What Is Trusted Access?
For years, many in the security industry operated under the assumption that breaches were inevitable, and that our only option for breach mitigation was getting better and faster at detection, after attackers had already compromised us.
The number of breaches is rising because our security practices were created for a different time: a time when protecting the network perimeter was considered enough to keep the adversaries out.
That’s why it’s time for a new security approach that focuses on prevention as the most effective form of protection. Instead of fighting against the consumerization of technology that has brought with it a new wave of user-owned personal devices to the workplace, Duo has embraced it, incorporating it into our approach to security.
We want to enable easy access for your users and their devices by creating a frictionless security solution, while ensuring those devices are free of known vulnerabilities at the same time. Our solution relies on more than just your username and password, addressing security threats before they become a problem.
We ensure Trusted Access by verifying the identity of your users and the health of their devices before they connect to your organization’s applications:
Ensure your users are really who they say they are by using two-factor authentication, an effective way to verify the identity of your users before they access your applications and data.
Go a step further and enforce access policies based on contextual parameters such as user location, IP reputation and more. For example, block users from countries you don’t do business in, or require stronger access controls for a more privileged group of users, like administrators.
Ensure each device meets your security standards by checking it before it connects to your company’s applications. Inspect each endpoint to verify that it is running the latest operating systems, browsers, and plugins like Flash and Java to protect against known vulnerabilities and exploits that affect older versions.
Check to see if your users’ devices have important security features enabled, such as screen lock, fingerprint identification and passcodes to keep intruders out.
Integrate with every type of application to ensure complete coverage across every entry point, including VPNs, cloud apps, web apps and your proprietary/custom apps.
Limiting user access to only the apps they need to access in order to do their job can reduce the scope of risk associated with any one user account.
Discovery, Awareness and Mitigation
There are different stages in the prevention approach - the first phases include Discovery and Awareness.
In these phases, getting in-depth insight into your users and devices is key to assessing your risk profile in order to make data-informed decisions. That means you need to know all of the warning signs and symptoms of an unhealthy device, one that is more susceptible to malware infection and compromise, in order to prevent a breach.
Duo’s Device Insight gives you a complete inventory of your users’ devices, allowing you to drill down into detailed device data and find out platform, OS versions, model type, browsers and plugins, and more. You can also see which devices have certain security features enabled, and which ones don’t have passcode, screen lock, encryption, Touch ID and similar features enabled.
Identify At-Risk Devices
This lets you identify any devices running at-risk software, meaning out-of-date versions of Flash Player and Java. Duo does the device analysis for you, flagging which devices are out of date. Combined, Flash and Java have over 500 known vulnerabilities that can be exploited by an attacker seeking to compromise your users’ devices and install malware, which could be passed on to your company’s network after your user connects to your applications.
User and Authentication Logs
Detailed authentication logs show you data about your enrolled users and their logins, including the user’s name, time of attempt, application/integration type, authentication method used, IP address and location, and the result (whether the authentication succeeded or failed).
In the Mitigation phase, you can create custom policies and controls based on certain user and device security profiles.
Trusted Devices and Networks
Knowing what you know from the Discovery and Awareness stages, you can choose to either trust certain devices and networks when they authenticate into your applications, or set more stringent authentication requirements based on a certain profile.
For example, you can set a policy for a certain user group, like Engineering. Since they have access to code repositories and proprietary business data, you could require them to complete two-factor authentication with Duo Push or a U2F token every time they use a remote terminal to connect to your SSH server. For other users logging into less sensitive services, you could allow their device to be trusted for 30 days before they must complete two-factor authentication again, making daily logins easier and faster.
Urge Users to Update
Using Duo’s Self-Remediation feature, you can also notify and prompt users to update their own devices. As they log in, we check their devices for out-of-date software and then give them the option to update their browsers, plugins, OS, etc.
Block At-Risk Devices
Finally, we also give your admins the power to block any devices that don’t meet your minimum security standards by using Endpoint Remediation. That way, you can ensure only healthy devices are accessing your company’s applications and data.
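The mitigation policies described above (strong factors on every SSH login for Engineering, a 30-day remembered device for other users, and blocking out-of-date endpoints) can be expressed as one decision function. This is an added example, not Duo's code or API: the request schema, function names and minimum versions are hypothetical, and versions are assumed to be dotted numbers.

```python
from datetime import datetime, timedelta

# Constructed minimums; real values would come from vendor release data.
MIN_VERSIONS = {"os": (10, 11, 6), "browser": (52, 0),
                "flash": (22, 0), "java": (8, 0, 101)}
REMEMBER_WINDOW = timedelta(days=30)  # "trusted for 30 days" in the text
STRONG_FACTORS = ["push", "u2f"]      # Duo Push or a U2F token

def parse_version(text):
    """'8.0.91' -> (8, 0, 91), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def outdated_software(device):
    """Names of reported components that are older than the required minimum."""
    return sorted(name for name, minimum in MIN_VERSIONS.items()
                  if name in device and parse_version(device[name]) < minimum)

def decide(request, now):
    """Return (decision, detail) for one access request (hypothetical schema)."""
    stale = outdated_software(request["device"])
    if stale:
        return "block", stale  # endpoint fails the health check
    if request["group"] == "Engineering" and request["app"] == "ssh":
        return "require_2fa", STRONG_FACTORS  # every login, no remembered device
    last = request.get("last_2fa")
    if last is not None and now - last < REMEMBER_WINDOW:
        return "allow", ["remembered device"]
    return "require_2fa", ["any enrolled factor"]

if __name__ == "__main__":
    now = datetime(2016, 6, 1, 12, 0)  # constructed sample data below
    healthy = {"os": "10.11.6", "browser": "52.0", "java": "8.0.101"}
    samples = [
        {"group": "Engineering", "app": "ssh", "device": healthy,
         "last_2fa": now - timedelta(hours=1)},
        {"group": "Sales", "app": "webmail", "device": healthy,
         "last_2fa": now - timedelta(days=10)},
        {"group": "Sales", "app": "webmail",
         "device": {"flash": "21.0.0.242", "java": "8.0.91"}, "last_2fa": None},
    ]
    for sample in samples:
        print(sample["group"], sample["app"], decide(sample, now))
```

The device check runs first, so an out-of-date endpoint is blocked even when the user would otherwise qualify for a remembered-device login. Comparing versions as strings would wrongly rank 8.0.91 above 8.0.101, which is why they are parsed into integer tuples.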
The 2016 Duo Trusted Access Report
Learn more about the current state of device security in The Duo 2016 Trusted Access Report. In this report, you’ll get:
- A breakdown of how many Mac, Windows and other users and devices are running outdated, unsupported browsers, operating systems, Java and Flash
- The types of known vulnerabilities your users and company are susceptible to
- Duo’s security hygiene recommendations to secure your devices, users, apps and data
- A real-life breach scenario and how a Trusted Access solution can prevent a breach
Get advice on securing your organization’s endpoints to protect against a successful attack using stolen credentials or known vulnerabilities.