Defending against today's threats requires the right kind of MFA,

device trust, ease of use, and more. Learn what it takes to protect
everything that matters—and how to choose the access management
solution that's right for you.

Table of Contents
Access management in a changing world  1

Today's threats call for strong security  3

MFA bypass attacks prey on weaker solutions 4

Access management is the foundation of zero trust 4

What to look for in access management solutions  7

Security 8

Productivity 9

Value 11

10 metrics for measuring success  12

Duo: Stronger Security. Increased Productivity. Unmatched Value. 14

Solution Comparison Worksheet  17

© 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Access
management in a
changing world

1
That phone in your hand is a • How can you extend access only to
vulnerability. So is your laptop, your those endpoints that are compliant
colleague's home computer, and every with your security policies, while
other device an employee, customer, also verifying the identity of the
or partner may use to access your people who are using them?
network, applications, or data.
• How can you ensure that smart
The environment your security team phones and other devices your
works hard to defend is changing employees use daily—but that aren't
constantly. Employees are no longer managed by IT—won't put you
bound to desktop systems. They're at risk?
working from everywhere, at any hour,
and on virtually any device. • How can you make authentication
and security protections user-
So too are threat actors who want friendly enough to ensure people
to gain access to your networks, will be willing participants in
applications, and data. These attackers securing your enterprise?
are constantly innovating to find weak
spots in your existing defenses, such • How can you ensure that
as recent efforts to bypass weaker strong security doesn't threaten
multifactor authentication (MFA) productivity?
systems. Anything less than strong
security will leave you and your • Lastly, how can you tell which
organization unnecessarily open access management offering is
to attacks. right for you? (That may be the
hardest part, but we've figured out
For security and IT teams, the questions how to make that easier too.)
this changing environment poses
are many. This eBook aims to answer all
those questions.

2
Today’s threats call
for strong security
Cyber attacks continue to grow in volume and But network perimeters aren't what they used to
sophistication. And access has become its own be; today, they're built around people, not sites. So
valuable currency for threat actors. Take ransomware access must be adaptive, and managing it must
attacks, which infiltrate systems or data and hold involve more than enforcing strong password policies.
them hostage until the victim pays money to get You need to protect employees wherever they
its digital property returned. The 2022 Verizon are, even as their location changes or they switch
Data Breach Investigations Report (DBIR) finds that devices, and as they move from one application to
ransomware attacks grew more last year than in all the next. And you need to achieve all this without
five previous years combined. compromising the user experience or productivity,
because security that's difficult to use makes you
It only makes sense. If you can lock down your less safe.
perimeter—if you can control who and what enters
your network and all it contains—you'll be in a better
position to protect your applications and data.

“Ransomware by itself is
just a model of monetizing
an organization's access.”
2022 Verizon Data Breach
Investigations Report

3
MFA bypass attacks prey
on weaker solutions
Achieving trusted access has become a bigger
challenge than ever, thanks to a new generation
of attacks targeting gaps in weaker MFA solutions
and counting on busy employees' impatience with
difficult-to-use authentication platforms. MFA
bypass attacks deploy techniques such as push
bombing, in which attackers armed with stolen user
credentials (such as a username and password)
repeatedly push authentication notifications to the Access management is the
victim's smartphone. These attacks, also called MFA
fatigue attacks, can result in users confirming the foundation of zero trust
MFA access request just to end the With a zero trust security model, you never
notification bomb. assume trust—you always verify it. Here, access
management plays a crucial role by enabling
Attackers also are buying phishing kits and stealing essential elements of zero trust:
session cookies (or tokens) that are created on
endpoints when legitimate users successfully • Establish trust for users and devices requesting
authorize a device via MFA systems. Token access to your applications or network.
theft is popular because MFA session cookies
have become as valuable as passwords among • Enforce trust-based access so access is
granted explicitly, based on the need-to-know
cybercriminals, who use them to bypass less robust
principle of least privilege.
MFA platforms.
• Continuously verify trust even after initial
Governments mandate strong access is granted (because change
MFA and zero trust, but are is inevitable).
organizations equipped?
• Respond to changes in trust by denying
It's no wonder governments are increasingly access, prompting the user to remediate, or
by granting additional access once trust has
requiring strong MFA, including phishing-resistant
been rebuilt.
MFA, as part of a zero trust security model for
organizations needing to comply with regulations to
do business. The regulations require organizations
to have awareness and visibility into the health and
security posture of all the devices used to access
their critical applications and data.

