Certinia + Duo
Certinia continually added Duo features such as Multi-factor Authentication (MFA) and Single Sign-On (SSO) and expanded security functionality into its environment while creating a long-term partnership.
Starting with Cisco Secure
Back in 2018, Certinia joined with Cisco to start its journey to stronger security. Since the beginning, Certinia has been a cloud-first organization, with no on-premises infrastructure. Simon Duffey, Senior IT Manager and Service Owner for Productivity and IT Security at Certinia, says, “The company consistently invests in best-of-breed cloud tools for its workforce. When it comes to our applications and IT infrastructure, we consistently invest in business solutions that are at the forefront of cutting-edge technologies, modernize our infrastructure, and create capacity to scale. We optimize our zero trust security around protecting access to those environments.” To secure its critical SaaS environment, Certinia first laid out some ambitious project goals, including:
- Enable secure access from corporate-issued endpoints to a suite of cloud applications
- Implement a single sign-on (SSO) solution that provides granular access policy
- Monitor device posture and easily prompt for operating system and browser updates
Through conversations with the Certinia team and Cisco experts, Duo stood out as the ideal solution, since Duo enables organizations to easily implement application access policies based on device management status and supports SSO with access policy based on application sensitivity, device health, and user role. Duo also ensures devices are updated in a timely fashion with workforce self-remediation.
The Evolving Challenge
Since the initial project that brought Certinia into partnership with Cisco, the company has experienced a major evolution. While Certinia was originally the first to offer a new type of financial accounting solution built on the Salesforce platform in 2009, the company quickly learned that the approach it took worked particularly well for service-oriented organizations where managing an ongoing customer relationship is essential. Based on this experience, Certinia expanded into the PSA space and quickly became the market leader in professional services automation. Today, Certinia has expanded even further, identifying new areas for innovation such as Services Configure, Price, Quote (CPQ), Service-centric Financial Planning and Analysis (FP&A), and Customer Success Cloud. The company has become the preferred platform for services businesses, and focuses its efforts on delivering solutions that help increase certainty for its customers.
Certinia’s cybersecurity has also evolved. To protect its technology investments, intellectual property, growing service offerings, and customer data, the Services-as-a-Business vendor’s security focus has expanded. Ensuring that corporate-managed devices can access the suite of applications is critical, but delivering a superior user experience, increased productivity, and streamlined work for IT teams through automation and prioritized threat intelligence is key to future success.
The Solution
When Certinia first teamed up with Cisco, its focus was securing user endpoints, authenticating access, and ensuring user device health. All Certinia employees receive an encrypted laptop with anti-virus software and a suite of security tools, including Cisco Umbrella, used to protect the endpoints at the DNS layer.
The company also deployed Duo Trusted Endpoints onto its managed endpoints. Initially this was achieved using certificates to establish device trust, but the company later moved to Duo’s MDM API method, a robust and resilient way of checking that the device was ‘trusted’. Certinia’s IT team was able to apply a Trusted Endpoints policy at the time of authentication to allow access only from corporate laptops while denying access from other devices not running its management solution. The company also moved to Duo’s SSO solution, which enabled more granular policy functionality.
The IT team also began to group applications by type and frequency of access within Duo. This allowed them to set access policies, the frequency of MFA prompts, and the required state of device health on an application-by-application basis. As an example, for access to highly sensitive applications, users are prompted every four hours for a second factor and their device must meet certain posture requirements. For other, less critical applications, users may be prompted less often and may be running a slightly more outdated OS, and access is still granted.
“Duo became the link we needed to make our security philosophy really work,” Duffey noted. “We now knew that if folks were downloading reports or manipulating data in a cloud application, that they were doing it from a safe device, and that their identity had been confirmed with MFA.”
As its business grows, Certinia’s security focus has expanded to include maintaining productivity without losing protection (or increasing risk), ensuring that the business’s zero trust security model and secure access methods aren’t slowing down its teams or delaying customer communications.
“This is a conversation that keeps surfacing. Finding the right balance by keeping people productive, removing barriers and frustration of security tooling,” Duffey says.
One way they’ve managed to accomplish both is by deploying Duo’s Risk-Based Authentication, which automatically detects and mitigates commonly known attack patterns and high-risk anomalies. By targeting only risky authentication attempts for mitigation, Duo provides a higher level of security without compromising end-user experience.
Duffey shared that deploying Risk-Based Authentication not only mitigates risk, but it also steps up security requirements only if there are potential threats. Once trust is re-established, users can follow their normal authentication flow. “Being prompted to authenticate multiple times a day despite no change in circumstances was frustrating. It makes a lot more sense to our workforce now, if a change in circumstances, for example I go to a coffee shop to work, I’m going to be asked to step up [security] because it doesn’t recognize my location or my Wi-Fi.”
Another Duo feature, Duo Trust Monitor, has made the experiences of IT teams, not just end users, much easier. Trust Monitor analyzes and models authentication and registration telemetry data to highlight risky access events, which means that admins can identify risks faster without having to sift through endless activity logs. “That’s something that runs in the background,” Duffey notes. “It’s reassuring to know that we have detailed logs at hand. They help put the pieces together and add context for our IT and Security teams. We don’t have someone sifting through the logs daily… It’s an invaluable tool to our help desk.”
Certinia IT teams also empower users (and free up IT resources) with self-remediation. Duo’s Endpoint Remediation lets admins block access to enterprise applications based on outdated software versions, while self-remediation warns users that they're using outdated software and gives them the option to update their own devices using step-by-step instructions. “That takes a lot of resources off the team. We now have a tool continuously monitoring and communicating to our workforce reinforcing good IT security practices, rather than sending a communication with actions that get forgotten,” Duffey says.
From an IT security and IT productivity strategy perspective, Duffey says Duo helps Certinia employees “understand the value of IT’s goals and objectives, whether it’s productivity and/or security.”
Part of the reason that Certinia has continually added Duo features and expanded security functionality is that Duo not only helps drive the best security outcomes but is also a true partner in its mission. This positive relationship is central to Certinia’s success. “We have very strong relationships with Duo customer success teams. We always have someone to talk to. Duo’s innovations and product roadmap are well aligned with Certinia’s strategic goals,” Duffey reflects. “Duo remains an integral part of Certinia’s IT security infrastructure.”