Lyft was founded in 2012 and currently provides 50 million rides a month across the United States and Canada. This adoption brings the biggest challenge for Lyft’s security team: to protect their users’ sensitive personal and financial information.
The company aimed to strengthen security protection for its mission-critical applications and valuable intellectual property, while enabling easy and secure access for all stakeholders and empowering effective collaboration.
Lyft employees use a VPN to access sensitive internal applications hosted on Amazon Web Services (AWS). Lyft had implemented a custom solution based on OpenVPN, but it had several usability challenges for users accessing web applications and SSH. Employees used the VPN even when they were inside Lyft offices to access certain internal apps, which impacted their productivity. Maintaining VPN clients for disparate operating systems on all end users’ machines required high effort and was becoming increasingly expensive.
In addition, Lyft has a diverse mix of user devices, including MacBooks, Chromebooks, Windows and Linux machines. Some are actively managed by IT, while others are users’ personal devices not managed by IT. Visibility into these devices and their security posture was a big gap.
To protect user information, Lyft wanted to establish strong access controls for applications so that only authorized and trusted individuals using company-issued devices are allowed access to sensitive data.
Lyft deployed Duo and was immediately able to consolidate several projects, such as multi-factor authentication (MFA) and mobile device management (MDM), which reduced their overall total cost of ownership by more than 50 percent.
“My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey,” said Vivian Ho, software engineer on Lyft’s Security team. “We envision Duo enabling team members to innovate and deliver services by providing easy and timely access to the tools and data they need in order to be productive and effective. Additionally, we see Duo serving as a core technology building block to enable our zero trust security philosophy. We chose Duo primarily due to three reasons: broadest coverage of devices and applications; great user experience for accessing protected internal tools; and simple implementation and roll-out.”
Uncovering Risky Personal Devices
Duo helps Lyft enforce device trust by providing a snapshot of all personal and unmanaged devices accessing its environment. Duo gave complete visibility into all devices, with a single-pane-of-glass view across platforms such as Windows, macOS, iOS, Android and ChromeOS, which helped the Lyft team assess the potential security risks associated with these devices. Admins were able to identify device vulnerabilities and enforce policies to mitigate risks, such as preventing an out-of-date or jailbroken device from accessing applications. With device trust, Lyft can ensure that risky devices, including personal and unmanaged devices, do not get access to sensitive applications.
“All our employees use Duo on a daily basis, which makes our team’s job a lot easier and more effective,” Ho said. “As they say, ‘security is not one person’s job, it takes a village to make it effective.’”
Streamlined Access With Zero Trust
“Duo Beyond has enabled us to push our zero trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls,” said Mike Johnson, Former CISO at Lyft.
With Duo Beyond, Lyft can establish zero trust by enforcing user trust with MFA and device trust by checking the security posture of devices. Furthermore, Duo helped users access internal applications securely without requiring a specific VPN client.