“Duo Beyond has proven to be one of those rare solutions that both improves the security of our company while simultaneously being easier for our employees to use.”
— Mike Johnson, CISO
Lyft, an on-demand transportation company, was working to bolster its security
Deploying Duo helped Lyft protect sensitive data without impeding productivity
Duo Beyond served as the core technology building block for Lyft’s zero-trust journey
Duo’s Unified Endpoint Visibility gave Lyft a single view into all mobile device platforms and their potential risk
Lyft is an on-demand transportation company based in San Francisco. Launched in June 2012, Lyft is a fast-growing, multi-billion-dollar technology company that operates in the United States and select cities in Canada, and provides over 50 million rides a month. It operates in a highly competitive market with a culture of rapid product development, launching product updates several times a month. Fast, easy and secure collaboration among employees and external partners is critical for its success.
Lyft was founded in 2012 and currently provides 50 million rides a month across the United States and Canada. This level of adoption brings the biggest challenge for Lyft’s security team: protecting their users’ sensitive personal and financial information.
The company aimed to strengthen security protection for their mission-critical applications and valuable intellectual property. They wanted to enable easy and secure access for all stakeholders, empowering effective collaboration.
Lyft employees used VPN connections to access sensitive internal applications hosted on Amazon Web Services (AWS). Lyft had implemented a custom solution based on OpenVPN, but it posed usability challenges for end users accessing web applications and SSH. Employees had to use the VPN even when they were inside Lyft offices to access certain internal apps, which impacted user productivity. Lyft was looking for a VPN alternative for certain popular applications without compromising security.
Meanwhile, Lyft also had a diverse mix of end-user devices, including MacBooks, Chromebooks, Windows and Linux machines. Some were actively managed by IT and some were end users’ own personal devices not managed by IT. Gaining visibility into all these devices to analyze their security posture was a big gap. Maintaining VPN clients for disparate operating systems on all their end users’ machines required significant effort and was becoming increasingly expensive.
To protect user information, Lyft wanted to establish strong access controls for applications so that only authorized and trusted individuals using company-issued devices were allowed access to sensitive data. Specifically, they wanted to enable two-factor authentication (2FA) to strengthen the security of remote access, and ensure that only devices with good security posture could connect to their critical applications in AWS.
Lyft deployed Duo Beyond and was immediately able to consolidate several projects, such as multi-factor authentication (MFA) and mobile device management (MDM).
“My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey,” said Vivian Ho, software engineer on Lyft’s Security team. “We envision Duo enabling team members to innovate and deliver services by providing easy and timely access to the tools and data they need in order to be productive and effective. Additionally, we see Duo serving as a core technology building block to enable our zero-trust security philosophy. We chose Duo primarily due to three reasons: broadest coverage of devices and applications; great user experience for accessing protected internal tools; and simple implementation and roll-out.”
“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls,” said Mike Johnson, CISO at Lyft.
Lyft’s deployment of Duo Beyond gave the company a zero-trust security platform, which means they have the ability to establish trust in user identities, ensure the trustworthiness of devices, and enforce access policies for all of their applications.
With Duo Network Gateway, Lyft allowed its users to access various websites, web applications, and SSH servers in a multi-cloud environment. Lyft also enforced stronger policies to allow healthy, enrolled devices to access critical applications. Today, 100 percent of Lyft’s employees access applications easily and securely from anywhere on a trusted device.
On the mobile side, Duo provides Lyft a snapshot of all personal and unmanaged mobile devices accessing their environment. Duo’s Unified Endpoint Visibility provides a single-pane-of-glass view into all mobile device platforms and helps the Lyft team assess the potential security risks associated with each device. Admins are able to identify device vulnerabilities and enforce policies to mitigate risks, such as preventing an out-of-date or jailbroken device from accessing applications.
“We have 100 percent of Lyft employees use Duo on a daily basis, which makes our team’s job a lot easier and effective,” Ho said. “As they say, ‘security is not one person’s job, it takes a village to make it effective.’”