Cities full of hatred, fear and lies
Withered hearts and cruel, tormented eyes
Scheming demons dressed in kingly guise
Beating down the multitude and
Scoffing at the wise
— Rush “A Farewell to Kings”

We live in an interesting time. We live in a time when we are more connected than ever — and yet have trouble connecting. We live in a time where we have all this great technology at our fingertips — yet this same technology is sometimes weaponized and used against us.

I’ve discussed before how passwords were never designed to be a security construct and how they continue to plague us:

BYOD Passwords and the Law of Unintended Consequences

https://duo.com/blog/byod-passwords-and-the-law-of-unintended-consequences

I’ve highlighted some examples of where passwords have been compromised to cause great harm to our democracy:

Breaking Down the DNC and DCCC Cyber Attack

https://duo.com/blog/breaking-down-the-dnc-and-dccc-cyber-attack

I’ve also highlighted many times that we need something better. We need to combine our password affliction with the healing salve of simple, effective two-factor authentication (2FA). But hey, I work at Duo, so I’m supposed to say that. Here’s the thing (and I tell people this all the time)....I don’t say these things because I work at Duo…I work at Duo because I believe these things to be true.

Here’s Another True-ism. Not all 2FA is Created Equal

Now, don’t get me wrong, ALL 2FA is better than no 2FA at all. The goal of 2FA is to make it hard (impossible would be nice) for attackers to get what they’re after. In other words, don’t make their job any easier than it already is. But some 2FA solutions are only marginally better.

For awhile now, we’ve known that savvy attackers would just find another way in to bypass the lower-level 2FA capabilities deployed by most web sites. Things like SMS two-factor authentication and one-time password (OTP) based on two-factor authentication really only forced the attacker to move a little higher up the stack.

We’ve known for some time that these types of bypasses were possible, long before well-known hacker guy Kevin Mitnick showed the world how easy it could be:

PSA: Keep in mind that this still isn’t trivial. You need some pretty decent skills to set all this stuff up, but it is a vulnerability and I applaud those who go out and break things in order to make it all better. But, I am not a fan of the “gotcha security” folks that while providing a valuable service also perpetuate a culture of fear. Nobody needs that.

I won’t go into gory details about how this gets set up, but suffice to say, if you sit in the flow between the user and the app, and can capture not only the primary authentication (password), and the secondary authentication (a passcode that the user enters — or even better/worse the session token) then yeah, you get access.

The important thing to keep in mind however, is that while that is not a good thing, the session tokens have a limited life span, so this attack would have to persist to be useful. There are all kinds of things that would raise red flags should this kind of “man in the middle” attack be present. Things like location tagging, behavior analysis, etc. So, what I’m saying is that the sky is not falling, and all is not lost.

This is why it is so important, as an enterprise, to deploy an enterprise-grade two-factor authentication solution. By using a cryptographically connected token or security key like a Universal 2nd Factor (U2F) key, you don’t hand over the 2FA “crown jewel” to the attacker and the secondary authentication is completely “out of band” and out of sight from the attacker. 

But wait. There’s more. Duo is also committed to applying it’s “simple and effective” security philosophy to upcoming, game-changing authentication technologies such as WebAuthn — which has recently been ratified as an open standard by the W3C. This technological shift will be fundamental to changing authentication dynamics and shifting the balance of power in the user’s favor.  

Misleading Headlines Proclaim Phishing Attacks Bypass 2FA

As I said, not all 2FA solutions are created equal. It’s up to the enterprise to pick the right one. This won’t stop some news outlets from posting headlines like, “Phishing attacks that bypass two-factor authentication are now easier to execute.” And so on. Because the job of the press is to inform, and I respect that, but sometimes in order to do that you need a scary title. And that one is pretty scary. If I didn’t know better, I would believe that was true based completely on the title, and that 2FA was useless. But it’s not. Quite the opposite.

We security folk are a resilient bunch. We roll with the punches and manage to maintain an optimistic outlook, regardless of all the “evil” we see in the world. As a group, we can do this — and oh by the way — we are ALL security folk. In today’s world, preserving company security is everyone's responsibility.

Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Week one we explored the history of zero trust and how to establish user trust. Week two we explored the history of endpoint security and gaining visibility into devices. Today we will explore the third principle in this five-part blog series — how establish device trust.

Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first through multi-factor authentication. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network. As we learned in the last post, the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device across the network. Establishing device trust is the third principle to adopting a zero trust security posture for the workforce.

What Is a Zero-Day Exploit? 

A zero day exploit is defined as software, firmware or a hardware flaw from the software manufacturer that is either known or unknown to them and that has not been patched. Hackers can manipulate this hole and cause harm until the patch is not only released, but applied by users by updating their versions of the compromised software. And plenty of users do not update software right away, if at all. A zero day exploit covers a lot of ground. And it is just damaging. If you are CISO or CSO or an executive at a company, the idea of a zero day attack is pretty stressful, yet, worthy of concern because it is not good and it can cost billions in damages and reputation. But no need to worry, we made an multi-factor authentication app (MFA) for that.

What Have We Learned About Technology and Security So Far?

If there is one consistent theme throughout the history of endpoint security and the history of zero trust (see previous blog posts) it is that the most damaging computer breaches often start with stolen credentials and/or outdated software.

Today software is often a patchwork quilt of proprietary code, open source code and third-party vendors. All of this has equal parts good stuff and bad stuff. Third-party vendors are often brought in as pieces to the overall strategy puzzle as contractors, consultants and more. They speed up the time it takes to release software (ship it) or add value and features. These are not employees, yet have access to key technology and the opportunity to leave backdoors open in code, whether for malicious reasons or not. Backdoors and shipped products with known software flaws is pretty common. The goal is to ship the best first version as fast as possible while working out the bugs in real time. The bugs can be vulnerable to hacking.

Then there are the open source code libraries (like GitHub). On one hand, open source code leads to innovation in tech and progress through shared resources. It is a democratic approach to improving an idea by letting others use it and work on it. On the other hand, the code is super accessible, flaws and all. The epic Equifax breach was blamed on a security code hole in the open source code software Apache Struts Model-View-Controller (MVC) framework for Java.

The third principle of zero trust architecture is to establish device trust. This is a game-changer and a blocker for zero day exploits.

STEP 3  — ESTABLISH DEVICE TRUST

Establishing device trust is crucial to securing the workforce because once the user trust has been established in step one, and the visibility into devices accessing the environment in step two, establishing device trust is the third step to a multi-layered security posture that continuously monitors adaptive risk and trust assessment by checking the security health of all user devices attempting to access your applications.

Not only does establishing device trust include inspecting, logging and tracking devices but also controlling access based on mobile and BYOD (personally owned) devices. In other words, you can deny access to your environments by requiring devices to keep their software up to date. Ensuring that same software that has holes in it, gets updated patched right away.

Cisco Defines Zero Trust As

Workforce: Verify user identity and device hygiene before granting access to your cloud and on-premises apps.

Workplace: Verify compliant device profiles before granting software- defined access to your segmented network.

Workload: Verify app behaviors to implement micro-segmentation across on-premises data center and multi-cloud infrastructure.

Duo offers the first line of defense to securing credentials and enforcing software updates, thus establishing device trust and the third principle to achieving a zero-trust framework.

Ciso calls it establishing excessive trust. No user or device is automatically trusted inside or outside the perimeter. Now trust must be controlled by microsegmentation when everything is being targeted.

HOW DO I ESTABLISH DEVICE TRUST?

Ask yourself a few quick questions.

• Can you enforce endpoint controls for risky devices or corporate-owned devices?
• How are you establishing mobile device trust?
• Are you able to automatically notify users of out-of-date software to reduce your help desk tickets?
• Can you enforce access policies based on the application risk or whether the device is corporate or personally-owned
• And can you do this without requiring endpoint certificates?
• Does your solution enable your users to manage their own devices?

Enforce Endpoint Controls

By leveraging the visibility of devices connecting to your applications (as discussed previously), you should be able to establish device-based access policies to prevent any risky or untrusted devices from accessing your applications.

Duo’s Unified Endpoint Visibility helps you better understand your user and endpoint inventory and activity. Traditional endpoint visibility solutions are siloed because they were designed exclusively for Windows or Macs or mobile devices. Duo offers a comprehensive solution - you can see, track and report on all end user devices from a single dashboard: managed devices, unmanaged devices, Windows PCs, Macs, iOS devices, Android devices, ChromeBooks and more.

After Duo is deployed, administrators can use Duo’s Unified Endpoint Visibility to view and monitor all devices that access corporate applications on a single dashboard, allowing for more easy tracking and enforcement of security policies when users login to access applications. At the same time, users have the flexibility to use any device they like as long as it meets corporate security policies.

Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.

At a high level, Duo's certificate-based trusted endpoint verification works like this:

Determine Risk‐Based Device Access

For access to high-risk applications, you may require a device to be corporate-owned or managed by your organization’s IT team. High-risk applications may include electronic health record (EHR) systems like Epic that contain patient health information; cloud infrastructure like Microsoft Azure and Google Cloud Platform; and many others.

Identify Corporate vs. Personal Devices

Get a breakdown of corporate-managed and personal devices accessing your applications, and enforce policies based on device type. Duo's Trusted Endpoints lets you issue device certificates that are checked at login for greater insight into and control over your BYOD environment, while limiting access by any personal devices that don’t meet your security requirements.

Duo Security revealed after analyzing one billion user logins to customer work applications - nearly 43 percent came from outside of the corporate office and network.

Support BYOD & Mobile

Get insight into personal and corporate-owned devices, including mobile devices. BYOD devices may not meet security requirements or may be running older software versions prone to vulnerabilities but Duo helps admins and users stay up-to-date at all times.

Require Multi-Factor Authentication for Device Access

By requiring MFA for access to more sensitive applications, you will get a higher level of assurance of your users’ identities. MFA enable push notification, U2F security keys or  biometric-based WebAuthn before granting them access to certain applications. MFA also ensures that you are compliant and protects sensitive information and access.

Establish Mobile Device Trust With or Without MDM

Use a solution to establish mobile device trust with or without the use of mobile device management (MDM) software. Users may object to installing MDMs on their personal devices due to privacy concerns, resulting in lower overall adoption and reduced insight into their device security.

Control or Restrict Device Access to Applications

Whether or not you have an MDM solution, you should be able to block devices from accessing your applications based on:

1. OS, browser and plugin versions and how long they’ve been out of date
2. Status of enabled security features (configured or disabled)
3. Full disk encryption
4. Mobile device biometrics (Face ID/Touch ID) + Screen lock
5. Tampered (jailbroken, rooted or failed Google’s SafetyNet)

Notify Users to Update Risky Devices

Duo multi-factor authentication can detect older software versions, then notify users when their device software is out of date. This can relieve the burden on your help desk support team and prompt users to update the software on their own devices at login.

A self-service portal also allows them to easily manage their own authentication devices without submitting a help desk ticket. Now you can enforce controls and policies to keep risky endpoints from accessing your applications.

