ProQuest is a technology company helping connect people with vetted, reliable information. The company enables people to get access to the research they need, whether it’s through magazine articles, periodicals, e-books, or books. ProQuest also offers discovery systems to help researchers understand what systems are available for them to access the information they need.
ProQuest provides content that is either sourced from publishers or sourced from others and those contacts rely on ProQuest to protect their copyrighted information. At the same time, they have a body of users -- librarians, students, researchers, professors, and the general public (via public libraries) -- who trust in ProQuest to protect their information.
Protecting Both Content Publishers and End Users Alike
“In general, we’re constantly trying to protect both sides of the coin - both the content that’s given to us and the information that our users have given to us,” said Dan Ayala, Director of Global Information Security at ProQuest. “That has caused us to look at security even more closely and continue to raise the bar in how we deploy it.”
Dan has twenty years of experience in information security, so he has used two-factor authentication solutions in previous jobs. He was already familiar with the benefits of two-factor, along with the pain points some of those previously-used solutions caused. He knew he needed a cloud-based, modern two-factor solution for ProQuest due to their own internal infrastructure.
“We are a very cloud-focused company. Most of our services are either in or moving to cloud-based locations or software as a service (SAAS) locations,” said Dan. “With the industry-wide shift to cloud and mobile, corporations have lost the ability to directly control things in the way we used to, when everything was stored on-prem. Additionally, since we want our two-factor authentication to be as ubiquitously available to our employees, we have Duo installed on a good blend of corporate-owned and managed devices as well as unmanaged, personal devices. As such, we were looking for an easy way to find all those devices and make them more secure.”
He continues, “The old way was ‘I have a lock on the door of the data center and I can control who goes in it’ and ‘I have an internal network that’s protected by a very hard exterior,’ said Dan. “Now, with cloud-based services, we have to take a lot more control of how we let people into those systems. The days of just username and password are long behind us.”
The Solution: Cloud-Based User Authentication Enhanced with Device Insight
Dan then had to determine what two-factor authentication would be best for his two very different groups of users. “We were looking at this from the external customer and internal employee perspective. Frictionless was the word that came to mind.” ProQuest’s internal team is very technology-savvy, so Dan didn’t anticipate many issues with that group during the deployment of a two-factor solution. Even with such a tech-savvy group, Dan says, “We didn’t want to burden their day. We didn’t want to get in the way of their ability to do their actual jobs by spending time logging into systems.”
The other major group of ProQuest’s users are “very focused on making content available to their patrons. And anything that stands in the way means that those patrons can’t be as efficient and they can’t be as active in doing the searches and information-gathering that they need to. So frictionless was a must,” Dan said.
The common denominator with both groups was the need for frictionless two-factor authentication and “Duo came to mind” for Dan.
Choosing Duo Access
Dan had a personal account set up with Duo and was able to test it on his own. “Quite honestly, after about fifteen minutes of using Duo myself, I knew that this was the product we wanted to go with. It made absolute sense considering the constituencies both internally and externally.”
As he puts it, “I’ve been in this space for a long time and I’ve used, deployed, and managed a number of other vendor solutions and, knowing what those capabilities were and what the user experience was, it was a fairly easy decision to go with Duo.”
Pain points he encountered at previous companies where he managed legacy two-factor authentication solutions were primarily around local management, distribution of physical tokens, and the general management of those two-factor solutions. Dan mentioned that many of these solutions required the use of proxies to be able to use the full capabilities of the two-factor solutions.
“Duo really gave us the ability to plug and play into a number of our key applications right out of the box and we didn’t really have to spend a lot of time getting our basic functionality up and going,” Dan said. “The scalability was also a concern. If we’re looking at rolling this out to our customers, that’s going to be a very significant population and not something I want to manage on an internally-hosted system. Having a cloud-based, scalable service that was designed cloud-first, designed to be scalable in that way, helps us grow into the solution as we look to roll it out outside of the company.”
What Duo Access Brings to the Table for ProQuest
ProQuest already had a mobile device management (MDM) solution in place when they upgraded to Duo Platform. “I use Platform to get useful configuration data from any mobile device quickly and to enforce the appropriate levels of control based on the amount of risk those devices bring with them,” Dan said. “Duo is lightweight and inexpensive and gives a valuable, supplemental scope of insight and control over devices that is complementary to our MDM and extends into the desktop and laptop environment.”
Has Duo Access Highlighted Any Significant Risks Within the Organization?
Dan knew that jailbroken/rooted employee personal devices are the “most common vector for compromise and that people like to click on things and break things, unknowingly.” With Platform, he can now see which devices are jailbroken/rooted and has created custom policies that are more strict about what business applications those employees can gain access to from those compromised phones.
He added that being able to identify which unmanaged devices aren’t utilizing basic controls such as passcodes has made it easy for him to notify those users and get them set up with passcodes and other related basic security measures, upping the security integrity of those devices significantly in one fell swoop.
Deploying Duo at ProQuest
After Dan had used his personal Duo account for several months, along with some members of his IT team, they bought a license for a small subset of users and then decided to do the full deployment. To do the full deployment, he and his team utilized the self-enrollment process to deploy Duo to the entire organization. “Over the course of five days, we got Duo rolled out to all of our employees, contractors, and consultants,” said Dan. “It was a very fast uptake because we put Duo in front of the system that they use to get at their primary applications.”
With about 1300 employees and 300-400 contractors in 18 countries now using Duo, Dan said that “the few folks that had any concerns about disrupting their workflow or the inability to get signal and get in quickly, we’ve found workarounds for, or we’ve shown them the Push component and we’ve had a huge uptake and positive response inside the company.”
“I don’t hear a lot from my users about using Duo anymore. Push is really the best feature, both from what I hear from colleagues and from my own experience. It just makes it trivially easy,” said Dan. He added that he uses Duo Mobile on his Apple Watch and “that makes it even easier. A little button pops up, you push the thing on your screen, and in you go. It really is frictionless.”
Listen to Dan share more details about deploying, integrating, and using Duo at ProQuest in the video.
Would You Recommend Duo?
“Absolutely, I would,” said Dan. “It’s a phenomenal product. It’s got good vision, both from in initial architecture as well as product roadmap. Support has been outstanding, when we’ve had some minor issues. Support response has been immediate. Some of our product requests have actually made it into the product.”