4
 Unfortunately, most organizations aren't equipped The vital task before security professionals is to
to address these challenges or fully meet these implement a mature access solution that provides
mandates. According to Cisco's 2023 Cybersecurity robust protection against evolving threats, but
Readiness Index report, "There is significant doesn't threaten productivity, exhaust users, or
progress to be made to meet the challenge of break the budget. To achieve all that, you need an
identity verification." Just one in five organizations access management system that's simple, adaptive,
have a mature identity verification implementation. and phishing-resistant.

Being unprepared invites significant risks, including:

• Increased risk of compromise and security

incidents.

1 5
• Greater risk of compromise for weaker MFA
implementations.

• Increased liability, including exposure to fines

“Just in
due to non-compliance, costly lawsuits, higher
insurance premiums, and even ineligibility for organizations have
cybersecurity insurance.

• Eroding user productivity from poor adoption of

a mature identity
crucial security and authentication measures.
verification
• An inability to properly ensure the safety of
hybrid work. implementation.”
• Onerous IT administration and help desk time
2023 Cybersecurity Readiness
and resources required to handle cumbersome
access tools and cover special use cases such Index Report
as authenticating endpoints not managed by IT.

5 5
What are your primary THREATS? Where are your biggest RISKS?

A threat is a weapon or tactic that can lead to a A risk is an element in your environment that increases
potential attack on your network or data. the chances of a successful exploit.

MFA bypass attacks Devices

Attacks designed to take advantage of gaps in weaker Mobile phones and other personal devices are often
MFA solutions by deploying various techniques, not managed by IT admins. That means you can't
including: be sure their OS or app versions are up to date,
or whether they meet your secure trusted access
• Push bombing, in which attackers take advantage requirements. This leads to potential vulnerabilities—
of MFA fatigue by inundating users with so many and opens a door for bad actors.
push notifications that they finally approve access
just to silence the notifications. People

• Token theft, in which attackers steal session Your workforce is your No. 1 asset. They're also the
cookies created when legitimate users No. 1 target of attackers. Threat actors count on
authenticate a device. busy employees to adopt careless habits like using
recycled or easily guessed passwords, using the same
• Machine-in-the-middle attacks, which use passwords for both personal and work accounts, and
phishing schemes to lure users into clicking a storing them unprotected on devices. In fact, most
malicious link that leads them to a proxy server breaches result from stolen credentials or
designed to intercept traffic between the user and weak passwords.
the real server, stealing credentials and tokens in
the process. Hard-to-use security

Security that's difficult to use or administer achieves

Malware
the opposite of what you want. Complicated access
Software that infiltrates your environment can exploit apps that throw up roadblocks for both users and
vulnerabilities in systems and applications to steal admins can threaten adoption and limit your ROI.
passwords, access data, and take control of systems. Solutions unable to dynamically adjust to changing
context leave you vulnerable.
Phishing
Insufficient security
Emails, programs or push notifications impersonate
legitimate sources to fool users into giving up their MFA systems that are bundled free as part of larger
credentials, visit malware-infested web pages, or security offerings tend to leave dangerous gaps that
download malicious programs. attackers know how to target. Insufficient MFA fails to
cover all users, devices, and applications, lacks the
ability to verify endpoints not managed by IT, is difficult
Ransomware
to use and administer, burdens help desks, and more.
A specialized malware attack that takes control of
systems or data and demands money to release it.

