Sophos needed to meet the growing challenges of enabling world-wide workforce mobility and enhancing agility through access to cloud applications. To accomplish this, Sophos initiated a global digital transformation to enable its employees to securely work from anywhere, using any device they chose.
As a security technology company that protects company, customer and partner data, information security is a core element of its IT environment. It was important that the solution would extend the mobile protection available through their Sophos Mobile Device Management solution, deployed on every employee’s device.
Like most global companies, Sophos has a complex environment with a mix of software as a service (SaaS) apps (such as Office 365, Salesforce and Amazon Web Services) and on-premises applications accessed through virtual private networks (VPN) and Secure Shell (SSH).
In their bring your own device (BYOD) strategy, they wanted to provide full access to applications from managed devices provided by the organization and allow limited access from unmanaged personal devices.
Sophos had previously implemented an access security system by combining various technologies such as RSA tokens, VPN, endpoint certificates and ADFS-based federation. However, given the system’s cost and complexity, Sophos had to limit BYOD privileges to fewer than 200 of their 3000+ employees, and the only access granted was to internal applications over VPN, using RSA tokens for MFA. This model could not meet their growing business needs.
Sophos deployed Duo Beyond in combination with Sophos Mobile’s endpoint management for its users and partners. This gives Sophos a zero-trust security platform -- the ability to establish trust in user identities, ensure the trustworthiness of devices, and enforce access policies for all of their applications.
“We chose to implement Duo Beyond because it aligns with our own vision of zero-trust security. When integrated with Sophos Mobile control, it helps us securely and confidently provide mobile access to our employees, and provides additional visibility into all assets that are accessing corporate resources.” - Ross McKerchar, Chief Information Security Officer, Sophos
Sophos uses Duo’s Device Insight to check if a mobile, Windows or Mac device is trusted before a user is allowed to access a protected application from that device. For Sophos, part of that trust comes from whether the device is managed through Sophos Mobile’s endpoint management. If so, Duo allows access to sensitive applications. If not, access is more restricted.
Fearless and Painless BYOD
Before Duo, fewer than 200 employees had been set up for BYOD. Duo Beyond, integrated with Sophos Mobile, enabled Sophos to confidently expand mobile access privileges to all of their 3000+ employees with 7000+ devices, whether BYOD or company-provided.
Simplification and Cost Reduction
Before Duo Beyond, every employee who wanted BYOD access had to interact with the service desk up to three separate times, once for each enrolled device. Now, using Duo’s self-enrollment tools, no help desk involvement is necessary. Moving to Duo Beyond also enabled Sophos to accelerate the decommissioning of their RSA investment.
Streamlined Access With Perimeter-Less Security
In the past, any issues with the VPN resulted in waves of help desk tickets from users who could not access applications like email or Salesforce.com. With Duo Beyond protecting application access, Sophos has dramatically scaled back their dependence on VPN.
“Duo helps us to have strong authentication across the enterprise in a low-friction manner,” said McKerchar. Using a VPN to access applications is now “a rare event” at Sophos, delivering “a huge win both for users and for security.”