Fire Jumper Academy

Stage 2
Cisco Duo
Messaging and Positioning

Submit questions here

2023
 ‣ Describe the industry landscape
and how to position Cisco Duo
Learning in it
Objectives
‣ Explain the value proposition

‣ Explain the limitations

‣ Confirm key takeaways

Why customers use Cisco By Duo
Block use of stolen Duo MFA and Duo Passwordless prevents unauthorized access to attackers
credentials even when their passwords are compromised

Mitigate attacks that bypass Verified Duo Push and FIDO2 authentication options prevent sophisticated
MFA phishing attacks that bypass MFA

Single sign-on, device trust and risk-based authentication allow organizations

Implement Zero Trust Access to implement granular per-application policies without creating user friction

Duo comes with out of box integrations with Microsoft applications and other
Protect Microsoft 3rd party applications, enabling organizations to consolidate multiple siloed
Applications solutions

Duo Device Trust provides comprehensive visibility into all devices that
Verify Device Trust access protected applications and verifies their posture before granting
access.

Start your Passwordless Duo Passwordless enables organizations to start their journey towards a
Journey passwordless future securely in a cost-efficient manner

All Duo editions can help organizations meet compliance requirements and
Compliance and Regulations regulatory framework guidelines.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Current IT Landscape
Users, devices, and apps are everywhere

Cloud
Remote Users
Applications

Evolving Perimeter
Personal and Hybrid
Mobile Devices Infrastructure

IoT Devices Cloud

Infrastructure

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Threats Today, as a Result
A new approach to security is needed – Zero Trust – to address evolving
threats

Growing attack surface: Stolen credentials Sophisticated phishing

hybrid cloud and remote account for >80% of attacks are on the rise
work web app attacks
Attackers can use readily available
As your apps and data moves to Weak passwords and bad security
phishing kits to bypass MFA, turning
the cloud, it has also become practices such as password reuse or
push notification, one-time
more accessible to bad actors sharing increase the risk of a data
passcodes and authentication device
increasing your attack surface. breach.
enrollment into a security risk.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Source: 2022 Verizon DBIR 5
Duo’s Zero Trust Access for Workforce

Authenticate users Verify devices Enable access

✓ MFA ✓ Real-time posture check ✓ Single Sign-On (SSO)

✓ Passwordless ✓ Mac, Win, iOS, Android ✓ VPN-less remote access

Cloud platform I Adaptive & Risk-Based policies I Anomaly detection

Secure access for all workforce and any work application.

Cisco Zero Trust Deployment
170,000+ devices secured
5.76 million health checks/month
86,000 devices/month remediated

100,000+ users onboarded

Only < 1% contacting helpdesk, $500,000 per
year savings in helpdesk support costs

410,000+ fewer VPN auths/month

Users no longer need the VPN for access to over
100 applications (on-prem and SaaS), $3.4M in
employee productivity savings per year

5-month deployment timeline

From defining requirements in July to
enterprise-wide rollout of 98 countries in
December

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Strong User Authentication
Today: Password-based Future: Passwordless
MFA MFA

• Something you have (eg: laptop /

• Something you know (eg:
desktop, security key,
password, security question)
smartphone)
• Something you have (eg: hardware
• Something you are (eg: biometric,
/ software token, phone)
TouchID, FaceID)

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
The World’s Easiest and Most Secure Multi-Factor
Authentication (MFA)

• Instantly integrates with all apps

• Users self-enroll in minutes
• Users authenticate in seconds; no
codes to enter

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Broadest Range of
Multi-Factor
Authentication (MFA) Wearables Push

Options
• Configure authentication Soft Token
Phone Call
####

options for each application or

##

group of users
• Enable multiple options for
FIDO
users for ease of use and Biometrics
Security Keys
flexibility

Hardware
Tokens SMS

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
Mitigate MFA Fatigue
or Push Bombing
attacks with
Verified Duo Push

Increases security of push-based MFA

while preserving ease of use

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Duo Passwordless.1, 2, 3...you are in!

Enter your current username​ Use Passwordless Authenticators: That’s it!

Platform Biometrics (TouchID, Windows
Hello)
FIDO2 security Keys (Yubikey, Feitian)
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Duo Mobile (passwordless push)
Duo Passwordless Benefits

Easy to Use Simple to Deploy Seamless and Secure

● Works on any device ● Works with any Identity ● Resistant to phishing and
Provider stolen credentials

● Register multiple devices ● Configure within minutes ● Secure fallback to MFA

● Enable phased rollout ● Holistic security for

● Intuitive enrollment and application access
authentication experience

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
Enroll Users in a Few
Easy Steps

• Users can self-enroll

• Enrollment in few steps
• Just-in-time when logging into
applications
• Self-Service Portal: Update or
reset devices

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Easily Verify Devices with Duo Device Trust
Verify the trustworthiness of any device before granting application access

