Zero Trust Access in the Cloud: How Cisco Duo Bolsters Security for AWS Environments
As organizations migrate their workloads to cloud infrastructure platforms, new security risks can emerge. Certain risks may expose critical infrastructure to cyberattacks, enabling malicious actors to gain unauthorized access to critical business information and potentially causing large-scale data breaches. We live in a world where information is the new currency, and the consequences of security breaches can be catastrophic both financially and for the company’s brand reputation. As such, the importance of ensuring that cloud applications and services are secure cannot be overstated. In fact, IBM's 2023 Cost of a Data Breach Report found that 82% of data breaches involved data stored in the cloud.
In this blog, see the depth of Duo integrations with various AWS applications and services, and learn how you can better equip your organization with security that frustrates the attackers and not the users.
Three primary challenges to securing cloud access
Wide and complex attack surface: The increased flexibility of cloud services comes with a trade-off: a larger attack surface that exposes organizations to more cloud breaches than ever. In practice, this means the potential entry points and vulnerabilities available to attackers seeking unauthorized access to the cloud have become numerous and diverse.
Password reuse and weak password practice: The practice of reusing passwords and relying on weak passwords to access multiple cloud applications introduces security vulnerabilities that can cause data breaches, obstruct productivity and lead to password fatigue. Additionally, it imposes a substantial workload on IT administrators responsible for user account management.
Hybrid work and device trust: Hybrid work has been enabled by cloud adoption, which offers workforce flexibility, accessibility and scalability. It has also introduced security challenges that lead to cyberattacks. Users access the applications essential to their daily productivity from a variety of devices, and outdated, unmanaged and obsolete devices add significant risk to critical infrastructure.
Large enterprises aspire to have roughly 60% of their environment in the cloud by 2025, according to a recent McKinsey report. As cloud adoption continues to accelerate, it is imperative that organizations fortify access to critical data through advanced access management tools and technology.
Together, Duo and AWS enable organizations to adopt cloud services securely
AWS provides organizations, from nimble startups to global enterprises, a cloud platform to build, deploy, and manage applications with flexibility and scalability in mind. As a modern authentication and access management solution, Cisco Duo helps organizations establish a comprehensive zero trust security model for cloud infrastructure. What does it mean to build a successful zero trust security model? It means that we never assume trust, we always verify it. With Duo, this can be achieved while prioritizing user productivity and scalability, all while minimizing security risks.
Preventing unauthorized access and keeping customers’ data safe is a top priority for Duo and AWS. To support an expansive AWS infrastructure, Duo provides robust access management capabilities including:
User-friendly and adaptive multi-factor authentication (MFA)
Single sign-on (SSO)
Policy-driven device posture check and trusted endpoints
Contextualized risk-based authentication and more
Improve overall security posture with zero trust access to Amazon-hosted applications
In a Zero Trust architecture, context, device trust, and risk should be evaluated on all authentication requests. Most AWS services leverage AWS Identity and Access Management (IAM) or AWS Identity Center to authenticate users. By integrating Duo’s SSO with AWS applications such as AWS IAM, AWS Identity Center, and others, AWS admins establish trust in users and devices and use contextual clues to allow access based on the risk it poses to an organization.
Duo SSO enables verified users to authenticate once and seamlessly access AWS and integrated applications, eliminating the need for repeated logins. Every time a user accesses an application, Duo SSO performs a risk assessment.
Admins can implement granular control by creating policies for specific users or groups. If the user’s authentication request satisfies the policy created by the administrator, the user is granted access to the application. As an example, if an organization wishes to make sure that its Site Reliability Engineers (SREs) are connecting to AWS from up-to-date endpoints, it can require those employees to run a firewall and have disk encryption enabled, and have anomalies in authentication requests evaluated further before a resource is accessed.
Users can log in using passwordless methods such as phishing-resistant FIDO2 authenticators, including biometric sensors and security keys. Passwordless simplifies access to AWS apps by replacing traditional passwords with modern authentication, balancing usability with strong authentication.
Administrative overhead for password management is minimized, as users can log into multiple applications using a single password or a passwordless method. Users can also use self-service password resets, avoiding delays and taking that load off IT admins.
Did you know? As customers expand their operations, they can take advantage of Duo SSO login to seamlessly access an unlimited number of integrated apps, whether from AWS or other vendors.
In addition to its integration with AWS IAM Identity Center, Duo SSO supports a growing list of AWS apps integrated using SAML and OIDC, enabling easy and secure access for developers, IT admins, end users and others:
Developers and SREs can use the SSO experience when logging into AWS IAM Identity Center to access the unified command line tool for managing AWS services and resources.
Contact centers can use the Amazon Connect integration to ensure their workstations meet posture requirements while protecting, with MFA, the identities that have access to valuable customer information.
Admins can utilize AWS Verified Access and Duo SSO to provide secure access to private applications without a VPN.
A variety of user groups can securely and easily access AWS IAM using Duo SSO login to access a range of AWS cloud services and solutions.
Amazon Managed Grafana, Amazon Redshift and AWS Client VPN are additional integrations recently added to this list.
Did you know? Users get a high level of security without compromising the login experience thanks to Risk-Based Authentication, where Duo evaluates potential threat signals at each login attempt and adjusts security requirements in real time.
It takes only 15 minutes to configure Duo to provide all these outcomes. By integrating AWS services with Duo, AWS administrators can bring these zero trust protections to AWS applications.
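To make the policy shape described in this section concrete (the SRE example, where a group-scoped policy demands a firewall and disk encryption and sends anomalous requests for further evaluation, and the Risk-Based Authentication callout, where requirements are adjusted per login attempt), here is a small policy evaluator added for this article. It is illustrative code, not Duo's policy engine or any Duo API. The group names, application names, posture attributes and risk-signal labels are constructed, and the precedence rule (deny beats step-up beats allow) is an assumption chosen for the example.

```python
from dataclasses import dataclass

# Decision values, ordered from least to most restrictive (assumed precedence).
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
_RANK = {ALLOW: 0, STEP_UP: 1, DENY: 2}


@dataclass(frozen=True)
class DevicePosture:
    firewall_on: bool
    disk_encrypted: bool
    os_up_to_date: bool
    managed: bool  # corporate-enrolled endpoint vs. personal device


@dataclass(frozen=True)
class AuthRequest:
    user: str
    groups: frozenset
    application: str
    device: DevicePosture
    risk_signals: frozenset  # constructed labels such as "new_country"


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset = frozenset()        # empty means "applies to everyone"
    applications: frozenset = frozenset()  # empty means "applies to every app"
    require_firewall: bool = False
    require_disk_encryption: bool = False
    require_os_up_to_date: bool = False
    require_managed_device: bool = False
    step_up_on: frozenset = frozenset()    # risk signals that force extra verification

    def applies(self, req: AuthRequest) -> bool:
        in_group = not self.groups or bool(self.groups & req.groups)
        for_app = not self.applications or req.application in self.applications
        return in_group and for_app

    def posture_failures(self, dev: DevicePosture) -> list:
        checks = [
            (self.require_firewall, dev.firewall_on, "firewall disabled"),
            (self.require_disk_encryption, dev.disk_encrypted, "disk not encrypted"),
            (self.require_os_up_to_date, dev.os_up_to_date, "OS out of date"),
            (self.require_managed_device, dev.managed, "unmanaged device"),
        ]
        return [why for required, ok, why in checks if required and not ok]


def evaluate(req: AuthRequest, policies) -> tuple:
    """Apply every policy that matches the request; the most restrictive outcome wins.
    Returns (decision, reasons) so the reasons can be logged for later review."""
    decision, reasons = ALLOW, []
    for p in policies:
        if not p.applies(req):
            continue
        failures = p.posture_failures(req.device)
        flagged = p.step_up_on & req.risk_signals
        if failures:
            outcome = DENY
            reasons.append(f"{p.name}: " + ", ".join(failures))
        elif flagged:
            outcome = STEP_UP
            reasons.append(f"{p.name}: extra verification for " + ", ".join(sorted(flagged)))
        else:
            outcome = ALLOW
        if _RANK[outcome] > _RANK[decision]:
            decision = outcome
    return decision, reasons


# Constructed policies mirroring the SRE scenario in the post.
POLICIES = (
    Policy("Everyone: current OS", require_os_up_to_date=True),
    Policy(
        "SRE: AWS from healthy endpoints",
        groups=frozenset({"sre"}),
        applications=frozenset({"AWS IAM Identity Center"}),
        require_firewall=True,
        require_disk_encryption=True,
        step_up_on=frozenset({"new_country", "new_device"}),
    ),
)

HEALTHY = DevicePosture(firewall_on=True, disk_encrypted=True, os_up_to_date=True, managed=True)


def sre_request(device: DevicePosture, signals=()) -> AuthRequest:
    """Helper: an SRE group member logging into AWS IAM Identity Center (constructed)."""
    return AuthRequest("sre-user", frozenset({"sre"}), "AWS IAM Identity Center",
                       device, frozenset(signals))


if __name__ == "__main__":
    print(evaluate(sre_request(HEALTHY), POLICIES))
    print(evaluate(sre_request(DevicePosture(True, False, True, True)), POLICIES))
    print(evaluate(sre_request(HEALTHY, {"new_country"}), POLICIES))
```

The evaluator deliberately keeps every matching policy's reason rather than stopping at the first failure: when a request is denied for an unencrypted disk and also carried a risk signal, both facts end up in the audit trail, which is what an admin wants when reviewing why a login was blocked.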
Establish device trust with Duo Desktop for AWS Workspaces (Private Preview)
Duo Desktop integrates with AWS Workspaces to give organizations control over which virtual desktops can access internal websites and SaaS services, based on the organization’s policy and security requirements. Duo Desktop checks security posture by evaluating device attributes and accepts or restricts devices based on the security criteria.
Did you know? When a user's device does not meet the security criteria specified in the device health policy, the Duo Desktop application assists the user in taking the required steps to enhance their device's security posture, ensuring alignment with the application's policy.
While the users are empowered to proactively keep their devices updated and healthy, here is how IT admins benefit from this integration:
Admins can establish security policies using the policy engine for virtual devices that access AWS Workspaces for a given user or group. They can also use the Duo Admin Panel to manage and adjust device access policies that differentiate between corporate and personal devices.
Prevent unauthorized access to applications utilizing AWS Directory Services with Duo MFA
Duo MFA for AWS Directories: Administrators can deploy Duo MFA to the Amazon Web Services (AWS) cloud to protect IT Admin access to AWS Directory Service directory types: AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) and Active Directory Connector (AD Connector).
Duo MFA helps mitigate the wider attack surface and prevents exposure to potential security risks by verifying a user’s identity at login to AWS Directory Service. This is a fast and non-disruptive way to simplify the login experience: it can be completed with a single tap in the Duo Mobile app, keeping users productive and applications secure from unauthorized access.
Note: This integration uses RADIUS Auth Proxy.
Did you know? It takes less than 10 minutes to protect AWS Directories with Duo MFA using the Quick Starts. Here is how IT admins can leverage Duo MFA for AWS Directory Services:
Easy deployment and bulk provisioning of users gets organizations up and running quickly. A user-friendly admin dashboard lets admins create and manage granular access policies for different user groups.
Detection of and response to MFA bypass attacks happens in real time using adaptive controls and changing context, including factors like location, device role and other variables, by adjusting authentication requirements to include additional verification when necessary.
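The note above says this integration speaks RADIUS through the Authentication Proxy. As an added illustration for this article (not Duo's or AWS's code), here is a constructed RFC 2865 exchange in Python: the client side stands in for the directory that sends Access-Requests, the server side for the proxy that answers them, and the `check_credentials` callback is a stand-in for whatever the real server does to decide. It shows how the User-Password attribute is hidden with the shared secret and, more usefully for operators, how the Response Authenticator lets the client reject any Access-Accept or Access-Reject that was not produced with the same secret. That is why a shared-secret mismatch between the two sides shows up as authentications that never complete rather than as an explicit error. Usernames, passwords and the secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the block padding


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)  # fresh random authenticator per request
    attrs = _encode_attr(ATTR_USER_NAME, username.encode())
    attrs += _encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle_request(packet: bytes, secret: bytes, check_credentials) -> bytes:
    """Server side: recover the credentials, decide, and sign the answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:HEADER_LEN]
    attrs = _parse_attrs(packet[HEADER_LEN:])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    return build_response(ACCESS_ACCEPT if check_credentials(user, pw) else ACCESS_REJECT,
                          ident, request_auth, secret)


def client_verify_response(packet: bytes, request_auth: bytes, secret: bytes, expected_ident: int):
    """Client side: return the response code only if the authenticator proves the
    holder of the shared secret produced this answer for this request; else None."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return None
    return code


def demo() -> dict:
    """Three constructed exchanges: good credentials, bad password, and a server
    whose shared secret does not match the client's."""
    secret = b"constructed-shared-secret"
    users = {"alice": b"correct horse battery"}
    check = lambda user, pw: users.get(user) == pw
    results = {}
    for label, ident, password, server_secret in (
        ("genuine", 7, "correct horse battery", secret),
        ("wrong_password", 8, "not the password", secret),
        ("mismatched_secret", 9, "correct horse battery", b"typo-in-secret"),
    ):
        request_auth = os.urandom(16)
        req = build_access_request(ident, "alice", password, secret, request_auth)
        resp = server_handle_request(req, server_secret, check)
        results[label] = client_verify_response(resp, request_auth, secret, ident)
    return results


if __name__ == "__main__":
    print(demo())
```

In the mismatched-secret case the server cannot recover the password either, so it answers Access-Reject, but the client never even sees that: the Response Authenticator fails to verify and the packet is discarded as if no server had replied, which is exactly how a secret mismatch presents in the field.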
In closing, with the partnership between Duo and AWS, businesses can confidently navigate the digital landscape, knowing their data and access is well-protected. As organizations rapidly expand their operations using AWS resources, they can do so with peace of mind thanks to Duo's access management solution, which fosters secure, productive, and scalable business outcomes for AWS customers.
Get Duo to secure access and boost user productivity now: