Skip navigation
User Group-Level Policy: The Sharpest Knife in the Drawer
Product & Engineering

User Group-Level Policy: The Sharpest Knife in the Drawer

Building a security strategy for a company is a balancing act. How do you protect your organization without imposing an unnecessary burden on your employees? If you put too many locks on the door, sooner or later, the window will start to look like a viable option.

Using Duo’s Policy Engine empowers security professionals and IT administrators to put the right locks on the right doors. Policy is the tool that allows you to specify who gets access to what, from where, and through what authentication method.

Like onions, ogres and parfaits, your company’s security policy comes in layers. First is Global Policy, which is required and applies everywhere, all the time. Then, you can create custom policy by layering Application Policy, which is specific to a single application and works in addition to Global Policy. Finally, there’s Group Policy, for which you define a policy to apply to a specific group of Duo end users in your company, and it works in addition to Global Policy and Application Policy.

Policy is a layered, hierarchical tool. 1. Global Policy - All customers use this, and it applies to all users and applications. 2. Application Policy - This is optional, custom, and overrides Global Policy where applied. 3. Group Policy - This is optional, custom, and overrides Global and Application Policy where applied.

When it comes to creating your layers, some companies use Global Policy to build their strictest level of protection and then carve out exceptions for areas which only require lighter touches of security using Application and Group Policies. This methodology is considered best practice. Other companies choose to take an additive approach. Their Global Policy covers the solid basics, and then they layer on more strict controls to protect those applications and users which need tighter security.

Group Policy is the most granular policy control. It’s at the top of the hierarchical policy stack, allowing Duo administrators to precisely define how certain users can access company resources. However, right now, only 11% of Duo customers are taking advantage of this precision tool. The sharpest knife in the drawer can be intimidating to use if you’re not sure how to wield it! 

Let’s take a look at three cases where Group-Level Policy is effectively being used to balance a company’s security posture with reasonable ease of access for their employees.

Use Group-Level Policy when some of your users have a significantly different risk profile than others

A hospital has, in the past, experienced cybersecurity threats that originated from outside of where they are based in the United States. These threats prompted them to implement a Global Policy which denied all access requests coming from abroad. However, they sometimes have doctors who do medical mission trips to other countries and need to access hospital systems while traveling. In this case, these doctors temporarily have a higher risk profile but should still be granted access. The hospital uses a Group-Level policy to temporarily, during the time period of travel, adjust the geography-based access controls and allow an exception to the Global Policy for specific users. The hospital’s base layer of security stays strict, but all users get the access they need.

Group-Level Policy provides controlled and precise access for users who need exceptions to the Global Policy.

Use Group-Level Policy when some of your users have a different normal context, such as frequency of access requests, than others

A construction company recognizes that an IT administrator and a contractor working on a construction site are logging into sensitive systems at a different frequency. That has a couple of implications: first, the more frequent the access requests, the more frustrating it is to have to repeatedly authenticate. Secondly, the less frequent the access request, the less savvy a user is at spotting a phishing attempt. This company set up Group-Level policies to specify the authentication methods different that end users of Duo could use. This enabled them to mitigate push notification phishing risks from busy contractors in the field and to alter how long a system would remember a users’ login, to alleviate push fatigue from IT administrators.

Group-Level Policy can be used to customize the ease of access for users based on their context -- for example, log-in events; device used; Group-Level Policy; Authentication Method Allowed

Use Group-Level Policy when you want to designate a test group for new Duo features or settings

Many companies will designate a group of users, often made up of IT professionals, to be the first to have any new Duo Policy applied to them or be the first to test out exciting new Duo features or products. Having this smaller pool of users to give feedback can build your confidence in trying out Duo’s capabilities to their fullest.

Group-Level Policy can be used to designate frequently referenced groups of users, such as beta testers.

In each of these cases, Group-Level policy served to balance the organization’s security needs and a low-friction user experience. Updating policy doesn’t always mean making sweeping changes to a company’s overall security settings. Policy is the tool you need to make precision strikes that address the unique risks your company faces while doing the job that you and your company are there to do.


Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.