AmeriGas + Duo
AmeriGas deployed Duo MFA to their entire user base of 9,500 after starting only with privileged users to achieve PCI-DSS compliance. After a security breach at one of AmeriGas’ sister companies, protecting their Cisco AnyConnect remote access systems became a key priority.
When we roll a technology out to users, we want to enable as much self-service as possible – not generate more help desk calls. Users shouldn’t have to wait for IT.
Business Challenges
AmeriGas began using Duo in 2014 to fulfill PCI-DSS (Payment Card Industry Data Security Standard) compliance requirements. Initially, Duo provided multi-factor authentication (MFA) for a group of privileged users with administrative access to credit card processing applications.
After a 2017 e-mail based phishing event at one of AmeriGas’ sister companies, deploying MFA more broadly to protect sensitive corporate and employee resources became a more focused initiative. When Christopher Martin joined AmeriGas as the manager of identity and access security, an organization-wide MFA rollout and protecting remote access to sensitive IT systems were among his top priorities.
AmeriGas aimed to secure remote access both by external IT contractors – who worked on sensitive projects such as the financial and human resource systems from locations all over the world – and by internal employees accessing company resources from outside the office. Security had to be robust whether the device used for access was company-supplied or personally owned (BYOD).
However, most AmeriGas employees (such as truck drivers and warehouse staff) are not required to use computers regularly in their roles, and relatively few have broad experience with authentication technology. This led to some organizational reluctance and uncertainty about a broad rollout of an MFA solution, which prompted them to look at alternative solutions. Ultimately, given the company's previous experience of how easy Duo’s MFA solutions were to use and deploy, it made sense for them to expand their initial use to this broader audience of users.
Technical Challenges
It was crucial for AmeriGas to secure remote access to their sensitive applications. Employees and contractors gain remote access using multiple solutions including Cisco AnyConnect and F5 security gateway from locations worldwide. AmeriGas needed to secure this access whether users employed company-supplied or personal devices (BYOD).
Martin recognized that getting the diverse user base on board with a process change like this was a significant challenge to the project. Therefore, intuitive ease of use was a crucial requirement for an MFA system. Since AmeriGas also had a small IT staff with limited experience integrating third-party solutions with their internal apps, MFA success depended on being easy to implement, roll out and administer at scale.
Enabling broad self-service functionality for users, minimizing the impact on finite IT resources, was also critical. The solution had to integrate easily with AmeriGas’ broad range of systems, including Cisco AnyConnect VPN, F5 security gateway, Active Directory, ADFS, SailPoint IdentityNow, SAP SuccessFactors, Microsoft Dynamics and Microsoft Office 365.
The Solution
AmeriGas compared several different MFA solutions, including Duo, RSA and Ping. Martin said Duo easily won the evaluation, citing Duo’s flexibility, ease of deployment and superior user experience. “In terms of being actually usable on a daily basis, Duo was clearly superior,” said Martin. AmeriGas expanded their implementation of Duo to encompass their entire user base, deploying to both internal employees and external contractors. Users were also granted the option to use their own devices for access. AmeriGas’ small IT staff was able to quickly and easily integrate Duo with all their on-premises and cloud applications and roll it out to their users.
Robust Protection for Remote Access Authentication
By implementing multi-factor authentication to protect their remote access technology, AmeriGas has gone beyond the minimum required by PCI-DSS and applied best practices for user authentication across their entire user base.
Protecting Employees’ Personal Data
To help the user base view adding MFA as a positive thing, AmeriGas is coordinating the rollout of SAP SuccessFactors payroll functionality with Duo MFA. Users recognized that multi-factor authentication protects their personal information maintained in the payroll system. As users become familiar with multi-factor authentication in this way, they more readily embrace using it with other applications and systems.
Enabling, Not Impeding User Access
“When we roll a technology out to users, we want to enable as much self-service as possible – not generate more help desk calls, and not require users to do things manually. Users shouldn’t have to wait for IT,” said Martin. AmeriGas employees leverage Duo’s self-service portal to self-enroll, add and update their devices, Martin added, noting, “This actually enables users – for example, they get a new phone and can easily get it enrolled.”