“Presume not that I am the thing I was” 
— Henry IVth Part 2 5.5

What’s old is new again. I was reminded of this after reading the Cybersecurity Insiders’ 2019 Cloud Security Report produced in conjunction with ISC2. The report surveyed over 400,000 cybersecurity professionals. The key findings sound familiar.

The survey results show that the biggest cloud security challenges that businesses face are:

• Data loss / leakage (64%) 
• Data privacy / confidentiality (62%)
• Legal and regulatory compliance (39%) 
• Accidental exposure of credentials (39%).

The biggest cloud security threats are:

• Unauthorized access (42%) 
• Insecure interfaces / APIs (42%)
• Misconfiguration of the cloud platform (40%)

Within operational security concerns, compliance was rated the most challenging (34%), followed by visibility into infrastructure security (33%) and lack of qualified staff (31%).  

This brought to mind an incident I become involved with a few years ago.  A cloud environment had been compromised and the organisation’s key IP had been exfiltrated over time. The question arose as to how the attackers had gained access into this environment in the first place. Working with an amazing D.F.I. team we looked at how this happened. The attackers had very successfully covered their tracks and removed all evidence of the zero-entry point. We could track the escalation and exfiltration, but not the entry. 

What made this all the more impossible was that the management of both identity and access controls were spread over outsourced support teams, cloud administrators and internal administrators. So there was no single point of control. This obfuscation was a reflection of unplanned management of these key elements of security and made it an easy target for the attackers. It was not simply a technology shortfall, but a lack of process and confusion around responsibility. 

Despite the efforts of some of the most talented people around, we could not identify the entry, and therefore we were unable to attribute who the attackers were or who was liable for the operational shortfall.

Securing the Cloud

Migration to cloud environments is a key driver in modern organisations as they look to optimize their operational IT. It provides a great opportunity for any CIO to work with their CISO to bring structure and control over the areas of identity and access management (IAM). It also is an opportunity to introduce proper authentication and develop an “IAAM” programme. Building a framework for this will enable any past confusion to be cleared up, as well as providing a clear path forward.

The first step is to understand the applications being moved and their risk profile.  As the applications are migrated users are enabled on them, they should be managed within a new structure. A policy around access control can be developed against the risk profile. Controlled access will reduce the risk of lateral movement should there be a breach. Making sure that each user is properly authenticated dramatically reduces the chance of a compromised account being used for a successful entry into the cloud environment. Especially, for those with administrator rights. These steps should be built in to any migration programmes as essentials in an approach to security from the end-user to the application in the cloud

Looking back at the incident mentioned above I often wonder if it could have been prevented in the first place by a solid framework which covered the elements above. And, if in the unlikely event that a breach had occurred despite these protective measures, I am certain that the team would have been more than capable of tracking the initial entry through the additional data from all the authentication log files

Any transformation programme is a great chance to fix the errors of the past and build a more solid way forward for the future.  It also enables the business case for security to be aligned with a case for the greater business change.  

Let’s hope CIOs demand this as they go forward with the cloud migrations, like the Henry IVth character Prince Hal, presume that they don’t have to be the thing that they were and discard the ways of the past to meet up to their new responsibilities now and in the future. 

**Download Securing the Modern Enterprise Guide** As the modern enterprise workforce evolves, so must the security technologies that support them. Traditional security models are far too rigid and painful for end users - Duo has replaced them with flexible, easy-to-use security that focuses on user experience.

Free Download

Odds are your organization uses Microsoft applications for some business critical function. Maybe it’s Windows environments or productivity with Office 365.

Thousands upon thousands of organizations are Microsoft shops. As such, there’s a rising need to protect access to Microsoft applications. This is especially true as organizations migrate applications from on-premises to the cloud and begin adopting the principles of zero-trust security, which shifts access decisions to outside of the traditional secure perimeter. 

A zero-trust model for the workforce focuses on authenticating users and checking the security posture of their devices before granting access to applications. It helps mitigate the risk of unauthorized access and reduces the risk of data breaches, while ensuing user productivity isn’t impacted when they access applications.

But zero-trust protection doesn’t end with Microsoft. It’s imperative to also protect your other applications. You probably have Salesforce, right? Or HR systems? How about payroll? Or supply chain management?

You have a lot to protect.

And while Microsoft licenses include a solution to protect your Microsoft apps, you’ll have to search elsewhere to secure the rest of your application environment.

Can you spare the resources, money and time needed to manage two disparate MFA offerings? Should you?

With Duo, you can protect your entire application environment, and reduce your risk surface, without managing disparate access security solutions.

That means you get consistent MFA access to all of your Microsoft applications (Office 365, Windows, Azure) along with your other cloud and on-premises apps – custom apps included. That makes end users’ lives easier, as they use the same method to log into all of their applications – Microsoft or otherwise. 

Duo gives you the most extensive coverage of users, applications and devices; a better end-user experience through consistency and ease of use; and faster speed to security with rapid deployment, fastest user adoption and the ability to quickly respond to changing threats.

More than 80 percent of Duo’s customer base currently protects Microsoft applications, and a major portion of those are protecting applications outside of their Microsoft environments. 

For example:

• University of Louisville Hospital uses Duo to secure access to Office 365 and other applications, such as Palo Alto Global Protect, Citrix Netscaler and Thycotic, to meet HIPAA and PCI compliance requirements.
• University of Wisconsin-La Crosse chose Duo to easily integrate with its existing infrastructure, which comprises Microsoft Office 365, Cisco AnyConnect VPN, PeopleSoft, Canvas, PeopleAdmin and various custom applications.
• Leapfrog Online chose Duo’s MFA to reduce its overall cost of ownership and deliver consistent secure access as it migrates from on-premises apps to the cloud. They protect applications including Silversky, Dyn, Sauce Labs, Workfront, Salesforce, while also switching from on-premises Microsoft Office and Exchange to Office 365.

Securing your Microsoft environment, and all of your applications, with Duo gives all of your users a consistent access security experience and lowers the ongoing cost of management. You also get swift speed to security by customizing security policies for Office 365, reducing user friction, and device visibility without agents. You can also reduce help desk burden and resources with self-service user workflows and native integrations with Azure AD, which means there’s nothing additional to deploy. 

And with Duo, you get secure access for not only your Microsoft applications, but all of your applications, which results in increased user productivity and a consistent and easy user experience.

Learn more about protecting your MIcrosoft applications with our new ebook, An Essential Guide to Zero Trust for Microsoft Applications.

Well I've said it before, and I'll say it again
You get nothing for nothing: expect it when
You're backseat driving, and your hands ain't on the wheel
— Judas Priest (Heading Out to the Highway)

So it seems like it’s time.

Past time really.

Yes, it’s time to really have a serious conversation about election security. I mean for real this time. Really. No seriously.

I wrote about this a bit a while ago here, and while some things have gotten better, some things have gotten worse. Case in point is this little ditty by Kim Zetter HERE. As a matter of fact, everywhere we turn there are new things to discover and new things to protect. Makes sense. It’s complicated.

First, we have the Senate intelligence community assessment that our elections are (and have been) more vulnerable that we initially thought. The Senate Intel committee determined that not only did Russia interfere in our elections, they were sniffing around our election systems, undetected, in all 50 states.

THIS is sounding an alarm.

This is a lot wider spread and way more pervasive than we’ve been led to believe. Our states and localities are under attack. All the time. And I don’t think we’ve had the sense or realization of how ill prepared they are. They don’t have the time, energy or resources to repel this attack as we head into the next presidential election cycle. And as sad as it may seem, there are even some states who refuse to recognize the threat exists (best case) or are unconcerned about it (worst case). These folks boggle the mind and I hope they come to their senses before it’s too late. But for the rest, we all have to do our part and help where we can.

Second, we had the congressional testimony of Special Counsel Robert S. Mueller and while this was lacking in political theater (which was never the point) it was another very clear indication that our elections are at risk. And it’s not just the Russians. They’re all coming for our democracy.

Journalists and the media tend to focus on the voting machines themselves which while this IS super important and I get it, is not the only thing requiring security attention. But it is a very sexy headline. Like attacking ATMs. And if you want to look at this aspect of election security I recommend a Twitter follow of none other than my friend Josh Franklin who has looked into this, and knows more about this than anyone I know. 

But there is a much overlooked aspect to the voting system apparatus that is more centralized and much easier to address and it tends to look more like enterprise security — which is something we security humans spend a lot of time focusing on.

<disclaimer> none of this is easy. Security just isn’t. </disclaimer>

“We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard.”

