AWS Partner Network (APN) Blog
How to Enhance Your Zero-Trust Security Journey on AWS with Cisco Duo
By Danny Paul, Technical Solutions Architect – Cisco Systems
By Muffadal Quettawala, Partner Solutions Architect – AWS
Cisco |
Before zero trust, previous information security architectures relied on an implicit trust defense. With implicit trust, organizations would protect their networks with admission control, but once inside the network users had mostly free reign. Some call this a “castle and moat” defense, and the obvious weakness is that bad actors often already have a foothold somewhere behind the wall.
Zero trust has been a welcomed and sorely needed revolution in information security. In contrast to previous security architectures, it places an emphasis on identity, least privilege access, device health, user context, and risk at the time of resource access.
In this post, we will showcase how Cisco Duo integrates with Amazon Web Services (AWS) to establish and maintain trust. We’ll also discuss how Duo can be used to protect an AWS environment, including the applications and services running therein.
Cisco Systems an AWS Specialization Partner and AWS Marketplace Seller with Competencies in Security, Data and Analytics, DevOps, and more. Cisco brings to cloud a comprehensive portfolio of software, infrastructure, integrated solutions, and services that enable organizations to design, plan, accelerate, and de-risk your cloud initiatives.
Solution Overview
Duo establishes and maintains user and device trust by integrating into the user authentication process. Most modern applications will integrate with Duo using Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC), though Duo can also integrate with traditional or bespoke products with a RADIUS or LDAP proxy service, or through the Duo Authentication API.
For AWS, Duo integrates with AWS Identity and Access Management (IAM) and AWS IAM Identity Center via SAML 2.0. Duo also integrates with AWS Verified Access as an external OIDC identity provider (IdP).
Duo’s efficacy comes from its powerful and flexible policy engine where security administrators describe their desired outcomes and Duo handles the access decisions. Duo’s policies stack on top of each other such that all users and applications share the same outcomes, but exceptions to policies at the application or user group level are more quickly applied.
To establish device trust across Windows, MacOS, and Linux PCs, Duo offers Duo Desktop–a lightweight app that transmits telemetry to the Duo cloud service. Similar capabilities are available on iOS and Android by way of the Duo Mobile app. Duo Desktop is available for servers and workstations in both physical and virtual forms and works with Amazon WorkSpaces (coming soon).
Figure 1 depicts the Duo and AWS components involved in helping your organization accomplish its zero trust goals.
Figure 1 – Architecture for protecting user-to-application access using Duo and AWS.
Prerequisites
To implement the solution, you’ll need administrative access to a working Duo instance configured with Duo’s Cloud Hosted SSO. If you’re not a current Duo customer, you can sign up for a no-obligation 30-day trial of Duo Advantage.
You’ll need a machine to act as an end-user device, such as an Amazon WorkSpaces instance. You’ll also need access to the AWS environment you’re hoping to protect.
Depending on whether you are protecting AWS applications via SAML 2.0 or OIDC, you may need to make external trust provider related changes to AWS IAM, AWS IAM Identity Center, or Amazon Verified Access.
Once you have your test environment set up, start creating Duo policies to establish and maintain trust in your users and devices.
Step 1: Eliminate Surface Area
To decrease the impact of compromised credentials and shrink the surface area against which those credentials could be leveraged, we recommend the following changes to the Duo policy that will apply to AWS.
In the Duo Admin Panel, find and modify the following policies:
- New User Policy: Set this to “Deny Access.” The effect here is that users who don’t have a multi-factor authenticator (MFA) set up will not be allowed access to the application and won’t be able to add an authenticator.
- User Location: For all of the countries where legitimate access attempts will be made, choose “No Action.” For all other locations, choose “Deny.” This policy shrinks the space from which unauthorized access attempts can originate.
- Anonymous Networks: Choose “Deny access.” This prevents application access originating from virtual private networks (VPNs) or anonymization services for which there are few legitimate business uses.
Step 2: Evaluate and Respond to Risk
While the above static policy sets a floor for the level of risk you’re willing to tolerate, you may want to further protect your environment to respond to dynamic risks.
Duo consumes information about users to establish a user behavior baseline then evaluates new requests against that baseline. If there’s much deviation, or if other signals are present, Duo can require the user to escalate their authentication request to a phish-resistant authenticator, such as a hardware token, platform authenticator, or a Duo Verified Push. This feature is called Risk-based Factor Selection and is a set-it-and-forget-it method of incorporating context into access decisions.
For example, a user following the same pattern they’ve always followed should get little scrutiny. A user connecting with a new Wi-Fi fingerprint, from a new device, or after having been subjected to a push notification abuse should receive extra scrutiny as those signals indicate a compromise.
Figure 2 – Verified push, one phish-resistant MFA method supported by Duo.
Risk-based factor selection (RBFS) can be enabled under the “Authenticators” section of your policy. Enable RBFS by checking the “Limit available authentication methods” check box. You can also configure the Duo Push Code Length in this section.
Figure 3 – Enabling risk-based factor selection.
Step 3: Establish Device Trust
Critical controls for information security have always included keeping software up to date, running firewalls where possible, encrypting data at rest, and so on. With zero trust, device trust is just as important as user trust.
Time and again bad actors are leveraging well-known vulnerabilities in browsers and operating systems making IAM controls insufficient. User and device trust go hand-in-hand; zero-trust security architectures treat the two as equally important.
With user trust established, let’s look at how you can establish device trust with Duo Desktop.
As discussed in the overview, since Duo is in front of authentications it can perform posture checks and deny authentications from out-of-compliance devices with Duo Desktop and Duo Mobile. If the endpoint or WorkSpaces instance is found to be out of compliance, the user is guided through remediation, preventing an influx of calls and tickets to your helpdesk.
Figure 4 – Remediation with Duo Desktop.
Let’s look at a simplified example of device policy enforcement with Duo Desktop. In this example, we’re going to be fairly strict. The users will access applications with:
- Fully up-to-date OS
- Fully patched corporate supported browser
- Firewalls turned on
- Disk encryption enabled
- Preferred endpoint protection running
Figure 5 – Duo Desktop Device policy example.
Additional device trust policies are available and encouraged with Duo, though beyond the scope of this post. Of particular note is Trusted Endpoints, where only devices in your organization’s inventory are allowed to connect, and Remembered Devices, which decreases MFA requirements when risk signals are low.
Step 4: Deploy Zero Trust for Services and Applications in AWS
For existing environments, zero trust architecture will come through incremental improvements; the only 100% zero trust environments are new ones, and most organizations will take multiple refresh cycles to achieve a fully zero trust architecture. While Duo is simple and straightforward to use, most organizations will choose to deploy incrementally, choosing the biggest impacts with the smallest wakes.
With solid zero trust policies defined, Duo can now be injected into the login process. To configure Duo for protecting AWS services via SAML 2.0 standard, configure Duo Single Sign-On for Amazon Web Service and CLI. Similarly, for protecting private applications behind Amazon Verified Access via OpenID Connect, configure Duo’s OIDC application.
Conclusion
In this post, we demonstrated how to use Cisco Duo to establish a zero-trust security model for services and applications running in AWS. We showed how to make identity the perimeter, evaluated and responded to risk in establishing user trust, and performed posture assessment and enforcement to establish device trust.
Following this approach, you can make a leap forward in your zero trust journey. We hope you walk away with the appreciation that the zero trust journey does not have to be perilous. Using products that work well together, like Cisco Duo and AWS. to displace legacy technologies and improve the user experience to achieve better security makes the trip an enjoyable one.
To learn more about how Duo and AWS can accelerate you along your zero trust journey, explore these resources:
- Start a free trial of Cisco Duo
- Examine the Total Economic Impact of Duo
- Determine which Duo Edition is right for you
- Purchase Cisco Duo through AWS Marketplace
Cisco – AWS Partner Spotlight
Cisco Systems is an AWS Specialization Partner with a comprehensive portfolio of software, infrastructure, integrated solutions, and services that enable organizations to design, plan, accelerate, and de-risk your cloud initiatives.