6
When selecting the right access management solution for your
organization, it's important to acknowledge where your risks
are—where your organization is exposed to threats—and then
determine how an access management solution can help close
those gaps. You don't necessarily need to implement a full zero
trust environment from day one—that is a journey. Instead, it's
wise to establish a foundation built around proven zero trust
elements such as phishing-resistant MFA, trusted endpoints,
and single sign-on (SSO), and then expand from there.
Access management is the perfect starting place.

7
But the process can be confusing. Different solution 9 Strong authentication with phishing-resistant
providers make similar-sounding claims about what MFA options. You'll want a solution that's designed
their products do, even though what they offer is specifically to foil attackers no matter how they
often not comparable to competing solutions. Some come at you, including and especially attempts
bundle access management with unrelated products in to bypass your MFA processes. Your access
packages that simply don't prioritize security, leaving management solution should be able to detect
customers with solutions that leave them at risk. and respond to MFA bypass attacks in real time.
Anything less leaves you at risk.
As too many organizations are learning firsthand,
today's threats can't be neutralized by "check the 9 Adaptive, risk-based authentication. Adaptive,
box" access management solutions that provide risk-based authentication allows you to respond
substandard protection. Fortunately, there's no reason instantly to changing context, such as location,
to compromise. device role, and other factors. You should be able
to customize your security policies, defining which
Robust and adaptive access management solutions roles can gain access to which applications or
are available today. The best will meet three core data. And you should be able to deploy risk-based
requirements—the three pillars of modern access methods like identifying anomalous access that
management: security, productivity, and value. could indicate an unauthorized attempt; when this
happens, your solution should allow you to adjust
authentication requirements to require
additional verification.

9 Endpoint trust. Access management involves

more than just verifying identities. You need
visibility into every device that attempts to access
your applications—even if that device is not
managed by IT—and enforce access control based
on your own policies. Look for solutions that can
assess mobile devices, computer systems, and
other endpoints in real time by answering crucial
questions. Is the device's software up to date?
Does it meet your compliance goals and device
access policies? Is the device logging in from a

Security location you’ve restricted? Some solutions even

provide dynamic updates, which takes the heavy
lifting out of keeping devices trustworthy.
It's simple: Strong security is now a must. Attackers
are finding ways around defenses that once stopped 9 Early detection of potential attacks. Keeping a
them cold. It makes no sense to invest time and step ahead of attackers is a priceless advantage
resources in solutions designed to protect you for security teams. Look for solutions capable of
against last year's threats. alerting you to attacks as they are emerging—not
after they've happened.
To find an access management solution capable of
delivering strong security, look for:

8
 Among users, access management solutions are often
the point of the spear for corporate security. This puts
a premium on features that won't hinder productivity,
and an even greater value on those that actually help
improve it. The good news is that there's no longer
any reason to sacrifice productivity for security (or vice
versa)—so long as you choose an access management
solution that offers:

9 Seamless, consistent user experience. Ease of

use is everything, as it drives adoption which in turn
lowers your risk profile. It's important for users to
have the same experience across all platforms and

Productivity
applications. Don't settle for anything less, because
you'll feel the productivity impact down the line.

Complex security makes your organization 9 Single sign-on (SSO). The average organization
less productive while also making it less safe. manages 300 applications. That's a lot of logging in.
When security systems are hard to use and Single sign-on enables users to authenticate their
administer, people come up with workarounds and identity once, and then access all the applications
administrators get overwhelmed by cumbersome they need to work without having to log in again.
configurations and help desk requests from SSO complements MFA by pairing added security
frustrated users.
with seamless convenience.

9 Self-service remediation. When device or user

authentication fails, many MFA solutions present

182
users with confusing, even meaningless error
messages that urge them to contact their IT
administrator. Seek solutions that tell users why
they're blocked and how they can fix it. This allows
them to get back to work sooner and reduces
changes of MFA fatigue.