Get Detailed Device Logs & Reports

Duo enforces compliance by offering device visibility and detailed reports on user behavior and risky devices – all in one dashboard while integrating with existing security information and event management (SIEM) software. Many compliance regulations and auditors require user activity and device security logs and reports. And it integrates nicely with any existing SIEM (security information and event management) software

“Zero trust demands that security teams retain visibility and control across their entire digital business ecosystem, regardless of location, device, user population or hosting model.”

—Forrester Zero Trust eXtended (ZTX)

STREAMLINE AUTHENTICATION

At the end of the day, users want to login into their systems quickly with fast access. With Duo you can designate certain devices and networks as trusted and let your users log in without going through the two-factor process each time, giving them faster and more secure access.

Keep Remembered Devices

Duo helps you establish user trust to computers after the initial authentication, and let users log into your applications without completing two-factor authentication each time.

Establish Trusted Networks

Duo helps you establish trusted networks by flagging trusted networks with listed IP addresses or CIDR blocks, so you can develop policies to require strong authentication for certain web-based access to company services.

DUO’S MULTI-FACTOR AUTHENTICATION

Duo provides the foundation for a zero-trust security model by providing user and device trust before granting access to applications – ensuring secure access for any user or device connecting to any application, from anywhere.

Each time a user logs into an application, the trust of their identity and security of their device is checked by Duo, before granting access to only the applications they need. Duo gives you adaptive policies and controls to make access decisions based on user, device and application risk. Paired with deep insights into your users’ devices, Users get a consistent login experience with Duo’s single sign-on that delivers centralized access to both on-premises and cloud applications.

Duo’s Approach to Zero-Trust Security Is Different in Four Ways:

• Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
• Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
• Integrates With All Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
• Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far fewer resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.

In conclusion, we have covered the first principle to implementing a zero-trust framework; how to establish user trust. Gaining device visibility is the second principle to adopting zero-trust and establishing device trust is the third principle. In next week’s blog we will review the fourth principle to achieving zero trust: how to enforce adaptive policies.

Learn more about Duo Beyond, our zero-trust platform - or sign up for a free 30-day trial to try it out today.

**Zero Trust Evaluation Guide: Securing the Modern Workforce** We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.

Download Guide

Duo Security is thrilled to announce that we won the “Best Authentication Technology” award during this year’s SC Awards Europe gala dinner!

Hosted by SC Media, SC Awards Europe celebrates the achievements of the cybersecurity professionals and companies throughout Europe who strive to protect and secure businesses, customers, and critical data. Entrants are evaluated by a panel of judges against a range of criteria, including customer satisfaction, and then selected for awards such as:

• Best Advanced Threat Persistent Threat (APT) Protection
• Best Threat Intelligence Technology
• Best Behavior Analytics/Enterprise Threat Detection
• Best Cloud Computing Security Solution
• Best Identity Management Solution

And many more.

This year’s SC Awards Europe Gala was hosted at the London Marriott Grosvenor Square on Tuesday, 4 June, during Infosecurity Europe. Cybersecurity professionals from across the continent gathered together to network with one another and recognize the companies and people who have contributed so much to the industry.

Duo is so excited to have received the “Best Authentication Technology” award. To have our technology noted as best in its class is thrilling, not only because it is an honor to be recognized, but also because it means we are achieving our goal of delivering the best security to our customers.

Truly, the security of our customers is what drives everything we do. We want our solutions to enable security without impairing performance, so we’ve built our simple and effective multi-factor authentication solution with both users and administrators in mind. Our solution is easy to deploy and manage at scale, and allows employees to quickly and securely log into their applications anytime, anywhere with a variety of authentication methods. To learn more about our security solutions, please visit our product page.

Many thanks to SC Media for hosting this event. We are honored to have participated, and will work hard to live up to and maintain our title as we continue providing the “Best Authentication Technology” to our customers.

Richard Archdeacon and Mike East from Duo at SC Awards Europe 2019

Pull up a chair, and get ready to dig into the changing security landscape.

According to the 2019 Verizon Data Breach Investigations Report (DBIR), which analyzed 41,686 security incidents in over 86 countries, with 2,013 confirmed data breaches from 73 data sources and 63 external private and public entities (including the FBI), “no organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack.” The report notes corporate executives and small businesses are increasingly the top targets by bad actors.

Security Incident vs. Security Breach

• Security Incident: A security event such as impersonation, denial of service and website defacement that doesn’t involve the theft of sensitive personal data.
• Security Breach: A security incident that involves the release of personally sensitive, protected and/or confidential data, such as social security numbers and personal health records.

Corporate Executive Credentials Highly Desirable

While business email compromised (BEC) attacks on Human Resource personnel have decreased by six times from last year, corporate executives were targeted nine times more for social breaches and C-Level executives (CEO, CFO, CMO etc.) were targeted 12 times more for social incidents according to Verizon.

Corporate leadership, which often has privileged access to valuable information and computer systems coupled with undisputed and unquestioned authority to make requests, is an obvious sweet spot for bad actors. Corporate executives are often seen as easy marks with big impact – they’re frequently on the move with limited time to digest large amounts of information, making them targets of dedicated social engineered attacks such as phishing, spear phishing and more.

Security does not have to be complicated and it does not have to be scary either. Luckily, these attacks can easily be thwarted by multi-factor authentication, one of the building blocks of zero-trust security, to establish and protect trusted users.

“Security must remain front and center when implementing these new applications and architectures. Technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape, so you can develop and action a solid plan to protect your business against the reality of cybercrime.”

— George Fischer, president of Verizon Global Enterprise

What is Causing Data Breaches?

• Phishing
• Use of stolen credentials

Top Application Vector Threats

• Email accounts (OWA or O365)
• Web applications (SaaS/cloud)
• Workstations

Important Findings for Stolen Credentials and Application Threat Vector

• 60% of the time, the compromised web application vector was the front-end to cloud-based email servers
• Workstations, web applications, and surprisingly, mail servers are in the top group of assets affected in data breaches
• Most often, those compromised credentials were to cloud-based mail servers. There was an uptick in actors seeking these credentials to compromise a user’s email account. Once an actor has one credential, they can launch large phishing campaigns from the account, or if the account owner has a certain degree of clout, send more targeted and elaborate emails to employees who are authorized to pay bogus invoices

Mobile Users Are More Susceptible to Social Attacks

• The small screen size of mobile screens restrict viewable information necessary to verify fraudulent emails
• Many mobile browsers limit access to website SSL certificates
• Prominent features on mobile like “accept, reply, send” make it easier for users to make snap decisions
• Mobile users are often walking, driving, talking and more decreasing their attention to details

Healthcare Industry Breakdown

• 15% breaches in 2019
• Attackers are going after email accounts via stolen credentials
• 72% of breaches result in medical data being compromised

Financial Industry Breakdown

• 10% of breaches in 2019
• Attackers are going after email accounts via stolen credentials
• Attackers are leveraging Social Phishing as a means of obtaining comprised credentials

More Major Findings

• 69% of attacks are perpetrated by outsiders
• 39% of all attacks are perpetrated by organized criminal groups
• 23% of bad actors are identified as nation-state or state affiliated
• 43% of breaches involved small businesses victims
• 52% of breaches involved hacking
• 33% included social attacks
• 28% involved malware
• 12% increase in C-level executives proactively targeted by social breaches
• 98% rise of compromise of web-based email accounts using stolen credentials - seen in 60% percent of attacks involving hacking a web application
• Outsider threats remain dominant: External threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34%
• Misconfiguration (“Miscellaneous Errors”) led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records analyzed in the DBIR dataset. This accounts for 21%of breaches caused by errors.

As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed. They really need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats. Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.”

— Bryan Sartin, executive director of Global Security Services at Verizon

Recommended Protection From Phishing

Verizon reports the ease of use and proliferation of bad actors accessing or stealing credentials to gain access to corporate environments is on the rise. The good news is protectection doesn’t have to be scary. Our founders created Duo multi-factor authentication to make security compliant, easy, affordable and accessible to companies regardless of their size.

Multi-factor authentication is recommended by the FBI and Department of Homeland Security as the first barrier to the protection of systems because it not only establishes user trust, it also authenticates users using several different factors that can not be replicated by bad actors. Multi-factor authentication uses the zero-trust criteria of trust no one until identity can be verified and permission validated. 

Duo's Multi-Factor Authentication

Duo is a cloud-based zero-trust security platform that protects access to all applications, for any user and device, from anywhere. It’s designed to be both easy to use and deploy, while providing complete endpoint visibility and control.

Duo verifies users’ identities with strong multi-factor authentication (MFA), paired with deep insights into your users’ devices. Duo gives you the policies and control you need to limit access based on endpoint or user risk. Users get a consistent login experience with Duo’s single sign-on (SSO) that delivers centralized access to both on-premises and cloud applications.

Duo protects against compromised credentials and risky devices, as well as unwanted access to your applications and data. This combination of user and device trust builds a strong foundation for a zero-trust security model.

LEARN MORE ABOUT PHISHING

**Phishing Assessment Made Easy** Duo Insight is a **free phishing assessment tool** by Duo Security that allows you to find vulnerable users and devices in minutes and start protecting them right away.

Go Phishing!

Download our ebook "Phishing: A Modern Guide to an Age-Old Problem"

Get a free trial for 30 days and quickly protect all users, devices and applications.

Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Last week we explored how to establish user trust. Today we explore the second principle in this five-part blog series — how to gain visibility into devices.

Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first through multi-factor authentication. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network. As we learned in the last post, the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device across the network. 

The first principle of zero trust is to establish user trust, which identifies the user is who they say they are. The second principle of zero trust is to gain visibility into all of the devices and endpoints that have access to your environment.

The History of Endpoint Security

The first ideations of “malicious software” dates back to early computing in 1949 with John Von Neumann’s research “Theory of Self-Reproducing Automats” – long before mass computer adoption was a thing. In 1983, Fred Clone, a leader of antivirus software, introduced the term “computer virus” (a parasitic application that seized control of computer operations) in his student research paper "Computer Viruses – Theory and Experiments" while studying engineering at the University of Southern California.

Computer viruses initially spread through removable media until the 1990’s when macro viruses infected Microsoft software. By the 2000’s computer viruses were transmitted over the internet and through email — and expanded into worms (Melissa and I Love You) and trojan horses that rapidly proliferated to corporations and institutions throughout the world. 

Email has always been an easy target to permeate malicious code by hiding it in memory or files within the endpoints. The first mass attempt at endpoint security was in the antivirus era, along with the VPN, and a moat of protection called the firewall perimeter. But not for long.

* 2018 Verizon Data Breach Investigations Report (DBIR)

Antivirus security companies faced a backlash in the mid-aughts when their signature-based technology failed to keep up with progressive malware due to a lack of timely critical updates. In 2014, Symantec’s Brian Dye declared antivirus software was dead in an interview with The Wall Street Journal while introducing new approaches to preventing the spread of malware that included new tools to protect against phishing, spam attacks, and malicious websites.

