Security

Review: Cisco Duo Helps Government Anchor Identity for Zero-Trust Deployments

This powerful authentication tool can move agencies forward when securing their work environments.

Twitter

John Breeden II is an award-winning reviewer and public speaker with 20 years of experience covering technology.

Zero trust is an evolution of traditional perimeter security in which users are constantly verified as they access data or resources, even if they have passed initial security checks. It also enforces the concept of least privilege, meaning that users only have access to the data or applications that they need to do their jobs — and nothing else. This ensures that the damage is minimized even if a security breach occurs.

State governments rightly see zero trust as the best way to protect their networks and data, but getting there is a complex process that can’t be achieved by any single product. Complicating matters further, the Cybersecurity and Infrastructure Security Agency model defines five key pillars that need protection in any zero-trust implementation. They include identity, devices, the network, applications and data.

Click the banner below to access exclusive cybersecurity insight.

Cisco Duo Supports Zero-Trust Architecture

Any effort toward zero trust is going to be a marathon rather than a sprint. But those efforts have to start somewhere, so most agencies begin with the identity pillar and branch out from there. That is where the versatile Cisco Duo platform comes into play. It can help to anchor the identity pillar of zero trust while also making inroads toward device security and other zero-trust elements.

The key protection element for Cisco Duo is multifactor authentication, for which users need to provide something other than a name and password to access resources. Duo supports biometric authentication, security tokens, one-time access codes and — yes — even passwords.

In my testing, I found it surprisingly easy to configure. Administrators can quickly set policies whereby users must supply different proofs of identity depending on what they are doing and what data or resources they need to do their jobs. It works well for on-prem and remote users alike, suited for multicloud environments or even agencies with large hybrid workforces.

Self-Enrollment Simplifies Onboarding

Another big challenge for zero-trust implementations is that admins need things to be seamless for users but difficult for attackers. Duo makes this easier. There is a self-enrollment option for authorized users that can be shared by administrators, and setup takes only a few minutes.

Even using smartphones, the onboarding process for users is very quick. Users can simply download the Duo Push application, and the platform will walk them through it in just a few minutes.

The key to zero trust is first knowing who your users are and what they need to access. Without trust in that information, admins can’t really protect anything else. That’s why the identity pillar is normally the starting point for zero trust. Cisco Duo can verify and protect user identities, providing a stable and easy-to-use platform that will become a solid foundation that all other zero-trust components can be built on.

SPECIFICATIONS

PRODUCT TYPE: Access security platform
DEPLOYMENT: Cloud-based
KEY SERVICES: Multifactor authentication, single sign-on, password elimination, device trust verification
DISTRIBUTION: As a service
SOFTWARE ENGAGEMENT TYPE: Annual subscription or a perpetual license

How Cisco Duo Manages Devices

Because officials can’t protect their data if they don’t know who is allowed to access it, the identity pillar is usually the first one addressed in a zero-trust implementation. But there are others that are just as important, including device security, network protection, application security and data protection. And while Cisco Duo does a great job with locking down the identity pillar, it also provides information on and insight into protecting the other pillars as well, especially device security.

When users access a network or application using Cisco Duo’s multifactor authentication process, they are also allowing the platform to have visibility into the devices they are using, such as a laptop or smartphone. The program can keep a detailed inventory of trusted devices and will alert if a new one pops up. Now, just because an authorized user is accessing the network using a new smartphone or computer does not necessarily mean they are compromised or malicious, but it’s one factor that will go into their overall zero-trust verification. Depending on security policies or what information they are trying to access, having a new device might be enough to trigger additional verification methods, although that is up to administrators.

Cisco Duo also provides a detailed snapshot of device health, which can become part of a device-level security policy. For example, devices can be required to have the latest OS patches or up-to-date anti-virus protection. Geolocation requirements can also be enforced, such as requiring that a device be located within a state’s borders as part of a zero-trust deployment. Cisco Duo can verify all of that and even generate an alert if any of those elements change, even after a user has been verified.

On the back end, the overall status for device health and any security issues are prominently displayed for administrators on a colorful dashboard. That makes it very easy to spot any violations or to modify and hone existing policies for even better security.

Most agencies face a long road to get to zero trust, but Cisco Duo can give them a great start by locking down their identity pillar and providing a great foothold into device security and the other elements of zero trust as well. And the fact that the platform is also so easy to use makes it a wonderful choice for state and local governments driving toward better cybersecurity.