— John F. Kennedy

Voter Systems Are Enterprise Systems

Voter “systems” are comprised of endpoints, users, data and applications. Sound familiar? While the US Senate Intel report is redaction heavy, there is enough data here to see a pattern. To see where attackers have been pen-testing and surprise surprise it’s the weakness of passwords/credentials. It’s access to data (both cloud and in state, local and federal agency networks). We’ve seen this movie before. In fact, we watch this movie every gosh darn (my PG self) day. There is also a fair amount of BYO technology concerns/use-cases. Local workers are temp workers. They use their own computers/phones/networks. So the voter “enterprise” has to contend with people they don’t manage, technology they don’t own and networks they don’t control. Again…. Sound familiar?

So What Do We Do?

Glad you asked.

To my state and municipality CISO/CSO and security friends:

We apply the same principled security best practices we’ve come to know and love in enterprise. You know the drill so repeat after me.

1) Passwords! We hate em but we gotta use em. Employ a 2FA solution. Employ a password manager. One day these will be gone. Today is not that day.

2) Phishing. We hate that too so be vigilant. Be wary. Do phishing drills, but don’t punish users who click links (I’ve been doing this for 20 years and sometimes I click links. It happens. The web is dark and full of links). But also, see #1.

3) Get transparent visibility. Technologies like Cisco’s Umbrella are awesome at this. It sits on your endpoints (via DNS), looks at the access and can block and tackle the bad stuff, and it doesn’t get in the way of the good stuff.

Full disclosure I’ve been running OpenDNS at home for years, for free and you can too HERE. Cisco’s Talos Security Intelligence and Research Group is good for this too. Beyond being just super great, helpful people, they’re wicked smart. And did I mention helpful? Learning what they know, watch what they watch and definitely subscribe to their Beers with Talos podcast HERE. Beer -AND- security? Where do I sign up?

Also, please read Matt Olney’s amazing blog on this topic HERE.

4) Encrypt all the things. At least the pipes. I mean seriously, it’s 2019. Just do it.

5) Make security part of your culture. Trainings, seminars, lunch and learns, Beer’s with Talos… etc. Get your organization excited to participate on your security journey. Make your users a part of this. Something that happens WITH them not just TO them.

6) Reach out for help. The security community is vibrant and super helpful. Reach out to your peers and find out what they’re doing. And if the answer is “nothing” — invite them to some security events.

7) Look into Zero Trust principles. You can start HERE with this trends report. Some of the above suggestions are part of the conversation in this report. Remember that Zero Trust is a lifestyle choice, not a product so go in with your eyes (and mind) open.

It’s a tired cliche but nevertheless a true statement… we are all in this together. And while yes, protecting voting machines is super important, and the House and Senate absolutely have the obligation to step up and deliver on their part of this challenge, there are pragmatic parts that we can do now. Today. Without a gargantuan investment.

We all have a role to participate in AND to help secure our democracy.

If you’re in cybersecurity or an IT professional, you’ve probably heard of the ISO/IEC 27001 standard for information security management systems (ISMS). Implementing the ISO 27001 standard provides many benefits to organizations, including helping them comply with data privacy laws such as the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

You can find the core requirements for the ISO/IEC 27001 in clauses 4 through 10, which help organizations identify, assess and treat information security risks. Additionally, a comprehensive list of controls under Annex A enables organizations to manage those risks. While ISO 27001 does not formally mandate specific security controls, organizations are free to choose which controls are applicable to their particular scenarios. Organizations that seek further information on implementing these security controls typically refer to ISO/IEC 27002 (a companion standard to ISO/IEC 27001), which provides a detailed guidance for implementation.

Organizations looking to achieve ISO/IEC 27001:2013 compliance are required to show sufficient evidence to auditors that they’ve put into place the necessary security controls from Annex A. To view the list of relevant controls, check out table at the end of this blog. 

As with many data compliance regulations, achieving ISO 27001 compliance takes time and planning. In this post, we’ll outline how Duo solutions can help you quickly and easily achieve ISO 27001 to ensure your organization is in compliance and stays that way.

Below are the specific security controls that Duo’s solutions can help you satisfy with ease:

A.9 ACCESS CONTROL

One key way to provide evidence to auditors is to show that proper access control policies have been enforced. This section mainly provides a list of controls to ensure that only the right people can access the network. Here are some of the functionalities that administrators can leverage for controls.

How Duo helps: 

• A.9.1.2: Duo Access can help IT administrators implement Role-Based Access Control (RBAC). Admins can define access policies per user or per application based on business requirements. Administrators can leverage additional context such as a user’s location or network before granting access.
• A.9.2.1: All Duo editions enable administrators to create a list of users that would require access to business systems. In addition, Duo helps administrators to focus on their critical responsibilities and offload routine tasks such as new user enrollment by empowering users with self enrollment.
• A.9.4.1: All Duo editions provide administrators with the ability to restrict access to protected applications based on the principle of least privilege. 

With Duo Beyond administrators can additionally restrict access to internal information systems that are hosted locally or in AWS or Azure.

• A.9.4.2: All Duo editions provide secure multi-factor authentication through multiple methods such as Duo Push notification, U2F, SMS or voice call. Duo’s authentication is completely independent of the primary authentication workflow, providing an added layer of security. Further, administrators can control the procedure for a second-factor authentication method based on group or application, reducing the risk of compromised credentials and preventing lateral movement.
• A.9.4.4: With Duo Network Gateway, administrators can restrict access to internal servers based on user groups. Duo also integrates with privileged access management solutions such as CyberArk to add a layer of authentication. Finally, the solution itself includes multiple administrative roles to enforce strict access controls.
• A.9.4.5: All Duo editions provide two-factor authentication to restrict access to source code repositories. Additionally, Duo Beyond restricts SSH access to network if your organization is storing source code on internal servers such as Github.

A.12 OPERATIONS SECURITY

The controls in this section of ISO 27001 provide guidance to ensure proper operating procedures are followed, including how event logs are recorded and protected.

How Duo helps: 

A.12.4.1, A.12.4.2, A.12.4.3: All Duo editions produce detailed logs for every event from end user login activities to changes made by administrators. These logs can be imported into your log management tools for analysis. In addition, Duo can help protect against unauthorized access to those log management tools such as Splunk.

A.13 COMMUNICATIONS SECURITY

This section deals with network security management to ensure the organization has the right systems in place to protect information in their networks.

How Duo helps: 

A.13.1.1:  Duo Beyond enables organizations to enforce zero-trust principles by establishing user and device trust for secure access to services and applications across hybrid environments.

A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

This section prescribes the controls required to secure the entire development lifecycle for applications and services delivered over public networks.  

How Duo helps: 

A.14.1.2, A.14.2.6, A.14.3.1: Duo Access enables organizations to set adaptive authentication policies based on user roles, device health, user location and network. Administrators can better protect the organization’s intellectual property by implementing need-to-know access controls. To restrict access to certain areas of the network such as development and test environments, administrators can simply create designated user groups based on roles and responsibilities.  

A.18 COMPLIANCE

The compliance section lists the controls needed to adhere to legal and contractual requirements such as protecting customer information.

How Duo helps: 

A.18.1.3, A.18.1.4: All Duo editions protect sensitive data such as customer records and personally identifiable information (PII) by verifying the identity of the users seeking access and the health of the users’ devices. The solution provides a powerful combo of contextual user access policies and device based access policies that enable administrators to easily prevent unauthorized access. 

ISO 27001 compliance can provide many benefits for an organization. Duo Security helps you achieve compliance quickly and easily by satisfying the controls required to secure access to your information systems. To understand how Duo works, try it yourself for FREE here.

Appendix : Table of Controls

A.9.2.1

User registration and de-registration - A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.4.1

Information access restriction - Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 

Secure log-on procedures - Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.4 

Use of privileged utility programs - The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5

Access control to program source code - Access to program source code shall be restricted.

A.12.4.1

Event logging - Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2

Protection of log information - Logging facilities and log information shall be protected against tampering and unauthorized access.

A.12.4.3 

Administrator and operator logs - System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

A.13.1.1

Network controls - Networks shall be managed and controlled to protect information in systems and applications.

A.14.1.2

Securing application services on public networks - Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.2.6

Secure development environment - Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

A.14.3.1

Protection of test data - Test data shall be selected carefully, protected and controlled.

A.18.1.3

Protection of records - Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

A.18.1.4

Privacy and protection of personally identifiable information - Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

A.9.1.2

Access to networks and network services - Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

Learn how Duo can help. Start your free trial. 

Microsoft applications are ubiquitous. They’re the backbone of thousands of organizations. 

As Microsoft-powered organizations eye the shift from on-premises to the cloud, they’re looking to augment traditional perimeter security measures to ensure secure access to corporate applications at any time, from anywhere and from any device.