Statistics released in “2018 State of Endpoint Security Risk” by the Poeman Institute state:

• 74% of compromised organizations report the attack was a new or unknown zero-day attack
• 64% say their organizations were compromised in 2018 with one or more endpoint attack(s) that successfully compromised data assets or IT infrastructure
• Antivirus missed an average 57% of the attacks
• Organizations report the average time to patch is 102 days.
• Only 46% organizations that do adopt features and functionality to detect and block early signs of an attack use all the features and full functionality because of long deploy times

The Zero-Trust Era: A Multi-Layered Approach to Endpoint Security

As endpoints continued to grow with the rise of mobile devices and the remote workforce, the perimeter was no longer contained to the internal firewall. More computing shifted to the cloud. By 2009, zero-day hacks had infiltrated the most secure brands, institutions and government departments. Infiltration of systems through stolen or compromised credentials through email phishing was easy and rampant — and still is today. Gaining visibility into all devices and endpoints connecting to the corporate environment is a critical component to adopting a zero-trust.

THE NEW PERIMETER

The new perimeter is more of a micro-perimeter.

STEP 2 - GAIN DEVICE INSIGHT TO SECURE THE WORKFORCE

Cisco defines the journey to zero trust as three key areas: the workforce, the workload and the workplace. Gartner and Forrester Research are leading the industry in education of the importance of taking a zero-trust stance to security through microsegmenation, which starts by securing the workforce and having insight into devices.

"Okay, if we were to try and fix this from the start, where would we start? We'd obviously start around taking care of the largest swath and compromise areas, which would probably start with users. Followed closely by devices. Because if we can take care of those two pieces, we can actually gain some ground and work our way going forward.”

— Dr. Chase Cunningham Principal Forrester Analyst, 2019 RSA Conference

How can I see the endpoints connecting to my environment?

Do you have visibility across every type of end user device – mobile, desktop and laptop?

Can you easily get an overview of your users, endpoints and authentication activity?

Is there one tool that centralizes authentication and endpoint data across different device platforms?

According to Duo’s “2018 Trusted Access Report” more and more environments have no clear insight into the devices connecting to their environment. Thanks to the demand and savings incentives around personal devices (BYOD), many companies have a large number of shadow devices connected to their systems that they are not aware of. Or alternatively, they have to rely on multiple vendors to get information about those devices. But there is a zero-trust solution that solves all of these issues and shines light on all endpoints.

Companies want to gain visibility into personal and corporate-owned devices, including mobile devices. Because BYOD devices may not meet security requirements or may be running older software versions prone to vulnerabilities, which are easy targets. Being able to see and flag devices without outdated software is critical.

Avoid surprises with easy peasy device visibility

Today threats come from anywhere and everywhere; attackers use ever-more sophisticated technologies such as hiding in encrypted traffic to evade detection. Visibility into devices can stop them in their tracks, aids in detection and response, and raises awareness of risk exposure. Getting a clear view of devices can reduce the threat of compromised credentials and devices caused by phishing, malware and other vectors – and helps to meet data regulatory compliance requirements for access security. 

Gaining device visibility is easy to access, simple to use and effective for users and admins, whether you are small company or a global corporation, with Duo's multi-factor authentication.

ENDPOINT VISIBILITY BASED ON ZERO TRUST

So long, farewell mobile device management (MDM). Duo gives you data on who’s accessing what company applications, where and under what conditions– without requiring any agents on your users’ devices.

Get Remote Access Without VPN

Now you can support BYOD and mobile without being tethered to the VPN. Identify both corporate IT-managed and personally-owned devices with Duo’s Trusted Endpoints. Use existing device management infrastructure to establish and enforce device trust with Duo’s integrations with Active Directory, AirWatch, Google, Jamf, Landesk, MobileIron and Sophos without the need to deploy and manage a complex PKI certificate infrastructure.

See Every Device on Every Platform

Duo’s Unified Endpoint Visibility gives you actionable data on operating system, platform, browser and plugin versions, including passcode, screen lock, full disk encryption and rooted/jailbroken status. Easily search, filter and export a list of devices by OS, browser and plugin - refine searches to find out who’s susceptible to the latest iOS or Android vulnerability.

One View to Rule Them All on a Centralized Dashboard

See risks, and flag them. Duo’s detailed reports give admins data on user behavior and risky devices, as well as user, admin and telephony data – all easily integratable with existing security information and event management (SIEM) systems.

“With Duo’s platform, we were able to instantly get visibility into all devices accessing our network and quickly deploy access policies to shore in these devices. Duo helped us increase our security and was easy to deploy - period.”

—Chad Spiers, Director of Information Security, Sentara Healthcare

Have Peace of Mind – Get Transparent Device Insight

Using Duo’s Unified Endpoint Visibility with multi-factor authentication you will: 

• See all end user devices, including BYOD and shadow devices

• See who is using these devices

• See if the devices are managed or unmanaged

• See the security posture of the devices

• See what apps the devices are accessing

• Meet government compliance regulations for NIST and DHS

Duo’s Approach to Zero-Trust Security Is Different in Four Ways:

• Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
• Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
• Integrates With All Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
• Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far fewer resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.

Last week we covered the first principle to implementing a zero-trust framework; how to establish user trust. Gaining device visibility is the second principle to adopting zero-trust. In next week’s blog we will review the third principle to achieving zero trust: how to establish device trust.

Learn more about Duo Beyond, our zero-trust platform - or sign up for a free 30-day trial to try it out today.

**Zero Trust Evaluation Guide: Securing the Modern Workforce** We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.

Download Guide

Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Today we explore the first step in this five-part blog series—how to establish user trust in the workforce.

What Is the History of Zero Trust?

The principle of least privilege (PoLP; also known as the principle of least authority) has been an essential aspect of IT security for decades. Born out of this philosophy is the concept of “zero trust.” Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network.

In 2008, Cisco reported the number of things connected to the internet exceeded the number of people on earth. Prior to the time mobile adoption hit the tipping point, security mostly revolved around keeping everything behind the firewall with workers and contractors tunneling in through their VPN at the office or their MDM. The corporate network was perimeter-based with weak points around remote workers, trusted vendors, partners and customers. 

The four important aspects of external network traffic (source address, destination address, port and protocol) were guarded, however if a connection met the specific requirements — the traffic was granted access and user trust was automatic. Little attention was considered for the internal networks once the external traffic was validated. But then, the world became increasingly mobile first and users were no longer connecting from their computer at the office, rather connecting on the go, often using their own personal devices (BYOD bring your own device). With the new technology came new security breaches.

In 2009, a massive Chinese hack known as Operation Aurora targeted at least 34 global organizations. Google had intellectual property stolen in the hack. It was discovered the Chinese military was behind the attack and wanted to gain access to the email accounts of possible dissenters like U.S. government officials, Chinese political activists, military personnel, journalists and Asian officials. Shortly after, McAfee reported the hackers used a zero-day exploit in Internet Explorer that Microsoft had been aware of three months prior but did not release a patch until after the attack.

It was not until 2011 that the security conversation changed dramatically after a zero-day vulnerability in Adobe Flash resulted in the successful phishing attack of RSA tokens. The hack revealed the weakness of RSA’s token-based 2FA. The U.S. Government and its defense contractors relied on RSA tokens to protect access to documents pertaining to research, plans involving various defense technologies, and credentials for regaining access. At the time of the phishing attacks, millions of tokens had to be manufactured, provisioned, and deployed to customers who had to configure their systems and deploy them internally, which was extremely expensive and labor intensive. At the same time, the hackers access began to show. Companies began to seek solutions to zero-day attacks.

The Zero-Trust Framework

The evolution of the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device. When 81% of breaches target identity through phishing and spear phishing of compromised credentials, establishing user trust eliminates an incident before it happens.

Duo Security was formed in 2009, when our founders wanted to make zero-trust technology easy and accessible to all companies big or small, not just banks and global corporations. They developed Duo, a cloud-based mobile multi-factor authentication security solution, based on the principle that establishing user trust would eliminate opportunities for zero-day attacks.

Forrester’s Zero Trust eXtended (ZTX)

In 2010, the U.S. House of Representatives on Oversight and Government Reform issued formal guidelines to harden their systems and guided federal agencies to the report by Forrester analyst John Kindervag. Kindervag introduced the term zero trust in his write-up of “Zero Trust Architecture.”

Today Forrester’s Zero Trust eXtended (ZTX) Ecosystem has evolved into a holistic approach to securing data, network, workforce, workloads and workforce with “monolithic perimeters” into a series of micro-perimeters or network segments to apply granular security controls around them.

• Zero Trust Workforce: Authenticate users and continuously monitor and govern their access and privileges
• Zero Trust Workloads: Enforce controls across the entire application stack, especially connections between containers or hypervisors in the public cloud
• Zero Trust Data: Secure and manage data, categorize and develop data classification schema, and encrypt data at rest and in transit

Google’s BeyondCorp

Google began to publish and share their research around their zero-trust approach to security they dubbed BeyondCorp in 2010. Their mission was “to have every Google employee work successfully from untrusted networks without the use of a VPN utilizing single sign-on (SSO), access proxy, access control engine, user inventory, device inventory, security policy and trust repository. Their steps to implement zero-trust architecture include securely identify the device, securely identify the user, remove trust from the network, externalize apps and workflow, and implement inventory-based access control.

BeyondCorp Principles

• Perimeterless Design: Connecting from a particular network must not determine which services you can access
• Context-Aware: Access to services is granted based on what we know about you and your device
• Dynamic Access Controls: All access to services must be authenticated, authorized, and encrypted

“The first step to moving from a privileged corporate network (usually with a VPN at its core) to a zero-trust network is to know your people and know your devices.”

—Max Saltonstall, Technical Director of Google’s office of the CTO

Gartner’s CARTA

In 2017, Garner introduced their zero-trust principals—the Gartner CARTA model (continuous adaptive risk and trust assessment).

• Shifts away from one-time binary decisions with context-aware security platforms
• Advocates for microsegmentation using granular policies and controls
• Is always checking to continuously discover, monitor, assess and prioritize digital risk and trusts—reactively and proactively
• Performs risk and trust assessments early
• Moves to a Software-Defined Perimeter (SDP)

Cisco defines the journey to zero trust as three key areas: the workforce, the workload and the workplace.

Zero trust is a modern approach for establishing user trust and securing organizations that:

• Have remote or mobile workers
• Use cloud applications
• Need to secure BYOD access

STEP 1 — ESTABLISH USER TRUST

Can you verify your users are who they say they are? Do you know how many shadow devices (personal devices that are not known) are accessing your network? At the heart and soul of the zero-trust journey is the basic concept: trust no user or device inside or outside the perimeter by default. A zero trust‐centric model is focused on authenticating and authorizing every user and device before granting access to any application. Authenticating users, knowing who they are, where they are, and what devices they are using (and requiring they prove it) and setting granular policies to control access to applications and networks makes up the bulk of security required to achieve and adopt the foundation of zero-trust security.

HOW DO I AUTHENTICATE A USER AND ESTABLISH USER TRUST?

Passwords are extremely vulnerable to hackers as a single factor by themselves. With multi-factor authentication (MFA) a user’s identity can be authenticated and user trust (authorization) established by using two or three factor combinations.