9 Comprehensive coverage. With hybrid work here

Days
to stay and IT infrastructures in a constant state of
flux, comprehensive coverage is essential to meet
your organization's evolving need to manage access.
Prioritize solutions that offer support for all types of
Is what overly complex applications (cloud, on-premises, and private and
public apps), endpoints (corporate-owned, BYOD,
security costs large Windows, MacOS, iOS, and Android), and users
(employees, contractors, third parties, remote
U.S. organizations in or on-premises).

productivity every year.” Remember: Limitations impede productivity.

- IS Decisions

9
9 Support for an array of authentication factors. To help all users get to work as quickly as possible,
a robust authentication environment will support a broad range of authentication factors, from
phone calls (necessary for some populations), text messages, and push notifications all the way to
strong FIDO2 authentication. Be sure your solution supports passwordless authentication, including
biometric factors like fingerprint and facial recognition, for even greater security and efficiency.

Authentication factors can vary widely

1 23
....
...
Phone SMS OTP Tokens Push Push with FIDO2
Call Notification Number Matching (WebAuthn)

Level of Assurance
Low High

Access denied.
What does self-service look like? Your credentials are not sufficient to gain
access to this resource. You may be using a Contact your administrator.

Less friction and easy answers. device or software that is not compliant with
your admin’s security policies.
Reach the help desk for assistance on gaining
access.
You can try signing in using a different
If you think "self-service security" sounds account, but this may not solve the problem. Error code: 276635
Time Stamp: 2023.05.08 09:40:00:32
like extra work for users, it actually means Sign in using a different account
Application: Acme

the opposite. Take the example of blocked More details IP Address: 192.0.2.1
Device type: MacOS
access. An employee tries to sign into an Device state: Unmanaged

application and is denied. Some device trust

solutions simply tell the user they can't
access the app and supply an error code
that's meaningless and frustrating to users.
Their next step? Either sign in with different
account or contact IT. With a solution
designed for self-service, like the app pictured
on the right, users find out why they're not
allowed access, and what changes they can
make to gain access. Self-service security
saves time and avoids headaches for users—
and saves on support costs.

10
Value
9 Accessible pricing. Some providers
Determining value is perhaps the hardest piece
charge premium prices for essential access
of this puzzle. Access management solutions
management features like SSO, passwordless,
can differ in pricing and features, and so-
and trusted endpoint support. These providers
called "free" bundles can muddy the waters
may market their solutions as affordable—
further. But it helps to approach this pillar by especially if they're bundled at no extra charge
acknowledging both upfront costs, such as per- with other offerings—but add-on costs can
seat subscription costs, as well as add-on fees quickly mount, especially as you equip yourself
that, if not properly vetted, can add up fast. to defend against MFA bypass attacks and
other emerging threats.
To assess the value of any access management
solution, consider what it costs (in dollars, time, 9 Reliable service and global support. This
and resources) to not only deploy the system but seems like a no-brainer, but we all know what
also to administer it and evolve it as your needs it's like when vendors don't deliver it. Be sure
change. Look for solutions that offer: your provider has a meaningful, fully supported
presence everywhere you do business.
9 Fast, easy implementation. Some access And ask hard questions about the extent of
management solutions can take six months real-world technical and customer success
or longer to deploy. And many require paid support—and what you're really getting for your
consultants to configure and even maintain money.
the solution. Waiting, however, is a poor
security strategy. Look for solutions that can be 9 Comprehensive compliance. Another key
deployed in days, even hours—and with minimal factor is ensuring that your new solution will
burden on IT. Insist on out-of-box integrations help you meet major regulations (including
for major applications and APIs that make it NIST, FIPS, and EPCS) and accessibility
easy to integrate with custom applications. guidelines (such as WCAG, HIPAA, SOX, PCI,
The solution you want will provide value up GDPR, and GLBA). Make sure your access
front, will work with both modern and legacy management solution makes compliance
systems, and will work across multiple siloed easier, not harder.
apps. Keep in mind that proprietary solutions
can be inherently expensive because they limit 9 Measurable impact on security. It's one thing
your options, not just for security tools but for to check a compliance box. But if you’re going
enterprise software in general. to go through the effort of implementing an
access management solution, make it count.
9 Simple administration. Be sure your solution is Look for solutions that demonstrably reduce
flexible enough to configure policies at various the risk of unauthorized access. Does it give
granular levels to accommodate a range of you visibility to all users and devices in your
use cases and user roles. In addition, seek environment? Does it allow you to apply access
solutions that can generate comprehensive policies to both managed and unmanaged
reports so you'll always know where your devices? Will it let you block access by
access management progress stands. geographic region? Will you be alerted to
suspicious login activity? Can you track
success metrics?

