Mobile Access to Company Data: Great Opportunity With Great Risk. How to Win? Command BOTH!
Posted June 13, 2016 | Security
Duo Security From RGTS Delivers Two-Factor Authentication: Easy to Use; Much Stronger than Passwords Alone
The big data-theft headlines continue for weeks or months. The names breached are astonishing: Apple, Target, Home Depot — household names you once expected not to fall victim. The damage is enormous.
Such headline-grabbing data robberies (and thousands more unpublicized thefts) attest to companies’ essential need to do business in the cloud — as well as to the swarms of automated password hacking and guessing operations working around the clock to steal companies’ online valuables.
Against such unrelenting attacks, the weak links are eventually found and breached. The 2013 data theft from Target — 40 million credit and debit card numbers stolen; 70 million personal identification records stolen — was traced to a remote attack against an HVAC company contracted by Target, according to security journalist Brian Krebs. A recent Verizon Data Breach Investigations Report found that 95 percent of breaches involve the use of stolen login credentials.
For household-name companies and small businesses alike, a two-factor login security solution — much stronger than passwords alone — is available from Rockefeller Group Technology Solutions. Duo Security from RGTS provides a second layer of security verification to any type of login, in addition to a password. The second factor may include:
- A known, authorized device — for example, a login confirmation call or text to your smartphone and an app to approve your login request.
- Biometrics — a scan of your fingerprint, retina, or face.
- Additional passcodes — one or several security questions and answers.
Protecting Credit Cards, HIPAA Data, Household Brands
Two-factor login can help companies meet strict security compliance standards and recommendations established by the financial services industry for online credit-card and debit-card transactions, as well as the security standards mandated by federal HIPAA law to protect the privacy of medical records.
Duo Security supports thousands of organizations, including household names such as Accenture, Boston Medical, Emblem Health, Facebook, NASA, Toyota, Twitter, Virginia Tech, and Yelp. Most recently, RGTS implemented Duo Security to protect online data access provided to the staff of a major financial investment firm.
Security Success Rule #1: Ease of Use
The first design dictum for Duo Security’s success: It must be easy for end-users and host companies to use. That way, it gets used. An oversimplification? Not at all. So many data break-ins, famous and unknown, have occurred because security was weak.
Weaknesses arise when available security measures are cumbersome, poorly configured at the outset, and/or subsequently bypassed by host companies or authorized end users.
The BYOD (Bring Your Own Device) phenomenon of recent years is both a boon for business and a security nightmare for companies once accustomed to owning and controlling any device that had access to their data — devices that were safely ensconced behind company brick walls and electronic firewalls.
Duo Security enables companies to safely welcome and embrace diverse user-owned devices. Basic two-factor logins are available without having to install or update client-access software on the users’ devices — a benefit that company employees, vendors, customers, and IT staff all value. More robust and more convenient two-factor login features are available with a downloadable Duo Security mobile app.
A cloud service that’s exceptionally easy and quick for companies to implement and administer, Duo Security integrates seamlessly with enterprise cloud apps. It secures cloud apps such as Google Apps, Box, Office 365, AWS, and Salesforce with its Duo Access Gateway, which supports SAML 2.0.
Duo Security also supports a variety of Identity Providers (IdPs), including Active Directory, OpenLDAP, Google OIDC, Azure OIDC and SAML IdPs via Duo Access Gateway.
Stronger, Bigger, More Versatile Than Expected
If Duo Security is so easy to implement and use, it must be lightweight, limited security, right? Wrong. In fact, the features, reporting, and configuration controls are particularly strong, versatile, and adaptable. You can readily fine-tune Duo Security’s features to your particular circumstances and needs. Some examples follow.
Manage bring-your-own-device access to your company’s data without installing client software on the users’ devices. You can see who’s logging in, their types of devices, their operating system versions, and the application software versions they’re using to access your company’s data. If anything is out of date or a known security risk, your company has many response options, all of them automated:
- You can deny access.
- You can allow access one or several more times until the user remedies the problem.
- You can alert the user of the out-of-date problem and provide a link to the software publisher’s update.
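The three out-of-date-device responses above, as an added example written for this post (not Duo Security's own code): a small posture policy that allows a device a fixed number of warned logins and then blocks it. The minimum versions and the three-login grace allowance are assumptions.

```python
from dataclasses import dataclass

# Minimum acceptable versions per platform and browser (assumed values for this example).
MIN_OS_VERSION = {"iOS": (9, 3), "Android": (6, 0), "Windows": (10, 0), "macOS": (10, 11)}
MIN_BROWSER_VERSION = {"Chrome": (51, 0), "Firefox": (47, 0)}
GRACE_LOGINS = 3  # how many more times an out-of-date device may log in (assumed)
UPDATE_HINT = "https://example.invalid/updates"  # placeholder link to the publisher's update

def parse_version(text):
    """'10.11.6' -> (10, 11, 6), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class Device:
    user: str
    platform: str
    os_version: str
    browser: str
    browser_version: str
    grace_used: int = 0  # warned logins already consumed by this device

def posture_problems(device):
    """List the out-of-date components reported by the device at login."""
    problems = []
    if parse_version(device.os_version) < MIN_OS_VERSION.get(device.platform, (0,)):
        problems.append(f"{device.platform} {device.os_version} is below the required minimum")
    needed = MIN_BROWSER_VERSION.get(device.browser)
    if needed and parse_version(device.browser_version) < needed:
        problems.append(f"{device.browser} {device.browser_version} is out of date")
    return problems

def decide(device):
    """Return (decision, message): 'allow', 'allow_with_warning' while grace logins
    remain, or 'deny' once the device has used them all without being remedied."""
    problems = posture_problems(device)
    if not problems:
        return "allow", ""
    detail = "; ".join(problems)
    if device.grace_used < GRACE_LOGINS:
        device.grace_used += 1
        remaining = GRACE_LOGINS - device.grace_used
        return "allow_with_warning", f"{detail}. Update at {UPDATE_HINT} ({remaining} login(s) left)"
    return "deny", f"{detail}. Access blocked until updated: {UPDATE_HINT}"
```

Calling decide() on the same Device object at each login keeps the grace counter; a remedied device (newer versions reported) returns "allow" again.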
Restrict access geographically to block access from countries and regions where you don’t do business.
Block access that’s geographically impossible — e.g., block an individual user from logging in from Short Hills, NJ, one moment and then logging in three hours later from Bucharest.
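The geographic restriction and impossible-travel checks described above, as an added example written for this post (not Duo Security's implementation): the great-circle distance between two login locations divided by the time between them gives an implied speed, and anything beyond what an airliner could cover is treated as impossible. The 900 km/h ceiling, the coordinates, and the allow-list policy are assumptions.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
# Fastest plausible legitimate travel, roughly airliner cruising speed (assumed threshold).
MAX_PLAUSIBLE_SPEED_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def is_impossible_travel(prev, curr, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """prev and curr are (UTC datetime, lat, lon). True when the implied speed is unreachable."""
    hours = (curr[0] - prev[0]).total_seconds() / 3600.0
    distance = haversine_km(prev[1], prev[2], curr[1], curr[2])
    if hours <= 0:
        # Same instant or out-of-order events: any real displacement is impossible.
        return distance > 1.0
    return distance / hours > max_speed_kmh

def evaluate_login(history, new_login, allowed_countries):
    """Return 'deny' or 'allow' for new_login = (ts, lat, lon, country_code).
    Assumed policy: deny logins from countries where the company does no business, and
    deny a hop from the user's last login (history, oldest first) that is physically impossible."""
    ts, lat, lon, country = new_login
    if country not in allowed_countries:
        return "deny"
    if history and is_impossible_travel(history[-1], (ts, lat, lon)):
        return "deny"
    return "allow"

# Constructed sample: a login from Short Hills, NJ followed by one from Bucharest.
SHORT_HILLS = (40.7479, -74.3254)
BUCHAREST = (44.4268, 26.1025)
T0 = datetime(2016, 6, 13, 9, 0, tzinfo=timezone.utc)

def demo(hours_later):
    """Evaluate the Bucharest login hours_later after the Short Hills one."""
    history = [(T0, *SHORT_HILLS)]
    hop = (T0 + timedelta(hours=hours_later), *BUCHAREST, "RO")
    return evaluate_login(history, hop, allowed_countries={"US", "RO"})
```

demo(3) returns "deny" (about 7,700 km in three hours), while demo(12) returns "allow" because the same distance is reachable by air in twelve hours.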
Restrict a vendor’s special access as needed to a specific calendar window, time of day, IP address, device, number of log-ins, fingerprint, geographic region, etc.
Use two separated channels to complete a login; for example, the first authentication factor travels over the Internet and the second factor travels by mobile phone connection.
Choose among multiple options for two-factor verification:
- Hardware tokens
- Phone callbacks
- Second passcode via email or mobile text message
- Notifications pushed to a mobile device
- Second factor via a wearable hardware device
A Glimpse of Duo Security’s Own Security
Duo Security’s own cloud service and infrastructure solution are designed by some of the world’s best security experts. Duo Security uses asymmetric cryptography: Only the public key is kept on Duo Security’s servers; private keys are stored on users’ devices. If Duo Security servers were ever compromised, attackers would have access only to the public keys — not enough to access users’ accounts. User logins remain safe because Duo Security does not store passwords.
Automated Updates — There’s no overhead required to update the Duo Security authentication app. Duo Security provides automatic updates every two weeks, sending the latest security and feature updates to users’ devices.
High-Availability Architecture — Duo Security ensures an uptime exceeding 99.995% with a hard service level guarantee and premium private hosting available. Duo Security’s servers are hosted across independent service providers that have strong physical security and certified compliance audits for PCI DSS, ISO 27001, and SSAE 16 security standards.
Duo Security provides high-availability service divided across multiple geographic regions, providers, and power grids for seamless failover. Its multiple offsite backups of customer data are encrypted.
Solid, Standardized Processes — Duo Security builds security into each step of its operations, including customer data handling, code release, upgrades, patch management, and security policies. Duo Security endeavors to meet all compliance standards, such as PCI DSS, OWASP, ISO 27001, and NIST 800. A team of independent third-party auditors regularly reviews Duo Security’s infrastructure and operations.
Is Two-Factor Security Right for You?
To learn more about how two-factor security can benefit your particular organization, call your RGTS Client Advocate or 212-282-2222 (toll-free: 800-699-9199).