1. Something you know (e.g., passwords)
2. Something you have (e.g., your smartphone)
3. Something you are (e.g., biometrics, like fingerprints)

DUO’S MULTI-FACTOR AUTHENTICATION

We developed Duo Beyond's multi-factor authentication (MFA) solution based on the belief that zero-trust security does not have to be complicated for users to deliver compliant and effective security; it can live securely in the cloud and be accessible; it can extend the perimeter to any application or device including personal devices (BYOD) with built-in zero-trust; and does not require a rip and replace of legacy system, yet overcomes legacy limitations. Duo helps users meet HIPAA and NIST compliance regulations and is approved by the Department of Homeland Security and FedRAMP In-Process. Duo combines multiple security solutions into one.

AUTHENTICATION VS. AUTHORIZATION

There is a difference between authentication and authorization. For example, Joe P. can go into a bank and say, “I am Joe P. and I work for Mr. X and he wants me to withdraw half of his savings.” Joe P. might be able to authenticate with some credentials, but the bank will not automatically give Joe P. half of Mr. X’s savings until they get authorization from Mr. X. Multi-factor authentication answers the following questions and has granular user policies that can be set to restrict authority and enforce zero-trust protection.

• Is the user who they say they are?
• Do they have access to the right applications?
• Is their device secure?
• Is their device trusted?

Duo’s approach to zero-trust security is different in four ways:

1. Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
2. Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
3. Broadest Coverage of Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
4. Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far less resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.

Multi-factor authentication is the first step to implementing a zero-trust framework. In next week’s blog we will review the second step to achieving zero trust: how to gain visibility into devices.

Learn more about Duo Beyond, our zero-trust platform - or sign up for a free 30-day trial to try it out today.

**Zero Trust Evaluation Guide: Securing the Modern Workforce** We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.

Download Guide

After waiting nearly a year for the Office of Management and Budget (OMB) to release their new identity guidance for federal and government workers — it’s finally here. The new updated identity, credential and access management policy extends the government physical credentials of personal identity verification (PIV) and common access cards (CAC) into the digital world, and paves the way to a zero-trust journey.

We’ve been waiting to see how closely it aligns with previous NIST identity guidance (SP-800-63-3), and it doesn’t disappoint. But it actually does much more than that. What it shows us is that the OMB is paying attention to all the parts that make up a zero-trust security methodology, and that the OMB believes (correctly) that a strong identity, credential and access management (ICAM) system is at the heart of it. In keeping with the spirit of SP 800-63-3, it goes out of its way to highlight the necessity to adopt a risk-based approach to identity security, much like other parts of the cybersecurity equation.

To ensure secure and efficient operations, agencies of the Federal Government must be able to identify, credential, monitor, and manage subjects that access Federal resources, including information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services, as well as individuals' privacy.

— From the memo "Enabling Mission Delivery through Improved Identity, Credential, and Access Management"

This guidance is not happening in a vacuum. Beyond the specific calls-outs on how this relates to the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) Program there is a specific mention in Section 4 of the “de-perimeterized” world we are increasingly seeing in our workflows.

IV. Shifting the Operating Model beyond the Perimeter

The interwoven technical architecture of the Federal Government creates complexity in managing access to resources, safeguarding networks, and protecting information. While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access Federal resources made by users and information systems. To ignite adoption of this new mindset around ICAM capability deployment across the Federal Government, each agency must harmonize its enterprise-wide approach to governance, architecture, and acquisition. 

Governance

1. Each agency shall designate an integrated agency-wide ICAM office, team, or other governance structure in support of its Enterprise Risk Management capability to effectively govern and enforce ICAM efforts.

The memo also recognizes the modular mobile world we live in and the acceptance of some use cases that can support a “Bring Your Own Authenticator (BYOA)” model.

“Agencies shall establish processes based on digital identity risk and associated assurance levels to allow an individual to bind, update, use, and disassociate non-Government­ furnished authenticators to their digital identity when accessing Federal digital services provided to public consumers.”

All of these mentions provide agencies with flexibility to look for a more modern way to identify and authorize users through new technology like Duo's multi-factor authentication, which is DHS and CDM approved and FedRAMP In-Process. 

I am also encouraged by the fact that the review cadence is specifically called out in the document. This has to be a living and breathing thing that gets adapted and updated as our IT environments change.

One of the problems we have been living with is the fact that the Homeland Security Presidential Directive 12  (HSPD-12) is 15 years old. Any security policy left alone for that long will not age well. It was designed and implemented in a time before cloud, and in a time before mobile, and is in desperate need of an overhaul. While the new guidance still points to HSPD-12 as the “law of the land” in Section 3, these new updates to it give it enough flexibility to securely cover us as we move into our modern new world and beyond.

It’s also worth mentioning that NIST hosted a FIPS 201 session a few weeks back to discuss open standards (FIDO, OIDC, SAML, etc.) as potential building blocks for future work in the handling of federal identities, how they’re accessed and how they will be federated. This is a direct result of the OMB impending guidance (now realized), the release of SP 800-63-3 and the update that will be required for SP 800-157 (PIV-D).

To me, these things have always been related and play off each other to provide the true “zero-trust” cybersecurity framework for a government agency’s IT modernization journey.

Game on.

**Try out our Phishing Simulator and measure your user risk for free today**

Free Phishing Simulator

One of the top-requested mobile features of Duo Mobile is now a reality. Duo Mobile iOS and Android users can now restore their personal third-party applications using Duo Restore to connect to a new device or reset their current device. Now users can protect all of their accounts and restore them with one app. In this article we’ll show you how.

What Was the Problem?

Duo Mobile provides the most secure two-factor authentication methods available including Duo Push, phone call, and SMS passcodes. Users wanting the same level of security to protect personal accounts like Facebook, Slack, and Dropbox use Duo Mobile to generate a passcode for second-factor authentication to login. These applications are considered personal "third-party" accounts. Of the past million Duo activations, 25% were third-party applications.

Previously, Duo Mobile only provided backup and restore functionality for Duo-protected accounts and applications. When you replaced a mobile device, you had to manually reconnect each third-party account. Further, if your old device was lost or destroyed, you would need to rely on alternate authentication methods or backup codes to login.

Our goal was to provide a simple way to reconnect third-party accounts while maintaining our high standards of security.

How Does It Work?

Duo Restore for third-party accounts (3PR) uses an encrypted user-created backup to iCloud (iOS) or Google Drive (Android). As a result, third-party account backup information is not stored by Duo. To access Duo Restore you will need to opt-in to third-party restore and set a recovery password to use this feature.

Here’s how to do it:

After updating to the new version of Duo Mobile, users with a third-party account will see a prompt to enable third-party restore the first time they open the Duo Mobile app. Users without a third-party account will only see the prompt after they add their first third-party account. Android users will only see this prompt if they also already have the Duo Restore toggle enabled.

The toggle to enable Duo Restore for third-party accounts will be located in the Settings section of the iOS app. On Android, it will be located in Settings > Duo Restore.

• The end user enables 3PR on the original device and sets a recovery password. When she activates a new phone, Duo will prompt her to reconnect to her existing third-party accounts by entering the recovery password. After doing so, her Duo Mobile 3rd party accounts are restored on her new device. 

What Duo Admins Should Know

Duo Restore for third-party accounts is a good thing for your users. It does not require additional administrative overhead for you and has no impact on Duo accounts that are tied to your enterprise.

Your end users may already be using Duo as a passcode generator for applications and websites that you do not have control over like Facebook or Instagram. Please see our guide to third-party accounts for more information.

Also note that this feature does not introduce new authentication methods into Duo-protected applications. It only allows your users already protecting outside third-party accounts to securely backup and recover these accounts when they install Duo on a new device. Users will only be prompted to enable this feature if they already have third-party accounts added to Duo.

One important note for Duo Admins is that Duo Restore for third-party accounts does not require Duo Restore account recovery for Duo-protected accounts to be enabled in the Duo Admin Panel.

Does the Admin Enable 3PR?

No, all Duo Mobile users can use 3PR. There is no Duo admin setting. Note that this is different than Duo Restore for Duo-protected accounts which are enabled by an admin setting.

Where is the backup data sent?

Backup data is stored in iCloud for iOS and Google Drive for Android devices. It never hits Duo’s cloud services.

In Closing

We’re excited to make Duo Restore for third-party accounts available to all users and improve the experience of setting up a new mobile device. Let us know what you think. Tweet to us at @duosec or leave us an app review in iTunes or Google Play.

Microsoft announced they're dropping password-expiration policies requiring periodic password changes in the draft release of their security configuration baseline settings for Windows 10 and Windows Server (version 1903). Expiring passwords means forcing the end of their use, and periodic password changes means making users change them every set number (60, 90) of days.

Human After All

We (non-computers) do a lot of the following when it comes to passwords, as I've summarized from Microsoft's blog post:

• Pick weak, easy-to-guess or predict phrase(s)
• Write them down nearby when forced to create complex ones
• Make tiny and predictable alterations to existing passwords when forced to change them

We are fallible when security is left to only our ability to manage or create passwords. Humans are kind of lazy after all, as we optimize our mental energy to distribute it wisely throughout our days. We're all just doing our best, ok?

Security Implications of Passwords

There are many, here's just a few:

• When passwords are stolen and dumped en masse, it's hard to detect their use
• The dark web, or underground forums, often host password lists for sale that can be used in brute-force password attacks
• Passwords alone make it easy for attackers to log in to applications and servers remotely, unauthorized
• In the case of password reuse, one set of stolen credentials can give an attacker access to multiple accounts, sometimes across both personal and work accounts

What is Better for Security?

So if password expiration policies don't actually help, what does?

• Using multi-factor authentication (MFA): The most basic and effective preventative technology to add another way to verify your identity (by layering on something you have or something you are)
• Password managers: Keep track of accounts, password changes, and generate complex and unique passwords that humans need not remember with their brains
• Long passphrases: NIST recommends using a string of words instead of special character, capitalization and other annoyingly arbitrary requirements, as I wrote about back in 2017 on NIST's updates to password security guidelines in their SP 800-63-3 Authentication & Lifecycle Management
• Enforcing banned password lists: An interesting Microsoft feature for Azure that uses a certain algorithm to help users avoid choosing weak and vulnerable passwords (documentation on how this works)
• The (one day) passwordless future: The use of biometrics tied to user devices that entirely eliminate the need for something you know. Today, you can use this method as a second factor, tying in the use of Touch ID to verify your identity

Microsoft encourages organizations to "choose whatever best suits their perceived needs without contradicting" their baseline security guidance. This frees up organizations to focus on their own risk tolerance, based on technology and business needs, and shifts the focus away from password expiration, "an ancient and obsolete mitigation of very low value."

Taking a more adaptive, flexible approach can result in more usable, actually-effective security that protects access across your environment. Learn more about Duo’s MFA, adaptive authentication, endpoint visibility and remote access, and how we can help you take a risk-based approach to security.

Anyone who has ever sold technology to the federal government or the military knows that they are a great customer to have with global reach, but their sales cycle is often very long and very slow. The government is a slow ship to turn around and they have to be sure before they signoff. Getting to the sales finish line requires many approvals, research and back and forthing that can last literally years. This makes it difficult for new technology to reach government agencies.

