Cisco Duo: More than MFA

With hybrid and remote work remaining constant, users are accessing more applications from more devices than ever before. Multi-factor Authentication solutions, such as Cisco Duo, are a great solution to secure users' access to these applications.

Duo is widely known as being simple to use and easy to implement, but what many don't know is that it can also provide advanced security capabilities in addition to MFA.

MFA and Cisco Duo​

Cisco Duo is a cloud-delivered multi-factor authentication (MFA) solution.

Conceptually, MFA is an authentication method that requires users to provide two or more methods of evidence to prove their identity.

This typically consists of a combination of something that the users know (a password), utilizing something they have (typically a mobile device), or something they are (such as a biometric factor like a fingerprint).

Duo provides an additional layer of security for accessing online applications and services, verifying users by initiating multiple “checks" to ensure that the individual attempting access is really who they say they are.

Cisco Duo offers a wide range of Multi-factor authentication options, such as: • Push notifications

• One-time passcodes (OTP)

• Phone callbacks

• Hardware tokens

• Biometric authentication.

When a user tries to access an application or service protected by Cisco Duo, they are prompted to initiate the following workflow:

1. Provide their primary authentication factor (Typically a username and password).
2. Once the primary authentication is completed, a secondary factor is required to complete the login process, such as approving a push notification on their mobile device or entering a one-time passcode.

Deploying an MFA solution, such as Cisco Duo, helps organizations to enhance the security of their applications and data by adding an extra layer of protection beyond the traditional username and password combination, which, in turn, reduces the risk of unauthorized access and data breaches.

MFA + Security: This is the Way​

While Cisco Duo provides a comprehensive multi-factor access security solution, Duo provides more than just MFA in the way of advanced security features, such as:

• Device Visibility and Security Hygiene, which allows organizations to gain visibility into the security posture of devices attempting to access their systems by assessing them for potential vulnerabilities, outdated software, etc.

• Adaptive Access Policies, in which Duo enables organizations to define policies based on contextual factors, such as user location, device type, network security, to name a few, before allowing access for users.

• Integrations with popular SSO providers to provide a seamless SSO experience, allowing users to access multiple applications using only one set of credentials while also enforcing strong authentication.

• Endpoint security features via endpoint remediation that can help to ensure devices meet security requirements before accessing sensitive resources. Endpoint security features within Duo allows for the ability to initiate remediations on devices detected to be running out-of-date software or software that requires up-to-date patches, for example.

Duo Trusted Endpoints: Don’t Leave your Fate up to Chance​

An enhanced security capability of Duo is its Trusted Endpoints feature, which provides the ability to only allow access to protected resources from devices that have been validated and authorized by the organization.

Best of all, once a device has been marked as a trusted endpoint, it is considered secure and can bypass the regular multi-factor authentication process, creating a seamless end-user experience.

If allowing access to trusted endpoints sounds too easy to be secure, not to worry!

Establishing a device as a trusted endpoint in Cisco Duo requires certain criteria to be met. This may include factors such as, but not limited to:

• Device health and compliance: The device should meet the organization's security standards, such as having up-to-date antivirus software, operating system patches, and no security vulnerabilities.

• User Identity verification: The user's identity must be verified through one or more authentication factors, such as a password, biometric authentication, or a hardware token, before Duo defines the device as a “Trusted Endpoint”.

• Device ownership and management: Specifying that devices must be registered with either an MDM or EMM ensures to the organization that the trusted devices that are accessing resources are properly enrolled, configured, and secured according to organizational policies.

By enabling Duo to designate whether an endpoint is defined as a “Trusted Endpoint”, organizations can provide a more streamlined user experience, while still maintaining high-security standards.

In turn, users are able to access applications and data without having to provide additional authentication factors every time they log in from their trusted devices.

Duo and Cisco ISE​

Cisco Identity Services Engine (ISE) and Cisco DUO are both authentication and access control solutions, however, each product has its own set of capabilities and corresponding use-cases.

Cisco ISE is an identity-based access control solution providing user and device network access control via policy for user-access scenarios, such as:

o Network admission control

o Guest access, profiling

o Posture assessment

o Endpoint compliance

ISE is typically utilized in environments where there is a need for granular control over network access based on user identity, device type, and various contextual factors. It is commonly used in complex enterprise networks, educational and healthcare verticals, although smaller to mid-sized institutions may choose to adopt ISE as well.

Cisco DUO is designed to secure user access to applications, data, and systems rather than securing and controlling network access as with ISE.

Duo is most commonly used to protect web applications, VPN access, cloud services, to name a few. Lastly, Cisco Duo has the ability to be integrated with a wide range of applications, making it a flexible solution for various verticals and network environments.

When do I choose one solution over the other?

At a high level, choose ISE when:

• Advanced network access control and policy enforcement based on user identity and device characteristics is desired.

• There is a need to implement features such as guest access, endpoint compliance checks, and network profiling.

• Detailed reporting and auditing capabilities for compliance purposes is required.

Choose to use DUO when:

• Enhanced security of the user authentication processes is required via multi-factor authentication.

• There is a need to protect specific applications, data, or systems with an additional layer of security.

• Require compatibility with a wide range of platforms and applications for seamless integration.

Duo & Cisco Zero Trust​

Cisco Duo is a great solution to start with when looking to adopt your Zero Trust Strategy and securing your workforce to ensure that only verified users, utilizing secure devices, will be able to access business-critical applications.

Cisco's Zero trust strategy, centered around the philosophy of "never trust, always verify", focuses on ensuring implicit trust by enforcing three "pillars":

• Workforce: Ensure that only the verified users and secure devices can access applications.
• Workplace: Secure all user and device connections across your network, including IoT.
• Workload: Protect connections with all of your apps, across cloud and multi-cloud environments.

Duo's ability to establish user and device trust before allowing secure access to applications, coupled with ease of deployment and use, make it a comprehensive MFA solution that aligns with your Zero Trust Strategy.

We've only scratched the surface of adopting Zero Trust with Duo - For more information on how to adopt Zero Trust adoption, please reach out to the ModernCyber team to learn more about our consultative Zero Trust Services.