In a world where headlines are dominated by breaches, the task of any information security team is daunting. A recently promoted Network Administrator at the firm notes that the top priority is “protecting the firm’s brand.” The actual work behind protecting the brand is where things get tricky.
The firm must protect important customer data like plans and designs in order to foster trust with clients. Some prospects even require specific security controls to be in place for the firm to bid for business. Additionally, the administrator notes that there “must be a balance between the secure and the functional. We can’t have security hinder our company’s business goals.”
The construction firm is in the midst of transitioning on-premises workloads and applications to the cloud. “We’ve had a big push to move our native applications up to the cloud, everything from time sheets to HR information,” the Network Administrator says. “We need to feel secure in this move.” Therefore, the task of protecting the brand actually includes walking the tightrope of protecting access to customer blueprints and important data, in a way that is easy and effective for employees, all while transitioning their environment to the cloud.
Choosing a Solution
The detection of phishing attempts catalyzed the conversation about how to avoid compromised credentials and implement access policies at the construction & engineering firm. Before choosing a solution, the team underwent a penetration test to locate and prioritize vulnerabilities. “The number one recommendation coming out of the pen test was to implement MFA,” the Network Administrator says. Though MFA is a baseline, the team was starting to think about a zero trust approach as well. “We want to protect application access beyond the traditional perimeter,” the Network Administrator notes. This is why the firm was also implementing a strategy around least privilege and role-based access.
Given the firm’s diverse set of employees, from executives to contractors, enrollment in multi-factor authentication and a flexible set of authentication options were key. Many employees are busy at work sites, involved in building and construction, so supporting many types of authentication options (from mobile push to hard token) provided the required flexibility. There was also some skepticism around an additional security layer in general, especially if it was going to be cumbersome or confusing. “We evaluated both the ease and flexibility of end-user enrollment, and Duo met those requirements best out of all the other vendors,” the Network Administrator notes.
The Technical Lift
The big use case for the construction firm was to integrate Duo with ADFS, ensuring that all employees were challenged with a second factor before accessing any federated applications. “The documentation was really comprehensive,” the Network Administrator notes. The team was able to stand up this critical integration in one day.
Throughout the sales and deployment cycle, the firm chose to work with Duo’s premium service team, Duo Care. “The Duo Care team is awesome - from the licensing and strategic folks, to the technical people,” the Network Administrator said. The construction firm has a change advisory board that reviews any production environment changes, and the Network Administrator says that Duo’s team gave him “peace of mind” going into those meetings. “Duo knows our environment and knows our business. It is overall a great experience working with them - it wasn’t a random person, I feel like they really care about my success.”
Going forward, the Network Administrator notes that the Duo Care team was like “having another employee.” Since the firm is also moving to the cloud, they’re staging a new Duo integration with Microsoft Conditional Access. The Duo Care team was a trusted advisor in preparing for this new launch.
Deploying Duo to Firm Employees & Staff
With the primary technical integration behind them, the construction firm now faced the monumental task of deploying Duo to over 8,000 employees. The staff is based primarily in the United States, but there are employees located all over the world. “We use Office 365 and everyone that has an email account needs to be protected,” the Network Administrator says. Since every user is accessing Office 365 through ADFS, Duo’s integration with ADFS is critical.
The change management was extensive, and the firm implemented a tiered approach in which many key employees were enrolled first, followed by a companywide rollout. “One of the challenges in the rollout involved finding all the gaps in enrollment, but I came in and enforced enrollment. Our enrollment obviously skyrocketed after that.”
There was some pushback to enforced enrollment, but in order to prepare for the change, the Network Administrator set up all of their help desk users with administrative access to Duo. “They were able to leverage Duo’s documentation and quickly find useful information. In the end, when a problem arose, they were able to help end users really effectively.” The construction firm now fully protects its workforce with Duo’s MFA.
After deploying Duo, the firm noticed an improvement in their security posture very quickly. “We obviously had instances where people denied the second factor by accident, however, we had two situations where an employee was sitting in their office and the push showed up on their phone fraudulently,” the Network Administrator notes. These instances were remediated as real cases of compromised credentials and raised to leadership. “If it weren’t for Duo, these would have been compromised accounts. Management was extremely happy about that.”
In the end, the Network Administrator is moving on to a new role, but he told his replacement, “lean on your Duo team, they know what they’re doing.” As a final thought on this security project, he notes that “the experience with Duo is very, very good. It’s hard to beat.”