Enabling Zero-Trust Access for AWS Resources
Zero trust is a phrase that gets invoked a lot these days when talking about security. As companies move to cloud environments and their employees begin to use personal devices from all parts of the globe — the traditional approaches to securing an evolving perimeter are going to get more complicated — if they work at all. That being said, zero trust can still sound pretty opaque. How does zero trust apply to cloud applications? Can I implement a zero-trust strategy for accessing resources like AWS?
Secure Your Workforce and Their Devices
At Duo, our speciality is providing zero-trust security for the workforce. Zero trust for the workforce means not assigning automatic trust through one password, rather securely connecting a user and their device to workplace applications based on multiple factors and then allowing trust and access. Our solutions verify the identity of users, enable visibility into the health (is it safe?) of their devices, and gives the right users the right authorized access to applications. Instead of simply allowing access to critical applications based on primary authentication, Duo challenges the user with a second factor. Whether or not primary credentials are compromised, this second authentication factor ensures that Duo provides an additional layer of security. Duo’s role in the authentication workflow enables us to evaluate the security of the authentication request based on factors like user role, geography or access network
AWS Management Console Use Case
To illustrate the principles more fully, let’s look at a concrete use case: enabling zero-trust access to the AWS resources like the Management Console.
Given the flexibility and scalability of cloud infrastructure, many companies are moving portions of their environment to the cloud. AWS often hosts critical components of a company’s infrastructure or codebase. Developers use AWS Management Console to access, review, and build out their AWS environment. Another common resource is the AWS remote desktop service WorkSpaces.
However, providing a simple second factor for access on AWS is often a challenge. Customers recreating users in AWS IAM lose out on the value of consistent corporate credentials and a multi-factor authentication (MFA) solution with coverage beyond AWS resources. For customers porting their corporate credentials via AWS Directory Service, AWS does not currently offer an MFA solution. In both cases, Duo can provide a seamless integration, enabling a second factor of authentication.
Duo offers two options for AWS customers to secure access to their AWS resources:
If a company is using a variety of other cloud applications alongside their AWS environment, utilizing the Duo SSO is an excellent option.
If a company has an existing SAML IdP or SSO, integrating Duo with the current environment provides an additional access security layer. If a company doesn’t have an existing IdP, Duo can act as the SAML IdP!
The Duo Access Gateway can provide secure access to both the AWS Management Console and the other applications that speak SAML in the company’s environment. It can also act as an SSO solution for employees by effectively federating access. Finally, administrators can enable granular access controls for users based on application sensitivity, corporate role, geography, and more.
On the other hand, if a company is already leveraging Amazon Directory Service to port data from an on-premises Active Directory to AWS for primary authentication, then Duo’s Quick Start can enable MFA for a variety of AWS resources like the Management Console, Workspaces, WorkDocs, and QuickSight in less than 10 minutes. Quick Start guides are built with a focus on reducing manual steps, which in turn decreases time to security.
In either case, Duo helps companies implement a zero-trust strategy for the workforce by ensuring that users accessing AWS resources are verified with a second authentication factor. Though zero trust may still seem a bit overwhelming, hopefully thinking about zero trust for the workforce specifically helps to dispel a little skepticism or confusion. If your company is transitioning resources or workloads to AWS, and would like to learn more about a zero-trust approach to accessing AWS resources, check out our AWS documentation or sign-up for a free trial of Duo to start protecting the Management Console today.