Modernizing federal government and public agencies’ IT infrastructure has been stagnant for the past decade. The slow sales cycle had government agencies investing in high dollar (now legacy) hardware and software that was secure and compliant — just as corporate America began to shift to the cloud — and then to mobile. First in a hybrid mix of on-premises and cloud technologies and applications — then as cloud was proven to be secure — the cloud became the new normal.

A rip and replace of legacy technology is cost prohibitive and risky. Until the technology is proven, there is always the possibility of another poor investment that will be gone as fast as most bitcoin ICOs.

The federal and public agencies with shifting budgets have been sort of stuck in a legacy limbo with expensive hardware, long licensing contracts, infrastructure that is not agnostic, hardware tokens and limitations prescribed by federal security and compliance regulations. They’ve been somewhat blocked from progressing into the modern era. One of the biggest hurdles for federal and public agencies the first step of authenticating a worker to allow them access to login into secure systems. The current old technology is the use of CAC and PIV smart cards which while prolific, are extremely limited.  

In 2015, due to increasing cybersecurity vulnerabilities the then Federal Chief Information Officer (CIO) Tony Scott introduced the federal Cybersecurity Sprint that required federal agencies to:

Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems.

To maximize effectiveness, multi-factor technology should be mandatory for the entire organization as OMB guidance directs agencies not to spend time and money on new solutions that do not contribute to migrating to the mandated PIV-enabled end-state.

In 2017, Scott continued pressing for modernization of federal IT, but pointed out that he is not alone. Scott said, “On the issue of cyber, this is not unique to the federal government. I have plenty of CIO friends who work in banking, retail, media and entertainment, automotive and other industries and when I get together for a drink with my CIO buddies, guess what the number one topic is? I’ll give you one guess — it is cyber.”  Cyber as in cybersecurity.

What Is Multi-Factor Authentication?

Passwords are extremely vulnerable to hackers as a single factor by themselves. With multi-factor authentication a user’s identity can be authenticated using two or three factor combinations.

1.      Something you know (e.g., passwords)
2.      Something you have (e.g., Personal Identification Verification (PIV) cards)
3.      Something you are (e.g., biometrics like fingerprints)

Duo Security developed mobile multi-factor authentication (MFA) from the belief that security at the highest levels of federal and government agencies does not have to be complicated to users to be compliant and effective against cyberattacks; can live in the cloud and expand the secure firewall to any application or device including BYOD devices with a built-in zero-trust model;  and does not require a rip and replace of legacy system yet overcomes legacy MFA limitations.

Duo MFA works with current legacy systems while consolidating multiple tools into a single vendor and a single user-friendly dashboard, to get a clear path through legacy limbo into the modern era for federal and government agencies.

How Does MFA Help Federal Agencies?

Duo helps federal agencies face many of their most thorny cybersecurity concerns quickly and head-on, with an easy-to-use and easy to deploy approach to MFA.

Duo helps you:

• Overcome the compliance confusion
• Gain deep visibility into devices
• Solve the PIV/CAC conundrum with Duo Mobile
• Escape from legacy limbo

It also:

• Provides end user-friendly multi-factor authentication with flexible authentication options for every use case
• Gives admins complete visibility into endpoint security across all devices - including unmanaged, personal devices
• Can be configured for granular access control policies based on user, device and application attributes
• Natively integrates with cloud and on-premises apps, remote access, servers, custom web applications, identity providers and standard protocols such as SAML, RADIUS, LDAP and REST APIs
• Can be deployed in hours and doesn't require a full-time security team to manage or roll out
• Provides one centralized dashboard to view all overall security policies, with reporting and logs for compliance audits
• Uses Duo's rich data telemetry to block access by insecure devices
• Provides modern remote access to multi-cloud environments

How Does Duo Work?

Duo Push

After entering a username and password, users verify their identity by approving a push notification on their phone, sent by Duo Mobile.

• Is available for iOS and Android devices, including smartwatch support such as Apple Watch
• A user-friendly, frictionless and secure way to complete multi-factor authentication
• Duo Push offers the easiest and more secure method of multi-factor authentication.

Other Authentication Methods Supported by Duo

Duo supports a variety of authentication methods. Easily authenticate anywhere, anytime, with any device using Duo.

• U2F (Universal Second Factor)
• Touch ID for Mac (WebAuthn)
• Mobile one-time passcode (OTP)
• Phone callback
• SMS (text passcode)
• OTP Hardware tokens
• Duo D-100 hardware tokens
• Third-party hardware tokens
• Bypass codes - administrator-generated OTP

Duo is FedRAMP In-Process, offers offline MFA functionality to help comply with DFARS-CUI and delivers two-factor authentication to comply with NIST guidelines.

We’ve released a new guide to help you understand the different criteria for a zero-trust security model that can secure your workforce - that is, both users and devices as they access your applications.

Here’s an excerpt from the introduction:

Why Zero Trust?

Today, the rise in a cloud-connected, mobile and remote workforce has put the visibility and control of users and devices outside of the enterprise. The perimeter has expanded beyond enterprise walls, making it more difficult for security and IT teams to verify user identities, and the trustworthiness of their devices, before granting both access to enterprise applications and data.

The new workforce model today requires an equally extended security model. The extended perimeter is now centered around user identity and their devices. The extended workforce security model must be able to establish device and user trust, no matter where the user is physically, and no matter what kind of network they're connecting from.

New Identity Perimeter Risk

Compromised credentials are a prime target of attackers, allowing for easy, unprotected access due to phishing, brute-force and other password attacks.

In an analysis of simulated phishing campaigns, Duo's 2018 Trusted Access Report found that more than half (63 percent) successfully captured user credentials.

Zero trust treats every access attempt as if it originates from an untrusted network. A trust-centric model is focused on authenticating every user and device before granting access to any application.

A zero-trust approach doesn’t require a complete reinvention of your infrastructure. The most successful solutions should layer on top of and support a hybrid environment without entirely replacing existing investments.

Zero Trust: For the Workforce

The scope of this guide will focus on zero trust as it relates to securing your workforce - that is, users and the devices they use to access work applications. Users may include employees, partners, vendors, contractors and many others, making it more difficult to maintain control over their devices and access.

A zero-trust approach for the workforce should provide an organization the tools to be able to evaluate and make access decisions based on specific risk-based context.

For example - is the user verified using multi-factor authentication (MFA)? Are their devices trusted and/or managed? Do their devices meet your security requirements?

Security teams need to be able to answer these questions to establish trust in users and devices accessing an organization's assets. They also need to do it using an approach that balances security with usability.

This trust-centric security approach for the extended perimeter makes it much more difficult for attackers or unauthorized users to gain access to applications without meeting certain identity, device and application-based criteria.

What’s Inside the Guide

In this guide, you will learn how to evaluate a solution based on:

• User Trust - Can you verify your users are who they say they are? Are you using a scalable, frictionless MFA solution?
• Device Visibility - Do you have detailed insight into every type of device accessing your applications, across every platform?
• Device Trust - Can you check the security posture and trust of all user devices accessing your applications? Can you securely support all devices and BYOD (bring your own device) - both corporate and personally-owned devices?
• Adaptive Policies - Can you enforce granular, contextual policies based on user, device and location to protect access to specific applications?
• Access to All Apps - Can you give your users a secure and consistent login experience to both on-premises and cloud applications?

You’ll also learn why all of these components are key to securing against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.

We’ll also break down Duo’s zero-trust security solution for the workforce and how it can help secure user and device access to your work applications.

Download the Zero Trust Evaluation Guide and learn more about Duo Beyond, our zero-trust platform - or sign up for a free 30-day trial to try it out today.

Hey! What would it mean to you
to know that it'll come back around again?
Hey! Whatever it means to you,
know that everything moves in circles.
-"Circle" lyrics by Incubus

continuous adjective
con·​tin·​u·​ous |  \ kən-ˈtin-yü-əs \
Definition of continuous
1: marked by uninterrupted extension in space, time, or sequence

There is an old saying that sunlight is the best disinfectant. Basically, this means that visibility is key to understanding risk and how vulnerable you are to it.

I’m a “go with my gut” kinda guy. This has served me well in life for the most part, except the gut is not always right and there is just no substitute for useful, timely data. The Department of Homeland Security (DHS) realized this way back in 2012. At the time there didn’t seem to be a uniform way to get an assessment of any given federal agency’s security posture, including their own. So they did a wise thing. They created a program to help agencies do just that, and called it the Continuous Diagnostics & Mitigation Program (CDM Program).

Continuous in that it is an ongoing security journey and mitigation in that prevention is an important part of the program, not just the visibility part. They also partnered with the General Services Administration (GSA) to provide solutions, capabilities and, just as importantly, a procurement processes for putting these types of systems in place. I won’t go into the graphic details here (mostly because there are many other folks who are better versed than I) but the program is really about the security + data relationship and its entire lifecycle.

This was (and continues to be) a very large effort. This helped agencies get their hands around their security knowledge and required them to report progress via a scorecard (and don’t we all love scorecards?). This is another example of the public and private partnership working the way it was intended. Industry worked together and with government to provide technologies and services to help address the underlying security requirements -AND- help with the reporting (visibility) requirements.

Duo is excited to announce that we’ve been added to the Federal CDM Approved Products List (APL) and we’re proud to participate in this ecosystem of government partners to help federal agencies with their cloud/mobile zero-trust journey:

There is also a relationship with the current Trusted Internet Connection (TIC) standards and how they’re evolving to address the current cloud and mobile world we live in today with TIC 3.0.

To me, all of these policies play a role in helping agencies field the best security solution for them -AND- give the agencies leeway and flexibility to make risk-based decisions going forward as technology changes, without having to wait years for updated policy guidance.

Duo is compliant for federal government use, approved by the Department of Homeland Security and is listed on the Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). The CDM APL can be found at the General Services Administration's (GSA’s) CDM website. Agencies can purchase Duo today.

Learn more about Duo for federal and government agencies.

Editor’s note: This is the third blog in a three-part blog series that walks through the top six areas of concern for CISOs and CIOs and the technology solutions available. Our first post of the series explored gaining clear visibility into potential network threats and adopting a zero-trust security policy. Our second post covered adopting an internal culture of security and aligning security ops with IT ops.

There are six key areas security executives should focus their attention towards for the remainder of 2019: clear visibility into threats across platforms, redefining the new perimeter, encouraging an internal culture mindful of security, alignment across IT operations and security operations, early detection of risks from inside the firewall and managing cloud security. It is an ambitious list for any company, but it is nothing to lose sleep over. Duo Security has developed drop-dead simple technology that solves many of these issues — giving weary security executives restful nights with sweet dreams.

Let’s dig into the final two top concerns for CISOs: early detection of risks from inside the firewall and managing cloud security.

5. Get Instant Visibility Into Risks From Inside the Firewall

As many companies turn to contractors and expand their mobile workforce, keeping track of trusted devices and logins is difficult. Yet CISOs need real-time visibility into threats that could be intentional or unintentional entering through a lost device or hacked account.