11
10
metrics for
measuring
success
How do you know your access management protections are
working? These metrics would be a good starting point.
Make sure your solution lets you track them.

12
12
 Lower is better Higher is better

Password reset requests. When helpdesk staff find Authentication factor types. The number of
they spend a lot of time fielding these calls, it could authentication factor types you support (such as
be a sign that your password management system passcodes, tokens, and biometric authenticators)—
is poorly designed or even malfunctioning. Lowering and their use—can be indications of your
these requests should be a goal. environment's maturity. Among Duo customers,
app-based Duo Push authentication is the most
Access creep. The policy of least privilege aims used method.
to grant users access to only what they absolutely
need to do their jobs—and nothing more. But a rise Growth indicators. Several metrics can help
in the number of users with access to sensitive data you gain insight into your organization's relative
potentially signals sloppy policy management. Careful growth. New accounts provisioned usually tracks
monitoring of accounts, especially as employees leave the number of people who join your ranks, while
or change roles, can keep this metric manageable. expansion rates (of data, apps, locations, or users)
can provide monthly snapshots into growth within
Time to provision user accounts. The sooner various parts of the business. So long as your
accounts are provisioned, the faster employees can organization can manage that expansion, increases
get to work. This is a vital metric for measuring the in these metrics can be viewed as a positive.
effectiveness of your access management program
and can flag potential areas of improvement. Admin time. Freeing up time spent administering
access management (thanks to fewer help
Offboarding flaws. Departed employees who still desk calls and streamlined configuration and
retain access to systems represent a security risk. management) leaves more time for other tasks and
Tracking and closing those accounts is crucial. It's drives down TCO.
another metric you'll want to see reduced over time.
(The same goes for inactive or orphan accounts, User satisfaction. Understanding how user
which can belong to active employees but aren't in sentiment changes over time can give you a sense
use: they're a vulnerability.) of how well your access management program is
working—and where to course correct if necessary.
Stepped-up security incidents. Risk-based
authentication gives you an added layer of defense.
Understanding how often it's deployed and in what
circumstances (by region, user role, endpoint type,
etc.) provides insights that tell you more about how
your access management solution is protecting you.

MFA bypass incidents. Tracking attempts to bypass

your MFA system, and the details around those
attempts, will help you understand how threat actors
are targeting your networks and applications—and can
provide insights to help you shore up your defenses
with user training, risk-based authentication, and more.

13
13
Stronger Security

Increased Productivity

Unmatched Value

14 14
Most IT environments are complex, and they will Duo protects against malicious attacks, including and
only get more so. Organizations rely on hundreds especially push-phishing attacks, with multi-layered
of applications and cloud services, which host their defenses that detect and block suspicious login
most valuable information. To protect these multi- attempts in real time.
environment systems, you can only allow access
to those users and devices who are known to be In fact, Duo provides strong protections like device
trusted. And you always must remain a step ahead verification as a standard feature across all of its paid
of threat actors who aim to outmaneuver the very editions. (Duo even enables organizations to verify or
protections you've put in place to stop them. block devices that aren't managed by IT.)

That's where Cisco Duo comes in. Duo provides

strong security with multi-layered defenses and
advanced capabilities that thwart sophisticated
malicious access attempts—and all in a way
that frustrates attackers, not users.

If it's connected, it's protected.

All Duo paid editions
When attackers attempt to bypass
include strong MFA with
MFA authentication, Duo doesn’t give
them a way in.
push phishing-resistant
options, single sign-on
(SSO), passwordless
authentication,
and trusted endpoint
protection.