But how do organizations ensure simple, secure access to Microsoft applications without introducing friction for their end-users?

A new security model has emerged that treats every access attempt as if it originates from an untrusted network. Known as zero trust for the workforce, this model focuses on authenticating users and checking the security posture of their device before granting access to applications. 

For organizations that leverage Microsoft application suites like Office 365, Windows and Azure, a zero-trust access model can help mitigate the risk of unauthorized access and reduce the risk of data breaches, while ensuring that user productivity isn’t impacted when they access applications from wherever they are.

In our new guide, An Essential Guide to Zero Trust for Microsoft Applications, we review essential tips to help administrators implement zero-trust access security for Office 365, Windows and Azure. 

Our guide highlights the need for a zero-trust approach to securing Microsoft applications and outlines the benefits, including:

• Establishing user trust
• Gaining visibility into BYOD (bring your own device)
• Establishing device trust
• Enforcing adaptive policies
• Enforcing compliance policies
• Implementing role-based access control

Download An Essential Guide to Zero Trust for Microsoft Applications now and learn how to secure key Microsoft applications, and why a zero-trust approach to securing Microsoft applications (and all of your other applications) helps reduce risk without sacrificing simplicity and ease of use.

It’s the greatest thing since sliced bread. It’s a phrase that’s so well worn that it feels like the phrase has been around forever. But it’s actually only been said for maybe seventy years. What’s more, sliced bread was the greatest thing since the toaster. And those two, the toaster and sliced bread, highlight an important rule of technological innovation.

The toaster came out during the electric age. The light, the radio, the motor and the generator all came about during the heady decades of the late 1800s and early 1900s. Houses were being wired for electricity when GE introduced the first electric toaster in 1909. But sliced and toasted bread was still a conundrum. There were two key problems that had to be solved first: bread came in all shapes and sizes; and only around 10 percent of American homes had electricity. The underlying standards and infrastructure weren’t ready for the greatest thing quite yet.

We can say the same thing about the decades before passwordless authentication was a reality. The equipment was ready. Biometrics had been around for some time. Back in 2008, I managed a data center with fingerprint authentication (I also regularly demonstrated the weakness of this security measure with a gummy bear, but that’s a story for another day). Facial recognition was commercially available in 2009 on Lenovo notebooks. Fingerprints and facial recognition hit phones in 2013 and 2017, respectively. So why are we still keying in passwords? In a word — standards.

Back to breakfast for a moment, the perfect sliced piece of bread would not be hot and toasted until bread standards became uniformed. To get there a few things had to happen. The first commercial bread loaf slicing machine was developed in 1928 followed by the debut of Wonder Bread in 1930. By then, over half of American homes had electricity. The breakfast revolution had come. By 1950, toasters were everywhere and everything new was the greatest thing since sliced bread.

FIDO2 and Web Authentication (WebAuthn) may be the standard we need to turn up the heat on passwordless. In March 2019, The World Wide Web Consortium (W3C) announced WebAuthn is now the official passwordless Web standard. Apple, Google, and Microsoft have already added WebAuthn support to their products. Much like homes with electricity, things will take off quickly once adoption reaches the halfway mark.

• Recommended reading: Developments to WebAuthn and the FIDO2 Framework.

This is a rule of technological innovation: we need standards, infrastructure, and critical mass. The underlying components come into being early, and out of order. The toaster before sliced bread. The fingerprint reader before the WebAuthn protocol. It’s when all three ingredients come together that things get exciting. And we are just about there with passwordless authentication. Get excited.

BONUS: The Rowlett Regent introduced the first commercial toasters in 1945. Their toasters have been in production, with very little change, since 1945. Check out this video to see the classic toaster being assembled.

To help enterprises stay ahead, Duo helps reduce enterprise security risks associated with user and device access by providing seamless accessibility based on trust - known as our Zero Trust platform. This document will highlight how you can leverage Duo’s Zero Trust platform to enable and secure your business for the future.

Free Guide

The Cybersecurity and Infrastructure Security Agency (CISA) recently shared an in-depth analysis of the security risks associated with Microsoft Office 365. You can read the entire report here. The CISA observed that when organizations use third-party companies to migrate their email services to O365, they are left with potential security vulnerabilities. Attackers take advantage of these vulnerabilities to compromise accounts and mailboxes and cause data breaches. 

Based on CISA’s findings, we recommend the following best practices when deploying Microsoft O365: 

1.  Always Enable MFA for All Admin Accounts

A Microsoft Office 365 administrator has the highest level of privilege. O365 admins are able to configure accounts (create new accounts, remove accounts or modify accounts). The CISA report found that multi-factor authentication (MFA) wasn’t enabled by default in admin accounts, but should be. If attackers compromise admin accounts, they can reset user passwords and log into all user accounts the admin controls. CISA report recommends that organizations deploy MFA for all administrator accounts to reduce the risk of stolen admin credentials. 

With Duo’s MFA, admins can secure O365 administrator logins in a few minutes. Duo offers a variety of simple integration options that allow admins to secure access to O365 and all third-party applications with a single solution.

2.  Protect All User Accounts Regardless of Role

To prevent attackers from using stolen credentials to access O365, organizations should protect all user logins with an MFA. With Duo, organizations can deploy to thousands of users using one of several user-friendly options to authenticate into O365 that reduce friction while keeping users secure. 

Our customers Betsson and Day & Zimmerman deployed Duo to all their users within days, and reduced the risk of account compromise.

3. Scale MFA with SSO for Third-Party Cloud Applications

When customers migrate to O365, Microsoft provides tools such as Azure AD Connect to help them move their on-premises identities into the cloud. An additional feature, Password Sync, allows passwords from on-premises AD to be replicated in Azure AD. However, Password Sync could expose admins to additional risks. If an admin account was compromised, attackers can laterally move into any cloud application that uses Azure AD identities. To mitigate this risk, Microsoft offers an option to disable Password Sync for admin accounts. The recommended and more secure option for admins is to enable single sign-on (SSO) with MFA for all cloud applications. 

With Duo’s SSO, admins can use a single username and password to log into any cloud application. Before admins can access cloud applications, Duo’s MFA will prompt them to verify their identities. Duo supports thousands of cloud applications available natively. A list of supported applications can be found here. 

4. Identify and Track all BYOD Accessing O365

With O365, users can access email anywhere on any device. While Exchange Online supports several legacy protocols such as Internet Message Access Protocol (IMAP) and Simple Mail Transport Protocol (SMTP), several email clients that use these protocols do not support MFA by default. Without MFA, users accounts are at risk of compromise. Admins can enable modern authentication to support MFA on clients such as Outlook 2013 or later. 

In addition, Duo gives customers visibility into the security posture of all bring your own devices (BYOD) and unmanaged devices accessing O365 to help them stay compliant. If admins detect an out-of-date or vulnerable device getting access to O365, they can set a Duo policy to prevent this device from getting access. 

5. Detect Malicious Activity with Logging and Reporting 

The CISA recommends that organizations enable O365 mailbox audit logs. Admins can use audit logs to determine risky behavior, such as finding the IP address of the computer used to access a compromised account or determining who set up email forwarding for a mailbox. In addition to O365 logs, Duo can help admins detect malicious login activity and alert if there is a fraudulent login. Admins can even export Duo logs into Splunk or any other SIEM tools to consolidate their logs and set policies to detect risky behavior.

Duo + Microsoft: Better Together. If you are interested in using Duo with O365, sign up for a 30-day free trial in less than 30 seconds. 

What a big year for passwordless! Since March, the World Wide Web Consortium (W3C), one of the global organizations governing web standards, and The Fast Identity Online Alliance (or FIDO) Alliance, an industrial association for developing authentication and authorization standards, have come together to declare that Web Authentication (WebAuthn) is now an official global web standard.

More recently the Chrome development team at Google has begun to urge developers to migrate to WebAuthn from their U2F APIs. With the help of The FIDO Alliance and the W3C standards boards, along with many others in the security community, WebAuthn has already begun to see tremendous adoption in its debutant year.

The Open Source Community Drives Adoption

One thing that I believe helped drive rapid adoption the most is the amazing job the open source community has done at providing resources and examples of the specification. In 2017, the Duo Labs team open-sourced our own example of the the WebAuthn specification on webauthn.io, which has since been split into a core library for easy usage, and a standalone web application with a WebAuthn demonstration (that uses the core library) with links to other great open-source examples of the standard. Our work couldn’t have been possible without contributions by many developers who are equally excited about WebAuthn, so tremendous thanks to all of them! 

