The Argument for Security Being a Priority, Not a Feature
Negative Outcomes of Using Security Functionality From IT Tools Instead of Dedicated Security Controls
Vendor consolidation is gaining momentum in the IT space. CIO magazine reported that 95% of IT executives polled plan to consolidate software solutions due to “architecture consolidation” and “cost.” Hypothetically, consolidating vendors could seem appealing. After all, it could decrease spending and reduce silos in infrastructure, so what could go wrong?
When it comes to securing identities, the stakes are high; Cisco Talos reported in February that three of the top five MITRE ATT&CK techniques used in 2023 were identity-based. So, what really happens when you move to consolidate identity security from a best-of-breed identity security product like Duo to a bundled “identity management with security” solution?
Today, we’ll highlight key negative business outcomes to watch out for with the new software consolidation trend, and why Duo may be the best option for your organization’s identity security strategy.
Negative outcomes of migrating off best of breed
Bundled identity security licensing may have sticker price appeal, but customers find Duo more cost-effective to implement, maintain, and support. As stated in the Forrester Total Economic Impact™ of Cisco Duo blog, “customers saved $3.23 million net present value (NPV) and had a 159% ROI.”
On paper, the positive outcomes of decreased spending and reduced software infrastructure silos sound appealing. Still, if you decrease spending on the front end, and increase total cost of ownership, it could severely impact your return on investment.
In the long term, through complex deployment, ongoing maintenance, support, process changes and enablement, bundled identity solutions could severely reduce your return on investment and create negative outcomes for your identity security strategy.
Increased total cost of ownership
When you move from a best-of-breed product like Duo to a bundled identity solution, the increase in cost of ownership begins with deployment and extends into ongoing life cycle management, support, and more.
Information technology and security leadership needs to be aware of the hidden costs and the burden of a “rip and replace” migration that impacts all users, administrators and contractors. This burden falls on your team's shoulders. Because the project touches the entire organization, it has the potential to push back other projects. Your team must plan to disrupt the entire user population's access routines and prepare fellow directors and C-level executives for their teams to experience disruptions and delays in response from support. Your attention must then turn to your admin teams as they secure, manage and support a new solution, with a plan for an increase in support tickets and complications with advanced access policies, application gaps and other single-solution weaknesses.
Your super administrator accounts are now also a top attack vector and house both identity and security in one platform, so you need to make sure policy is as strict as possible for privileged access users and monitor abuse closely.
This also creates a lot of problems for your admins, analysts and help desk teams, as they’ll have to dedicate time to address testing and configuring new product technical prerequisites, access management policies, and new authentication configurations.
First, your team will need to test, configure, and deploy any new product technical prerequisites, access management policies, and change application configurations across your environment. Your team will then need to move any custom integrations — such as Duo software development kit (SDK) use cases, API use cases, and SIEM workflows — and address any application, logging and policy gaps in the new solution. Your team will also need to update all existing administrator and user enablement while also informing, educating, and training administrators, users, and contractors on the new solutions. This includes policy, application configuration, troubleshooting tactics, log management, configuration documentation, diagrams and more while your organization grows comfortable with the new solution.
This brings me to user experience, which will be disrupted across the organization given the change in login experience. Users, contractors and partners will need to expect delays in help desk response time and support knowledge of the new software. They’ll also need to take any new access management training and become familiar with new access management software. There will also be changes in experience, such as self-service device management policy limitations, mobile app experience and clear user messaging when logging in or remediating issues.
User self-remediation helps Duo customers decrease help desk tickets by notifying and warning users of out-of-date software at login. It also enables users to update their own devices immediately. If users do not remediate, you can enforce software policies across browsers and devices with access control policies. This allows organizations to lessen the help desk load by keeping devices up-to-date, healthy and able to meet corporate access requirements. Unlike other access policy engines, Duo manages software versions, so you don’t have to manually update.
