The Duo Blog (https://duo.com/): Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access. Feed date: Wed, 03 Mar 2021 08:30:00 -0500. Language: en-us. Contact: info@duosecurity.com (Amy Vazquez). Copyright 2021.

The Zero Trust Approach to Important Control Planes
Josh Green (jgreen@duosecurity.com) | https://duo.com/blog/the-zero-trust-approach-to-important-control-planes | Industry News | Wed, 03 Mar 2021 08:30:00 -0500

Although zero trust as a concept has been around for over 10 years, it is only recently that it has been recognized and accepted as a leading strategy for securing the modern enterprise. In this blog, we set out how we approach zero trust from a practical perspective, with particular emphasis on how it affects our end-user colleagues.

Zero Trust Key Concepts

Zero trust, as a set of design ideas and principles for a security architecture, allows for numerous interpretations of how to approach an efficient and safe implementation.

There are a number of control points at which assessments should be made. It is important to realize that humans, devices, and applications each have specific checks to which they must be subjected to confirm trustworthiness.

The key concept is that the network perimeter, by itself, is not a factor in determining trustworthiness. The basic assumption is that there is no difference between an access request being made to a resource that is either on our network or in another environment such as a public cloud provider. Controls have to be employed on the assumption that every network is untrusted.

So, in a completely untrusted world, where are the control points that determine access?

Cisco’s Zero Trust Security 3Ws: Workforce, Workload, Workplace

Cisco has developed a model for translating zero trust ideas into practice. We refer to this as the 3Ws approach: the Workforce, the Workload and the Workplace.

These are outlined as follows:

Workforce: Any interaction between end users and information systems. Validation must cover both the identity of the user (preferably using biometrics backed by a secure enclave or TPM, a trusted platform module, where available) and the trustworthiness of the device used for access.

Common challenges involve restricted availability of authentication methods and difficulty in gaining visibility of non-managed devices. 

Workload: Interactions between applications and services. Attackers can hijack the pathways used by legitimate applications to send malicious traffic across a network. It is important to assess this traffic and confirm it is legitimate. It is equally important to inspect the processes generating it to ensure they are legitimate.

Common challenges are usually related to the scale of an environment, and a lack of knowledge of what legitimate traffic looks like and gaining visibility into what services are legitimate and essential. 

Workplace: Interactions between devices in the environment. In the IoT world, device counts are skyrocketing, and so are their capabilities. Security is often a secondary concern for manufacturers, so it falls to the customer to ensure these devices’ communications are appropriate and secure.

Common challenges are often, again, related to the scale of the problem and difficulty in defining what is legitimate.

The diagram below shows some of the most important control points, and outlines Cisco’s 3Ws model for discussing zero trust.

Figure 1: Key Zero Trust Control Points

These control points enable a policy-based decision at the time access is requested. These policies take into account the risk level of the resource that is being accessed as well as the conditions of the access. So, a high-risk resource will require a higher level of examination and approval before access is granted.

The Workforce

Let us look at this area in a bit more detail.

The Workforce Control Points

The Workforce is represented by the two control points at the top left of the diagram. It is critical that organizations verify user identities using strong authentication, and that they verify devices with equal rigor. A failure in either area can lead to equally serious breaches.

We need to be able to build a complete picture of the access based on a set of parameters. This must include non-managed devices as well as managed ones as they are inevitably a part of any environment, whether officially permitted or not.

The annals of cybersecurity are full of attacks that were facilitated by devices that didn’t have their data stores encrypted, devices that didn’t have their firewalls enabled, and devices that didn’t even have a viable password.

These are all easy things to validate during an authentication, and most are even easy enough for end users to remediate themselves, given a little bit of guidance. Yet, many organizations don’t check these things, or if they do, they only do it on devices that they own.

If any of these parameters is not in an acceptable state, then even if we are certain of the end user’s identity, access should be blocked. This is where “2FA” truly becomes “MFA.”

When we set these parameters in a granular fashion and match them to individual applications and services (and not based on network location), then MFA begins the transformation into zero trust.

The Importance Of the User

Often overlooked, or seen as a “nice to have” is user experience. Security professionals often see the ability to block/deny actions as paramount. They are prone to seeing security solutions as zero-sum: either the user complies with the rules or their access is denied.

The reality is more complex. In the age of cloud, users are not always constrained by the tools their organization provides. If the barrier to accomplishing a given task with the provided tools is too high, they simply find their own tools. This is how shadow IT is born.

As we drive security to the endpoint and ask the user to validate themselves and the devices they are using, we are also including them in the security process.

When designing the solution, user experience is NOT secondary for end users or for administrators.

Simplifying Administration

Centralized administration is also key. Agility is an important capability to have when adapting to changing circumstances, and centralized administration delivers it. Distributed policies and fragmented management create gaps and oversights. They also add hidden costs to the management and maintenance of any such solution.

A proper solution is designed to interfere in the user’s life as little as possible, and to allow the user as much control over their experience as possible.

Cisco relies on Duo to deliver these key administration and user experience capabilities.


The solution is designed to integrate flexibly so that “rip and replace” is never a requirement, and that customers can begin their journey to zero trust wherever they want.

To ensure compatibility from legacy systems through to modern applications, we need support for RADIUS, LDAP and SAML 2.0. Combined with Cisco ISE, we can also reach even low-level switches and routers that authenticate administrators via TACACS+ (Terminal Access Controller Access-Control System Plus). This is in addition to our native plugins for SSH (Secure Shell) and numerous popular IAM (identity and access management) applications such as SailPoint.

Beyond making the Duo deployment itself more hassle-free, this also reduces the risk of larger IAM transformation projects. Customers aren’t forced to align their IAM choices to their security choices. Instead, their choice of a best-of-breed security solution in Duo also frees them to make a best-of-breed choice in the identity management space.

“When speaking to CISOs about zero trust one of the most common responses is to ask where they should start. Having a clear architecture is the best way to define your starting point.” — Richard Archdeacon, Advisory CISO, Duo

The Five-Step Journey to Zero Trust

Every company is different, and so there is no single “right” way to get started with zero trust. Even within the workforce, we can divide the journey into five distinct steps.


Figure 3: The Five-Step Journey to Zero-Trust

Step 1 - User Verification 

The journey begins with establishing user trust: using multi-factor authentication to confirm user identities. If we cannot be sure of a user’s identity, we should certainly be blocking access to a protected application. Duo supports at least eight different methods of authentication, from traditional hardware tokens to modern WebAuthn biometric authentication.

Key Outcomes: Increased compliance through the discovery and control of users, whilst ensuring consistency & ease of use remain a priority.

Step 2 - Device Visibility

One automatic side effect of protecting applications with Duo is device visibility. Security value accrues at each step along the way, which allows for gentler rollouts.

Duo’s experience in the market has repeatedly shown that, even in proofs of concept, there are often orders of magnitude more devices present in customer environments than customers realize. This often comes from contractor and personal devices, and is usually a surprise to customers who either don’t do device management or who only do it via MDM. 

This generally leads to a desire to gain further visibility into the trustworthiness of these devices.

Key Outcomes: Discovery and visibility of what and how many devices are accessing corporate applications, providing an accurate view of device security posture.

Step 3 - Adaptive, Contextual Policies

Once we can verify both users and devices, we want to ensure that our policies are appropriate for the applications they’re meant to protect, and granular enough to meet security requirements.

This can be done at the group, application, or global levels and often includes a combination of all three.

Key Outcomes: Rules to control access to assets aligned to risk and sensitivity, closing security gaps without disrupting workflow.

Step 4 - Ensure Device Trustworthiness  

Once we see these devices, we need to empower administrators to control, if not the devices themselves, what they can do within the environment. In doing so, we need to deal with personal devices, and we need to do it in a way that doesn’t push users towards using shadow IT solutions.

Duo does this with both agentless checks and a non-privileged Device Health Application that assures users that it cannot and will not make changes to their devices without their permission.

Key Outcomes: Control over device access, securing BYOD strategies, reducing risk from unknown and unmanaged devices.

Step 5 - Zero Trust

Each step along the journey has brought us to a point where we can safely do access control based on users, their devices, and their behavior. When we have confidence in these control points, we no longer need to consider a user’s network location as part of their trustworthiness.

This allows us to provide access to both internal and external applications from anywhere. To make this easier, we can use a reverse proxy to allow users to reach internal applications without having to be part of the network.

Key Outcomes: Providing and securing access to all applications regardless of location, increasing business agility as well as overall security posture.

NCSC Zero Trust Architecture Principles

Aligning to the Zero Trust Architecture Principles as proposed by the National Cyber Security Centre (NCSC)

The NCSC has published 10 principles to help guide organizations when planning their transition to a zero trust architecture.

Duo developed the five-step journey above over two years ago, and it aligns particularly well with these principles.

Source: https://www.ncsc.gov.uk/blog-post/zero-trust-architecture-design-principles

“Implementing a zero trust approach for your business colleagues will be a transformation over time. Creating a step-by-step approach reduces any program risk and provides a way of reflecting business outcomes” — Richard Archdeacon, Advisory CISO, Duo

The Next Step

It can be difficult to determine where one is on this journey and what the next steps are, both technically and strategically.

We’ve put a lot of work into helping customers make this determination of where they are and where they’d like to go.

Cisco is in a great position to help guide you on your own zero trust journey and is able to run workshops tailored to your own requirements. 

Learn more by visiting Duo Zero Trust Security.

Try Duo For Free

Start your free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Passwordless Authentication – Going Beyond the Hype With 3 Key Considerations
Megha Mehta (mmehta@duosecurity.com) | https://duo.com/blog/passwordless-authentication-going-beyond-the-hype-with-3-key-considerations | Industry News | Tue, 02 Mar 2021 08:30:00 -0500

There’s no denying that passwordless is a hot topic. And rightly so: no one likes passwords. Users have too many to remember and manage, and IT admins spend a lot of time on password-related help desk tickets and password resets. Moreover, compromised passwords are still the leading cause of breaches.

“I define passwordless authentication as the act of authenticating without a shared secret. I think it's as simple as that and I say it like this on purpose - because passwordless can take many different forms. Depending on the use case or vendor you're talking to, passwordless can mean a mobile push, certificate-based auth or biometric auth or any number of other solutions. However, whatever form it takes, passwordless should increase security, make it faster for users to log in and be easy to deploy. At Duo, we have strong opinions that passwordless technology should be based on asymmetric cryptography, as enabled by a protocol like WebAuthn.” — Chris Demundo, Product Manager, Duo

The Promise of Passwordless Authentication

The promise of passwordless technology is that it will increase usability, by streamlining authentication, while simultaneously increasing security, by removing the password as a weak point in authentication. The traditional trade-off in security is that making environments more secure means placing more rules and restrictions on end users. Passwordless potentially throws this relationship out the window.

So, it’s not very surprising that organizations are increasingly exploring this technology. Consequently, there’s a lot of noise from multiple vendors related to passwordless authentication today, turning it into more of a buzzword! But as with any new technology, organizations need to think about their own goals and use cases and map them to the best-aligned solution in the market.

3 Key Considerations For Passwordless Authentication

In this blog, let’s talk about some key considerations while adopting passwordless:

1. Passwordless Is a Journey

As much as we would like it, passwords won’t disappear overnight. Modern IT environments are complex and replacing every authentication use case with passwordless technology will need a lot of planning and has to be a phased approach.

Here are some important questions to ask:

  • Which authentication use case should be targeted first while rolling out passwordless authentication?
  • Are you making any security tradeoffs while choosing an application for the passwordless authentication use case? Will the same application be able to provide other authentication capabilities, or will you need to add multiple vendors?
  • In order to ensure a smooth rollout, will you have the option to enable passwordless authentication for a subset of users before expanding to the full workforce?
  • In cases where passwordless authentication might not be a good fit yet - either due to technological or budget limitations – will there be a fallback to another secure authentication mechanism?

2. Providing Frictionless Usability

Passwordless authentication is promising technology, but promising doesn’t automatically mean usable. One of the motivations for passwordless is saving IT teams time responding to password-related help desk tickets. But if not implemented thoughtfully, passwordless authentication could lead to other user issues for the IT team.

Organizations should be thinking about the following:

  • Today, with passwords, users are well aware of the self-service password recovery process. Will there be a seamless recovery process available in case passwordless does not work, for example, due to lost or stolen devices?
  • Will passwordless work for users with multiple devices, as well as for users with shared devices?
  • Will the passwordless application be able to provide a consistent end user experience across all authentication use cases, passwordless or not?

3. Passwordless Authentication Alone Is Not Enough

Perhaps most importantly, customers should be aware of the security tradeoffs they may face when leveraging a passwordless authentication solution that doesn’t offer the same robust functionality in terms of other authentication use cases.

The focus should always remain on increasing trust in authentication while simultaneously reducing authentication friction and leveraging all use cases that can get you there.

Duo Is Making Secure Passwordless Authentication a Reality

Here at Duo, we are excited about passwordless too! We have developed an extremely thoughtful approach to passwordless to help our customers securely and seamlessly transition to passwordless. We want to ensure that Duo continues to meet our customers where they are today without being disruptive, and that it aligns with their future plans and initiatives. 

Stay tuned to hear more about Duo’s approach to passwordless and how we address all the considerations mentioned above.

Also check out prior blog posts on passwordless authentication.

(VIDEO) Getting Started With Duo - Step 1: Authentication Methods
Desdemona Bandini (dbandini@duo.com) | https://duo.com/blog/video-getting-started-with-duo-step-1-authentication-methods | Industry News | Fri, 26 Feb 2021 08:30:00 -0500

Duo's two-factor authentication (2FA)/multi-factor authentication (MFA) offers several methods through which users can verify their identity before being granted access to applications. Those methods include push notifications, U2F, biometrics, tokens and passcodes. With 2FA, users prove they are who they say they are by using two of the following items: something they know, something they have or something they are.

After successfully using the first authentication method (usually a username and password), users simply approve a secondary authentication request pushed to our Duo Mobile smartphone app. Users may also authenticate by answering a phone call or by entering a one-time passcode generated by the Duo Mobile app or a compatible hardware token. 

We have created myriad resources that make it easy to get started with Duo. Here are five easy steps to get you on your way. Today, we'll showcase Step 1, in which we cover the various authentication methods Duo offers.

Step 1: Authentication Methods

See the video at the blog post.

If you are considering a trial first, take a look at our Advisory CISO Wolfgang Goerlich's blog, "Trials and Transformations: Test Driving Multi-Factor Authentication and Zero Trust Solutions." In it Wolfgang breaks down how to get the most out of your free Duo trial. 

If you'd like to learn even more, we created this handy dandy Getting Started Resources Guide and 2FA Guide.

How a Popular Company Could’ve Prevented a Phishing Attack
Desdemona Bandini (dbandini@duo.com) | https://duo.com/blog/how-a-popular-company-couldve-prevented-a-phishing-attack | Industry News | Thu, 25 Feb 2021 08:30:00 -0500

The first known mention of the word “phishing” happened in the America Online (AOL) user group named appropriately “AOHell.” Phishing has raised hell ever since. As technology has evolved so has the sophistication of targeted phishing attacks. In this report, we walk through a real-world case study of how a socially engineered phishing attack worked on a popular company, and show you some steps on how it could have been prevented. 

This report guides you through some big questions and answers about phishing, including:

  • What is social engineering?
  • What is spear-phishing?
  • What happened when a popular company was breached?
  • How was the breach successful?
  • How can social engineering, targeted phishing and lateral movement lead to a security breach?
  • Authentication best practices to prevent sophisticated phishing attacks

Phishing is low effort yet very effective at letting attackers steal credentials. In most instances, phishing and socially engineered attacks can be prevented with multi-factor authentication (MFA or 2FA). MFA, a security measure recommended by the Department of Homeland Security, requires proof beyond a password before granting access: something you have (your device), something you are (biometrics), and contextual signals such as location. It is the first layer of a zero trust cybersecurity framework.

We live in a distracted multitasking world that makes it easy to accidentally click without checking out a message thoroughly. Security Boulevard reports 2020 saw an 85% overall increase in all categories of cybercrime for the year, including a more than 600% increase in phishing attacks.

Learn how trusted devices, zero trust, adaptive user policies and more can thwart phishing.

Download Anatomy of A Modern Phishing Attack today and learn how to implement preemptive prescriptive cyber protection for your cloud and on-prem applications and network, and say farewell to phishing threats.

Celebrating Black Pioneers of Technology
Desdemona Bandini (dbandini@duo.com) | https://duo.com/blog/celebrating-black-pioneers-of-technology | Industry News | Wed, 24 Feb 2021 09:00:00 -0500

We are celebrating Black History Month (BHM) all month long on Instagram! Join us and follow along as we post trivia, videos and intriguing facts to celebrate Black History Month. Like this awesome video of some of the Black pioneers of technology: 

See the video at the blog post.

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

Hello, I am CISO Helen. Nice To Meet You :-)
Helen Patton (hpatton@duosecurity.com) | https://duo.com/blog/hello-i-am-ciso-helen-nice-to-meet-you | Industry News | Tue, 23 Feb 2021 00:00:00 -0500

Hello, I am Helen Patton, and I am the newest Advisory CISO at Duo. It may just be coincidence that 2021 is the year in which the original Australian “Mad Max” movie took place. In a post-apocalyptic dystopia, Max fights the breakdown of civilization, resource shortages and institutions to exact revenge against his personal enemies. This has nothing to do with why I’m choosing to come to Duo right now. Really. 

On the contrary, when I say I’m thrilled to be joining the team, I really am. While I was a CISO at Ohio State we partnered with Duo to implement MFA across our organization. Research universities are weird, less like a company and more like a city. There is every type of technology under one institutional umbrella. Some of our customers (aka students) will try very hard to circumvent security controls. You want to manage insider threat? Talk to a Higher Education CISO (note to security product engineers – if you ever want a testbed for your ideas, partner with a university).   

From Education CISO to Duo CISO

Having Duo helped raise the security consciousness of the entire university and medical center. Duo and I go back to Duo’s earliest roots. I am told I am the inspiration for the “CISO Helen” persona. My team forged tight partnerships with our Duo colleagues, which will continue long after I’ve left. I’m looking forward to being part of the Duo team because Duo builds these kinds of relationships all over the globe. I’ve seen what good it can do, and I’m in.

Fair warning, I have some pet peeves about security in general, and as much as I can I will try to convince Wendy and her amazing team to agree with me, and I will be considering these as I advise Duo and our customers:

  • Pet Peeve #1: The finance industry is not the standard for all industries - every other vertical is different. It does no good for healthcare, or retail, or higher education, or a tech start-up, to try to do what finance does – it’s a different model with different risks and different needs. Wall Street banking is not the gold standard for Security – it’s the gold standard for security of Wall Street banking. So, security vendors, stop trying to sell your products by convincing CISOs they’d be as good as a big bank. We don’t care. 
  • Pet Peeve #2: People make rational risk decisions. Yes, they do. I’m inclined to bash my non-security partners for making really bad risk decisions, but the reality is that they make the most logical decisions based on the information they have and the things that motivate them. Just because I don’t understand them doesn’t mean they are not completely valid. Like wearing socks and Crocs. 
  • Pet Peeve #3: I want security products that enable good security actions without making people think too hard first. I want security teams to be spending time on high value things, not cleaning up after a security denier.  
  • Pet Peeve #4: CISOs don’t lack security imagination, but leadership often does. CISOs are forced to get creative on the daily. They have a weird sense of humor, (slightly maniacal) and must find ways through, around and over institutional norms just to get stuff done. Tinfoil hats are part of the uniform. It is no coincidence that security folks share a common love of #dadjokes. Other company leaders rarely share the same sense of humor, or sense of how to incorporate security into delivering the mission. CISOs need help in getting the rest of leadership to see the world like we do. 

There comes a point in every CISO’s tenure when they sit back and think “what’s next?”  Duo is my next place. I’ve learned a lot, and I want a place where I can share all that learning.  Let’s get started.

Zero Trust Meets OS Patch Management
Alex Morgan (amorgan@duosecurity.com) | https://duo.com/blog/zero-trust-meets-os-patch-management | Industry News | Wed, 17 Feb 2021 00:00:00 -0500

New vulnerabilities in our software, and especially in operating systems, surface constantly, in the EU and worldwide. Apple recently released iOS 14.4 to patch three actively exploited zero-days present in earlier iOS versions, likely being used together as an exploit chain. It is one example among many of vulnerabilities that can be mitigated with an available patch.

One of the mantras of organisational defence is “keep your patches up to date.” Very sound advice. Not always practical. So the concern arises: what if I miss something?

In the real world there are often reasons why this can happen. It could be that the device is unknown, off the radar and not part of the inventory. It could be that there are too many devices to update. Remembering back to the WannaCry days, there was a crying need to patch all endpoints.

“A common mantra is "patch everything." But the operational challenges that this poses can be insurmountable. Checking status at the point of entry helps mitigate this risk in a practical and immediate way.” — Richard Archdeacon, Advisory CISO, Duo Security

And there is often only a limited window in which to apply patches. In what we might call a “Critical3” scenario, a critical device may be running a critical process that cannot be stopped at a critical time: a process control device, say, or a month-end payroll run. And what about change control? Often tricky to obtain.

Policy Controls Can Make Sure Patches Are Current

This is one of the reasons the zero trust approach makes sense: there is policy control at the time of access. There are many tools that can scan a network and report on operating system status, or on other potential attack surfaces such as browsers, across devices.

But such a scan is relatively static and may not, for example, include third-party devices. By checking that a device is up to date at the moment of access, and asking the user to update if it is not, a more flexible line of defence is built in.

The policy that determines what update level the device must reach can be implemented rapidly through a centralised set of controls. The user cannot proceed on an outdated and insecure device until the way is clear. This provides a backstop in case a device has been missed by the update programme: if missed, the device is blocked until it is updated.
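As an added example (not Duo’s code, and not how Duo’s policy engine is implemented), here is an access-time posture policy of the kind described here and in the workforce control points of the zero trust post above: per-application rules covering minimum OS version, disk encryption, firewall, screen lock and managed-device status, with an optional grace period during which an out-of-date device is warned rather than blocked, so the user can update at their convenience before the deadline. Network location is deliberately not an input. Policy names, device fields, version numbers and the sample devices are constructed for the example.

```javascript
// Added example (not Duo's code): an access-time device posture policy.
// A request carries the user (already verified by MFA), the device's reported
// posture, and the application requested; the policy for that application
// decides allow / warn / block. Network location is not an input.
// Field names, check names and sample policies are constructed for the example.

// Compare dotted version strings numerically ("14.4" > "14.2", "10.15.7" < "11.0").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Each check returns null when it passes, or a reason the end user can act on.
const CHECKS = {
  minOsVersion: (device, minimums) => {
    const required = minimums[device.os];
    if (!required) return 'unsupported OS: ' + device.os;
    return compareVersions(device.osVersion, required) < 0
      ? 'update ' + device.os + ' to ' + required + ' or later (currently ' + device.osVersion + ')'
      : null;
  },
  diskEncryption: (device, required) => (required && !device.diskEncrypted ? 'enable disk encryption' : null),
  firewall: (device, required) => (required && !device.firewallEnabled ? 'enable the host firewall' : null),
  screenLock: (device, required) => (required && !device.screenLockSet ? 'set a screen-lock password or biometric' : null),
  managedOnly: (device, required) => (required && !device.managed ? 'this application requires a managed device' : null),
};

// Evaluate a request. A failed check blocks unless the policy grants it a grace
// period, in which case it only warns until `gracePeriodDays` have passed since
// this device was first seen failing it for this application. `firstFailure`
// is the server-side memory of those first sightings (device:app:check -> ms).
function evaluateAccess({ user, device, application }, policies, nowMs, firstFailure = new Map()) {
  if (!user.mfaVerified) return { decision: 'block', reasons: ['user identity not verified'] };
  const policy = policies[application];
  if (!policy) return { decision: 'block', reasons: ['no policy for application ' + application] };

  const blocks = [], warnings = [];
  const grace = policy.gracePeriodDays || {};
  for (const [name, param] of Object.entries(policy.checks)) {
    const reason = CHECKS[name](device, param);
    if (!reason) continue;
    if (grace[name] === undefined) { blocks.push(reason); continue; }
    const key = device.id + ':' + application + ':' + name;
    const since = firstFailure.has(key) ? firstFailure.get(key) : nowMs;
    firstFailure.set(key, since);
    const daysFailing = (nowMs - since) / 86400000;
    (daysFailing > grace[name] ? blocks : warnings).push(reason + ' (grace period ' + grace[name] + ' days)');
  }
  if (blocks.length) return { decision: 'block', reasons: blocks.concat(warnings) };
  if (warnings.length) return { decision: 'warn', reasons: warnings };
  return { decision: 'allow', reasons: [] };
}

// Constructed sample policies: the high-risk application is stricter than the low-risk one.
const MIN_OS = { iOS: '14.4', macOS: '11.2', Windows: '10.0.19042' };
const SAMPLE_POLICIES = {
  payroll: { // high risk: managed devices only, no grace period for OS updates
    checks: { minOsVersion: MIN_OS, diskEncryption: true, firewall: true, screenLock: true, managedOnly: true },
  },
  wiki: {    // low risk: personal devices allowed, OS updates may lag up to a week
    checks: { minOsVersion: MIN_OS, diskEncryption: true, firewall: false, screenLock: true, managedOnly: false },
    gracePeriodDays: { minOsVersion: 7 },
  },
};

module.exports = { compareVersions, CHECKS, evaluateAccess, SAMPLE_POLICIES };
```

Run against a managed Mac on 11.1, the policy blocks payroll outright but only warns on the wiki for the first seven days, after which the same device is blocked there too; an unmanaged phone on a current iOS reaches the wiki but never payroll. The decision carries the reasons so that the end user, not just the administrator, sees what to fix.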

The question may arise as to why this is needed if the user has to authenticate themselves and prove their identity.  Isn’t confirmation of identity sufficient to establish a level of trust?  

Maintaining Trusted Endpoint Security

A trusted identity does reduce risk enormously. However, a compromised device combined with increased user trust may lead to increased risk. The user will be given access because they are trusted, but an attacker may have gained control of the device, and thus established a trusted path to the organisation’s resources. So trusted user and trusted device are complementary controls. Again, having both managed by rapidly enforced policies means flexible controls at the point of access.

“Trusted access gives you a backup option if you don’t have visibility of a device. It helps you check the unknown and make sure it is known.” — Richard Archdeacon, Advisory CISO, Duo Security

When focused on the endpoint, this cannot be achieved without the human touch. It is the business colleagues who then become the first line of defence. They are the people asked to make the update and raise the defence levels. So it is important to ensure that they are provided with tools that are easy to use. They are not there to do security. They are there to do their daily jobs. So make it easy.

Supporting Your Colleagues With Security Awareness

In addition, make sure that your colleagues are well-trained. Not with the usual awareness training. But in how they are helping protect the organisation. And in a BYOD (bring your own device) world, how they are protecting themselves.  

Enable them to update, where possible, at their convenience rather than with a forced update. Security should fit in the work day.  This may help to create a greater level of trust between the security teams and the colleagues who they protect and support.

This approach will reduce the risk of the unknown device, the time lag as change control is obtained and the need to schedule an update in an operational environment. 

And so with this approach perhaps the question can now be “So what if I miss something? I am good.”

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Celebrating Black History Month on Insta]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/celebrating-black-history-month-on-insta https://duo.com/blog/celebrating-black-history-month-on-insta Industry News Sun, 14 Feb 2021 00:00:00 -0500

It has been a year for change and social justice. At Duo we care a lot about these things. In fact, did you know Duo has an Instagram account? We do, and all month long we are posting trivia, videos and intriguing facts to celebrate Black History Month.

Here is a sneak peek video preview of some of the content we are putting together this month on the Insta. 

See the video at the blog post.

Follow along on our Instagram account all month long!

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

<![CDATA[How To Secure Remote Access Right Now]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/how-to-secure-remote-access-right-now https://duo.com/blog/how-to-secure-remote-access-right-now Industry News Thu, 11 Feb 2021 00:00:00 -0500

Times have changed and the need to provide secure remote access has gone from a nice-to-have perk for a few remote workers to an all-encompassing need for any and all workers moving forward. But many companies were not set up to move to a virtual remote work environment, let alone a secure one. In this new age of remote work, many new BYO (bring your own) personal devices that are unmanaged by an MDM (mobile device management) system still need access but can pose a greater security risk. Fear not, there is a simple solution to this problem.

As the months and years tick by, secure remote access is the name of the game and the most effective and efficient way to keep workers productive. Identity access management is crucial to protecting internal systems, while allowing workers to connect remotely from any device is necessary to completing work. Since the lion’s share of breaches begin with stolen credentials, protecting user logins is key to security.

The most effective way to protect credentials is through MFA or 2FA (multi-factor authentication, also known as two-factor authentication).

MFA takes a zero trust approach to security by automatically denying all access until credentials can be verified multiple ways, like through your location, your device, your fingerprint and more. 

There are many pitfalls to remote access that hackers rely on. We have put together “The Essential Guide to Securing Remote Access” as a free resource to help you understand the issues and concerns around remote access and how you can remedy them safely, easily and cost effectively. Take a look and learn how you can secure your remote workforce right now without a rip-and-replace.

<![CDATA[Second-Guessing the CISO in an Emergency]]> wnather@duo.com (Wendy Nather) https://duo.com/blog/second-guessing-the-ciso-in-an-emergency https://duo.com/blog/second-guessing-the-ciso-in-an-emergency Industry News Tue, 09 Feb 2021 00:00:00 -0500

Don’t do it.

Look, I know it’s personally gratifying, but just don’t do it. It’s easy to look at what appears to be a badly secured situation and say, “Why didn’t they just do X?” But I’d like to show an example of the kinds of constraints that organizations have to work with, and why they may make decisions that you don’t understand from the outside.

Let’s say that as a state or local government entity, you have to put together and launch a website on short notice. Something has come up, and citizens need to be able to sign up for an important and potentially life-saving … resource. Service. I’m being vague here. 

Setting Up an Instant Registration Database

You don’t know who’s going to sign up and register, and you don’t have time to integrate it with any databases you have with citizen data in order to uniquely identify and authenticate them. Besides, if you don’t need to verify their identities in order to get them this resource, you shouldn’t try to get fancy, because uniquely identifying citizens of all ages is harder than it sounds, and you’re in a hurry. All you know, and can maybe ask for, is one piece of data that won’t cost your citizen anything extra, can be used to contact them, and is hopefully used only by them. Yep, we’re asking for an email address.

So, quick and cheap: we ask for an email address and full name, and we register that citizen, using the email address as the user name. That’s a very standard procedure; we’re not going to assign the citizen a different login name, because generating millions of unique login names and building a logic flow to email their forgotten username to their email address is too onerous for the layer of supposed protection it gives. (Ask me how I know this.) 

Setting Up an Instant Unique Login

Then we want to set a password for that registered citizen account, because in order to deliver the service, we are asking for some personally identifiable information (PII) that we now need to protect as best we can. We can’t force the citizen to choose a “good” password, because again, once you go down the rabbit hole of enforcing password quality, you’re going to introduce more friction in front of a potentially life-saving resource, and you’ll have annoyed citizens calling a help desk that does not scale to a sudden flood of ALL your citizens. 

So we do the next best thing: we email the address of record after the account is created, and give them the necessary information to come back and set their own password. This does a bit of authentication by proving possession of the email address that was registered. (Yes, we know they’re probably going to reuse the password they remember best. It’s a natural law at this point.)

I hear you asking: what about multi-factor authentication (MFA)? Shouldn’t we be setting that up if there’s citizen PII being protected? We can’t, because we can’t assume that every citizen has their own phone (for SMS messages or an app), and we certainly don’t have the time or budget to mail out a token, a smart card, or even a PIN on a piece of paper. 

Think of adults who are trying to register their parents in nursing homes; think of parents trying to register their children.

You can imagine that one person — the only one in a family comfortable with technology — might be sitting there registering all their family members one by one, directing them all back to the same email address. This isn’t good if you’re trying to index these registrants by email address, but if I were the “designated registrar” in the family, that’s totally how I would do it. If I have to come up with a throwaway email account for my five-year-old, I’m going to be annoyed.

So, yikes! Can we do anything else to protect the citizen from having their access to this resource stolen through account takeover attacks? Email addresses are easy to find and guess and brute force; we know the passwords they choose aren’t going to be that great. Anything?

The Problems With Email as a Unique Identifier

Well, let’s try obfuscating the email address a little bit by adding some characters to the end of the login name. Not randomly; we’ll add the same characters to all of them so that we know to snip them off when we’re actually sending an email to that address.

I did start to scream a little inside my own head when I saw this technique being used. It requires the citizen to pay close attention to the email confirming their registration, because otherwise they’ll be assuming their login name is exactly the same as their email address. They’re going to have trouble logging in, assume it’s that the password is wrong, and they’ll end up calling that poor beleaguered help desk.

And the obfuscation is only going to work for as long as it takes an attacker to register themselves at this site, see how the login name is transformed, and then go back to brute-forcing. On the other hand, if the user does call in for support and does know the full login name, the extra characters might be used to tell the help desk which application they’re trying to log into. If you squint, you can almost see the logic behind that.

I squinted. And then I thought: well, how would I have done this myself? How do you protect citizen data in an ad-hoc registration system, and protect against account takeover attacks, without having any ability to use MFA or strengthen any of the other authentication factors?

Without spending extra budget that was never planned for this, and without blocking swift access to potentially life-saving services? How do you reach the maximum number of people, who have varying levels of poverty, Internet access, and technical knowledge, and stand up this service by next week?

Sometimes “Good Enough” Wins

Sometimes “good enough” is the best that you can do in a pinch. I can well imagine the design discussions that went on in a hurry -- over phone lines or video calls or text messages -- to model threats, mitigate risks, and simplify the user experience while saving taxpayer money and working to an impossibly short deadline. There were probably other constraints that I don’t know about and never will (“the only server we have available for this is running Windows 2000”). We live on to fight the good fight another day.

I’ll just raise a glass to the team that managed to get it operating. You should too.


<![CDATA[In Search of… ISO 27001:2013, 27017:2015 & 27018:2019 Certification]]> csteiner@duosecurity.com (Chelsea Steiner) https://duo.com/blog/in-search-of-iso-27001-2013-27017-2015-27018-2019-certification https://duo.com/blog/in-search-of-iso-27001-2013-27017-2015-27018-2019-certification Industry Events Mon, 01 Feb 2021 08:30:00 -0500

We are proud to announce that Duo has achieved ISO 27001:2013, 27017:2015, and 27018:2019 certification!

Ever wondered how a screw manufactured in the United States has the same screw threads as a screw manufactured in Lithuania? You can thank ISO for that! 

ISO is responsible for issuing internationally-accepted standards for (seemingly) everything, from a standard for brewing tea (3103:2019) to ski boots (5355:2005) to the two-letter country code that can form a country’s domain address (3166) to standards for information security.

What is ISO 27001:2013, 27017:2015 and 27018:2019?

ISO 27001, 27017 and 27018 (colloquially referred to as the 27000 series) are a set of security standards that were developed to help organizations improve their maturity and protect their intellectual property and data in a scalable and verifiable way. 

To achieve certification, Duo was audited by an accredited external auditor, Coalfire, who verified Duo’s control environment and assessed the implementation of our controls. Our external auditors used the information collected via meetings and evidence to make the determination that Duo meets the requirements for certification.

An ISO 27000 series certification is valid for three years and requires an annual surveillance audit to ensure continued compliance for the lifespan of the certification. 

What’s the benefit of ISO 27001:2013, 27017:2015 and 27018:2019 certification to our customers?

The ISO standards for information security are viewed as the global standard for information security. While other certifications may take center stage in the US and North America, the ISO 27000 series is the most accepted standard internationally and provides our customers and partners with valuable information about the internal processes and procedures that help keep Duo secure. 

"As a provider of security controls that are critical to our customers, Duo strives to provide a trustworthy and transparent vendor security experience that provides our customers with the utmost confidence. Duo’s achievement of certification for ISO 27001, 27017, and 27018 represents a significant milestone in this effort and the latest example of third-party validated evidence of effective and trustworthy management of our security responsibilities to our customers." —Josh Yavor, CISO, Duo Security, now part of Cisco.

Beyond the utility of the certification itself, the ISO 27000 series of standards forms the bedrock for many regional and industry-specific certifications, which gives Duo the opportunity to pursue more targeted compliance opportunities in the future.

View Duo's ISO 27000 certificates:

Links to ISO standards:


<![CDATA[Practical Suggestions for EU CISOs From the Authorities]]> rarchdeacon@duosecurity.com (Richard Archdeacon) https://duo.com/blog/practical-suggestions-for-eu-cisos-from-the-authorities https://duo.com/blog/practical-suggestions-for-eu-cisos-from-the-authorities Industry News Thu, 28 Jan 2021 08:30:00 -0500

If you worry about a data breach (and who doesn’t?), you might be wondering how a CISO can prepare to face the authorities.

Privacy and data breaches go hand in hand. We have all been bombarded with information around GDPR and similar regulations. As with all requirements, the key issue is how to prepare, and what is acceptable to the regulators.

This is becoming increasingly significant in the EU as privacy becomes more of a consumer concern, and lawyers become more aware of the opportunity a breach provides. As an observation, while listening to the UK Information Commissioner giving evidence on online harm and disinformation to a Parliamentary committee this week, one interesting fact that came to light was that the regulator had recently increased their team by 85%. They are taking this seriously.

As if lawyers and regulators weren’t enough, we are also dealing with the constant emphasis on digital transformation; the disappearance of the perimeter and decreasing visibility across our assets. Businesses will want to move even faster and with greater flexibility. A perfect storm.

How To Prepare for Compliance

It is therefore very useful to have a viewpoint, based on multiple use cases, on how an organisation should prepare, or at least how it should prioritise its planning.

What is helpful is that the EDPB guidelines are based on use cases and provide a set of basic comments on standards and response capability.

There are 18 cases discussed. The EDPB use cases cover a range of scenarios such as ransomware, data exfiltration, human error, social engineering and lost devices. At a high level the structure is: case, description, prior measure, mitigation and obligations and a simple table of actions required. So not detailed — but a useful view as to future expectations. 

The guidelines are out for comment so others are encouraged to submit their views and observations.  

This certainly is worth a look to help prepare CISOs and may well be useful when communicating the security story internally to other stakeholders, or simply as a check on what security capabilities are in place already.


<![CDATA[What To Do if You Must Use SMS]]> wnather@duo.com (Wendy Nather) https://duo.com/blog/what-to-do-if-you-must-use-sms https://duo.com/blog/what-to-do-if-you-must-use-sms Industry Events Mon, 25 Jan 2021 08:30:00 -0500

There are many known risks in life that you simply can’t get rid of altogether. 

Despite everything we know about the risk of SIM hijacking as a vector of compromise, there’s no way that we can reasonably tell organizations to stop using SMS authentication. For one thing, not everyone owns a smartphone; you can’t force third parties and users outside of your control to switch to the device you prefer, or even agree to install a specialized app. SMS is the greatest common denominator in terms of global reach, user familiarity and openness; it’s the fallback when you need an out-of-band confirmation and you can’t rely on email, hard tokens or U2F keys.

To mitigate this risk, you can try user education, out-of-band notification, or adding more authentication factors.

User Education

User education is where you train the user to distinguish between legitimate actions and suspicious ones in the authentication process. For example, there are efforts to standardize the format of a one-time SMS code so that apps and people alike can detect when it’s not coming from the original site, but rather from an attacker. In essence, you are relying on the user to perform some or all of the detection: if an auto-fill mechanism isn’t being triggered to enter the SMS code into the authentication field, the user is supposed to realize that this might indicate a phishing attack. 

This mitigation has the advantage of being technologically feasible, but it has the disadvantage of depending on your entire population of fallible, unevenly skilled, carbon-based life forms to pay attention and notice something subtle every time it happens. Let me know how that works out for you. 

Out-of-Band (OOB) Notification

When you don’t fully trust one communication channel, you supplement it or bypass it with another one. In this case, if you are concerned that one prevention method has failed (that is, you think an attacker has taken over control of a user’s registered phone number in order to receive phone calls or SMS messages), you set up an alerting function that uses something else that ought to be remaining in the user’s possession. A notification by email, a direct message through another application, or even an alert sent to a third party (such as an administrator) are all options. 

As the old saying goes, “What you cannot prevent, you must detect.” The detection and subsequent notification should all be done by separate systems that don’t rely on what the attacker has already obtained and controls.

For example, when a Duo user enrolls a new device, you can use the auth log data and your alerting tools to send a notification to the user, to the Duo administrator, or both. This can help alert you to an unauthorized enrollment by an attacker.

Another example: if a user calls the help desk on a voice line and claims to have forgotten their password, the help desk can send a Duo push notification to the user’s mobile device of record to confirm that it really is the same person. The user must respond to the push to prove that they do have possession of that instance of the app. A chat bot can be used to send an out-of-band notification through a corporate messaging app: “Did you really mean to do this?” The key is to compensate for the risk that an attacker might have possession of the victim’s phone number and therefore be able to see and respond to SMS messages.

Adding More Authentication Factors

You may have to rely on SMS in some cases, but that doesn’t mean it needs to be the only factor being used. Consider that some factors can be stolen silently, such as a username, password, or the control over a phone number. Others can’t be stolen without someone noticing.

If a U2F key goes missing that is attached to the user’s keyring along with car and house keys, it won’t be long before that user notices the theft. A smart card, a biometric, or access to an endpoint device such as a laptop that requires specialized hardware components to work, all mean that on top of swapping a victim’s phone SIM, the criminal must also steal or duplicate a variety of devices, readers, and software. With every layer that you add, the attacker’s job becomes more difficult and prone to detection. 

If you have less trust in SMS as a standalone authentication factor, then you can implement a policy that prevents it from being used by itself. If SMS is used on an exception basis, you might also require the geolocation to be in a predetermined range. Or if it’s used regularly, you could require the access to be only from a device that is registered as trusted and belonging to that user. 

An attacker might steal the user’s phone number without the physical phone going missing, but if the user can only access resources through their registered laptop, then the attacker would have to steal that too. 
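The two compensating controls described above, an out-of-band alert on new-device enrollment (driven from authentication log data) and a policy that refuses SMS as the sole second factor unless the device is registered as trusted or the request is an approved exception within an allowed geolocation, as one added example. This is not Duo's code: the log record layout, the user directory, the factor names and the allowed-country set are constructed stand-ins, not Duo's actual schema or configuration.

```python
"""Compensating controls for SMS-based authentication (added example).

1. enrollment_notifications(): flag successful new-device enrollments found in
   authentication log records and route an alert to the user's email and to
   the administrators, i.e. channels an attacker holding the victim's phone
   number cannot see.
2. evaluate_policy(): allow a request only if the second factor cannot be
   stolen silently, or, when it can (SMS, phone call), only from a registered
   trusted device or by exception inside an allowed geolocation.

All record fields, addresses and constants below are constructed for the
example and are not Duo's real schema or settings.
"""
import json

# Constructed sample log (newline-delimited JSON); every value is made up.
SAMPLE_LOG = """\
{"ts": 1611571200, "event_type": "authentication", "result": "success", "factor": "duo_push", "user": "alice", "ip": "203.0.113.10"}
{"ts": 1611571260, "event_type": "enrollment", "result": "success", "user": "bob", "ip": "198.51.100.7"}
{"ts": 1611571380, "event_type": "authentication", "result": "failure", "factor": "sms_passcode", "user": "carol", "ip": "192.0.2.44"}
{"ts": 1611571440, "event_type": "enrollment", "result": "success", "user": "carol", "ip": "192.0.2.44"}
"""

# Constructed directory: a contact channel that does not depend on the
# user's phone number, so a SIM hijacker cannot intercept the alert.
USER_EMAIL = {"alice": "alice@example.com", "bob": "bob@example.com",
              "carol": "carol@example.com"}
ADMIN_EMAIL = "duo-admins@example.com"

# Factors an attacker can obtain without the victim noticing (the post's
# "stolen silently" category); anything else is assumed to be noticed.
SILENT_FACTORS = {"password", "sms_passcode", "phone_call"}
ALLOWED_COUNTRIES = {"US", "GB"}  # constructed range for SMS-by-exception


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def enrollment_notifications(records):
    """Return one notification per recipient for every successful enrollment:
    one to the user (email, never SMS) and one to the administrators."""
    notes = []
    for rec in records:
        if rec.get("event_type") != "enrollment" or rec.get("result") != "success":
            continue
        body = (f"New device enrolled for {rec['user']} "
                f"from {rec['ip']} at {rec['ts']}; was this you?")
        # Unknown users still produce an admin alert rather than being dropped.
        notes.append({"to": USER_EMAIL.get(rec["user"], ADMIN_EMAIL), "body": body})
        notes.append({"to": ADMIN_EMAIL, "body": body})
    return notes


def evaluate_policy(request):
    """Decide an access request and return (allow, reason).

    request keys: 'factors' (iterable of factor names), optional
    'trusted_device' (bool), 'exception' (bool) and 'country' (ISO code).
    """
    second = set(request["factors"]) - {"password"}
    if not second:
        return False, "a second factor is required"
    if second - SILENT_FACTORS:
        return True, "second factor present that cannot be stolen silently"
    # Only silently stealable factors remain (SMS or phone): constrain them.
    if request.get("trusted_device"):
        return True, "silent factor accepted from registered trusted device"
    if request.get("exception") and request.get("country") in ALLOWED_COUNTRIES:
        return True, "silent factor accepted by exception within allowed geolocation"
    return False, "SMS/phone cannot be the sole second factor from an untrusted device"


if __name__ == "__main__":
    for note in enrollment_notifications(parse_log(SAMPLE_LOG)):
        print(f"notify {note['to']}: {note['body']}")
    for req in ({"factors": ["password", "u2f"]},
                {"factors": ["password", "sms_passcode"], "trusted_device": True},
                {"factors": ["password", "sms_passcode"], "country": "US"}):
        print(req, "->", evaluate_policy(req))
```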

The trick is to use layers, combinations and constraints that conform to what the user normally does anyway; this should keep that user from encountering the friction that you want the attacker to run into. And, if the user needs an exception made (for example, their laptop isn’t working or their dog swallowed the hard token), plan for an alternative authentication flow that makes use of factors that are hard to steal silently or to impersonate.

SMS isn’t as bulletproof as some may have thought in the past, but that doesn’t mean it doesn’t still have its uses. It’ll be with us for a long time. If you craft your authentication process while keeping in mind its strengths and weaknesses, you can still keep it as a part of your portfolio.


<![CDATA[Future Forward: Cybersecurity 2021 Predictions]]> wgoerlich@duosecurity.com (J. Wolfgang Goerlich) https://duo.com/blog/future-forward-cybersecurity-2021-predictions https://duo.com/blog/future-forward-cybersecurity-2021-predictions Industry News Thu, 21 Jan 2021 08:30:00 -0500

It’s 2021. Where is my encryption-breaking dolphin?

I admit it. I watched Johnny Mnemonic. It is set in 2021, after all. I wager there was no better way to prepare for my predictions blog. There will be spoilers ahead, both for the year to come and for the cyberpunk cult classic.

Any Device, Any Location, Any Service

From Beijing to Newark, Johnny accesses the Internet from borrowed computers and back alleys. In this fictional 2021, the act of carrying around a corporate laptop is long past.

Personal devices have long outnumbered corporate devices. In fact, it’s very common to deploy Duo and find people are using many more personal devices than expected. For example, take the case of the enterprise healthcare system discovering 30,000 unknown devices last year. 

Personal workspaces outnumbered corporate offices in 2020. People working from home accounted for more than 66% of economic activity, and 42% of the labor force, in the U.S. in 2020 according to Stanford. Work isn’t done on-premises.

In 2021 Cloud Apps Surpass On-Prem Apps

In 2021, the use of Cloud apps will overtake on-premises apps. For a while, Cloud services have outnumbered on-premises services. But in terms of strong authentication, as identified in the 2020 Duo Trusted Access Report, there’s a clear trend line which will result in Cloud apps as the primary way people are working.

Security teams continue to grapple with how to secure this any device, any location, any service way of working. Expect more work to be done on securing the endpoint devices themselves. 

Zero Trust initiatives, already underway in many organizations, will mature and provide assurances over context and conditions of authentication. With traffic not coming from corporate offices and not going to corporate data centers, organizations will also look to move visibility and detection to the edge, perhaps with Secure Access Service Edge (SASE) initiatives.

Dropping Passwords

In the actual year 2021, we do have some recognition-based authentication. Select the images, and you’re in. Of course, some people also authenticate with QR codes, and smart links, PINs, smart cards, and certificates, biometrics, along with a multitude of other factors. If you want options, we have options.

Before we declare 2021 the year of passwordless, however, let’s acknowledge some of the concerns. As I mentioned in my 2020 review, the pandemic response pushed many IT initiatives off into 2021 and 2022. Organizations are cautiously evaluating passwordless to ensure improvements in usability, manageability, and defensibility. Given the factors and the impact on change, the emphasis is on increasing trust in authentication first, and changing the primary factor second. 

Going Passwordless

Passwordless will be on the roadmap for 2021 in many organizations. Expect to see security teams running proof-of-concept projects and evaluating direction. To have full confidence that changing the primary factor won’t adversely change the security posture, work will need to be done ahead of time to increase authentication trust.

Data Protection

Johnny stores 320 GB of medical data, the cure for the fictional nerve attenuation syndrome, in his head. This sets the clock because Johnny’s capacity is only 80 GB, 160 GB when compressed. If he doesn’t remove the extra data within a few days, Johnny will die.

Let’s address the one unrealistic detail in Johnny Mnemonic. No, not the dolphin. Not the cybernetically enhanced people. And I don’t mean the 3D Internet, either. I’m speaking, of course, about storage capacity.

First, anyone today can pick up a 512 GB USB flash drive. No long-term human memory required. Second, no storage technology today, no RAID, no compression, would allow 320 GB to fit onto 160 GB and set a death clock. Finally, if the vaccine science is a baseline, that’s not nearly enough space for healthcare data.

Last year, it was reported that adversaries were attempting to steal COVID-19 vaccine data. Hundreds of terabytes of data. 

Protecting Against Data Theft

We can expect the trends on data theft and ransom to continue. Ransomware will continue to hit organizations. Criminals will continue to steal and resell data. Security teams must continue to find better ways to provide data protection. Too often, the app is used as a placeholder for the data. For example, we say we are protecting healthcare data because we are protecting the Epic application. Standards and requirements will shift closer to requirements on data, leading security teams to reconsider their data governance.      

Final Future Thoughts

The opening scenes find Johnny navigating a crowd of protesters wearing masks. Throughout the movie, Johnny coordinates his next steps over video conferencing calls. These ring painfully accurate as we witness the unrest, discuss it over web meetings, and wear masks out in public. We will be many months into 2021 before it begins to feel normal again. But I view this with hope. Some things have changed. Other things will return. Along the way, we have demonstrated the combined ingenuity of IT and security. 

We have much to build, to clean up, to correct. As they say in Johnny Mnemonic: Get your VCR's ready! It’s go time.

<![CDATA[Cloud and Remote App Access Climbs Skyward]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/cloud-and-remote-app-access-climbs-skyward https://duo.com/blog/cloud-and-remote-app-access-climbs-skyward Industry News Mon, 18 Jan 2021 08:30:00 -0500

The 2020 Duo Trusted Access Report shows a significant increase in year over year growth in remote access and the use of cloud applications. Cloud applications are more flexible, scalable and accessible remotely than typical on-premises applications.

Securing the cloud was once a barrier to entry, but MFA (multi-factor authentication) has paved the way for an easy and effective way to secure remote and cloud access. Duo’s data shows a 60% increase in authentications to VPN and RDP applications to further secure sensitive data.

This news report just in.

See the video at the blog post.

Learn How Industries Are Securing User and Endpoint Access

The 2020 edition of the Duo Trusted Access Report analyzed over 26 million devices, 500 thousand applications and more than 700 million authentications per month to gain deep insight into user security behaviors and endpoint security. The report reveals what industries large and small are using to secure identity management and to enable secure trusted access for their remote workforce.

This report is chock full of analyzed cybersecurity data points to help you understand how organizations are protecting access and mobile device security in this new reality of a mostly remote workforce.

Download the free 2020 Duo Trusted Access Report.


<![CDATA[How Are Companies Using Device Policies to Thwart Cyber Threats?]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/how-are-companies-using-device-policies-to-thwart-cyber-threats https://duo.com/blog/how-are-companies-using-device-policies-to-thwart-cyber-threats Industry News Thu, 14 Jan 2021 08:30:00 -0500

Companies used to rely solely on corporate networks, MDM (mobile device management) and VPNs blocking unrecognized devices as key cybersecurity protection measures. According to the 2020 Duo Trusted Access Report, companies are now ensuring endpoint security is up to snuff through granular policy controls to determine which devices can gain trusted access. 

Policy controls can set multiple parameters for access like location, device type, device health, biometrics and more. By setting detailed policy controls companies can seamlessly protect and block access from devices that do not meet the defined criteria and thwart cyber threats.

This news report just in.

See the video at the blog post.

Learn How Industries Are Securing User and Endpoint Access

The 2020 edition of the Duo Trusted Access Report analyzed over 26 million devices, 500 thousand applications and more than 700 million authentications per month to gain deep insight into user security behaviors and endpoint security. The report reveals what industries large and small are using to secure identity management and to enable secure trusted access for their remote workforce. 

This report is chock full of analyzed cybersecurity data points to help you understand how organizations are protecting access and mobile device security in this new reality of a mostly remote workforce. 

Download the free 2020 Duo Trusted Access Report.

<![CDATA[A 5-Step Guide to Implementing Zero Trust in the Workforce]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/a-5-step-guide-to-implementing-zero-trust-in-the-workforce https://duo.com/blog/a-5-step-guide-to-implementing-zero-trust-in-the-workforce Industry News Wed, 13 Jan 2021 08:30:00 -0500

As the cybersecurity industry continues to pivot towards a zero trust model to ensure only trusted access is granted, companies are looking for guidance on how to adopt zero trust principles into their security practices.

The zero trust model rose out of changes brought by mobility, consumerization of IT and cloud applications. And while the term zero trust continues to infiltrate IT security conversations, it raises an important question: how do we get there?

Zero trust is a philosophy that can be broken down into actionable steps in a five-phase approach. We developed the white paper “From MFA to Zero Trust: A Five-Phase Journey to Securing the Workforce” to guide you through the notable steps in your journey. Consider this white paper your blueprint to getting started with zero trust. 

In this guide you will learn: 

The five phases of Zero Trust for the Workforce and how to implement them: 

  1. Establish user trust
  2. Device and activity visibility
  3. Device trust
  4. Adaptive policies
  5. Zero Trust for the Workforce

And within each phase of the journey is a self-contained project that covers:

  • Description and objectives
  • Transformation
  • Components and challenges
  • Metrics

Use this white paper as a resource on how to implement Zero Trust for the Workforce. By evaluating and completing the projects within each phase, you will be well on your way to achieving zero trust security to protect your workforce. 

It is possible to secure access to all applications (cloud or on-premises) from anywhere in the world on any endpoint device with a single, easy-to-use and elegant solution.

Ready to get started? Download the free white paper “From MFA to Zero Trust: A Five-Phase Journey to Securing the Workforce” today.

<![CDATA[My 2020 Predictions Revisited: What Worked, What Didn't]]> wgoerlich@duosecurity.com (J. Wolfgang Goerlich) https://duo.com/blog/my-2020-predictions-revisited-what-worked-what-didnt https://duo.com/blog/my-2020-predictions-revisited-what-worked-what-didnt Industry News Fri, 08 Jan 2021 08:30:00 -0500

“Turns out, people aren’t all that good at predictions,” I wrote in my 2020 article. How true this turned out to be. Few could foresee the turns 2020 would take. Yet, some of what we were looking for did come to pass. Here’s a look back at those predictions.

Cyber Crime in 2020

I predicted that, with money still being the top motivating factor for crime, criminals would blend techniques and technologies into new, unforeseen attacks. This was partially true, with incremental advances in most crimeware packages. With the world’s attention shifting, phishing emails preying on people reading the latest headlines led to a nearly 200% increase in overall phishing attacks in 2020. Ransomware saw a similar increase in attacks, with updated platforms like WastedLocker. But overall, more of the same was the theme in crime in 2020.

Hacktivism Increase

I expected hacktivism to return, after declining since its peak in 2015. This was based on worldwide protests. With 2020, protests came to the USA. There was a rise in web defacements and data theft. Some 200 police departments had records exposed. The classic distributed denial-of-service (DDoS) tactic is still in use. Hacktivism also moved up the stack in 2020, disrupting events through social media. I expect this trend to continue in the near-term as the unrest continues.

Defenses in 2020

The rapid shift to remote work this year propelled digital transformation, cloud adoption, and securing it all with zero trust principles. I’m tempted to say 2020 was the year of zero trust. However, a Google search turned up such proclamations for 2018, 2019, 2020, and even 2021. Setting that aside for the moment, a significant number of organizations deployed strong authentication, adaptive and risk-based access, endpoint device health, and brought these tactics together to secure people working in ways we never imagined back in 2019.

User and entity behavior analytics (UEBA) made significant strides as one way of determining trust in a zero-trust architecture. The other prediction I made was passwordless authentication being on the security roadmap in 2020. Well, it was. But then it wasn’t. 

As one CISO shared with me, “Our crisis response and subsequent focus on securing productivity pushed new initiatives to 2021.” We continue to chip away at the password; however, removing passwords as the primary factor will take a bit more time than I originally thought.

Final Thoughts

With 2020 in our rearview mirror, we can now look ahead to what another year brings. Periods of rapid change, periods of unforeseen turmoil, are difficult on us all. The optimist in me points to how this year has accelerated innovation, and how this year shone a spotlight on what technologists can do. We witnessed the largest migration in human history, a migration from the physical to the digital. We stood up. We made it happen. We secured it. Now, onward.

<![CDATA[Farewell Flash, Forevermore]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/farewell-flash-forevermore https://duo.com/blog/farewell-flash-forevermore Industry News Thu, 07 Jan 2021 00:00:00 -0500

Dear Flash,

You helped us get our coding legs with Dreamweaver on sites like MySpace and the early web, but you were easily overtaken and hackable. The security and performance holes in your programming famously led Steve Jobs to ban you from hardware running the iOS operating system in his 2010 open letter “Thoughts on Flash.”

By 2017, your end of life (EOL) fate was cemented when Adobe, Apple, Google, Microsoft, Mozilla and Facebook agreed to phase your content and technology out of their products. But we kept you installed because there were those sites that ran you that we couldn’t live without.

From then on, your decline was inevitable. Flash usage in browsers fell off a cliff, dropping from 76% in 2017 to 31% in 2018, according to Duo’s 2020 Trusted Access Report. Just 10 years ago, Flash, you boomed with a user base of 99%. In 2020, Duo’s data showed less than 20% of browsers supported Flash, which will presumably end in 2021.

Flashforward to Jan. 12, 2021, the date your creator Adobe has set to pull the plug on you. Now the only message we get from you is a reminder to uninstall you.

In the release notes for the final scheduled Flash Player release, Adobe wrote: “...Adobe will block Flash content from running in Flash Player beginning January 12 2021; Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.”

So as with all beginnings, there comes an end. We like to think of it as retirement. As we bid you adieu, we put together this video to say farewell, Flash, forevermore. 

See the video at the blog post.

Learn all about Flash fizzling and much more in the 2020 Duo Trusted Access Report. Download it for free today!

<![CDATA[Reducing Risk to the Enterprise With Trusted Devices]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/reducing-risk-to-the-enterprise-with-trusted-devices https://duo.com/blog/reducing-risk-to-the-enterprise-with-trusted-devices Industry News Sun, 03 Jan 2021 08:30:00 -0500

It has been a long, hard slog to get to this point in the year. Not all that long ago we were plagued with the mentality that businesses needed to have butts in seats to get things done. If this past year has taught us nothing else about remote work, it is that it is a viable option.

There was the initial mad rush for companies as they had to pivot (in some cases almost overnight) to having their workforce spread to the four winds. Organizations had to make do with the hardware that they had on hand. In some cases, they had to send desktops home with their staff in lieu of laptops. 

Many organizations have been on a remote work footing for at least 10 months now. I’ve been very fortunate to have a couple of CISO round tables per week since March, and I have been able to witness the shift in organizational responses from triage and firefighting to a more strategic view of how remote work will manifest in the years to come.

There have been challenges, to be certain. One of the earlier and more prevalent items of discussion was scaling to meet the demand of a remote workforce. VPN deployments that may have historically been undersized had to ramp up in short order to meet the new demands. Companies had to contend with how they were going to assess the security posture of devices connecting to their networks. Decisions were made. There was a requirement to keep the lights on and keep business rolling wherever possible.

Now we have been able to settle in with a better understanding of how to handle our remote workforce requirements. These last 10 months have given security practices the ability to make changes that better democratize security for their employees.

Not every zero-trust approach to securing the workforce is created equal - our guide will outline the requirements your solution should have to support a modern organization.

Zero Trust and Remote Workers

So, what do I mean by that? When we look at the world through a zero trust lens, it’s all about reducing the risk in our organizations and reducing the cost of security through streamlined processes and tools. Looking beyond that, the end goal is to make it as easy as possible for remote staff to get their jobs done safely and securely without having to worry about the security tools.

People are very good at what they do. For instance, finance or human resources personnel are not necessarily going to have a firm grasp of cybersecurity, nor should they be expected to. For those of us running security programs, we need to make life easier while maintaining a high level of security. Providing staff with security tools that enable them to self-manage is also a significant plus.

As an example, if a remote employee is trying to connect to a corporate network and their browser is out of date, it would be beneficial to give them the ability to patch that browser themselves without needing to engage the helpdesk, which is already dealing with a great deal.

Compliance and Remote Workers

Compliance requirements are another reason to look at improving the tools you use to secure remote workers. Even in a pandemic, the auditors will still need to do their job. We have a fiduciary responsibility to protect our enterprises, and to demonstrate that we’re accomplishing this task you can use MFA to control access to sensitive information in your company. The audit trail from a tool like this goes a long way toward demonstrating compliance for the audit team.

Endpoint Security and Trusted Devices 

Device trust is essential for any enterprise. This is brought into sharp focus by our remote teams and the likelihood that this arrangement will continue for months to come. There is a need to be sure that the devices attaching to your assets are patched to current or n-1. Having visibility of the devices, understanding their posture and managing the risks associated with them will help to reduce vulnerability exposure.

As the number of cloud-based services increases, the outdated notion of castle-and-moat, perimeter-based security breaks down. The perimeter is anywhere an access decision is being made. It helps us sleep better at night when we know we can trust the devices we need to keep business running and the lights on.
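To make the "current or n-1" posture rule and the self-service remediation idea from the sections above concrete, here is an added example (not Duo's code) that evaluates a device's reported browser and OS versions against a constructed release history and returns an allow/block decision with a remediation hint. The component names, version numbers and the `lag` parameter are assumptions for illustration.

```python
"""Device-trust posture check implementing a "current or n-1" policy.

Added example, not Duo's code. A device is allowed only when every tracked
component is on the newest known release or the `lag` releases before it;
anything older, missing or unparseable is blocked with a self-service hint.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed release history per component, oldest to newest (hypothetical).
KNOWN_RELEASES: Dict[str, List[str]] = {
    "browser": ["87.0.4280", "88.0.4324", "89.0.4389"],
    "os": ["10.15.6", "10.15.7", "11.1"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.15.7' into (10, 15, 7) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_posture(device: Dict[str, str],
                     releases: Dict[str, List[str]] = KNOWN_RELEASES,
                     lag: int = 1) -> Decision:
    """Allow only if each component is at least n-`lag`; lag=1 is 'current or n-1'."""
    reasons: List[str] = []
    for component, history in releases.items():
        ordered = sorted(history, key=parse_version)
        floor = ordered[-(lag + 1)]          # oldest acceptable release
        reported = device.get(component)
        if reported is None:                 # no posture data: treat as untrusted
            reasons.append(f"{component}: version not reported, treated as untrusted")
            continue
        try:
            current = parse_version(reported)
        except ValueError:                   # garbage from the agent is not a pass
            reasons.append(f"{component}: unparseable version {reported!r}")
            continue
        # Newer-than-known (e.g. a beta) compares above the floor and is allowed.
        if current < parse_version(floor):
            reasons.append(f"{component} {reported} is older than n-{lag} ({floor}); "
                           f"update to {ordered[-1]} to regain access")
    return Decision(allowed=not reasons, reasons=reasons)
```

The `reasons` list is what a self-service prompt would show the user instead of a bare "access denied", so the fix happens without a helpdesk ticket.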

See the video at the blog post.