Complete Visibility Assess Security Posture Continuous Inspection

Gain complete visibility Easily identify device security Continuously monitor if devices
into all laptops and mobile posture, presence of AV agents are infected with malware by
devices using native or EDRs, and if they are using solutions such as Cisco
device visibility managed or not based on Secure Endpoint to prevent them
enrollment in MDMs / EMMs from reaching sensitive apps

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Complete Visibility
Gain complete visibility into all your devices

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Assess Security Posture
Easily identify device security posture

Duo Mobile App

• Is it managed?
Duo Device Health App
• Is it running up to date software?
• Is it encrypted?
• Is it passcode protected?
• Is the firewall enabled?
• Is it biometric enabled?
• Is AntiVirus enabled? (MacOS, Windows)

(iOS, Android)
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
Continuous Inspection
Duo and Cisco Secure Endpoint work together to provide stronger access security

Users use their devices Cisco Secure Endpoint Cisco Secure Endpoint Duo blocks that device
to access application running on the device notifies Duo about the from accessing apps
detects malware infected device

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
 Enable Secure Access
to Every Application
Manage and control who can access
which applications

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
Secure Any Corporate Application
Internal
Proprietary Apps Applications
(APIs) (VPNs)

Microsoft Cloud
Environments Applications

Cloud Web
Services Applications

Unix Devices SAML 2.0

(SSH Sessions) Applications

Integration documents are available at duo.com/docs

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Enable Single Sign-
On
• Integrates easily with any identity
provider

• Securely federate access to

applications

• Reduce reliance on passwords

• Streamline login process for

workforce

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Duo Single Sign-On Benefits
‣ SSO + MFA + device trust
Greater Security, ‣ Reduced data breach risks
Less Complexity
‣ Enhanced application security posture

‣ One password and web portal

Improved Employee ‣ Integrated SSO + Passwordless + MFA
Experience ‣ Access from any location/device

‣ Help expediting
Time and onboarding & offboarding
Cost Savings ‣ Self-service capabilities for end users
‣ Reduced overhead costs

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
VPN-less Remote Access to Private Applications
Detect user & device context for internal apps with the Duo Network Gateway

10.0.0.1-4
Use Cisco Duo to secure access
Tier 1
to private applications on-
*.domain.local
premises or in the public cloud.
Tier 2
192.0.0.1/24
DNG Tier 3
(443)

Trusted User Public Security Groups

Internet
Trusted Device

Supports: HTTP/S SSH RDP SMB

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
Enforce Adaptive
Policies
• Create customizable security policies
• Enforce global, application, and group
level controls
• Establish a level of trust based on
users and devices

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Dynamically step-up with Risk-Based
Authentication OUTCOME CORPORATE
RESOURCES
No Re-Auth
Required

RISK SIGNAL ANALYSIS Duo Push

2FA

Device Trust

Location Verified
Duo Push
Wi-Fi Fingerprint

Known Attack Patterns

FIDO2
Authenticator

Block

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Risk-Based Authentication: Wi-Fi Fingerprint
Network 2

Network 1 Network 3

Anonymized Wi-Fi network data provides a strong risk signal.

Low Risk: Familiar network fingerprint High Risk: Novel network fingerprint

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Risk-Based Authentication: Verified Duo Push

Minimize user friction

without compromising
security by invoking a
Verified Duo Push only
during risky logins.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Risk-Based Authentication CORPORATE
RESOURCES
No Re-Auth
Required

RISK SIGNAL ANALYSIS Duo Push

2FA

Device Trust

Location Verified
Duo Push
Wi-Fi Fingerprint

Known Attack Patterns

FIDO2
Authenticator

Block

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Risk-Based Authentication: Authentication Log

Risk assessment
transparency through
the Trust Assessment
in the Authentication
log

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
 Secure Access made seamless and frictionless

Evaluate Adjust
Risk Signals Outcomes

User starts User gains the right

authentication access and session

Risk Based
Authentication

... we continuously assess risk and

trust.
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
 Key Benefits:

• Ease of Use: Streamlining

access and user experience
in trusted scenarios
Risk-Based
Defense in Depth: Dynamic
Authentication
•
reactions to changes
in trust or risk

Risk-Based Authentication fulfills

the security of zero trust without
constant friction.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Monitor Access Risk
• Analytics engine evaluates historical
and contextual access patterns
• Duo Trust Monitor then surfaces
risky and atypical login attempts
• Leverage anomalies to update
policy or remediate compromised
credentials

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Meet Compliance Requirements
Every security best practice guide and regulation asks for MFA and device visibility

Meet MFA requirements outlined Helps meet NIST 800-63 and 800- Meet DEA’s EPCS requirements
in PCI-DSS 3.2 Section 8.3 171 access security requirements when approving e-prescriptions

Aligned with GDPR data protection Meet FFIEC requirements for Get visibility into personal
laws in Europe financial applications devices used to access PHI

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Specific Industries Have Additional Challenges
Healthcare Education Federal

• Secure PHI and issue • Secure personnel and • Easily meet NIST 171 and
controlled e-prescriptions payroll data DFARS / FAR compliance

