Lyft was founded in 2012 and currently provides 50 million rides a month across the United States and Canada. This adoption brings the biggest challenge for Lyft’s security team: to protect their users’ sensitive personal and financial information.
The company aimed to strengthen security protection for their mission critical applications and valuable intellectual property. They wanted to enable easy and secure access for all stakeholders, empowering effective collaboration.
Lyft employees used VPN connections to access sensitive internal applications hosted on Amazon Web Services (AWS). Lyft had implemented a custom solution based on OpenVPN, but it posed usability challenges for end users accessing web applications and SSH. Employees had to use the VPN even when they were inside Lyft offices to access certain internal apps, which impacted user productivity. Lyft was looking for a VPN alternative for certain popular applications without compromising security.
Meanwhile, Lyft also had a diverse mix of end user devices, including MacBooks, Chromebooks, Windows and Linux machines. Some were actively managed by IT and some were end users’ own personal devices not managed by IT. Gaining visibility into all these devices to analyze their security posture was a big gap. Maintaining VPN clients for disparate operating systems on all their end users’ machines required high effort and was becoming increasingly expensive.
To protect user information, Lyft wanted to establish strong access controls for applications so only authorized and trusted individuals using company issued devices were allowed access to sensitive data. Specifically, they wanted to enable two-factor authentication (2FA) to strengthen the security of remote access, and ensure that only devices with good security posture could connect to their critical applications in AWS.
Lyft deployed Duo Beyond and was immediately able to consolidate several projects, such as multi-factor authentication (MFA) and mobile device management (MDM).
“My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey,” said Vivian Ho, software engineer on Lyft’s Security team. “We envision Duo enabling team members to innovate and deliver services by providing easy and timely access to the tools and data they need in order to be productive and effective. Additionally, we see Duo serving as a core technology building block to enable our zero-trust security philosophy. We chose Duo primarily due to three reasons: broadest coverage of devices and applications; great user experience for accessing protected internal tools; and simple implementation and roll-out.”
Streamlined Access With Zero Trust
“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls,” said Mike Johnson, CISO at Lyft.
Lyft’s deployment of Duo Beyond gave the company a zero-trust security platform, which means they have the ability to establish trust in user identities, ensure the trustworthiness of devices, and enforce access policies for all of their applications.
With Duo Network Gateway, Lyft allowed its users to access various websites, web applications, and SSH servers in a multi-cloud environment. Lyft also enforced stronger policies to allow healthy, enrolled devices to access critical applications. Today, 100 percent of Lyft’s employees access applications easily and securely from anywhere on a trusted device.
Uncovering Risky, Personal Devices
On the mobile side, Duo provides Lyft a snapshot of all personal and unmanaged mobile devices accessing their environment. Duo’s Unified Endpoint Visibility provides a single pane of glass view into all mobile device platforms and helps the Lyft team assess the potential security risks associated with each device. Admins are able to identify device vulnerabilities and enforce policies to mitigate risks, such as preventing an out of date or jailbroken device from accessing applications.
“We have 100 percent of Lyft employees use Duo on a daily basis, which makes our team’s job a lot easier and effective,” Ho said. “As they say, ‘security is not one person’s job, it takes a village to make it effective.’”