New standards can be hard to unpack and understand fundamentally, because they’re often more conceptual than specific to a language or framework. I think most of the time developers will look for a pre-existing package that abstracts away the understanding of the standard as a concept, and will just import the package into their codebase with the assumption that it works. While this is probably not ideal, there’s no shame in this! I’ve definitely done that in the past. It’s hard to read and fully understand everything to the fullest when you have deadlines. 

Because of this, Duo (and myself) believe that providing and promoting accessible educational resources and exemplary code is one of the best ways to help not only drive developer adoption, but help developers understand enough that they feel comfortable in their knowledge of a subject like WebAuthn to go out and implement it in a way that is most effective for them and their business. 

Technical WebAuthn How-To Video 

To help with this, I’ve recorded a video of a workshop I gave earlier this year during one of The FIDO Alliance’s annual meetings. This talk goes a little deeper than a general overview of the specification and gets a bit technical. In it, I go step by step through the aspects of the WebAuthn standard using the https://webauthn.io code as a guide. 

See the video at the blog post.

I hope that it will allow you and others to come away with a deeper understanding of what is possible with the specification, and how to make it work for your projects.

I hope to have more of these videos in the future and that this video helps you better understand the spec. As always, feel free to reach out to me on Twitter at @codekaiju or in the comment section of the video.

Organizations are moving to the cloud in order to both modernize their IT environment and reduce their operational costs. As cloud products and services mature, companies feel comfortable moving more and more of their infrastructure into hosted environments. In many cases, this journey is a daunting one. Even when the move makes financial sense, the actual steps involved in hosting applications and data in the cloud (and then enabling access to those resources!) can feel intimidating and confusing. 

Cloud-anxiety can be further exacerbated when a company already leverages many traditional on-premises services. To take a specific example, how does identity make the transition into the cloud? Is a whole new directory required with a new set of cloud credentials for each employee? Will access policies be forgotten and require re-building? How will users authenticate into the cloud environment and access resources hosted there? Will they be able to authenticate easily, effectively and securely?

If these questions incite a little cloud-anxiety, that’s okay — they are important questions with important answers. However, by partnering with AWS Directory Service, Duo is making a secure transition to the cloud a whole lot easier. 

In order to counteract some cloud apprehension, let’s talk about a few of the complications listed above, and some potential solutions. 

Q: As a concrete example, what if a company uses an on-premises instance of Active Directory for identity management, but wants to start using certain resources offered by Amazon Web Services (AWS)? Will that company have to set up a new AWS directory from scratch?

A: Thankfully, the answer is no. AWS offers AWS Directory Service to address exactly this use case. AWS Directory Service makes it easy to either replicate and host a standalone Active Directory instance in a private cloud or port data from an on-premises instance up to the cloud. Making the connection to AWS from an on-premises directory is relatively easy and secure as the bridge will be built using either a one or two-way “trust.” A trust is a time-tested, secure model in which two directories can be linked. In either case, employees can then use their original corporate credentials to access AWS resources like Amazon WorkDocs, Amazon WorkSpaces, or Amazon WorkMail. Moreover, group configurations in the on-premises directory can be pulled into AWS IAM to ensure role-based access policies carry over to AWS.  

And then the company rode off safely into the cloud sunset? Well, not just yet. The problem with any set of credentials, whether the directory holding them is on-premises or in the cloud, is that they may be stolen, hacked, or phished. One way to ensure that users are not just authenticating, but securely authenticating, is to deploy a second factor when employees attempt to access resources. 

AWS understands the importance of MFA, which is why they chose to integrate specifically with Duo. Duo is now the only provider offering out-of-the-box MFA for AWS. The integration ensures that companies leveraging Amazon Directory Service are securing their cloud authentication. In fact, 

Duo and AWS worked together to create a Quick Start guide to deploying Duo for AWS Directory Service. This guide enables companies to quickly and easily protect their AWS application access with a second factor of authentication. 

Identity and authentication may be one small piece of the long journey to the cloud, but by working together Duo and AWS are looking to make that journey just a little less stressful and free from cloud-anxiety.

**Phishing: A Modern Guide to an Age-Old Problem** Learn more about phishing and how to protect your organization in a few easy steps.

Free Guide

Time rolls on
And that’s how it should be
Here and gone
Seems to move so quickly
— David Lee Roth (Damn Good) 

It’s an exciting time to be alive.

Over the course of the next year or so, those of us who have been living in and compensating for a password-infected world will start to see light at the proverbial “end of the tunnel.” The FIDO2 WebAuthn protocol is a full on open standard — and support for this standard is heating up among the browser and identity folks. This is nothing but good news. 

But while this is happening, over here in public sector land, we set out on a journey 15 years ago to solve the same problem. And while it hasn’t been all cotton candy and peanut butter, it (for the most part) did what it was designed to do. It created a mechanism that used PKI to solve a hard problem  — the pervasive use of passwords and their inherent weakness as security constructs. It wasn’t easy and it didn’t come without a cost — a massive, massive cost. But it’s what we could do at the time, and the folks who were the backbone of this undertaking should be commended.

With all of this talk of change and modernization, we have to remember that we (here I mean the royal "we of government" and those who support the government) have a responsibility to maximize efficacy — AND — efficiency. And while these modernizing authentication capabilities are important (and they are majorly important) as the first verse in our Zero Trust melody, we also have to realize that some of this song was written before. And we’d be wise to incorporate what we can, when we can.

When NIST updated SP-800-63 to rev. 3, they did more than just make it okay to have alternatives to PIV/CAC (I’ve written about this before  — here are my thoughts on OMB memo M-19-17). The forward-thinkers at NIST also envisioned a world where the flexibility extended to federating identities AND proving separation between the authentication and ID-proofing. This separation provides for maximum flexibility for agencies to solve their authentication and identification problems today and gives them a clear path to the future. This future will be modern, and this future will carry with it the common language of open standards — which is really the only way to achieve the flexibility and agility to keep up with the constantly changing (technology, culture, policy, etc.) environment.

“Change is the only constant in life” —Heraclitus of Ephesus

Here is an example of how this can be achieved in real life. 

Duo has partnered with CyberArmed to deliver a PIV binding to modern multi-factor authentication. This is an example of leveraging the existing investment in PKI and strong-proofing to enroll a more modern, “off the shelf” authenticator, at scale, for many use cases where the PKI cannot play. All the while adhering to the standards (SP-800-63-3 for IAL3 and AAL2/3 as well as SP-800-157, the derived PIV specification).

Learn more about Duo Derived. 

We are finally at the cusp of modernizing our enterprise identity infrastructures into future-forward, flexible capabilities that will be adaptable to changing everything. However, nothing can ever be a “rip and replace” conversation. We need to “bridge the gap” while maintaining our existing capabilities. These building blocks can help us do just that. 

I consider myself very lucky that my role at Duo as an Advisory CISO affords me the ability to see the world. As a result of speaking at conferences and meeting with customers, I get to interact with an international audience. This has given me insight into the shared security problems with which we all must contend. We all worry about data breaches, security access control and privacy. 

The best part of working for the Duo Security team at Cisco is that everywhere I go people want to show me they are running the Duo app on their phone or their watches, and to let me know how happy they are with the application. This really does make me smile. 

In 2009, our founders, Dug Song and Jon Oberheide developed Duo with primary purpose of making security accessible to all by making it so simple and frictionless — it leveled the playing field. They set upon a path to democratize security. They had a mission to make security easy to use and thereby insuring a wider adoption from non-technical folks. Based on the number of very happy people I have talked to in my travels — I can safely say that they accomplished their goal!

Recently, I sat in an airport lounge in Hong Kong when a gent across from me started smiling away. He pointed at my Duo Security t-shirt and waved. I returned the gesture. Then he held up his phone to show me he was running Duo on it. In that moment, it really hit me that something was shifting in how people do business.

Years ago, I would use all manner of products. I would have to contend with green screens or applications written by engineers for engineers, and various other applications that did little to enable business. For the most part they were there to block activity, as opposed to helping the business operate in a safe and secure fashion. Back then we would rely on functions such as static passwords to “secure” access to our data. Today we have applications such as Duo Multi-Factor Authentication (MFA), Duo Access and Duo Beyond which actually helps organizations ensure the best secure access to their Crown Jewels while enabling their business to operate frictionlessly.

Duo helps to provide customers with the ability to move towards a zero-trust design and create built-in security champions within the workforce by securing the workload and workplace. Isn’t that what it’s all about? I spent years tangling with security products and implementations. More often than not they were geared towards getting to “no”. This was a huge driver behind the entrenched view of so many, that security was a blocker and cost center as opposed to being an enabler as it should be. 

