FinancialForce provides application access based on user identity and device trust, using Duo's Trusted Endpoints and SSO.
Duo became the link we needed to make our security philosophy really work. We now know that if folks were downloading reports or manipulating data in a cloud application, that they were doing it from a safe device, and that their identity had been confirmed with MFA.
FinancialForce is a cloud-first organization. “Since our inception in 2009, we’ve never had any on-premise infrastructure,” notes Richard Hall, the Senior Director of IT & Infrastructure. The company’s security philosophy started with a two-pronged approach.
For one, they invest in top-notch cloud applications for their workforce. “When it comes to our applications, we consistently invest in business solutions that are best of breed, then we optimize our security around protecting access to that environment,” Hall says. “We use tools like Salesforce, Google Suite, LucidChart, and Docusign.”
The second prong of the strategy is a heavy focus on the security of the endpoint fleet deployed to FinancialForce workers. Each employee gets a laptop that must be encrypted, run up-to-date antivirus software, and carry a suite of security tools. One example is Cisco Umbrella, used to protect the endpoints at the DNS layer. Richard’s team even built an internal ‘compliance dashboard’ that checks the status of the endpoints to make sure they are in alignment with the company’s security standards.
The problem then became ensuring that only the secured and corporate-managed devices could access the suite of applications. “Our biggest issue,” cites Hall, “was that we had a great set of applications, and a great set of secure devices - but how do we make sure that you’re using the great laptop to access the great application and not your mother’s old PC?”
Additionally, FinancialForce was using an SSO solution to federate their corporate identities to their applications, but regardless of the sensitivity of the application, the device posture, or the user role, the end user was prompted only once every 30 days. “The access policy of our SSO was incredibly basic,” Hall recalls.
The Duo Technical Solution
Initially, FinancialForce considered a VPN client that would be placed onto the corporate devices. However, their CISO had heard about Duo’s Trusted Endpoint functionality and wanted to evaluate Duo before moving in a more traditional direction. “At that point, it was a leap of faith,” Hall remembers, “but things ended up working better than expected. In fact, I think we haven’t needed to open a technical ticket with Duo to this day.”
To address their use case, FinancialForce leveraged Duo to deploy certificates onto their devices managed by VMWare Workspace One (formerly AirWatch); the IT team could then apply policy at the point of application access to allow corporate laptops and deny other devices. The company also moved to Duo’s SSO solution, which has much more granular policy functionality.
“Duo became the link we needed to make our security philosophy really work,” Hall notes. “We now knew that if folks were downloading reports or manipulating data in a cloud application, that they were doing it from a safe device, and that their identity had been confirmed with MFA.”
With the core security use cases satisfied, FinancialForce began leveraging other components of Duo to ensure a robust security posture. For example, at the point of access, Duo can prompt users to update OS, software or browser versions when their devices fall out of date. The process used to be much more manual, requiring Hall and team to reach out to specific out-of-date users. “The self-remediation tool has dramatically improved our time-to-update metric when new versions of browsers are released,” Hall notes.
Moreover, the IT team also began to group applications by their security priority within Duo. This allowed them to set access policy, covering the frequency of MFA prompts and the required state of device health, on an application-by-application basis. For example, for access to highly sensitive applications, users are prompted every four hours for a second factor and their device must meet certain posture requirements. For access to other, less critical applications, users may be prompted less often and devices may be slightly out of date, yet access is still granted.
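To make the tiered policy described above concrete, here is an added example (not FinancialForce’s configuration or Duo’s code) that models the decision an access gateway makes per request: deny devices without the MDM-issued certificate, force remediation when a sensitive app requires a current device, re-prompt for MFA when the last factor is older than the tier allows, and otherwise grant access. The tier names, the application-to-tier mapping, the one-day prompt interval for less critical apps and the version baselines are assumptions; the four-hour prompt interval for sensitive apps is from the case study.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Device:
    has_corporate_cert: bool       # certificate pushed by the MDM (device trust)
    os_version: tuple              # e.g. (12, 3)
    browser_version: tuple         # e.g. (110, 0)

# Policy tiers: "high" is the page's four-hour prompt with strict posture;
# "standard" (one day, posture warned but not blocked) is an assumed value.
TIERS = {
    "high":     {"mfa_max_age": timedelta(hours=4), "require_current": True},
    "standard": {"mfa_max_age": timedelta(days=1),  "require_current": False},
}
# Assumed mapping of applications to tiers (constructed for this example).
APP_TIER = {"salesforce": "high", "lucidchart": "standard"}
# Constructed minimum versions the compliance check enforces.
MIN_OS, MIN_BROWSER = (12, 0), (100, 0)

def is_out_of_date(device: Device) -> bool:
    return device.os_version < MIN_OS or device.browser_version < MIN_BROWSER

def evaluate(app: str, device: Device, last_mfa: datetime, now: datetime) -> str:
    """Return one of: deny, remediate, mfa, allow-warn, allow."""
    # 1. Device trust: no corporate certificate means no access, whatever the app.
    if not device.has_corporate_cert:
        return "deny"
    tier = TIERS[APP_TIER[app]]
    stale = is_out_of_date(device)
    # 2. Sensitive apps block out-of-date devices and send the user to self-remediate.
    if stale and tier["require_current"]:
        return "remediate"
    # 3. MFA freshness is checked against the tier's prompt interval.
    if now - last_mfa > tier["mfa_max_age"]:
        return "mfa"
    # 4. Less critical apps still grant access to a slightly stale device,
    #    but flag it so the update nudge can be shown.
    return "allow-warn" if stale else "allow"
```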
Working with Duo
Throughout the implementation and the ongoing relationship, FinancialForce has leveraged DuoCare, Duo’s premium support, to provide both technical and business guidance to the IT team. “The experience with DuoCare has been top notch,” Hall notes. “The way that the team responds to our thoughts and concerns is absolutely fantastic.”
One example of FinancialForce’s success with DuoCare is the Executive Business Review process. The DuoCare team provides internal business and security stakeholders with information regarding the access and device status in their current environment, benchmarking them against peer groups and the industry as a whole. “These reviews have been incredibly valuable,” Hall says. “Oftentimes metrics can be very introspective, but getting that external view as to where we stand overall or against industry benchmarks is super helpful when thinking about security value.”
Over the course of the partnership, “the DuoCare experience has been so good that I have used it as a model internally to our customer success team,” Hall admits.
Hall and team have also been pleased with the development of the product in general. “Duo keeps innovating. From the time we bought to now, sometimes you have to step back and say ‘wow, that’s a lot of additional value.’”
One example is the new Duo Device Health application, which can be used to assess the security posture of non-managed devices. FinancialForce is planning to use the new Duo functionality to assess the posture of partner or vendor laptops that may need access to certain applications.
Moving Forward With Duo
“At FinancialForce, our number one value is trust,” Hall states. “Duo has helped us build that into our culture. Every time an employee logs in and sees Duo, they know they’re enacting our culture of trust.”
“We work with a lot of vendors, but it’s rare to have a partner like Duo. Duo continues to innovate, communicate well with us, and make us feel like we’re succeeding in our mission to deliver a trusted solution. The product roadmap is a coherent security vision we’re really excited about and we are looking forward to having Duo at the center of our infrastructure moving forward.”