Duo pinpoints how, where and which end users are accessing corporate applications right now.

“Duo helps us to easily verify the identity of the user, ensures that they are logging in from the device we trust and accessing the information they are allowed to access. Duo is the partner we rely on in our journey towards a zero-trust model.”

— Andrew Spenceley, Cyber Security Architect, University of Sunderland

Duo Helps CISOs Have Confidence and Insight Into Maintaining the Health of Their Networks

• Compromised credential prevention. When a user logs into an application, they verify their identity with Duo’s two-factor authentication (2FA), preventing the risk of unauthorized access due to stolen or weak passwords
• Duo’s platform detects and tracks every device accessing protected applications, including desktop, laptop, mobile, corporate and personally-owned devices – without using an agent
• Enforce endpoint controls. Whether or not you have a mobile device management (MDM) solution, Duo can block devices from accessing your applications
• Notify users to update. Duo alerts users to install required updates to prevent risk
• Have more policy control. Manage contextual policies, role-based policies, app-specific policies, location-specific policies and more with Duo.
• Customer case study: University of Sunderland

6. Manage Security in the Cloud and Gain Control Over Shadow IT

It is often with good intentions that teams will go rogue and start using unsanctioned cloud-based tools to collaborate and get work done. SaaS and open source tools are easy, often have a free version and work great. They also are not always secure and can leave an organization unaware of the potential threats and open backdoors silently lurking in the background. How can a CISO manage the use of unsanctioned tools if they do not know they are being used?

“The old way was ‘I have a lock on the door of the data center and I can control who goes in it’ and ‘I have an internal network that’s protected by a very hard exterior.' Now, with cloud-based services, we have to take a lot more control of how we let people into those systems. The days of just username and password are long behind us. Duo is lightweight and inexpensive and gives a valuable, supplemental scope of insight and control over devices that is complementary to our MDM and extends into the desktop and laptop environment.”

— Dan Ayala, Director of Global Information Security, ProQuest

Both cloud-forward organizations or large enterprises with a complex mix of both cloud and legacy on-premises infrastructure and applications can protect access with MFA, contextual access policies, and device visibility and controls.

Duo Works Seamlessly in the Background Letting Everyone Own Their Security

• Protect every application, including multi-cloud: Admins can secure any application for a consistent login experience
• Broadest access security coverage: Secure access to all applications (both cloud and on-premises) for different user groups and types of devices (laptops, desktop, mobile, personal and corporate-owned), from anywhere
• Anytime, any device, anywhere protection: Duo protects access to all platforms and applications, from any user, device, and location
• Duo helps assess your risk to phishing: Duo Insight is a free tool that pinpoints phishing vulnerabilities
• Customer case studies: Branch (analytics), ProQuest

CISOs are in a race against time to work through these six security priorities, some of which are laid out in the Cisco 2019 CISO Benchmark Study. The good news is Duo Security has created a solution that makes it simple for CISOs to lockdown potential areas of concern, provides easy-to-use and self-install technology that is device and platform agnostic and runs compliance approved security in the background without end-user effort.

Duo Security helps brings shadow IT and potential weak areas to light with a beautifully designed interface that gives CISOs instant visibility into their organization on a single pane of glass. CISOs need not lose sleep over concerns of huge costs and headcount to modernize and align IT infrastructure with IT security because Duo has it covered. Duo is affordable, effective and accessible.

Sleep tight CISOs. Duo aims to democratize security so that every device is protected on every platform. Security should not be intimidating, complicated or difficult, and we designed Duo to be powerful, simple and easy to use for everyone. Nighty night.

Sometimes it feels like we run in circles in InfoSec – chasing the same ideas, but changing the name or re-defining the concepts behind the ideas. Largely, the initiatives remain the same. In cyber security, while the goal is seemingly simple - reduce the threat surface and protect your valuable data from exfiltration - it seems the journey to get there is not.

Evolution of Trust Models - A Brief History Lesson

In the “good ole days” it was easy; everything lived behind a firewall inside the corporate network. As the business world changed to encompass remote workers, everything still lived within a controlled infrastructure and access was granted for outside users through secured virtual private network (VPN) connections. This shift in the early 2000s to allow access from outside the perimeter started buzz around the idea of “de-perimeterization,”  which the Jericho Forum was created to tackle.

The borders of the digital world expanded further with the introduction of cloud applications and services. Hybrid infrastructures meant the traditional castle and moat approach to security became antiquated and the threat surface broader. This introduced new challenges for security professionals to protect the resources of an organization. John Kindervag introduced the concept of a  “zero-trust model” for information security in 2009 and defined it as an approach that assumes no traffic within an enterprise’s network is any more trustworthy by default than traffic coming in from the outside.

This model served as the building blocks for Google's BeyondCorp, introduced in 2014, which is an implementation of a zero-trust architecture that requires securely identifying the user and device, removing trust from the network, externalizing apps and workflow, and implementing inventory-based access controls.

Today, the rise in a cloud-connected, mobile and remote workforce has put the visibility and control of users and devices firmly outside of the enterprise. The extended perimeter is now centered around user identity and their devices. To address this new reality, Gartner's CARTA model - continuous adaptive risk and trust assessment - calls for a shift away from one-time, binary access decisions toward contextual, risk and trust-based decisions. This model is about giving just enough trust to users, even after authentication, to complete the action requested.

As an industry we have been circling the horses around this notion of the shifting perimeter for years but it hasn’t seemed to gain legitimate traction within organizations. Perhaps this is due to the fact that prescribed implementations have morphed with the changing digital landscape, making it appear untenable to implement and maintain.

Now that the idea of a zero-trust approach to security has resurged in the InfoSec space, everyone seems to be offering complex models and solutions. But what problems does this approach solve? How can organizations build a zero-trust model, and where should they start? Maybe the problem is that there is uncertainty around this being the right approach to future-proof environments in this ever-changing digital landscape.

Does Zero Trust Solve New Identity Perimeter Risks?

Protecting users should be the core component of a zero-trust security strategy. Teams need the ability to verify user identities, and the trustworthiness of their devices, before granting both access to enterprise applications and data.

Compromised credentials are a prime target of attackers, allowing for easy, unprotected access due to phishing, brute-force and other password attacks. In an analysis of simulated phishing campaigns, Duo's 2018 Trusted Access Report found that more than half (63 percent) successfully captured user credentials.

A zero-trust security approach for the extended perimeter makes it more difficult for attackers or unauthorized users to gain access to applications without meeting certain identity, device and application-based criteria.

Brick and Mortar of the New Security Wall

This doesn’t mean that organizations have to deconstruct their existing environments, or add complex layers of security to adopt this model. Solutions should enable you to protect your current investments without heavy uplift in administration and implementation. In fact, the most successful solutions should layer on top of existing infrastructures and be convenient and easy for user populations to adopt without an impact to their current workflows.

A zero-trust approach for the workforce should provide an organization the tools to be able to evaluate and make access decisions based on specific risk-based context for any application within an environment. This can even mean layering security controls on top of existing remote access solutions that are in place today.

Bolstering Your Defenses With Trust

The goal of a zero-trust security approach is to enable security teams to be able to establish trust in users and devices accessing an organization's assets by adding an additional layer of security. Ideally, they need an approach that balances security with usability, to ensure adoption within an organization.

Solutions need to be streamlined and user friendly to both deploy and administer, and organizations need to create a culture of security with their users through empowerment and education. By providing tools that simulate phishing attacks and offering self-remediation options users become a part of the security team and improve the odds of a successful implementation of a new security approach.

Trusting the Future

Will establishing this security model future proof your organization? Time will certainly tell. The concept has been evolving over the years but the basic principles have remained the same. Access points – users and devices – into corporate resources need to be protected and the threat surface needs to be minimized to prevent the loss of sensitive data.

By approaching security practices with a zero-rust model enables organizations to modernize their infrastructure without introducing risk. A solution that is scalable, flexible, compliments existing solutions, and can adapt to diverse use cases will ensure successful adoption and protection.

Adopting a zero-trust security approach doesn’t have to be overwhelming. There are steps that can be taken today to establish protection on the new identity perimeter, giving organizations a layer of security that offers protection without the need to re-invent the entire infrastructure of an organization.

You can learn more about how Duo can help you future proof your security solution and apply principles of trusted access to support your zero-trust security approach. You can also join us for a security panel discussion Thursday, May 9 at 1 p.m. EDT and learn how other distinguished security professionals have approached the journey to establishing a zero-trust security approach.

Unlike the high tech government systems portrayed in spy movies, federal government agencies like the Pentagon, the Department of Defense (DoD) and public agencies are not at the bleeding edge of modern IT in all areas, particularly when it comes to the outdated PIV/CAC cards required to sign into systems. 

In 2001, the DoD first introduced Common Access Cards (CAC), a smart card used to prove identity and log on to systems, with no consolidated and interoperable ID management for civilian employees, reservists, active duty personal and contract workers. In 2006, the DoD launched an updated CAC adding Personal Identification Verification (PIV) capability as a next generation CAC solution. Today, the basic ability for workers and contractors to log into their super-secret systems is the same as it was in the early days of the internet, and the government has not kept up with technology advancements.

Back in 2013, Tony Montemarano, executive deputy director of the Defense Information Systems Agency (DISA) said, “We are really hitting hard on mobility [and identity protection]. Everything we are doing, every development activity has to show a mobile side to it.” 

The folks at the federal government who protect and serve are well-aware of the security and usability challengers of this outdated approach to IT security.

“We will use true multi-factor that actually does a couple of things for me — it gets me more agile because there is an overhead for CAC cards, not just cost overhead, but a time overhead, and in my business, it’s a location overhead. It’s really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your systems. It just doesn’t work well.”

-- The then Department of Defense Chief Information Officer Terry Halvorsen told the Federal News Network in 2016 

As more operations rely on smart devices and screens, using CAC and PIV alone is no longer a viable solution. “We have to move away from the CAC as a form factor,” shared Steve Wallace, DISA’s technical director, in 2017, noting that the CAC card doesn’t plug into a tablet.

The federal and military CAC and PIV systems are as ingrained into our federal systems as the American Social Security number—and are not exactly going away, but they are getting an Avengers makeover and being reimagined from the clunky hardware and ugly UI to modern mobile user credentialing utilizing multi-factor authentication (MFA) that is seamless and frictionless. It’s the kind of modernization that senior leaders in federal agencies have been working toward for years.

Duo Security is a mobile multi-factor authentication technology developed to solve exactly these problems for federal and government agencies. Duo believes that excellent cybersecurity should be accessible to all people and aims to “democratize security” so every device is protected on every platform with the ability to access any application securely utilizing our zero-trust (trust no user and no device that is not properly vetted) technology.

Duo Moves Compliant CAC/PIV Credentials to Mobile

Duo’s MFA supports rather than replaces CAC/PIV cards, keeping the cost to implement low.

Duo works as a mobile application on smartphones that users can self-register and administer using their government issued or BYOD device, making a large roll-out a snap with few barriers to adoption. It is as easy as installing any app from the app store.