Furthermore, the psychology is that users are somehow responsible for their security failures. In most cases I encountered, people simply were unaware that they had made a security choice, let alone a poor one. They had not been properly educated on how to do things safely and securely, yet security practitioners were to ready to throw them under the bus for their indiscretions. Instead, what we as security professionals should be doing is taking the time to better educate and enable our end users so that they are properly equipped to handle what we all too often expect them to do via intuition. We need to give our people tools that they can use effectively, in addition to training them on security. Both are crucial.

When I encounter someone smiling and showing me their Duo application on their mobile device in India, Singapore, Sweden or wherever my travels may take me, it makes me smile as I realize that these are end users who have been enabled to do their job in a safer fashion and are they proud to share their experiences with me. 

Selfies kill more people than sharks. This fact doesn’t make sense. Sharks are terrifying. The current generation of CISOs were raised on the Jaws movies. Think of death by shark and a number of images immediately spring to mind. Images with teeth. Do the same with death by selfie, and the thoughts are fuzzier. This difference in our ability to imagine the danger, known as salience bias, is but one example of how we don’t handle risk well. When security leaders seek support for controls, our human nature can become a stumbling block.

In the early days of security, we had a problem. We knew there were technology changes to be made. We knew there were technology investments to be made. And so, we described these in very technical ways when advocating for our security programs with management. Blank stares were too often the result. Other business teams were getting funding by talking about business risk. In a bolt of obvious inspiration, security switched to talking about risk. Today, most every change and investment is anchored in IT risk management. 

But today we have a new problem. People aren’t all that good at making risk-based decisions. To start with, people push back from uncertainty, and risk management is fundamentally about presenting two or more uncertain options to get one selected and funded. Then there are a host of cognitive biases that muddy up risk-based decisions. How was the business case framed? How was the supporting data delivered? People often weigh the first pieces of data more heavily. And that’s assuming we have good data. With security breaches being infrequent but high impact events, even finding relevant statistics is a challenge. The result is business cases which are ignored, shelved or deprioritized.   

A different approach to building a business case is to focus on the value side of the equation. People don’t swim with sharks because they are concerned about the downside. People do take selfies because they are focused on the benefits. Namely, fun. Applied to business cases, the least appealing security control is one that protects us from being eaten. There must be some benefit beyond simple protection to make a strong case for a control. This often comes down to providing a better experience for people. Our industry hasn’t functioned in this way so finding examples here is tricky. 

But here are some common ones:

• Fewer passwords to remember with password managers
• Simplified logins with Single Sign-On (SSO) 
• Less steps by removing the need to VPN in

Security tools may never be as fun as capturing the right selfie. And CISOs unveiling their new business case may never have the pizzazz of Steve Jobs unveiling an iPhone. But it is important to move in that direction. Yes, certainly use risk management to identify the right problems to solve. Use risk management to weigh the pros and cons of potential solutions. From there, however, it is about providing value to the organization and people. Make it simple. Make it appealing. In doing so, take security beyond shark repellent. 

Some reading recommendations

1. Me, Myself and My Killfie: Characterizing and Preventing Selfie Deaths (2016)
2. Selfies: A Boon or Bane? (2018)

It has been a year since we last met in August at Summer Camp in Las Vegas, (the epicenter for Black Hat, Def Con, BSidesLV, Queercon, The Diana Initiative, and more) and sooo much has happened since then. We can’t wait to catch up with all of you and fill you in on the latest news and happenings for all things Duo Security. Meet up with us and learn more about zero trust, MFA product information, security insights, and of course, we plan to host some epic events that you will not want to miss. So let’s get started!

Hang Out With Us

BSides

BSides Update: Plenty to See and Hear. While the BSides CISO Summit that Duo is sponsoring is completely packed, we are looking forward to several great sessions this year, including some by a few first-time speakers:

• Why FIDO Security Keys and WebAuthn are Awesome, with Jen Tong, Proving Ground, 6pm. August 6th.
• The Drunk Colonel and the Flipped Stone: Game Theory for a Defensive Strategic Advantage with Vanessa Redman, Proving Ground, 12pm. August 7th.
• The Road to Hell is Paved with Bad Passwords with Chris Kubecka, Common Ground, 10am. August 7th.

Black Hat

The 2019 Black Hat USA Conference is about to commence, campers. It is all about securing the enterprise with 19,000 of your closest security friends, including 70+ offensive and defensive technical trainings, and the 2 days of main stage Briefings, Arsenal, Business Hall, Expos and Talks. We will be there. Hear us at the Mandalay Bay.

We'll Be Speaking At:

• "Woke Hiring Won’t Save Us: An Actionable Approach to Diversity Hiring and Retention," presented by Rebecca Lynch, Duo Software Engineer, on Thursday, August 8 at 9:00am at Islander FG.
• "Inside The Apple T2," presented by Duo Labs Security Researcher Mikhail Davidov, and Duo R&D Engineer Jeremy Erickson, on Thursday, August 8 at 2:30pm at Jasmine.
• "Shifting Knowledge Left: Keeping up with Modern Application Security," presented by Duo's Head of Security Engineering, Mark Stanislav, on Thursday, August 8 at 5:00pm at Jasmine.
• "Parents and Caregivers in Information Security," presented by Jamie Tomasello, Duo's Head of Security Operations and Compliance on Wednesday, August 7 at 10:20am at Coral C, Lower Level, North Hall.
• "Friends of Bill W.," presented by Jamie Tomasello, Duo's Head of Security Operations and Compliance, on Wednesday, August 7 at 3pm and on Thursday, August 8 at 3pm at Coral C, Lower Level, North Hall.
• "Assessing Cognitive Capacity and Burnout," presented by Jamie Tomasello, Duo's Head of Security Operations and Compliance, on Thursday, August 8 at 11:15am at Coral C, Lower Level, North Hall.
• "Zero Trust is the New Collaboration," presented by Wendy Nather, Duo's Head of Advisory CISOs, on Wednesday, August 7 at 5pm at Cisco Booth 604.
• "Whose Trust Is It Anyway? Building Zero Trust On The Fly," sometimes in security you have to improvise presented by Wendy Nather, Duo's Head of Advisory CISOs, on Thursday, August 8 at Noon at Cisco Booth 604.

DEF CON

The OG hacker conference where campers have been known to bring soldering irons and lockpicks to get down with pwning and breaking containers, You will find Duo at DEF CON chilling. Meet up with your fellow cryptologist pen-tester pen pals and take a break, or break something. Up to you! Check out the workshop line-up.

The Diana Initiative

Women are half of the population, but severely underrepresented in roles and leadership in technology, not to mention the pay gap is real. The ladies take the lead in this conference that offers a platform and a stage for inspiring women in tech to discuss security and technology while encouraging more women to enter the workforce.

Learn how to submit winning proposals.

• Duo’s Information Security Analyst (and seasoned CFP reviewer) Kat Sweet leads a hands-on workshop to enable aspiring speakers to transform their talk ideas into viable conference proposals in “Conference Talk Proposal Writing 101,” at The Diana Initiative, on Friday, August 9th at 3pm at Westin Track 3 [Acacia A&B].

Are you in the market? Duo is always looking for a few good women (and people) — visit Duo careers and join us.

Queercon

Famous for their legendary hackable badge works of art, along with a vibrant LGBTQ community and one epic party, Queercon is a powerful collective, with a smart community and a big following. Stay where all the cool kids stay and make your hotel reservations to show your support for Queercon 16.

Find Us

Nothing is better than meeting in person and exchanging information.

**Win a shirt, and maybe you’ll win a set of Apple AirPods!** **Find us at Booths #675 in the Mandalay Bay Shoreline Room anytime between 10:00am and 7:00pm on Wednesday or 10:00am and 5:00pm on Thursday.**

Learn more about our zero-trust security platform via a demo, pick up some swag, or … get in front of our photo booth to create your own custom gif where we ask you to grab a virtual prop and "show us trust, then show us zero trust."

Have some fun with your interpretation of what trust and zero trust means, and make sure to share your final creation with us on Twitter (@duosec) for a chance to win a set of Apple AirPods!

Show Us Trust, Then Show Us Zero Trust

See the video at the blog post.

Want to schedule a meeting? Contact us at securitypanel@duo.com.

Party With Us

Come party with us and Cisco on Wednesday, August 7 at 8:00pm at Jewel Nightclub at The Aria Resort where we'll be networking and enjoying some food, mocktails, and cocktails. RSVP here.

Enjoy delicious food, drinks, mesmerizing light shows, and special surprise entertainment from start to finish. Black Hat badge and party pass required for entry. Check-in at Cisco booth 604 starting at 10 AM Wednesday, August 7 to pick up your party pass.

SUPER SECRET EVENT - Invite Only

WHO WILL BE THERE?: It is a mystery! One not to be missed.