• Save admin time with native • Instantly deploy to faculty, • Duo Federal Editions are
healthcare app integrations students, alumni FedRAMP Authorized
such as Epic
• Proven solution: 350+ higher • Improve user productivity
• Improve clinician productivity EDU customers with more flexible auth options
and save time than PIV / CAC

• Lower TCO compared to

traditional MFA solution

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Customer Story
University of Louisville Hospital
Duo for Workforce
Challenge
• Protect against phishing attacks and block malicious attempts to
access their applications
We are adopting a Zero Trust security
• Comply with HIPAA & PCI-DSS
framework, and we know we needed
Solution MFA to start with, and multiple clinician
leaders recommended Duo. It was an
• Consolidated MFA, single sign-on (SSO), and mobile device
easy choice for us. It was the first ever
management (MDM)
security solution recommended by the
• Reduced their overall total cost of ownership by more than 50% users and by clinicians. This never
happens in healthcare.”
Business Outcomes
• Secure and convenient remote access for every user - John Zuziak, Former CISO
• A Zero Trust approach to workforce security, plus a single view into
SalesConnect link
mobile devices and risk

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Customer Story
Lyft
Duo for Workforce
Challenge
• Protect sensitive user information and financial information
• BYOD visibility
Duo has proven to be one of
Solution those rare solutions that both
• Secure every application access with Duo improves the security of our
• Complete device visibility company while simultaneously
• Risk based access policies being easier for our employees
to use.”
Business Outcomes -CISO
• Zero Trust security for any application
• Reduced security risks due to compromised credentials
• Consistent user experience when accessing applications SalesConnect link
• Reduced TCO with a single product for MFA and device security

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Limitations
and
Considerations
Cisco Duo
• Duo’s SSO, Device Trust policies and Duo Network Gateway do not work with 3rd
party MFA.
- There is a pilot program to support BYO MFA. Contact Duo product specialist for more
information.

• Duo’s Passwordless solution requires Duo SSO and Microsoft Active Directory.
- Customers that already have an SSO solution should either migrate to Duo or redirect their
current SSO to Duo SSO to enable passwordless authentication.
- Customers that are using Okta or any other user directory will need to engage with Duo
product specialist

• Duo Network Gateway (DNG) currently supports HTTPS, SSH, RDP and SMB
protocols for VPN-less remote access to private applications.
- DNG is not Cisco’s ZTNA solution, but there are some overlap in use cases.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Cisco Security Portfolio
How Cisco by Duo fits into the portfolio and is
#bettertogether
Duo and Secure Endpoint for Device Trust
• Duo and Secure Endpoint (formerly AMP for Endpoint) work together to
provide stronger access security
• Configure Secure Endpoint policy in Duo to instantly block risky devices

Users use their devices to Cisco Secure Endpoint Secure Endpoint notifies Duo blocks that device
access application running on the device Duo about the infected from accessing apps
detected malware device

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Duo and Cisco Secure VPN
• Secure Cisco Secure VPN in < 30 minutes
• Users authenticate in seconds
• Block unmanaged devices
• Several integration options
• *AVAILABLE ON* ASA and FTD

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
Packaging
• Duo Essentials
Everything needed to secure access and
boost user productivity

• Duo Advantage
Higher security and user productivity with
risk-based authentication, device health
checks and visibility

• Duo Premier
Highest security and user productivity with
easy access and protection for private
resources

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
Feature Highlights

Duo Essentials Duo Advantage Duo Premier

• Multi-Factor Authentication • Duo Essentials + • Duo Essentials and
• Single Sign-On • Device Visibility Advantage+
• Passwordless • Device Health Checks • Secure VPN-less Remote
Authentication • Adaptive Policy Controls Access for internal and
• Trusted Endpoints based on user, device and private apps
• Group-based policy location
• Secure access to any • Risk-Based Authentication
number of Applications

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
Cisco Security Portfolio: Simpler to Buy and See
Security Choice Enterprise Agreement
Talos
• Great discounts on 2+ security Threat Intel • Cloud-native, built-in platform
products with support included experience including XDR
capabilities and beyond
• Buy what you need now and
add more in the future • Integrated and open for
simplicity with true turnkey
Network Cloud interoperability
• Single coterminous agreement
Security Edge
managed in one portal
• Unified in one location for
• Built-in 20% growth allowance visibility that accelerates your time
with true forward terms to detect and investigate
User & Endpoint Application
Protection Security
• Pay annually with 0% financing • Maximized operational
efficiency that accelerates
Zero your time to remediate
Trust

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
 • Identity-based attacks and tactics
to bypass MFA are on the rise.
• Duo provides secure access for the
workforce to any application
• Duo offers flexible and strong MFA
or passwordless authentication
Key Takeaways options, including phishing resistant
MFA
• With SSO, Device Trust and Risk-
Based Authentication, Duo makes
zero trust access seamless and
frictionless
• Customers can purchase Duo
through enterprise agreements to
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
reduce TCO 45