WHAT IS THE BLOG ABOUT?
Device trust, device health, Duo Beyond, Duo Device Health (DHA)
Determining the reliability of company-owned assets is usually a simple task. We install a mobile device management (MDM) tool and then apply security policies that allow IT and SecOps teams to secure the device or remotely remove its access after an incident. However, for organizations with a BYOD security policy, building device trust is more challenging. What if the device belongs to an external contractor with whom we collaborate on a project? And how do we handle our own employees’ personal devices?
If the device requesting access is not owned by the company, i.e. it is not a managed endpoint, or the owner does not want the company’s management software installed on it, then by default we do not allow it onto our network and do not grant it access to applications. But if that contractor or employee needs access to applications and data on the network, we want the device to be in a healthy and reliable state before it is given that access. How do we overcome this problem?
Let health be the basic principle of device trust
In corporate IT, it was believed for years that once a user had verified their identity, that user was considered an internal, authenticated one, and this was enough. Anyone who authenticated was trusted and had access to everything the network had to offer. Little attention was paid to the device used for access and its health.
If cybercriminals were able to install malware on an endpoint, the compromised device could pass through undetected once the user’s identity had been verified.
This so-called “castle-and-moat” model led to large-scale data breaches that caused millions of dollars in financial and reputational damage to the companies involved. Today, in the world of Zero Trust, we know that trusting the user is not enough. Whether it is an unmanaged BYOD endpoint or a company-issued managed device, it is imperative to establish trust in the device used to access network applications. A key component of that trust is device health.
Duo Device Health, the trusted solution
So what makes a device “healthy”? There are a number of recommended checks to consider when creating an access security policy. For Duo users, the health check results are collected at authentication time by the Duo Device Health application (DHA) running on the endpoint.
In addition to checking the device’s health status, DHA also collects data on the device’s management status. Is it enrolled in a supported enterprise management system such as Microsoft Intune or Cisco Meraki Systems Manager? If so, we also know that it is a registered company device.
How does Device Health help manage BYOD devices?
Let’s go back for a minute to our external partners and our employees with BYOD devices. Although they may shy away from installing monitoring software, the Device Health app is a small applet that is much less intrusive and controlling than device management agents. Users can install it quickly and easily without IT assistance.
Once installed, the Device Health app collects unique device IDs during authentication and compares them to a list of known devices stored by Duo. If a device ID is recognized, the device is considered trusted. This is part of Duo Beyond’s Trusted Endpoints feature, which protects sensitive applications by ensuring that only known devices can access Duo-protected services.
And this is where DHA becomes interesting for unmanaged devices. Organizations can use DHA to extend device trust.
A manual integration feature based on Device Health allows administrators to manage macOS, Windows, and Linux endpoints that are not enrolled in a management system. They simply add external partners’ and employees’ BYOD devices to the list of trusted devices. Once an unmanaged device is on the list, it is considered trusted in the same way as a device registered in the device manager.
The feature has benefits beyond the health check itself. Admins can set a trust expiration date, which is ideal for short-term and seasonal work. They can add devices individually or in bulk using a CSV file. Entries can be edited, descriptions added, and devices removed entirely through the Duo Admin panel. In short, administrators can use Device Health to bring BYOD devices under their security policies.
Can unmanaged devices really be trusted?
Determining a device’s reliability requires a multifactorial approach. We know that employees and, in some cases, external partners need to access network resources with their own devices. We also know how important it is to determine the health status of each device before granting access. But does MDM need to be installed on a device for it to be trusted?
Not so long ago we would have said yes. But now, with Duo’s manual integration feature for trusted endpoints, there is an alternative. You can trust any unmanaged device by adding it to your organization’s custom list of trusted devices.
Of course, this does not help if someone tries to log in with a 3–4 year old, unpatched phone or a laptop whose operating system has not been supported for a long time. Device health depends on updates as well as security settings. It is therefore important to note that devices that do not meet the security standards will still be kept out of the network, even with DHA installed and the device on the trusted list.
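To make the two-step logic above concrete, here is a small policy model, added as an illustration and not Duo’s code or API: an unmanaged device must appear on a trusted-endpoints list (loaded from a CSV with optional expiry dates) and, whether trusted by list or by enrollment, it must still pass health checks before access is granted. The CSV columns, the minimum OS versions and the posture report fields are assumptions for the example.

```python
import csv
import io
from datetime import date

# Constructed sample of a trusted-endpoints CSV (column names are assumed).
TRUSTED_CSV = """device_id,owner,description,trust_expires
dev-aaa111,contractor-1,Contractor laptop for project X,2030-06-30
dev-bbb222,alice,Personal MacBook (seasonal),2023-01-31
dev-ccc333,bob,Personal Windows laptop,
"""

# Minimum OS versions a device must run to count as healthy (assumed values).
MIN_OS = {"macos": (12, 0), "windows": (10, 0), "linux": (5, 4)}

_ABSENT = object()  # sentinel: device id is not on the list at all


def load_trusted(csv_text):
    """Map device_id -> trust expiry date, or None for open-ended trust."""
    trusted = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        exp = row["trust_expires"].strip()
        trusted[row["device_id"]] = date.fromisoformat(exp) if exp else None
    return trusted


def evaluate(posture, trusted, today_iso):
    """Return (allowed, reasons) for one authentication attempt.

    posture is a hypothetical health report with keys: device_id, managed,
    os, os_version (tuple), up_to_date, disk_encrypted.
    """
    today = date.fromisoformat(today_iso)
    reasons = []
    # Step 1: device trust. Managed (enrolled) devices are already known;
    # unmanaged ones must be on the manual list and inside their trust window.
    if not posture["managed"]:
        exp = trusted.get(posture["device_id"], _ABSENT)
        if exp is _ABSENT:
            reasons.append("unmanaged device not on the trusted list")
        elif exp is not None and exp < today:
            reasons.append("manual trust expired on " + exp.isoformat())
    # Step 2: health. Applies to every device, trusted or not.
    if posture["os_version"] < MIN_OS[posture["os"]]:
        reasons.append("OS version below minimum")
    if not posture["up_to_date"]:
        reasons.append("pending security updates")
    if not posture["disk_encrypted"]:
        reasons.append("disk not encrypted")
    return (not reasons, reasons)
```

A device that is on the list but fails a health check is denied with the health reason recorded, which is the behaviour the paragraph above describes.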
The Duo Device Health application is, of course, only one part of the wider Duo product, so the solution offers many other services in addition to posture control of endpoint devices. It is up to each organization to decide how useful this can be. The application can be tested free of charge in your own environment for 30 days.