HOW: Interested in attending? Reach out to us at securitypanel@duo.com. Or you will have exactly 2 hours to get to Booth #675 in the Mandalay Bay Shoreline Room and snag a pass. Booth opens at 10am, secret event starts at 12:30pm.

WHEN: Wednesday, August 7th, 12:30pm

Welcome, or Welcome Back!

School’s out for summer. This year is the 27th annual DEF CON the 22nd festival of Black Hat, the 10th anniversary of BSides Vegas and the 16th for Queercon. It is time to choose your own security adventure whether you are a protector, puzzler, prodigy, professional, patriot, protestor or mischief-maker — Duo at Hacker Summer Camp has it all.

Check out our Duo events page for more info on Duo at Summer Camp. Please report to Duo while you are there!

It’s no secret that we love Python here at Duo. Every day, our engineering team is pushing new code that drives our products to help keep our customers secure.

One of our primary goals as an Application Security team is to work alongside our engineers to ensure that the code we’re developing is as secure as possible. We want to provide feedback quickly – giving engineers near-immediate feedback if any issues are found and guiding them toward improvements that can be made to better ensure the security of our product.

One way we accomplish this is by using an internal tool we developed called Dlint to perform static analysis every time a new commit is pushed. Today, we’re excited to open-source Dlint, making it available to the wider community.

But before diving into what Dlint does, let’s first talk a little bit about static analysis.

Introduction to Static Analysis

The goal of static analysis is to search through code and identify potential problems. This is an effective way to find issues in the code at a low cost compared to dynamic analysis, which involves executing the code. However, running effective static analysis requires overcoming a few challenges.

First, we have to figure out what to look for. There are quite a few dangerous uses of Python that would apply almost anywhere. For example, you would almost never want to pass untrusted input into a call to os.system. In addition to this, we have Duo-specific rules to make sure that our internal libraries are used in a secure way.

After we know what to look for, we need a way to look for it. The simplest form of static analysis would be search through the code line-by-line for specific strings. However, we can take this a step further by parsing the abstract syntax tree, or AST, of the code to make more informed and complex queries.

Once we have the ability to perform analysis, we need to determine when to run the checks. We believe in providing tooling that can run both locally as the code is being developed to provide quick feedback, as well as in our continuous development pipeline before code is merged into our codebase.

Dlint, our approach to Python static analysis, aims to solve all of these problems and more.

Introducing Dlint

Dlint comprises a set of rules that define what we want to look for, and a linter, which is able to evaluate those rules over our codebase.

For this initial release, Dlint contains a set of rules that check for common best-practices when it comes to writing secure Python. We’ve also made it easy to add new rules that can be contributed back to the community.

To evaluate these rules over our codebase, Dlint leverages Flake8. This approach lets Flake8 do the heavy-lifting of parsing Python’s AST, letting us focus on writing a robust ruleset and giving great recommendations.

Finally, to support running Dlint as part of a development pipeline, we’ve included examples of how you could run Dlint in Gitlab and Travis CI.

Get the Code

We’re excited to share Dlint with the wider security community. By working together, we can create a common set of rules that anyone can use to help increase the quality of their codebase. 

• If you want to give Dlint a shot for your projects, you can find the code on Github.
• We’re excited to share more about how we do AppSec at Blackhat USA 2019, so we hope to see you there! 
• Finally, if this is the kind of work that interests you, we are hiring! Get in touch!

How is zero-trust security for the workforce making its way into the enterprise – and how are organizations using the key principles of zero trust today?

We examine those questions and more in The 2019 Duo Trusted Access Report: Expanding the Enterprise Perimeter with Zero-Trust Security for the Workforce.

For this report, our advanced research team, Duo Labs, analyzed data from nearly 24 million devices, more than 1 million applications and services and more than half a billion authentications per month from across our customer-base, spanning North America and Western Europe.

The data shows that the explosion of cloud applications and mobility has expanded the concept of a perimeter security architecture and organizations are implementing the foundation of zero trust to secure users and devices as they access applications; we call it zero trust for the workforce.

Five Key Findings

Here are five of the many key findings outlined in The 2019 Duo Trusted Access Report. Download the full report to see all of the data.

Biometrics Use is Climbing

Over the last four years, customers are more often using biometrics as a second or third authentication factor to access applications. This year, 77 percent of devices used by Duo customers have biometrics, such as Apple Touch ID and Face ID, Android fingerprint sensors and Windows Hello configured.

Fewer Fooled by Phishing

Data from our phishing simulator tool revealed that in 2019 internal phishing campaigns are capturing fewer credentials and finding fewer out-of-date devices. Users are also opening phishing emails less frequently. 

Android Devices Still Most Out of Date

Android devices lead the pack of out-of-date devices at 58 percent. Meanwhile, as of May 31, 2019, only 9.7 percent of Android devices were on the latest patch, which had been released 26 days prior.

Remote, Mobile Work Increasing

Our data shows 45 percent of requests to access protected applications came from outside the business walls, showing that users are truly mobile and the perimeter has expanded to where access occurs.

Use of Flash Fizzles

As Adobe Flash Player continues to crawl toward end of life, more Duo customers have Flash uninstalled from their devices. So far this year, 71 percent of Duo customers have removed Flash, which is up from previous years.

Zero Trust for the Workforce

A zero-trust architecture for the workforce ensures the trustworthiness of devices and users’ identities wherever access is attempted and before granting access, whether users are on or off the network. This security model verifies users and establishes trust in their devices (those users and devices comprise your workforce), no matter where they are located, what devices they use, and which applications they access.

Zero trust for the workforce to built on five key principles:

• Establish User Trust: Verify the identity of all users before granting access to corporate applications and resources
• Gain Visibility Into Devices: Get detailed insight into every type of device accessing your applications, across every platform
• Establish Device Trust: Check the security posture and trust of all devices – corporate and personally-owned – accessing your applications
• Enforce Adaptive Policies: Enforce granular, contextual policies based on user, device and location to protect access to applications
• Enable Secure Access to All Apps: Give your users a secure and consistent login experience to on-premises and cloud applications

For The 2019 Duo Trusted Access Report, our data shows that Duo customers across all industries are starting to implement zero-trust security principles to secure their workforce.

Summary

A zero-trust architecture for the workforce is a paradigm shift. It grants or denies access based on the trustworthiness of users and their devices, which comprise your workforce, and does so wherever access happens, instead of relying on a traditional perimeter security model. As cloud and mobility continue to become must-haves, the enterprise must be able to give users access no matter where they are, regardless of which type of device they use or which applications they need to access. Implementing and adhering to the principles of zero-trust security for the workforce can make that happen. 

Download The 2019 Duo Trusted Access Report: Expanding the Enterprise Perimeter with Zero-Trust Security for the Workforce now and see data that shows organizations are moving into the future with zero-trust security for the workforce.

The UK’s data watchdog the Information Commissioner’s Office (ICO) issued a hefty £183.39M fine for infringements of the General Data Protection Regulation (GDPR) to British Airways for the 2018 data privacy breach that affected over half a million customers. The airline’s brand image of the “world’s favorite airline” is expected to suffer as a result due to the of the sheer size of the fine, and also but because it is one of the first major breaches under the new GDPR rules to get fined. One day later, the ICO fined Marriott Hotels £99.2m for a breach affecting over 339 million guests. This is just the beginning of the GDPR crackdown.

The BBC News reported that lackluster security led to the breach of over 500,000 customer credit cards, names, addresses, travel details and logins. It is the largest fine issued by the ICO to date, far exceeding the £500,000 fine against Facebook for the Cambridge Analytica scandal that affected millions. It appears the ICO wants to send a warning to companies to button up their systems. It is time for organizations to raise their security awareness internally and externally. 

ICO’s announcement states:

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.

I previously penned the article, “A Ciso’s Reflection on the First Anniversary of GDPR” observing previous breaches that had been handled under the older legislation, the Data Protection Act of 1998 and its 2018 predecessor. I expect more news headlines around this topic to be the new normal, as consumers and governments are getting serious about the protection of private data and as more privacy laws are adopted worldwide.

Information Commissioner Elizabeth Denham comments are quite clear:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

This is a definitive statement of the attitude of the regulators. Very clear and to the point. Your organization has a responsibility with personal data. Fulfill that responsibility or else. A strong warning that the ICO will use its  power to protect personal data without hesitation.

The proposed ICO fine of £183.39m could have been much higher. It makes a good argument that better cybersecurity through multi-factor authentication (MFA) is a dramatically better value for the money. So for a CISO, we now have a piece of real data upon which to build any business case when assessing the risk our organisations face. I recall working for one major global organization where only a risk with an impact of over $50m was considered for the risk register. Privacy breaches are well above that line now.

