Duo Security: Enforcing Trusted Access for the Public Sector

Sean Frazier, Advisory CISO (Federal), Duo Security

Cloud and mobile are evolving as mainstream technologies for government. As more agencies move to cloud, information becomes more ubiquitous, residing outside the traditional agency ‘perimeter.’ In this new scenario, the question arises: How do agencies maintain a strong new security model that moves with cloud and mobile and is easy to deploy?

Duo Security has an answer. The Ann Arbor, Michigan-based company developed a two-factor authentication solution to protect agencies against account takeover and data theft. Governed by a mission to make security easy and effective for all organizations, Duo’s DNA sharply focuses on making this security available to everyone in the age of cloud and mobile.

The company’s logic is simple: IT is always evolving; security must also evolve to counter modern threats. Duo Security believes that passwords in the realm of security should be a relic of the past. To be more secure, the Duo team brings in an innovative technique that promises a second factor of authentication in addition to a username and password. At the heart of the company’s unique security model is a simple cloud-based comprehensive solution that confirms the identity of users and health of their devices before connecting to applications.

“Duo’s two-factor authentication solution can be installed on phones as an app with Duo Mobile for supporting a multitude of authentication methods, including push SMS, mobile, voice and FIPS validated hardware tokens,” explains Sean Frazier, Advisory CISO - Federal at Duo Security.

To deliver a seamless user experience, Duo has devised a mobile UI that can be used as a second factor for authentication. It comes with a simple notification window displaying a green checkbox and a red-cross box, making it easy for the user to understand and initiate the approval of transactions.

The Duo security model may be unique, but at its heart is a perfectly simple comprehensive security solution that confirms the identity of users and health of their devices

“This concept of trusted access extends beyond multifactor authentication to offer more of a holistic model, ensuring complete control over who and what is accessing a company’s assets,” he adds.

“The solution is capable of collecting detailed data on every authentication request to a customer application, enabling the organization to make informed, data-driven security policy decisions,” adds Frazier. Another aspect that sets Duo apart from the competition is its application access control feature, which allows creating custom authentication policies and controls that limit and restrict access. “Zero trust models are gaining traction. While it isn’t really zero-trust but more adaptive or progressive trust, which means treating end-points the same regardless of what network they’re on.”

The company has been a valued security partner to a wide array of organizations including Zillow and Etsy, as well as many public sector customers. In one instance, the company assisted the social media giant Facebook in reducing friction and enforcing a two-factor authentication solution to shield its developers from targeted malicious attacks while they’re accessing internal networks and databases during development. The flexibility and versatility of Duo’s authentication service offered a platform on which various other techniques can be used to create a custom security solution. This prompted Facebook to enlist Yubico’s YubiKey Nano as an OTP token for USB ports, allowing frequent login users to authenticate securely.

The brainchild of renowned hackers Dug Song and Jon Oberheide, Duo Security was founded in 2010. Today, although Duo has a sizeable presence across the globe, the company’s roots and values lie in the Midwest. Moving forward, Duo Security is laser-focused on further increasing its reach in the public sector and helping government secure its data and users.