and horror-film fans I’ve bonded with. Thank you for the fierce social justice advocates who remind me to care about and contribute to things much bigger than my own problems. Thank you for the good-natured trolls who make me laugh; the sassy social butterflies who always say hello; and the scary-smart kids with their ideas, designs, and passions...thank you for all of these folks who show us there are many forms of kindness. They teach us their own unique lessons, and add something beautiful to this business that never stops growing.

It’s been an excellent four and a half years, Duo. I don’t pretend to know where I’ll be four years from now. But whatever happens, at least you know you’ve been something special to me.

So, thank you very much for everything.


We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Join us. Learn more at duo.com/careers


<![CDATA[What is CMMC? Learn How the Defense Industrial Base Can Easily Meet Cyber Hygiene Standards]]> gumapathy@duosecurity.com (Ganesh Umapathy) https://duo.com/blog/what-is-cmmc-learn-how-the-defense-industrial-base-can-easily-meet-cyber-hygiene-standards https://duo.com/blog/what-is-cmmc-learn-how-the-defense-industrial-base-can-easily-meet-cyber-hygiene-standards Industry News Fri, 17 Apr 2020 08:29:00 -0400

New Cybersecurity Certification Requirements for Defense Contractors

The Department of Defense (DoD) will require the Defense Industrial Base (DIB), which consists of more than 300,000 contractors, to go through third-party assessments and achieve Cybersecurity Maturity Model Certification (CMMC).

The required level of certification will depend on the sensitivity of the information the contractor handles, starting with level one to safeguard Federal Contract Information (FCI) up to level five to protect the most sensitive controlled information from Advanced Persistent Threats (APTs). 

What is CMMC?

The DoD published a new cybersecurity certification requirement for contractors, called CMMC version 1.0, on January 30, 2020. CMMC consists of 5 maturity levels across 17 capability domains encompassing 43 capabilities, which are borrowed from the [Defense] Federal Acquisition Regulation Supplement (FARS/DFARS) - Controlled Unclassified Information (CUI) regulation and NIST SP 800-171.

Source: Cybersecurity Maturity Model Certification Version 1.0

How Duo Can Help

Duo provides government agencies with best-in-class security technology and a trusted partnership that can help build and maintain a well-rounded security program. We believe that by focusing on security fundamentals and best practices, you can easily achieve compliance and reduce cybersecurity risk.

Improve Cyber Hygiene

In today’s age of phishing and stolen credentials, security professionals consider multi-factor authentication (MFA) basic cyber hygiene. Requirements for strong user and device authentication are outlined in the National Institute of Standards and Technology (NIST) 800-53/63/171 and the updated NIST Cybersecurity Framework (CSF 1.1).

Duo provides defense contractors easy and effective security capabilities across multiple domains including Access Control (AC), Identification and Authentication (IA) and Audit and Accountability (AU).     

“Duo has increased the level of security in the business to the point that IT can sleep well at night knowing the business has the best two-factor authentication protecting the environment.”

- Charles Basile, IT Administrator, Teledyne Technologies

Speed to Security

Deploying or replacing an MFA solution can seem like a daunting task. Many customers choose Duo because they deploy and roll out Duo in a week. This is possible because Duo can easily integrate with hundreds of applications in hybrid environments. To ensure rapid deployment, Duo has out-of-the-box integrations with local Windows logon, Linux and Unix consoles, remote access VPNs, and cloud applications, such as Office 365, Salesforce, Box, and Google. Duo’s simple one-tap, push notification-based authentication enables faster and greater end-user adoption. Duo also offers integration with OTP-based hard tokens and YubiKeys that meet FIPS 140-2 requirements.

“Duo is the most successful end-user facing solution I've ever been involved in deploying.”

- Lance Honer, Manager of Cybersecurity, Day And Zimmermann

Out-of-the-Box Compliance with Duo’s Federal Editions

While the DoD’s regulation does not explicitly require a FedRAMP authorized solution, Duo’s federal editions are FedRAMP authorized and provide the following benefits at no additional cost:

  1. End-To-End FIPS Capable: Duo federal editions provide FIPS capable implementations from end-to-end for easy-to-use access control and authentication.
  2. Telephony Removed: Duo federal editions remove telephony authenticators to align with NIST SP 800-63-3b, which considers telephony “restricted authenticators.”
  3. Easy to Deploy AAL2 Authenticators; Supports AAL3 Authenticators: Both Duo federal editions support Authentication Assurance Level 2 (AAL2) authenticators with Duo Push or Duo Mobile Passcode for both iOS and Android Devices out of the box and by default with no additional configuration required. Duo also supports AAL3 authenticators, like U2F security keys (FIPS YubiKey from Yubico) and compatible HOTP keyfobs.
  4. Protect Every Application: On-Premises, Cloud & Hybrid: Duo’s federal editions protect on-premises, cloud and hybrid applications for all federal workloads and ensure device health - wherever you are in your cloud and IT modernization journey, Duo federal editions deliver the best defense.


As the DoD continues to power ahead with the rollout of CMMC, defense contractors would do well by being ready for the impending certification. By complying with CMMC requirements, contractors can enhance their system security plan (SSP) and gain a competitive edge in winning defense contracts.

--Check out how Day & Zimmermann use Duo to meet NIST and DFARS requirements.

--Watch this on-demand webinar to learn how you can meet those requirements within a week.

--Get started today by signing up for a free trial of Duo’s federal edition.


<![CDATA[EU Privacy Regulation - Is It Such a Bad Thing for a CISO?]]> rarchdeacon@duosecurity.com (Richard Archdeacon) https://duo.com/blog/eu-privacy-regulation-is-it-such-a-bad-thing-for-a-ciso https://duo.com/blog/eu-privacy-regulation-is-it-such-a-bad-thing-for-a-ciso Industry News Wed, 15 Apr 2020 08:30:00 -0400

See the video at the blog post.

We recently had a conversation on the topic of privacy from the legal perspective with Elle Todd, a partner at Reed Smith who specializes in this area of the law. During the conversation, a number of interesting observations around privacy regulation came to mind.  

Privacy Regulation Can Be a Good Thing

Firstly, privacy regulation can be a good thing. Often when any issue of compliance or regulation is mentioned, it is seen as yet another set of controls to be implemented or a new reporting overhead, all to be done by the CISO within a constrained budget and with a shortage of resources. Allow me to explain.

I spoke with a group of CISOs at Cisco Live in Barcelona. We covered a variety of topics and concerns. One of the first points we discussed was that privacy is not a “security issue” — it is a business issue. So the responsibility cannot just be dumped onto the CISO. It has to be taken seriously by the overall business as customers and consumers are taking the issue seriously. They value their data, so it is a business imperative that personal data is understood and protected in line with the appropriate regulation. A clear stance on privacy can be a business differentiator.

A further advantage of a business-owned and led approach to privacy is that it results in a clearer picture of what data is really needed by an organisation. It also helps identify where the data is held and who owns it. Often, for a CISO, protecting the data is the easy part. Finding where it is held is the hard part.

CISOs Are Concerned About a Lack of Technical Talent

On the point of a shortage of technical resources, the CISOs expressed this as their main concern. Not only was there an internal resource shortage, but it was difficult to find technical resources in partners and suppliers. Technical help needed to implement or upgrade solutions is a major constraint holding back their security programmes.

CISOs Can Create a Privacy Operations Centre

The CISO’s role will be important because of their experience in breach situations. One idea that is being put forward by Cisco CISO Adviser Chris Leach is that CISOs should start to think about the idea of a Privacy Operations Centre. We have long had NOCs (network operations centers) for the networks and SOCs (security operations centers) for the security teams. Perhaps now we should look at developing POCs (Privacy Operations Centres) for the Privacy teams.

From an operational perspective the management of the data and the Information Lifecycle Management function will probably still be part of the greater IT department. Ensuring that the private data is stored in a secure fashion by adding controls over who accesses what and how can limit data flooding out without a due purpose. These controls work to prevent a breach happening, and the wrong folks getting hold of the data they shouldn’t have. Duo’s 2FA (two-factor authentication) protects identity access up front by using multiple factors to confirm a user’s identity and through robust policy controls that add security to endpoints. If a business-led privacy programme helps the CISO get the support they need to protect the organisation better, then it will be a great help all round.

Hope you enjoy the discussion in the video.

<![CDATA[Hello and Welcome Duo Germany!]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/hello-and-welcome-duo-germany https://duo.com/blog/hello-and-welcome-duo-germany Industry News Wed, 15 Apr 2020 08:30:00 -0400

Hello and Welcome, Duo Germany!

Duo is now open for business in Germany and we wanted to take a moment to introduce you to our German dream team. 

About Us

Duo Security, now part of Cisco, is the leading multi-factor authentication (MFA) and Zero Trust for the Workforce provider. Duo's zero-trust security platform, Duo Beyond, enables organizations to provide secure access to all of their critical applications - for any user, from anywhere, and with any device. Duo is a trusted partner to more than 15,000 customers globally, including Dresser-Rand, Etsy, Facebook, Paramount Pictures, Random House, Zillow and more. Founded in Ann Arbor, Michigan by Dug Song and Jon Oberheide in 2010, Duo has offices in growing hubs in Detroit; Austin, Texas; San Francisco, California; and London. Visit Duo.com to find out more.

What We’ll Be Sharing

In our new “Duo in Germany” newsletter we will be sharing our latest news, in the form of blogs, product development, upgrades, the latest trends and news from the world of cybersecurity and more. Can’t wait to find out more about Duo and what we have to offer? Find our latest resources and a 30-day free trial on duo.com.

About Us

Duo Security is now part of Cisco and is the leading provider of Trusted Access security and multi-factor authentication. With Duo Beyond, Duo's zero-trust security platform, organizations can grant trusted access to all important applications - for every user, from anywhere and with any device. Duo is a trusted partner to more than 15,000 customers worldwide, including Dresser-Rand, Etsy, Facebook, Paramount Pictures, Random House, Zillow and others. Duo was founded in Ann Arbor, Michigan, in 2010 by Dug Song and Jon Oberheide and has growing offices in Detroit; Austin, Texas; San Mateo, California; and London, UK. Visit Duo.com to learn more.

What We Will Be Sharing

In our new “Duo in Germany” newsletter we will publish our latest news in the form of blogs, product developments, upgrades, the latest trends and news from the world of cybersecurity and more. Can’t wait to learn more about Duo and what we offer? On duo.com you will find our latest resources and a free 30-day trial.

The Team

Have you already met all of our Duo EMEA German speakers?

Meet them now:

Meet the German Team

Have you met all of our Duo EMEA German speakers?

Meet them now:

Try Duo For Free.

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Duo Network Gateway – Secure Remote Access Internationally Without Specialist Hardware]]> amayle@duosecurity.com (Andy Mayle) https://duo.com/blog/duo-network-gateway-secure-remote-access-internationally-without-specialist-hardware https://duo.com/blog/duo-network-gateway-secure-remote-access-internationally-without-specialist-hardware Product & Engineering Tue, 14 Apr 2020 08:30:00 -0400

More employees are working remotely and using various types of devices, yet they still require access to applications located on-premises and in the cloud. This puts increasing pressure on IT resources and could present security challenges.

The Security Challenge of VPNs

Virtual private networks (VPNs) are a tried and true method for providing remote access to internal applications. Essentially, they create a private, encrypted tunnel for an off-site user to connect to applications in a corporate data center. But VPNs aren’t a silver bullet – organizations that provide users with just a username and password to log into their VPN connections could be exposed to data breaches if those credentials are stolen. Perimeter security can be vulnerable to a variety of attack vectors, such as credential theft, that could allow a bad actor to gain access to the network over the VPN and move laterally at will. Several previous data breaches, such as the one at British Airways, bear testament to this.

Protecting your VPN access with multi-factor authentication (MFA) adds an additional layer of defense. Whilst companies operate VPNs to provide secure remote access for employees, the perimeter model of trusted users on the inside and untrusted users on the outside has become outdated in the modern business environment. Working with or without VPNs, the perimeter must be secured.

A Zero-Trust Framework Is More Secure

This is just one of the reasons why a ‘Zero Trust’ approach to security has taken the industry by storm. Zero Trust is not a technology, but a set of principles that come together to build a better security model. In simple terms, Zero Trust means that no trust is inherent: it is only gained through strict verification, and access is controlled via least-privilege, role-based policies that only allow a user access to the resources required to perform their job function. Security and trust are maintained by continuous verification, re-evaluating user and endpoint every time an access decision needs to be made.

With corporate assets no longer residing only inside the corporate firewall, and possibly operating in a hybrid infrastructure consisting of on-premises and multi-cloud environments, adopting a Zero Trust strategy is seen as the current best model to provide security for how modern businesses operate.

Embarking on a Zero Trust strategy can seem complex on the face of it, particularly while also trying to ensure that you are providing a flexible, secure and consistent experience for your end users.

However, there is a simple way to kickstart your Zero Trust strategy with minimal impact to your current architecture and end users. Enter the Duo Network Gateway (DNG) …

See the video at the blog post.

How to Install the Duo Network Gateway (DNG)

The Duo Network Gateway (DNG) is a reverse proxy that allows your users to securely access your on-premises websites, web applications, and SSH servers using any browser, from anywhere in the world, without having to install or configure remote access software on their device or worry about managing VPN credentials, while also adding login security with the Duo Prompt. Users can also remotely SSH to configured hosts through the DNG after installing Duo’s connectivity tool, providing server access without VPN.

Step 1: Installation of the Duo DNG

The DNG software is downloaded via a YML file onto a new or existing Linux server with Docker installed. It can be installed on-premises in the company DMZ or in AWS, making the deployment process very fast.

Duo publicly publishes detailed installation guides with step-by-step instructions and videos that demonstrate the process of deploying the DNG, making it very simple for companies to get up and running very quickly. A typical installation into an appropriately prepared environment would take no more than 30 minutes. Full details can be found at https://duo.com/docs/dng

Step 2: Adding Web Applications

Once the DNG is deployed, you can start adding the web applications that you want protected for your users to access remotely. There are two simple steps to complete before adding an application:

1. Create or update the public DNS record of your application.
2. Obtain an SSL certificate for your application using the fully qualified external DNS name of your application as the common name.

Next, access the administration panel on the DNG and select Applications and Add New. Follow the configuration steps from the Duo website to protect your first application: https://duo.com/docs/dng#protect-a-web-application-with-duo-network-gateway-

Step 3: Add SSH Server

Before adding an SSH server for protection, you will need to complete the same first two simple steps as adding a web application. Once completed, again follow the steps from the Duo website to protect your first SSH server. https://duo.com/docs/dng#protect-ssh-servers-in-duo-network-gateway 

Install and configure the DuoConnect client on the user’s endpoint to autodetect SSH session initiations to the configured SSH servers and you’re good to go. https://duo.com/docs/dng#install-&-configure-duoconnect-client- 

Adding new applications or SSH servers should take no more than 20 minutes each, demonstrating how quickly you can protect your internal web applications and SSH servers without the need to use a VPN.
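
The two prerequisites shared by Steps 2 and 3 (a public DNS record, and a certificate whose common name is the application's external fully qualified DNS name) can be verified with a short script once the application has been added. This is an added example, not Duo's code or part of the original post; the hostname `wiki.example.com`, the 14-day expiry margin and the extra subjectAltName check are assumptions.

```python
import socket
import ssl
import time

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subject": ((("commonName", "wiki.example.com"),),),
               "subjectAltName": (("DNS", "wiki.example.com"),),
               "notAfter": "Jun  1 12:00:00 2030 GMT"}

def cert_names(cert):
    """Return (common_name, [SAN DNS names]) from a getpeercert() dict."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def name_covers(pattern, fqdn):
    """Exact match, or a wildcard standing in for the left-most label only."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.partition(".")[2] == pattern[2:]
    return pattern == fqdn

def check_cert(cert, fqdn, now=None, min_days=14):
    """Return the problems found for fqdn; an empty list means ready."""
    now = time.time() if now is None else now
    cn, sans = cert_names(cert)
    problems = []
    if cn is None or not name_covers(cn, fqdn):
        problems.append(f"common name {cn!r} does not cover {fqdn}")
    # Assumption beyond the post: browsers match on subjectAltName, not CN.
    if not any(name_covers(s, fqdn) for s in sans):
        problems.append(f"no subjectAltName DNS entry covers {fqdn}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < min_days:
        problems.append(f"certificate expires in {days_left:.0f} days")
    return problems

def preflight(fqdn, port=443, timeout=5):
    """Resolve the public DNS record, then check the certificate served there."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                return check_cert(tls.getpeercert(), fqdn)
    except socket.gaierror as exc:
        return [f"public DNS record for {fqdn} does not resolve: {exc}"]
    except (ssl.SSLError, OSError) as exc:
        return [f"TLS connection to {fqdn}:{port} failed: {exc}"]
```

Calling `preflight()` with the application's external name needs network access; `check_cert()` can be run offline against any dictionary in the `getpeercert()` format.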

Partnering the Duo Network Gateway with the Duo Access Gateway for SSO and cloud application protection provides complete coverage for the modern enterprise, securing any application located anywhere from any device, but that’s another blog.

Download 5 Reasons to Protect Your VPN With MFA now and you’ll also learn how Duo’s MFA solution provides secure remote access to internal corporate applications using Cisco’s AnyConnect VPN on Adaptive Security Appliance (ASA) or FirePower Threat Defense (FTD).