This is not the end of the story. The airline still has to make representations, there will likely be an appeal. The new process also requires the UK’s ICO to act as the lead authority in the EU and successfully enforce the new laws. Other regulators in countries where residents reside still have to comment. It will be interesting to see if they align with this decision, and whether this will form a new standard to be followed by others across the EU. 

The GDPR's Impact on CISOs

GDPR as a topic has not been a major discussion point for CISOs during the last year mainly because we have been preparing for some time — and have begun to focus on new issues like technology-driven change within the business. This headline may well add urgency to those who did not feel fully prepared. For other CISOs it will mean a chance to review what they have done and get support for any additional security changes they may need to adopt, such as MFA, to make sure their organizations are more immune from a breach.

The GDPR is far more than security, and following the rules requires a cross-business approach. From a security perspective, the best way to ensure “privacy” is to get the security basics right. This is where the “zero trust” concept helps. Zero-trust security assumes no user or device is trustworthy enough to gain access until their identity can be verified and authenticated. Making sure you know who is accessing your environment, who your users are and creating policies around authenticating their access is a solid step. The simplest and most cost effective way to achieve this is through multi-factor authentication (MFA). MFA has been proven to immediately decrease the likelihood of data breaches from credential phishing. 

One random thought, I wonder if the UK government will use the proceeds from such fines to improving overall security within the UK, especially for the SMEs? Perhaps this can idea could help governments everywhere who have introduced or are about to introduce privacy legislation? Just a thought. 

Many organizational trust permissions and access assumptions have been built on the tradition of enterprises buying, issuing, and managing the devices that access their applications. The bring your own device (BYOD) trend blew the assumption that an MDM would be able to manage outside devices and enable trust. Due to third-party partnerships with outside vendors and contractors, BYOD has not worked well for years. Your vendor consultant isn’t going to let you manage her laptop, nor is your external auditor. Even in the case where you have a direct hire, that person may be working for multiple organizations, and if each of them wants to use a device management agent, the ensuing endpoint battle won’t be pretty.

Believe it or not, the “zero trust” model can help you get along better with your users, customers, and partners. 

Here are some examples of how the collaborative model works:

• Rather than managing the endpoint directly, you read the security state. A read-only health check is often more palatable to users than a management agent on a personal device. 

• Instead of making configuration changes, you can specify what configuration policies the device needs to meet in order to be granted access and let the user choose whether to make those changes. (Can we all at least agree that the device shouldn’t be jailbroken or rooted? It’s a bare minimum to start with.)

• You can specify a grace period in which the user must bring the device into alignment with those policies, and the user can determine when to make the changes. For example, you might give a user a week to update to the latest software version before access is denied. This allows the user to do the updates at the least disruptive point in the workflow.

If you operate from a position of “zero trust” and make no trust assumptions, you can pull back your policy enforcement to your own infrastructure resources (networks, systems, and applications). At that point, if someone and something wants access, you can check the security state of the endpoint being used and either allow access or request remediation first. 

You can state the equivalent of, “Look, do what you want on your own time. But if you want access to our ERP system, you have to use a corporate-issued endpoint. And it has to be up to date on its software, use a lockscreen, and it can’t be jailbroken."

The users can remediate any security issues on their own schedule, not have a Patch Tuesday imposed on them when it interrupts their workflow. 

This collaborative model is already in place in environments such as higher education. Schools can’t control what endpoints the students bring onto campus, or even what devices departments purchase with their grant money. The culture of academic freedom also plays a big role, so anything that hinders access, sharing,and exploration creates conflict. 

In healthcare, security teams have to negotiate with doctors who bring in their own personal devices and insist on frictionless access, patient safety (compliance) and access to resources at all times. Security in healthcare can get tossed by the wayside any time it creates a barrier to entry. 

Changing Times for the Security Model

The traditional security model — where enterprises issue every device and manage its security — is coming to an end. It never worked with third-parties and customers anyway (you can’t dictate what they use); and it is increasingly difficult to use with employees who are used to their own personal consumerized IT experience. 

The flexibility of “zero trust” is that it checks endpoint security at the appropriate time, and never assumes it’s already there. Not only can you enforce your own security policies, but you’ll benefit from any other similar enforcement in a given user’s ecosystem, since they’ll have to comply with the most stringent policies for any resource they access. 

As the saying goes — "a rising tide lifts all boats." Ironically enough, by verifying before trusting, you can improve security and build a better collaborative and trusting relationship with your users at the same time.

Browser zero-day weak areas are thee worst. Can we all agree to that? Recently Mozilla’s Firefox browser patched not one, but two zero-day bugs in one week. The bugs were used in tandem by malicious actors to target the employees of Coinbase, a cryptocurrency exchange marketplace and wallet.  

Mozilla announced they “are aware of targeted attacks using this flaw” and urge all Firefox users to update their browser immediately with their latest discovery of a zero-day vulnerability.

Zero-day vulnerabilities could potentially expose customers without warning and opens them up to the potential breach.

Mozilla has been a leader in browser privacy controls and consumer data protection. But they are still a non-profit and like any technology, bugs exist. Mozilla was aware of the bug in (CVE-2019-11707) in April but only patched it in June after a spear-phishing campaign was reported by Coinbase that used that zero-day bug combined with another zero-day bug (CVE-2019-11708) that lured employees to a website “designed to automatically download and run an info-stealer if it's loaded on Firefox. The malware they used worked on both Mac and Windows and could collect passwords and other data,” according to Engadget.com.  

The Firefox browser zero-day bugs were a one-two-punch. ZDNet.com reported that the first zero-day bug was "remote code execution" vulnerability that allowed remote attackers to run malicious code inside Firefox's native process. And the second zero-day was a “sandbox escape”  that allowed malicious actors to bypass the Firefox protected process and execute code on the underlying operating session. 

How Duo Helps With Zero-Day Browser Attacks

Whether your company uses Firefox or Chrome as a browser, it is difficult to know if or how much risk exists due to outdated devices, software or browsers.

Duo’s multi-factor authentication (MFA) gives you clear visibility into outdated devices. Duo offers built-in self-remediation software that automatically alerts users to update their software when a new patch is released — and stops devices from accessing risky applications until they do. And admins can set policies to allow or deny access based on what software version users have on their devices.

Another browser concern is the extension ecosystem, and it can be difficult for organizations to know which third-party extensions are compatible with their security standards. These extensions can be risky to user endpoint security and are often overlooked.

The CRXcavator

Duo Labs has created a free solution called CRXcavator (rhymes with “excavator”) that analyzes Chrome extensions and produces comprehensive security reports.

For more information on CRXcavator, click on this infographic

When these events take place, most companies are reactive and are unable to avoid the risk it may pose to their firms. Duo Security believes in leveraging technology to close the gap between security and ease of use. Duo Trusted Access allows an organization to implement browser based policies for all applications while simultaneously offering user-based remediation to eliminate the resource taxation historically placed on IT administrators. 

Check out Duo for yourself and sign up for a free trial.

Cisco’s Duo Security, the leading zero-trust security platform for access control, and AWS, the leader in cloud infrastructure and services, have come together to provide comprehensive access control solutions to make organization’s cloud deployments in AWS more secure.

Introducing Duo MFA for AWS Directory Services

Duo is the first provider to offer an automated way to add native like two-factor authentication and flexible security policies to Amazon Web Services (AWS), complete with inline self-service enrollment and Duo Prompt.

Duo, an AWS advanced technology partner, is committed to providing a secure multi-factor authentication solution (MFA) for all AWS services, apps and infrastructure. Duo is working with AWS on deep technical integrations to make it easier for customers to deploy and consume Duo services on AWS.

The first step towards this commitment is to provide Quick Start guide for MFA for AWS directory services (managed AD and AD connector) for securing applications authenticated through directory services. MFA is one of the strongest security controls available and also forms the foundation for zero-trust security architecture.

Duo Quick Start Benefits:

• Out-of-the-box MFA for AWS console, Workspaces, Workmail, Workdocs, Chime and many more services authenticated through directory services. Customers don't have to individually configure MFA for each service
• Deploy Duo MFA with single click under 10 minutes
• Deployment adheres to best practices, compliance as the gold standard
• Reduce deployment complexities and increase operational efficiencies
• Deployment is tested and supported by AWS and Duo

Cloud-adoption has become a central tenant for IT modernization strategy for enterprises and SMBs alike. It has been years since this strategy took its baby steps, and now it has grown and matured to the extent that most enterprises have at least one application or service running in the cloud. Organizations are adopting cloud and they are also warming up to the idea of storing sensitive data into the public cloud.