With Duo’s single sign-on (SSO) login with a password and username, which triggers the Duo Mobile App to send a push notification (Duo Push). User’s can tap “accept” (or deny suspicious requests) and quickly complete the second-factor authentication process (2FA). Duo allows users authenticate into cloud and SaaS applications and access applications from mobile devices

Duo keeps agencies and users compliant with granular policy controls that allow admins the ability to set policies for:

• Location-based access
• Role-based access
• Contextual access
• App-specific access
• Outdated applications and required updates
• Endpoint control enforcement whether you have an MDM solution or not
• Detecting and tracking every device on your network without using an agent
• Notifying users who have not added password protection or biometrics or restricting them until they do 

All-In-One Solution

Imagine a single solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity. Duo and YubiKey have teamed up to offer a single elegant solution for all scenarios.

Duo + YubiKey

 Together, Duo and the YubiKey satisfy the government guidance on:

• FedRAMP
• DFARS/ NIST SP 800-171
• NIST SP 800-63-3 AAL

Duo Security is proudly FedRAMP “In Process” on the FedRAMP Marketplace and adheres to NIST regulations for compliance for commercial alternatives to CAC/PIV cards. Federal and public agencies can buy Duo now.

Want to learn more? Watch this webinar on "How Mobile Will Replace Your CAC/PIV Cards"

Watch Webinar

Editor’s note: This is the second blog in a three-part blog series that walks through the top six areas of concern for CISOs and CIOs and the technology solutions available. Our first post of the series explored gaining clear visibility into potential network threats and adopting a zero-trust security policy.

There are six key areas security executives should focus their attention towards for the remainder of 2019: clear visibility into threats across platforms, redefining the new perimeter, encouraging an internal culture mindful of security, alignment across IT operations and security operations, early detection of risks from inside the firewall and managing cloud security. It is an ambitious list for any company, but it is nothing to lose sleep over. Duo Security has developed drop-dead simple technology that solves many of these issues — giving weary security executives restful nights with sweet dreams.

Let’s dig into the next two top concerns for CISOs; adopting an internal culture of security and aligning security ops with IT ops.

3. Nurture an Internal Culture of Security Automatically

Between smart devices, laptops, phishing scams, wifi hacks and malware — preserving company security is everyone’s responsibility. Educating employees of potential risks and creating an internal culture of security is a top priority for security executives. In the recent Cisco 2019 CISO Benchmark Report only 39% of companies surveyed had security training in place for employees. This large internal security risk deeply concerns CISOs and could lead to needless sleeplessness, but it certainly does not have to. Duo was created to make security frictionless and automatic for everyone.

Duo helps organizations avoid the legacy limbo and modernize IT infrastructure with super simple self-service technology that is system agnostic and offers maximum security. It is a win for CISOs and a win for employees.

“The only way we knew to get insights into mobiles devices was to push a mobile device management (MDM) tool onto user’s devices, but due to cost and complexity we didn’t want to pursue this idea. Duo’s push functionality, flexible authentication options, inline enrollment and user documentation made it easy for us to enroll all of our users in a timely manner.”

— Chad Spiers, Director of Information Security, Sentara Healthcare

Everyone can own their security. Duo’s DIY mobile authentication is as easy as downloading an app from the app store.

• Users can self-enroll. Duo's automated sign-up options, such as user self-enrollment, and Active Directory sync options allow for scalable user provisioning
• Duo’s self-service portal lets users manage their own devices
• Duo’s Self-Remediation notifies and assists users to update any out-of-date devices
• Duo’s technology stops phishing attacks before they happen by identifying vulnerable users
• You control and customize policies based on the user or group or their specific roles and responsibilities
• Customer case study: Sentara Healthcare

4. Align Security Operations with IT Operations

The Chinese symbol for danger doubles as the same symbol meaning opportunity. This paradox is similar to the competing priorities between CSOs and CISOs. On one hand, the CISO manages the security operations team with the goal of enforcing and controlling trust to keep data safe; while on the other hand the CIO manages the IT operations team and is tasked with completing projects and increasing revenue with a focus on expanding business with new technology. They often have similar but competing goals to modernize the way business is done and to be secure while maximizing efficiency and business objectives.

Duo helps to align security operations with IT operations by streamlining multiple security tools in one agnostic platform. Duo democratizes security for all organizations regardless of their current technology stack. CISOs can finally catch more zzz’s.

“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls.”

—  Mike Johnson, CISO at Lyft 

Together at last, Duo helps CISOs and CIOs meet their goals side-by-side.

• Reduce time to security: Duo's native integrations protect on-premises, cloud, remote access, VPNs, etc. to enable business agility, allowing admins to roll out security in a matter of hours and days
• Secure cloud infrastructure access: DevOps and engineering teams can SSH to servers remotely and securely with Duo to access development environments and deploy code, as required by compliance regulations
• Duo does the work of many different security tools, all in one platform: strong/adaptive authentication, endpoint visibility and control, remote access and single sign-on – increasing the value of your security investment
• Duo's technology and security partnership ecosystem makes it easy for you to eliminate complexity while protecting your existing IT investments
• Customer case studies: Withers Worldwide, Lyft

Studies show vendor consolidation as a trend. Duo is a single vendor solution that takes the place of multiple vendors and technology. Duo Beyond makes it easy to develop an internal culture of trust through zero-trust security. CISOs can worry less and get deeper sleep by implementing technology that automatically secures everyone and aligns with the goals of security ops and IT ops.

Our final post in our three-part series will review how Duo helps with early detection of risks from inside the firewall and managing cloud security so more CISOs can get quality REM sleep.

Recently at Duo Tech Talks we hosted Emma Dauterman of Stanford University for an outstanding presentation on True2F, a joint research project between Stanford and Google surrounding backdoor-resistant security keys.

The True2F work builds on top of FIDO U2F, which is a 2nd-factor authentication standard supported on sites like Google, Dropbox, GitHub, and Duo. U2F, (and similar technologies like WebAuthn), provide strong, public-key based authentication on the web with built-in phishing resistance. Instead of relying on shared secrets, protocols like U2F and WebAuthn use a challenge-response protocol. U2F and WebAuthn authenticators can be physical security keys such as a YubiKey or Google Titan Key, platform authenticators built into computing devices, or can even be software-based.

U2F and WebAuthn provide some protections if faced with malicious websites, (e.g., a phishing site), or even a malicious web browser. However, these protocols currently provide no protection from token faults or backdoors. True2F changes this by providing a two-party protocol for generating cryptographic keys and ECDSA signatures.

Emma’s talk covers the design and implementation of True2F, as well as performance differences between U2F and True2F. The full paper is available online, which goes into even greater detail and provides complete proofs.

If you missed it last time, check out Emma’s talk here, and if you’d like to attend future Duo Tech Talks, you can find them posted on our Meetup page.

You can choose a ready guide in some celestial voice
If you choose not to decide, you still have made a choice
You can choose from phantom fears and kindness that can kill
I will choose a path that's clear
I will choose freewill
-Rush

Change is hard. We humans have a built-in CRD (Change Resistance Diode) and we spend an inordinate amount of time and energy fighting change. I am as guilty of this as anyone. I’ve been wearing the same style of shoe for almost 40 years. “It works for me, has always worked for me and if it ain’t broke, don’t fix it.” This is a fine mantra for shoes, but status quo is a killer in the enterprise. This mindset makes us miss things – trends that might actually help the business. But the greater threat is missing areas where the business is vulnerable or at risk. This mindset also gives way to “do nothing” thinking, and, well, just because you don’t make a decision or don’t make a change doesn’t mean that the change happening around you, won’t affect you.

This behavior gives way to “the law of unintended consequences” and “unintended or accidental motivation.”

It’s always talked about and often examined but worth taking a look at it in an IT security context. We as human creatives act and are compelled to act by a few different “drivers.” The biggest driver, imho, is the incentive driver. While we all have others – things like a moral driver, a moral “compass,” if you will; some people’s moral compass will never find true north – one thing that all of us human animals have in common is a drive that will align with some kind of compensation. I’m not talking strictly about money, although this tends to be a big driver and the most equated attribute to compensation. I’m talking about incentives. The incentives can be wildly varied, as it should be. And what motivates one might not motivate another. For example, some people are rewarded by sheer satisfaction. The satisfaction that comes from a job well done. Some are not motivated by this at all and couldn’t care less about how well a job is done. Add to this that the job itself plays a role in satisfaction being a driving incentive, and you have a complex set of attributes and psychology that are both fascinating and terrifying.

When my first born son was a teenager he was not at all worried about how well he mowed the lawn. He cared a little more when he got paid for it, but it wasn’t a task that he could be motivated into easily. He was however, very motivated to become good at the video game Halo. He played it a lot. I didn’t have to pay him to do it. The incentive was the satisfaction. He was good at other things and took pride in things that weren’t video games, but my point is: the task itself plays a role in how things are incentivized. Playing this game was also incentive for doing his homework. Bribery/incentivization is a parent’s strongest tool.

“When I do good I feel good, when I do bad I feel bad, and that is my religion.” - Abraham Lincoln

All three of our boys are very compassionate souls, even if they didn’t ever want us to know it. My wife instilled in them a volunteer spirit. They volunteered (and continue to volunteer) quite a bit with many organizations growing up. They did this with pride and without compensation. The job was the reward. There was an incentive to do a good job for their fellow humans.

Not all jobs are like this. Some jobs or tasks require compensation. This is the whole point of sales compensation.

So this brings me to accidental motivation (and before you say “there’s no such thing!” yea, yea there is, and it’s actually the prevailing motivation in the world).

It can be a sales comp plan that provides incentives and compensation that are good for the business, but not as good for the customer: “I only want widget A and don’t want widget B. Why do you keep pushing widget B?”

Usually this is because someone inside the selling organization has incentives/compensations to move more widget B. This is probably due to the fact that no one wants to buy widget B because it doesn’t solve any useful problem for the customers. Now, no organization on earth wants to hurt their customers. Not on purpose. So while this example is premeditated, the outcome is not a wanted outcome for either the customer or the organization. Unintentional consequences or accidental incentive.

We do this in InfoSec all the time.

Everytime we decide not to have a policy or to have a policy that puts undue burden on our users, we have decided to allow chaos or accidental incentives to take over.

Trying to COPE with BYOD

One of the biggest examples of this was/is bring your own device (BYOD).

BYOD happened to IT, not the other way around. People got cool phones and tablets and more than that they got useful smart devices that could do email, calendar, notes, and many other things. And once the apps started coming, forget about it. Computing changed forever. The early days of BYOD were people bringing their personal devices and using them for business, in most cases without the IT department’s knowledge. Once IT got wind of it, that’s when the party started. CISOs and legal folks got involved and the privacy and data protection dance started. The irony is that there are lots of cases now where people won’t allow IT to put a control agent (MDM) on their device. So InfoSec invented this thing called COPE (corporate owned, personally enabled) devices. This was a fancy way of saying, “we’ll give you one of those cool devices, but we own it and we can do whatever we want to it. You can put your pictures and songs on it but we may wipe it anytime we want. Here’s our 30 page policy. Have a nice day.”