15
Duo is a core part of Cisco's assurance that "if it's • Improve workforce productivity by frustrating
connected, it's protected." Duo delivers peace of mind only attackers, not users. Minimizing user friction
through strong security, increased productivity, and delivers a delightful user experience and ensures
unmatched value. This makes Duo the smart access adoption of security best practices.
management choice for every organization, regardless
of their size, IT infrastructure, or security expertise. • Safely enable hybrid work by allowing users
Quick to set up and easy to use, Duo provides trusted to be productive from any location—without
access while driving down support costs and ramping compromising security—using SSO, passwordless,
up user productivity. risk-based authentication and device verification.

Only Duo delivers access management that is this user • Reduce administrative burden and IT costs
friendly, this secure, and this cost-effective. It achieves with Duo’s self-service, ease of use and broad
this by helping you: coverage of use cases that results in fewer help
desk tickets, less time spent administering or
• Reduce your risk of breaches with strong user supporting existing solutions, and simplified yet
authentication and device verification combined stronger access management.
with dynamic risk-based access policies to prevent
sophisticated identity-based attacks. • Maintain operations with world-class support,
which Duo delivers to more than 40,000 customers
• Easily prove compliance with regulatory in over 100 countries. That global reach and scale
requirements and data privacy standards using allows Duo to process 1.3 billion authentications
Duo's robust policy engine and comprehensive a month and analyze the health telemetry of
reporting for IT audits. 26 million endpoints. More than nine out of 10
customers recommend Duo.

16
Solution Comparison Worksheet
Use the chart below to make your own comparisons between Cisco Duo and other solutions.

Security Option 1 Option 2

Prevent unauthorized access with strong and adaptive MFA, including phishing-
resistant FIDO2 (WebAuthn) options
Strengthen authentication in real-time when signal risk rises

Rich, broad range of active security threat signals

Extend access policies to personal & 3rd-party devices

Identify anomalous/risky authentications

Establish device trust through security posture assessment

Defend against push-phishing and MFA targeted attacks

Get granular visibility into users & devices

Protect macOS & Windows devices with offline MFA

Machine Learning-based detection of potential attacks in progress

Protect legacy & homegrown applications

Ability to identify and block/allow devices without an MDM

Productivity Option 1 Option 2

Easily deploy secure access policies to all users & devices

Enable VPN-less secure remote access for private & other on-premises services

Simplify user experience & device management

Notify users when and how to self-remediate their devices to limit helpdesk burden

Accelerate risk assessment & login experience

Easy to configure advanced policies

Simple and accurate troubleshooting & reporting

Value Option 1 Option 2

Unlimited application integrations

Features and reporting that support compliance & insurance requirements

Reduce helpdesk call volume for login issues, password resets and device updates

IT can rapidly deploy & easily manage secure access policies

Support hybrid work, partners, and contractors

Straightforward and simple license costs

Protect access for entire workforce more efficiently

Integrate with existing security & identity solutions

Quickly protect new mergers and acquisitions within their existing IT environments

© 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved. 17
 Learn More
Learn how Duo's access management
solutions can help you protect your
environment—and achieve peace of mind
through strong security, increased productivity,
and unbeatable value.

Resources
The Latest Cisco Trusted Access Report

The Multi-Factor Authentication Evaluation Guide

The Life and Death of Passwords

Visit Duo.com to learn more and Start a Free Trial

start a free 30-day trial.

Duo Security, now part of Cisco, is the leading Cisco Secure delivers a streamlined, custom-
multi-factor authentication (MFA) and secure er-centric approach to security that ensures it’s
access provider. Duo is a trusted partner to more easy to deploy, manage, and use. We help 100
than 40,000 customers globally. percent of the Fortune 100 companies secure
work – wherever it happens – with the broadest,
most integrated platform.
Try it for free at duo.com. Learn more at cisco.com/go/secure.

© 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.18