While cloud computing provides a number of benefits such as lower costs, faster deployment, scaling as needed, a more robust system, and CapEx-free computing — security is still the biggest worry for most CIOs when they shift their applications and data to the cloud.

Cloud providers normally have dedicated cybersecurity measures in place and go to great lengths to protect their platforms and customers, however, they are not a managed-security provider for customers. It is the customer’s responsibility to protect their data as highlighted in the shared security model for AWS customers.

Zero-trust Security Is Essential in the Perimeterless World of the Cloud

Though the traditional network perimeter-based security model is a key part of overall security architecture, it is not sufficient alone in the cloud era as there are no network boundaries that can safely achieve automatic trust. Adopting a zero-trust posture of “trust no one” prevents all users and devices from access until the access request is verified for trustworthiness is most suitable for cloud.

In Closing

Duo is committed to securing cloud deployments for its customers. The Quick Start guide is the beginning of many more integrations and deployment solutions for AWS. To learn more about 

Duo’s partnership with AWS, visit duo.sc/aws.

Let us know what you think about this Quick Start and also send us your suggestions regarding integrations you desire. You can reach us at techpartners@duo.com.

Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Week one we explored the history of zero trust and how to establish user trust. Week two we delved into the history of endpoint security and gaining visibility into devices. Week three we reviewed zero-day exploits and establishing device trust. Week four we discussed the amazing protective powers of enforcing adaptive policies. Today we will explore the final and fifth principle in this five-part blog series — how to enable secure access to all applications.

Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first through multi-factor authentication. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network. As we learned in this series, the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device across the network.

Some Background on Cloud Computing

Throughout this series, we have touched on a few historical key technology innovations that have led to faster and better computing, as well as more opportunities for stronger security. Back in the late 90’s VMware started the virtual computing revolution that made cloud computing possible. Cloud computing freed applications and storage from physical locations and dramatically lowered costs making virtual infrastructure affordable for all, scalable on demand, and accessible from anywhere. Thus began the hypergrowth of everything over the internet.

In 2006, with the launch of Elastic Compute Cloud (EC2) from Amazon Web Services (AWS) the power of cloud computing made all kinds of new businesses and services possible. New multi-cloud options surfaced with Microsoft Azure in 2010 and Google Cloud Platform in 2011. Automation helped computing speed up and streamline. Open source code libraries made sophisticated code structure available for free to anyone, and many new cloud capabilities were offered as a service. But all of this awesome technology outpaced compliance and governance, and many industries kept their feet planted both on-prem or in the cloud or in both to have more security and control.

Regardless, the train had left the station and many teams found cloud collaboration tools easier, bypassing security and creating their own rogue shadow accounts for corporate business projects. Personal devices were cost effective and more desirable than company devices in many situations, which added more shadow devices connecting to corporate environments often without visibility or trusted security enabled. On those BYOD (bring your own devices) were new mobile apps made by mobile application developers who did not have security front of mind when creating the next big thing. 

Protecting Application Access for the Workforce

The first line of defense in the zero trust model is to secure credentials for the workforce. According to the 2019 Verizon Data Breach Investigations Report (DBIR), which analyzed 41,686 security incidents in over 86 countries, with 2,013 confirmed data breaches from 73 data sources and 63 external private and public entities (including the FBI), “no organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack.” The report notes corporate executives and small businesses credentials are increasingly the top targets by bad actors.

Corporate leadership, which often has privileged access to valuable information and computer systems coupled with undisputed and unquestioned authority to make requests, is an obvious sweet spot for bad actors. Corporate executives are often seen as easy marks with big impact – they’re frequently on the move with limited time to digest large amounts of information, making them targets of dedicated social engineered attacks such as phishing, spear phishing and more.

Mobile Users Are More Susceptible to Social Attacks

• The small screen size of mobile screens restrict viewable information necessary to verify fraudulent emails
• Many mobile browsers limit access to website SSL certificates
• Prominent features on mobile like “accept, reply, send” make it easier for users to make snap decisions
• Mobile users are often walking, driving, talking and more decreasing their attention to details

Duo’s Zero Trust for the Workforce

Duo provides the foundation for a zero-trust security model by providing user and device trust before granting access to applications – ensuring secure access for any user and device connecting to any application, from anywhere.

Each time a user logs into an application, the trust of their identity and security of their device is checked by Duo, before granting access to only the applications they need. Duo gives you adaptive policies and controls to make access decisions based on user, device and application risk.

STEP 5 - SECURE ACCESS TO ALL APPLICATIONS

You may be a cloud-forward organization, or a large enterprise with a complex mix of both cloud and legacy on-premises infrastructure and applications. Secure access to all of your cloud apps such as Office 365, Google, Box, Dropbox, Slack, and more, as well as access to any existing single sign-on (SSO), identity providers and federation services. Make sure your solution provides secure access to any SAML 2.0-enabled cloud application.

Best practices recommend securing access to these apps by separating your primary authentication method from your secondary (using multi-factor authentication or MFA). Shift away from depending solely on a primary authentication provider to avoid a vendor-based breach that can risk exposing both primary and secondary authentication.

HOW DUO CAN HELP

Enable Secure Access to All Apps

Duo provides broad coverage across every application, with out-of-the-box integrations for ease of setup with all types of apps - from legacy to modern to custom tools. For custom applications, Duo also offers APIs, WebSDKs and support for other protocols to allow you to extend Duo's security platform to protect proprietary services.

Duo provides flexible, frictionless access to hybrid and multi-cloud environments, allowing you to apply a zero-trust security approach for remote access to cloud infrastructure and corporate applications.

Remote Access

Secure against compromised credentials and protect access to your remote access gateway providers with Duo’s integrations for virtual private networks (VPNs), virtual desktop infrastructure (VDI) and proxies.

Duo’s solution integrates seamlessly with major enterprise remote access gateway and VPN providers, including CA SiteMinder, Oracle Access Manager, Juniper, Cisco, Palo Alto Networks, F5, Citrix and more.

Download Yelp + Duo Security: A VPN & SSH Case Study

Duo secures application access to:

Cloud/Identity Access

As organizations migrate their applications and infrastructure to the cloud, Duo can fully protect both a hybrid and multi-cloud environment. Duo provides users with consistent remote access to multi-cloud and hybrid environments, including cloud infrastructure providers, as well as on-premises and cloud applications.

Duo supports cloud access use cases, such as developers accessing Amazon Web Services (AWS) and contractors who need remote access to internal applications. Duo’s MFA also integrates with other SSO provides like Ping, Azure, Okta, Oracle and Shibboleth; providing identity integration with AD and SAML.

Secure Single Sign-On (SSO)

Users get a consistent login experience with Duo's single sign-on that delivers centralized access to both on-premises and cloud applications. Reduce password fatigue and increase user productivity by enabling your users to log in just once to Duo's single sign-on (SSO) to access all of their apps. Duo's secure SSO checks device security every time before granting access to each application

Tech Partnerships

Duo's technology and security partnership ecosystem makes it easy for you to eliminate complexity while protecting your existing IT investments. Our tech partners (Microsoft, Cisco, Workday, Citrix, VMware and many others) include identity and access management; network and remote access; endpoint management and security; detection and response; as well as popular business applications.

How Duo Secures Applications

Duo Access Gateway is part of the Duo Beyond, Duo Access, and Duo MFA plans.

Duo Access Gateway supports local Active Directory (AD) and OpenLDAP directories as identity sources, as well as on-premises or cloud SAML IdPs.

You can also use the Duo Access Gateway with Azure and Google directories or third-party IdPs hosted in the cloud.

Define Duo policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Google Apps. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Once you deploy Duo Access Gateway with multiple service providers you can opt to minimize repeated Duo authentication prompts when switching between your SAML applications with shared remembered device policies for SSO.

Duo aims to democratize security so that every device is protected on every platform. Security should not be intimidating, complicated or difficult, and we designed Duo to be powerful, simple and easy to use for everyone whatever your company size.

Duo’s approach to zero-trust security for the workforce is different in four ways:

1. Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
2. Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
3. Broadest Coverage of Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
4. Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far less resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.

This post completes our blog series “5 Principles to Achieve Zero Trust for the Workforce.” Previously we covered the first principle to implementing a zero-trust framework; how to establish user trust. Gaining device visibility is the second principle to adopting zero-trust and establishing device trust is the third principle and the fourth principle is enforcing adaptive policies. We hope you enjoyed this series and feel more informed on how to begin your journey to zero-trust security.

 Learn more about Duo Beyond, our zero-trust for the workforce platform - or sign up for a free 30-day trial to try it out today.

**Zero Trust Evaluation Guide: Securing the Modern Workforce** We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.

Download Guide