So what behavior did we incentivize? People will either carry two devices or just use their personal device anyway. Sure, you can try and block their email. But they can still text and make calls and people are creative. They will find a way. You’ve essentially, but accidentally, encouraged people to work outside the confines of corporate security.

I know this from personal experience. I’m a CISO’s and legal team’s worst nightmare. And I’m a security guy! But for me, usability will always always always outweigh security. It’s a simple fact. I like to get things done. Security will either work with me or I’ll find another way.

BYOD works. I remember when the iPhone first showed up in 2007; the prospect of consolidating my personal compute platform from a Blackberry, plus an iPod, plus a phone to a single device was truly compelling. That compelling event is still happening today. In my world (public sector) they are constantly vacillating back and forth between “never gonna support” to “looking for a way to support.” But guess what? It’s already happening. Why? Because users find a way. While you keep thinking about it and keep talking about it, it’s happening. Unintended consequence of doing nothing.

Breaking All the (Password) Rules

Passwords are another glaring example of accidental or unintentional incentives.

We put in place strong password requirements, both for the passwords themselves (complexity) and how users use passwords (change them every 30 days, don’t write them down, etc.). We have accidentally incentivized users to break the rules (I’m gonna write that password down because there is no way in heck I can remember that) or reuse the password everywhere because I’m not going to have 30 passwords that I can’t remember.

Now, luckily we have the tools to deal with this. Password managers are a great tool. Password managers combined with a simple effective MFA (multi-factor authentication) solutions are an even better tool. But as useful as they are, they sometimes add a layer of complexity to the user’s everyday technological life, so we need to be conscious of that. Apple’s doing a pretty good job of turning the Keychain into a useful password manager. It’s always been one, but now it’s gotten much more user friendly, ie. working across all of my devices, as long as they’re Apple devices. The point is, while I absolutely recommend using password managers, it’s not a “one size fits all” solution and not everyone will embrace it. But pretending that our users don’t mind heavy handed password requirements pretty much sums up the security team/users relationship conundrum.

Some day passwords will be gone. Can’t be soon enough for most of us, but today is not that day.

<DUO COMMERCIAL>

The first thing to understand about me is that I am a true believer. What I mean by that is, I don’t preach the value of Duo because I work here. Quite the opposite, I work here because I believe in the original vision of the company and believe it does good in the world.

When I on-boarded at Duo over a year ago, it really struck me, as I put on my end user hat, how good it was. I tell people this all the time. It was the right combination of people (we’re all security right?) process (here’s how you set everything up and how it all works together) and technology (ours, plus LastPass and Yubico’s YubiKeys, browers, apps, etc.). It was the whole ball of wax and it was simple and user focused. This last part is key, and something that is most often forgotten.

It is the most crystalien example of a user-centric zero-trust security model that I have seen.

Every organization should be doing this. Now. Everyday.

</DUO COMMERCIAL>

As I finished up the above section, I realized it wasn’t really a Duo commercial as much as it was a best practice commercial. I just happen to truly believe that Duo is doing something special here and has an important role to play.

Seriously, giving the user community the incentive to be good security citizens cannot be overstated. Having well defined, user-centric policies and processes, coupled with user compassion and kick ass tools make for a winning combination.

Otherwise, we are creating accidental incentives to not do the right thing and the law of unintended consequences will prevail.

It’s just the first half of 2019, yet chief security officers (CSOs) or chief information security officers (CISOs) everywhere find themselves in a race against time and resources to modernize and shore up vulnerabilities within IT infrastructure in a way that plays nice with current legacy systems and permits device autonomy within organizations on the individual level. The good news is that solving these complex problems is not as difficult as it sounds.

Editor’s note: This is the first blog in a three-part blog series that walks through the top six areas of concern for CISOs and CIOs and the technology solutions available.

The 6 Key Areas of Concern for CISOs

There are six key areas security executives should focus their attention towards for the remainder of 2019: clear visibility into threats across platforms, redefining the new perimeter, encouraging an internal culture mindful of security, alignment across IT operations and security operations, early detection of risks from inside the firewall and managing cloud security. It is an ambitious list for any company, but it is nothing to lose sleep over. Duo Security has developed drop-dead simple technology that solves many of these issues — giving weary security executives restful nights with sweet dreams.

Let’s dig into the first two top concerns: gaining clear visibility into potential network threats and adopting a zero-trust security policy.

1. Gain Clear Visibility Into Potential Threats Across Your Network and Platform

Managing potential security risks across mobile, cloud and on-premises assets requires deep visibility into all assets that have access to applications, networks and platforms. Duo helps organizations get real-time insights on device health across platforms.

Get detailed insight into the security health of every type of device (whether corporate-managed or personally-owned) accessing your applications.

“We can see a full device inventory through a single pane of glass and have been able to secure endpoints and enforce policies to block access to applications from out-of-date and vulnerable devices. This, in conjunction with the implementation of MFA, has reduced the attack surface effectively and efficiently”

— Richard Bailey, Vice President of IT Operations at PruittHealth

Know What Is Happening on Your Network Right Now

Some device visibility solutions only give you limited insight into certain platforms and operating systems. Duo uses a single centralized dashboard that gives admins oversight across the network, hardware and software.

• Duo protects against password attacks with multi-factor authentication (MFA).  Eliminate the threat of attacks that stem from compromised credentials with Duo's easy and effective MFA

• Stay compliant. Duo provides end-to-end visibility, reporting and logs of assets. Duo's endpoint visibility gives a detailed overview of users' devices (managed or unmanaged, mobile and laptops/desktops) with compliance-friendly reporting and logs
• Get granular control with continuous reporting and monitoring of systems. Streamline data reporting and policies. Duo continuously monitors and reports on the health of your infrastructure. Identify mobile devices with certain security features enabled or disabled, as well as their security posture. BYOD, no problem
• Duo is software agnostic, accessible and open to everyone — democratizing security. Duo supports all users, types of devices and integrates with on-premises and cloud applications.
• Customer case studies: PruittHealth, Eastridge Workforce Solutions

2. Adopt Zero Trust to Secure the Perimeter Inside and Outside of Your Firewall

CSOs and CISOs are throwing out the assumption that the perimeter is confined to inside the firewall, because it simply no longer applies. The perimeter has shifted with a push toward “mobile first” and “bring your own device (BYOD)” and continues to expand to include cloud applications. This has changed the definition of what trusted users, trusted devices and safe traffic look like. Organizations need to expand the perimeter across on-prem, cloud and hybrid environments.

Zero trust treats every access attempt as if it originates from an untrusted network. This might sound like an expensive and time consuming proposition, fortunately it does not have to be.  A zero-trust approach doesn’t require a complete reinvention of your infrastructure. The most successful solutions can layer on top of and support a hybrid environment without entirely replacing existing investments.

Duo Enables Zero-Trust Security That Meets Strict Compliance Standards While Expanding the Perimeter

“We chose to implement Duo Beyond because it aligns with our own vision of zero-trust security. When integrated with Sophos Mobile control, it helps us securely and confidently provide mobile access to our employees, and provides additional visibility into all assets that are accessing corporate resources.”

—  Ross McKerchar, Chief Information Security Officer, Sophos Security

Have the power to limit access and flag risks before they become problems

• Duo Security centralizes access policies across platforms with zero-trust security. Admins can consolidate dashboards and get a single view of overall security status. Duo's Admin Panel flags risky devices allowing policy controls that limit access based on device and user trust (adaptive authentication)
• Support several authentication methods based on user choice: Duo Push, phone calls, U2F, etc. for all applications and services
• Limit or restrict access based on location or  IP ranges. Grant or deny access to applications based on where the user/device is coming from and what they are accessing with an easy to use interface
• Stop unauthorized authentications. Block authentication attempts from anonymous networks like Tor and proxies
• Customer case studies: Withers Worldwide, Sophos

Cisco recently released the 2019 CISO Benchmark Study that confirms gaining clear visibility into network threats and getting to zero trust is a top priority for CISOs. Duo Beyond is a zero-trust security platform that addresses user and device risk for every application so that CISOs can relax and rest easy, saving their energy for real problems.

Our second post in our three-part series will review how Duo creates an instant internal culture mindful of security, as well as how seamless alignment across IT operations and security operations can be.

There are many valid reasons federal agencies have been reluctant to adopt bring your own device (BYOD) policies, despite having a large remote and contract workforce.

The risk of not being in compliance, ransomware, hacks, PUS (potentially unwanted software), malware, phishing, shadow devices and information leaks on compromised devices combined with a lack of clear policy guidelines can appear to outweigh the rewards. Yet, asking government workers not to use their personal devices in 2019 is increasingly inefficient, expensive and archaic (plus, they’ll find a way to use them regardless).

So the White House released the BYOD toolkit and the National Institute of Standards and Technology (NIST) continues to update their mobile device security hub with guidelines to help federal and government agencies modernize their IT while securing their network from mobile device threats. NIST 800-63-3 updates the Digital Identity Guidelines to overcome the shortcomings of personal identity verification (PIV) cards and common access cards (CAC) credentials by allowing public agencies to choose accredited commercially available multi-factor authentication (MFA) technology as compensating security controls, meaning agencies are closer than ever to being able to embrace BYOD without the perceived security pitfalls.

Today, technological advancements in cloud security have turned the tables, and the pros for permitting BYOD devices (laptops, smart devices, phones, tablets, device screens and more) in federal agencies can outweigh the cons. In the past, the only solution to enabling secure BYOD to install an agent or a client like mobile device management (MDM). That gave visibility, but at the cost of personal privacy and invasive scanning. Now, there are low cost software agnostic alternatives that do not require a rip and replacement of legacy systems and complement and expand older technology.

MFA + Unified Endpoint Visibility = Freedom for Federal BYOD with Device Visibility

The obvious benefit of MFA is its ease of use and two-factor authentication that protects and verifies user identities before allowing access corporate applications. MFA protects public agencies from unauthorized access and attacks. MFA is as easy as uploading an app from the app store and even easier to implement with user self-enrollment.

Unified Endpoint Visibility strengthens a government agency’s control over each user’s device hygiene. It allows them to monitor and identify risky devices in real time while blocking device access until users perform critical updates that patch potential threats with easy-to-use self-remediation and Endpoint Remediation tools. Public agencies can rest assured they are always in compliance by setting up policies that automatically enforce many security hygiene requirements such as passcode, biometrics and encryption to maintain preset security standards.

See Everything Now. Shine Light on Shadow Devices

Securing BYOD by enforcing device access policies for corporate and personal devices helps agencies identify all devices logging on to the network, even unknown devices. Government agencies can set and enforce policies with contextual controls based on granular details like user groups, geolocation, device type, network and more. Finally, federal agencies can get a clear view of all the devices attempting to access or that are on their network through a single control panel. Agencies have the power to identify, control and block potential threats before they happen.

BYOD is good for government. It can keep the costs of equipment down. BYOD can eliminate new hardware and infrastructure costs. BYOD keeps staff accessible and appeals to a new mobile workforce while increasing productivity.

Duo Security is currently FedRAMP “In Process” on the FedRAMP Marketplace. Freedom for federal BYOD with clear device visibility is possible now.