Security, et al

Randy's Blog on Infosec and Other Stuff

«  Live at RSA: FIDO authent... | Best Practices Primer for... »

Live with Duo Security at RSA 2015

Thu, 23 Apr 2015 10:11:16 GMT

Duo Security is a cloud-based 2-factor authentication service that I’ve been following for some time.  I sat down with Ash at the UWS booth here at RSA.  (#2240 South Hall).  Here's the #1 thing you need to know about Duo Security.  It's the easiest and fastest 2-factor authentication solution I've seen.  Here’s some highlights of our discussion about some of the cool things I like about Duo Security and their new Platform product.

Duo Security is close by at #2345 in the South Hall.

(Transcript below video)

Randy Smith:  Ash, Randy Smith here.

Ash:  Hi, Randy  it’s good meeting you.

Randy Smith:  Yeah, I’ve got Ash here at the Ultimate Window’s Secruity.com booth here at RSA. Ash is with DUO Security. I don’t know if you’re familiar with DUO. I wanted to talk to you guys because we’ve actually been using DUO security as one of our authentication solutions for quite awhile. And I don’t want to steal your thunder but what I love about it is that it’s service based. It’s just a token that runs right on your smart phone and it’s so easy to install.  Alright, so anyway, like I said, I think it’s a neat solution, but how did you get started? Let me let you put it in your own words, what makes you different from a lot of the other solutions out there?

Ash:   Sure, so a couple of things.  By the way, thanks for having me here.  We do two factor authentication and that’s what the company started as almost five years ago.   What we did is take this very reliable two factor authentication security control and make it radically easy. So when you request for a two factor authentication people are used to typing in a six digit number and typically get a SMS or hardware token. We took that away and the end user gets something like this… a push notification. All the end user does is hit the green button, right?  If it’s not the authentication they are requesting for they hit the red button. That’s all they do and boom you’re in.  It looks very easy in the front end but in the back end it’s really secure. When they hit the green button, they’re actually signing with their private key on the device and telling them, “Yes, this really me.” So that’s what the company really started with almost five years ago.

Randy Smith:    The other thing I love is there’s nothing to install except the agent, if you call it that, maybe you have a different word that you prefer. Put the agent on each server you want to control  access to. So whether we are using it for our terminal services remote access or different servers for remote desktop. Also we’ve got it integrated into the back end of our website, but that’s all there was to install. Everything else we manage from the cloud.

Ash:   That’s absolutely right, Randy. A lot of our customers get the whole department up and running in three or four hours or less than 4 hours. We have cloud based that allows us to do this. We even have something called the “DUO five minute challenge.” If you Google for it you’ll find it. It tells you how to get DUO up and running in less than five minutes. You know, we take pride in that but I think it’s one of those secure controls that you want to get up and running as fast as possible.

Randy Smith:   So what is it again that you support?

Ash:    We support all VPNs: Cisco, Juniper, FI. We support RDP from Microsoft. We also support a bunch of web applications. Also a bunch of product applications like Office 365, Google and Google applications, Amazon AWS and so on. Recently we also started supporting all the SSO. If you are using something like OneLogin or Ping or Autha then we work out of the box with all of these as well.

Randy Smith:    So, but, you’ve got this new thing “platform”. What’s that?

Ash:   Yep. So platform is a new addition that we launched last week, we’re very excited about it. It takes us beyond 2FA in securing access. It’s kind of a cliché when you say we secure access for any device and any user or any application but that’s really what we’re doing. So some of the functionality that you get is without installing any agent or any MDM on your mobile device, you can get visibility into on one or all of the devices our users may have. Are they IOS devices or are they Android devices and what version of it? Are they jail broken? Are these free login phones.  It’s kind of a mobile compliance without installing a MDM agent. You can also secure access to cloud through policy and control. A typical thing is I want to block users from China logging into my Salesforce.com and you can set that up just by click of a policy down.

Randy Smith:    So you are able to leverage the fact that you already have an app running on that device so you can do more than just ask the user is it okay to log on.

Ash:    That’s absolutely right. You know, one thing that a lot of people do not understand is that the kind of API’s, IOS and Androids have and the kind of querying and control you can do just through the API’s. We no longer live in the world of Windows XP where you need an agent for everything. So the app we have on the device talks through the API that does all the querying. These are API’s that were released like ten months ago. So we’re taking advantage of all the API’s and eliminating the need of a ticketing agent or an MDM agent and just doing the right security stuff on the device.

Randy Smith:    Alright, well I’m going to be real interested to see what you can do with that.  Well, cool. Thanks. It was nice to meet you and we’re looking forward to learning more about your platform.

Ash:    Be sure to look on duosecurity.com Thank you.

email this digg reddit dzone
comments (0)references (0)

Related:
5 Indicators of Endpoint Evil
Severing the Horizontal Kill Chain: The Role of Micro-Segmentation in Your Virtualization Infrastructure
Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
Anatomy of a Hack Disrupted: How one of SIEM’s out-of-the-box rules caught an intrusion and beyond

Comments disabled

powered by Bloget™

Search


Categories
Recent Blogs
Archive


 

Additional Resources