Speed to security - it only took two hours to add Duo's two-factor authentication (2FA / MFA) to existing solutions.
Enhanced security by providing visibility into the security status of all devices accessing the company's environment.
Data Equipment had a secure access solution in place, but wanted to switch. "We were looking for a solution that was easy to use - both from an IT administrator and an end-user perspective - and that would also satisfy the needs of our diverse customer base," says Goran Tømte, CISO at Data Equipment. The IT security team agreed that a new solution had to provide stronger authentication methods than the existing one.
Traditional two-factor methods such as time-based tokens, code generators, SMS-based OTP (one-time passwords) and others were error-prone, had limited device support and required a lot of overall support. Push authentication, which effectively turns mobile devices into authentication tokens, was seen as a far more attractive method. It was not only cost-effective in terms of implementation and maintenance, but also far more secure than other forms of authentication. "Simple, yet airtight logins that will help our customers improve security without affecting user productivity were critical," adds Tømte.
Another important requirement was the ability to authenticate offline. Data Equipment has a number of public sector customers whose workforce may be occasionally offline by the nature of their job function. These users still need to run 2FA to log on to Windows computers securely. Offline MFA for laptops, desktops and servers was added to the list of requirements.
“Successful attacks take place in permitted traffic. To reduce the attack surface, we knew we had to establish trust at the application level. This meant strong access controls for applications, so that only authorized persons and devices have access to sensitive information,” adds Tømte.
Conducting user verification was especially relevant in the context of devices used by Data Equipment employees: a mix of corporate and personal ones. Both groups needed access to business applications, whether it was job email, calendar, contacts or other sensitive data.
"We wanted a solution that could provide insight into all devices that gain access to our environment, and that help our teams assess potential risks associated with these devices," says Tømte. The solution was to also enable IT administrators to identify device vulnerabilities and enforce policies to reduce risks, such as preventing an outdated or jailbroken device from accessing applications. The company was committed to ensuring that risky devices could not access sensitive applications.
With its ability to define access policies by user group and per application and identify company-owned versus BYOD devices, Duo Beyond seemed like a natural choice.
"We found Duo's Device Health Application very efficient," says Petter Tidemand-Fossum, technical manager at Data Equipment, who was also involved in the deployment. "In a matter of minutes, we were able to detect devices that needed updating."
For Data Equipment's clients with a large remote workforce, one of the most important aspects is securing access to the Windows environment. End users who connect remotely or virtually to a computer on the network verify their identity via multi-factor authentication.
"We soon found out that Duo was the simplest solution we have ever implemented," says Tidemand-Fossum. “Adding Duo's two-factor authentication to remote desktop sign-in took just two hours. Some of our customers who chose other solutions for a 2FA configuration for RDP logins took between one and two weeks to complete the same task.”
“Many SaaS vendors require a license upgrade to get access to the SSO feature. Duo Single Sign-On (SSO) is included in every Duo edition,” says Tømte. This also provides benefits from a user perspective. Duo’s SSO and MFA are easily configured for each application and as such allow a seamless authentication flow for the user.
Data Equipment's clients also use Duo's policy features, especially those that make it possible to step up or down security, based on user type. Granular policies help ensure that users can access some resources with a single set of credentials, but are prompted for more credentials when requesting access to sensitive resources.
"One of the key benefits for us as well as our customers is visibility," says Tidemand-Fossum. “When administrators log into the admin portal, they can see where users are logging in from, what devices they are using and can easily identify when something goes wrong. Getting the same level of intelligence without Duo would require visibility through a number of logs,” says Tidemand-Fossum.
“This project showed us that Zero Trust is not about technology. It's about mindset. And with technology that is intuitive and easy to maintain, it is much easier to change the security mindset,” concludes Tømte.