The Business Challenge
Cybercriminals increasingly consider manufacturing and distribution companies a target-rich environment to infiltrate. Deploying comprehensive security controls can be hard in manufacturing, due to diverse user populations and hybrid infrastructures that include reliance on legacy systems and applications. Additionally, organizations in this space are subject to a wide array of regulatory controls, which adds complexity to the technical and security challenges that they face.
As a government contractor, Optimax must implement the requirements of the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 and meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards. These requirements protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. Failure to meet these requirements will result in the loss of contracts.
The Technical Challenge
Addressing compliance requirements to protect CUI on all systems operating within their environment was Optimax’s key driver in seeking an authentication solution. Given the complex nature of their infrastructure, which houses legacy operating systems to run machinery, proprietary applications, and increasing use of cloud applications, Optimax needed a solution that could be versatile and address a broad number of use cases and applications without creating additional overhead for the security team.
Justin Doescher, a System and Network Admin for Optimax, shared that “applying security controls can be a challenge in manufacturing, because the systems that run production equipment are constantly running older platforms which makes it hard to lock down the network. With Duo, we have been able to implement local and remote controls for access to our systems and can easily demonstrate compliance with regulations.”
With Duo Access edition, Optimax was able to implement a streamlined security solution to meet compliance requirements for access control and authentication. The ability for their security team to run reports for auditing and accountability helps provide visibility into activity within their environment, and risk assessments around the health of the devices accessing systems allow the team to quickly identify areas where improvements are needed. With these insights, the team is able to quickly adapt and adjust the controls that are in place.
Securing Access to Critical Business Systems
A key use case for Optimax was to protect systems that contain CUI. They needed to limit system access to authorized users and processes acting on behalf of authorized users (NIST 800-171 3.1.1). This encompasses workstations accessed by employees, as well as the systems that operate manufacturing machinery.
The security team uses Duo for Microsoft Windows to enforce multi-factor authentication at initial login and return from screen lock in order to ensure secure access at the machine level. “Due to the diverse platforms that we need to support, it is great that Duo works on any platform and it is really easy to deploy and manage for our team,” said Doescher. Having the ability to protect these systems even when they are offline is also key to ensuring consistent and cohesive security covering multiple use cases.
One of the other requirements of NIST 800-171 is to require multi-factor authentication to establish non-local maintenance sessions via external network connections (NIST 800-171 3.7.5). Optimax is able to secure remote access and empower support teams to serve diverse sites. By protecting remote access through VPN with authentication requirements and access policies, Doescher explained that they “can provide access while increasing productivity - mitigating the need for our support folks to physically travel between sites. This makes the team more efficient and the security team can ensure that only the right people are able to get remote access into our network.”
By leveraging the device insights that Duo provides, the team has visibility into all devices that are connecting to their systems and is able to implement access controls. They can quickly identify devices that need attention and use policies to block devices that may be rooted/jailbroken from gaining access to sensitive resources, reducing their risk surface and ensuring compliance by controlling the connection of mobile devices (3.1.18).
Flexible Authentication Options for a Diverse Workforce
“Change can be a challenge in any organization, we have the added challenge of having users from all different levels of technical ability, but we received no complaints when we rolled out Duo,” shared Doescher, “add to that the ability to use YubiKeys means that we were able to reduce the friction on our end-users and it provided us the ability to control logins on shared systems easily.”
With protecting systems containing CUI as the prime initiative, it was crucial that Optimax could ensure that only users who needed to access certain systems could do so. By setting policies based on group membership, Duo provides the ability to confirm the user’s identity and validate that they could access the appropriate resources. Users that are not in the specified groups are blocked.
The self-enrollment options available with Duo make it easy for users to adopt the use of multi-factor authentication. The added ability for Optimax to deny access to users if they aren’t enrolled means that the security team can easily monitor and manage the roll-out to the user base.
With Duo in place, Optimax is able to report on user activity and has a single dashboard which provides visibility into not just the users accessing their protected resources, but the devices that have access as well. The team is able to make security decisions and establish access policies that protect their environment without interrupting their users’ day-to-day activities.
“Being able to audit user activity means that we have knowledge on who is using what and when,” states Doescher, “this insight helps us see what is controlled and what isn’t and helps us demonstrate compliance with regulations, protecting not just our business but our clients as well.”