Lack of visibility and control
The healthcare provider uses the Microsoft Office 365 suite of email and productivity applications. To realize the full potential of its cloud infrastructure, the organization enables productivity for its users from any location without requiring user traffic to be routed through the corporate network. Two-factor authentication (2FA) is a critical component of their security program, but the solution that was packaged with the enterprise suite did not meet the requirements of the IT security team.
The administrators wanted complete visibility of users and devices accessing their Office 365 environment, and granular access controls through role-based policies for each application. Additionally, the team wanted to minimize the administrative overhead in user management, monitoring and reporting.
The healthcare provider evaluated market-leading MFA solutions and chose Duo because it provided strong multi-factor authentication, complete visibility for workforce access, and granular role-based access, with the added benefit of ease of use for both administrators and end users.
“Duo protects our Microsoft Office 365 enterprise applications and remote access to internal servers. The biggest reason to choose Duo is the level of visibility and control it provides, which was just not available with the incumbent solution. I am glad that I don't have to use PowerShell scripts anymore because all the reports I need are just a few clicks away,” said a Security Architect at the organization.
Duo + Microsoft Better Together
Duo fosters a strong technology partnership program with Microsoft. This partnership has enabled Duo to offer out-of-the-box native integrations for multi-factor authentication with Microsoft Entra ID Federation (ADFS) and Microsoft Entra ID (AD). The healthcare organization leveraged Duo’s out-of-the-box integration with AD FS to enforce multi-factor authentication for all remote employees and external users that require access to Office 365.
Duo also integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop (RDP) and local logons. The security team protects administrators’ RDP console access to critical infrastructure such as servers that contain domain user accounts, certificates and PCI information.
Security, Visibility and Control
The healthcare provider is a prime phishing target for cybercriminals because of the sensitive data they collect and maintain. Duo stops these phishing incidents from becoming data breach headlines.
“When users get phished, bad guys start attempting to use the stolen credentials within 10 mins. Duo stops these login attempts and provides the details of the login failures so we can take the necessary action. In the last 90 days, Duo has protected against three instances of account hijacking,” said the Security Architect.
Duo’s dashboard provides the security administrators a snapshot of the overall access activity across their organization. “The dashboard gives us a high-level view of our organization. Useful information such as login failures, who logged into which application and when, number of deployed licenses and inactive users are all available right there. I can then easily drill down to the details of a specific login event with just a few clicks. We did not have this level of information before Duo,” the Security Architect explained.
While role-based access per application was possible with the incumbent solution, it was cumbersome to implement and manage because each application required a separate instance of the solution. With Duo, the healthcare provider implemented role-based access policies per application with ease. “We are able to carve out applications and enforce role-based access control from a single instance of Duo, making it easy for my team to manage,” said the Security Architect.
The organization has streamlined administrative tasks with Duo. Administrators can easily pull up the recent activity log to quickly get to a resolution. They do not have to sort through pages of logs anymore. And if a user has not logged in for a certain number of days, administrators can go ahead and deprovision them to avoid incurring unnecessary costs.
Deployment and User Migration
Migrating a high-touch solution such as MFA can be daunting and complex as it impacts business productivity. The healthcare organization leveraged Duo Care’s expertise to ensure success in deploying and migrating users to Duo with minimal impact to business. “Duo’s native integration with ADFS gave us the flexibility we needed and made it very easy to deploy in our environment. The rollout was complicated but we were able to customize the deployment using scripts and we executed it very well,” said the Security Architect.
Duo recommends allowing users to enroll themselves whenever possible. The healthcare organization chose to allow users to self-enroll via email. “Enrolling users and registering the Duo Mobile application was simple. We used PowerShell scripts to move blocks of 1000 users at a time, unenrolling them from the incumbent solution and then enrolling them in Duo using the email enrollment option. We first rolled Duo out to a group of test users for a month and then to the entire organization in four days. The entire deployment and user enrollment process was incredibly quick and easy compared to other solutions I have deployed in the past,” said the Security Architect.
EPCS and Labor Union Requirements
The healthcare provider uses Duo to satisfy Drug Enforcement Administration (DEA) requirements for electronic prescription of controlled substances (EPCS) by adding two-factor authentication to Epic e-Prescription workflows.
“Our doctors love the Duo Push experience for 2FA. Doctors can prescribe medication, immediately approve them and do everything that they need to do even before the patient leaves the room,” said the organization's Security Architect.
The organization's staff members belong to a labor union that requires that employees not be allowed to read or respond to email after work hours. With Duo, the organization is able to meet this requirement by restricting staff members' email access after work hours.
The healthcare provider's security and compliance program is focused on maintaining a good security posture to protect their corporate assets. The philosophy of zero-trust security is baked into the program. Verifying the identity of the users logging into Office 365 is a critical component of a baseline security posture. As the organization increases its cloud footprint and enables Bring Your Own Device (BYOD), it is looking to enhance its security program with adaptive access policies such as restricting access from certain geographical locations.