Decreased security
Identity is the only perimeter left, and it’s a complex problem. It can be a game of whack-a-mole trying to plug every hole the identity journey creates. Identities are accessing both cloud and on-premises applications. They’re also working from anywhere, anytime, from any device, which creates an assortment of challenges that require strong, easy-to-use and deployable security. Without this kind of security, attackers simply find workarounds for existing security solutions and infiltrate.
CISA reported that “Weak Security Controls and Practices Routinely Exploited for Initial Access.” This means that advanced identity security access management policies are either being misconfigured or deliberately not configured, which leaves gaps and weaknesses in access management policies for attackers to exploit. As highlighted by recent identity-based attacks, both scenarios are being exploited by attackers to the same effect.
Today's threat landscape requires the strongest levels of security on identities, applications and devices accessing sensitive, corporate applications. Artificial intelligence (AI) will continue to create more challenges as it continues to improve on impersonation and automatic attack generation.
With identity being the most attractive attack vector, your organization needs strong, easy-to-use and deployable identity security solutions to combat the evolving threat landscape. Bundled identity solutions have slower-to-deploy security tools with complex, strict technical prerequisites, security limitations, expensive licensing and reliance on expensive partner products to protect all workflows across identities, apps and devices. In addition, super admin account takeover attacks can have a higher impact, since identity management and access security are centralized under one login.
Once all identities, apps and devices are configured, inferior identity and device security policies and controls can lead to weak access requirements being put in place due to policy engine complexities and limitations. Reporting and logging tools typically lack security visibility and tailored usage insight, and it’s difficult to understand app, identity and device activity over time across portals, which makes it complicated to audit login issues and troubleshoot when issues arise.
Some upsold advanced security features, such as identity protection and risk-based authentication, are more reactive threat analysis tools than adaptive, real-time authentication security solutions that assess risk at the point of login and throughout the lifetime of the session. It’s also typically complex and/or expensive to protect workstations, legacy apps and servers such as SSH, RDP and RADIUS, and most do not have a software development kit or APIs like Duo does.
How Duo is different
Easy to use
To begin with, Duo makes things simple for our customers:
Simple for users to enroll, authenticate and remediate issues
Simple for administrators to configure, deploy, protect and manage
Simple for security operations analysts to review and analyze threat data
Scalable and flexible
Duo can adapt to your customers’ needs as your organization evolves:
Grows with your business as your security needs change
Offers a broad range of authentication methods for every type of identity
Flexible, deploy-ready policy controls
Faster speed to security
Duo also provides what we refer to as “faster speed to security”:
Duo is fast and makes it easy to deploy advanced identity security controls across any size organization
Thanks to Duo’s self-service and user self-remediation features, end-users can resolve issues using Duo very quickly without contacting IT
Identity security in-depth; as threats change, we enable customers to respond and block threats rapidly
Broadest coverage
Finally, Duo delivers the broadest coverage across identities, devices and applications:
Supports all identity types (employees, contractors and partners)
All types of devices (corporate-issued and managed and personal unmanaged devices, plus most operating systems including macOS, Windows, Linux, iOS and Android)
Integrates with virtually any application, whether it’s off-the-shelf or custom-built, and hosted on-premises or in the cloud
Duo is just getting started
While the allure of bundled identity may be tempting, it's essential to carefully weigh the potential risks and costs associated with migrating from Duo to alternative solutions. By considering factors such as weaker security policies, deployment and training expenses, hidden costs and the value of familiarity and reliability, businesses can make informed decisions that prioritize their security and operational efficiency in the long run. In the complex maze of cybersecurity, often the best path forward is the one you're already on.
Where Duo is headed next
To learn more about where Duo is heading, please check out the Duo blog: Announcing Identity Intelligence With Duo, which highlights Duo’s available customer preview of identity threat detection and response (ITDR) and identity security posture management (ISPM) functionality and more exciting identity security innovations.
Stay tuned!
If you would like to chat more with a sales or partner specialist about identity security, feel free to contact us!