What is Trusted Access?

Trusted access is the continuous process of confirming the identity and location of users and the health of their devices before they connect to your network and its resources. Trusted access ensures that the right users and the right devices are deemed trustworthy, with their access privileges adjusted accordingly.

Trusted access is critical in modern IT environments, where users and devices access resources from various locations and devices. Trusted access helps organizations strike a balance between providing a seamless user experience and maintaining a high level of security. By dynamically adjusting access privileges based on trust levels, organizations can enhance their security posture and protect against unauthorized access and potential security threats.

Duo’s comprehensive security solution confirms the identity of users and health of their devices before they connect to your applications. Duo makes security painless, so you can focus on what’s important.

Trusted access is part of a zero-trust approach to authentication, or as we like to say, “Never trust, always verify”.

The zero-trust methodology establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application.

• Trusted Users - ensure your users are really who they say they are with multi-factor authentication (MFA), an effective way to verify the identity of your users before they access your applications and data.
  
  Go a step further and enforce access policies based on contextual parameters such as user location, IP reputation, and more. For example, block users from countries you don’t do business in, or require stronger access controls for a more privileged group of users, like administrators.

• Trusted Devices - ensure each device meets your security standards by checking each device before they connect to your company’s applications. Inspect each endpoint to verify they’re running the latest operating systems, browsers, and plugins like Java to protect against known vulnerabilities and exploits that affect older versions.
  
  Check to see if your users’ devices have important security features enabled, such as screen lock and passcodes to keep intruders out.

• Every Application - integrate with every type of application to ensure complete coverage across every entry point, including VPNs, cloud apps, web apps and your proprietary/custom apps.
  
  Limiting user access to only the apps users need to do their jobs reduces the risk associated with any one user account.

Trusted access typically involves a combination of authentication, authorization, and access-control mechanisms to ensure secure and controlled access to sensitive information or systems. Each plays a crucial role in ensuring secure access to systems, applications, or resources.

• Authentication verifies the identity of a user, system, or device attempting to access a particular resource. The primary goal of authentication is to ensure that the entity trying to gain access is who it claims to be. Common authentication methods include passwords, biometrics, smart cards, security tokens, and multi-factor authentication (MFA).

• Authorization determines the actions or operations an authenticated user or device is allowed to perform. After verifying identity through authentication, authorization establishes what the authenticated entity is permitted to do within a system or application. Authorization is based on user roles, permissions, or access control lists (ACLs).

• Access Control refers to the overall management platform that enforces policies related to authentication and authorization. Access control ensures that only authorized users or systems can access specific resources and that they are granted the appropriate level of permissions. Access control systems include policies and mechanisms for managing user access, such as firewall rules, role-based access controls (RBACs), and access control lists (ACLs).

Implementing trusted access involves configuring systems or services to recognize and authorize specific users and devices as trusted.

Here's a general guide on how trusted access can be implemented:

• Gain endpoint visibility – start by gathering data on your endpoints. Deploy an access management solution that provides visibility into endpoint device features. A detailed inventory of your users' devices should include platform, OS versions, model type, and plug-ins. The inventory should also list current security features, such as passcodes, screen lock, encryption, or Touch ID.

• Identify at-risk devices – with granular endpoint visibility and device analysis, identify at-risk devices running outdated software that attackers could exploit to compromise your network.

• Log users and authentications – access management software keeps authentication logs that provide data about your enrolled users and their logins. Such data includes username, time of attempt, application or integration type, authentication method used, IP address, location, and whether the access attempt failed or succeeded.

• Trust devices and networks – using information gathered from the previous stages, choose to either trust certain devices and networks or set restrictions based on custom profile groups. For example, you can require MFA for engineering users who access code repositories and business data. Others logging into less sensitive services may require fewer restrictions.

• Urge users to update – automated self-remediation features can notify users that their software is out of date. Users also have the option to update their browsers, plug-ins, or OS. Self-remediation makes your IT environment safer while reducing help-desk calls.

• Block at-risk devices – endpoint remediation lets administrators automatically block devices with outdated software from accessing enterprise applications. This action helps to ensure that only healthy devices are accessing your company's applications and data.

While trusted access offers numerous benefits, it also comes with its set of challenges and considerations. Addressing these challenges requires a holistic approach, involving a combination of technology, policies, user education, and ongoing monitoring. Organizations should carefully evaluate and tailor their trusted access strategies to their specific needs and the evolving landscape of cybersecurity.

Here are some common challenges associated with implementing trusted access:

• Device diversity – Managing the trustworthiness of a diverse range of devices (smartphones, tablets, laptops) can be challenging. Each device may have different security postures and capabilities.

• User education and awareness – Ensuring that users understand the importance of device security and follow best practices is crucial. Lack of awareness may lead to insecure practices, such as using unsecured devices or sharing credentials.

• User experience vs. security – Striking a balance between providing a seamless user experience and maintaining a high level of security is a continuous challenge. Onerous security measures can lead to user frustration.

• Privacy concerns – Assessing device trustworthiness involves collecting data about the device, leading to privacy concerns. Striking a balance between security and user privacy is a challenge.

• Technological evolution – Keeping up with the rapid evolution of technology, new devices, and emerging security threats requires continuous updates and adaptation of trusted access mechanisms.

• Contextual challenges – Managing trusted access based on contextual information (location, time) can be challenging in dynamic environments. Users may legitimately access resources from various locations and networks.

• Regulatory compliance – Trusted access solutions must align with data protection regulations and compliance standards. Meeting regulatory requirements adds complexity to implementation.

Trusted access management solutions help prevent attacks by providing:

• Continuous user and device monitoring

• Granular endpoint device visibility

• Dynamic access policy enforcement

• Remote and bring-your-own-device (BYOD) security

• Secure access to cloud and network

• Reduced risk of breaches

Duo meets the four functional requirements for implementing a zero-trust architecture:

• Duo authenticates users and verifies devices to establish trust.

• Duo enables access and applies powerful and granular adaptive policies to enforce trust-based access.

• Duo provides risk-based authentication to continuously verify trust.

• Duo provides alerts, logs, and anomalous login detection to allow organizations to detect and respond to changes in trust.

• Multi-factor authentication – ​​MFA is an access security process that verifies user identity at login with two or more identity-checking steps, supporting trusted access. Duo trusted access incorporates strong MFA designed to protect against the latest attacks that target gaps in weaker MFA solutions. ​​Two-factor authentication (2FA) is a subset of MFA.

• Single sign-on (SSO) – ​​SSO is an authentication process that allows a user to access multiple applications or services with a single set of login credentials (such as a username and password). As a result, SSO allows for seamless trusted access to approved applications without the user being prompted to log in to each one.

• Passwordless authentication – Passwordless authentication provides trusted access with verification methods that don't rely on passwords. Such methods include biometrics, security keys, and mobile authenticator applications.

• Device trust management – ​​Device trust refers to the process of verifying that a user’s device can be trusted to access your network and resources. Device trust includes determining if a device is known, up to date, secure, and compliant with organizational trusted access policies.

• Remote access – ​​Remote access refers to the trusted access practice of enabling users to connect to a computer network and its resources from a remote location in a way that prioritizes the confidentiality, integrity, and availability of the accessed information. You can enable remote access with or without a VPN.

• Adaptive access – Administrators can use access management solutions to create ​​adaptive access policies for user groups and specific applications based on contextual factors like role, device, and location. With granular visibility into users and devices and policy enforcement by application, trusted access solutions can dynamically respond to risk and protect trusted users while deterring attackers.