Securing SSL VPN Remote Access: Devaluing Credentials to Protect Credit Union Members’ Personal Information
“The business challenge we were looking to solve with Duo and two-factor authentication was devaluing a credential if compromised. We wanted to make it harder for an intruder to leverage a compromised credential to gain access to a system,” stated Mark Ernest, Senior Manager of Security and Threat Intelligence at MDT.
Because MDT provides the technology backbone to credit unions, security is ingrained in the culture and is paramount to how it delivers services to its clients. MDT is responsible for protecting the personal information of its credit unions’ 1.97 million members.
“We are solving the problem of ensuring that the members' credentials and access to services are secured. We know that single-factor credentials are weak, and we know that compromised credentials are a persistent problem in the security landscape, so with two-factor authentication, we’re solving that security problem,” Ernest says. “The business challenge that we were looking to solve is devaluing credentials. If an intruder compromises credentials, which can happen in multiple ways, we’ve made it harder for them to actually exploit those credentials.”
The most active threats Ernest sees today within MDT’s credit union clients are business email compromise phishing attacks and email spoofing from trusted partners. “Duo helps us mitigate this risk,” he says.
Meeting Stringent Compliance Requirements Without Adding Undue Administrative Burden
Credit unions must comply with the regulations of several federal and state agencies. These regulatory bodies use a standard set of controls, such as those from the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act (GLBA), and best practices from the National Institute of Standards and Technology (NIST). Some of these regulations, such as FFIEC, now require multi-factor authentication for remote access.
As an MSP, it’s essential for MDT that a new vendor brought into the mix doesn’t create an unnecessary burden on administrators. “The challenge for any security position is the balance of security and usability,” Ernest says. When he joined MDT, Ernest identified compromised and lost credentials as a top risk, prompting him to create a policy which states that all users accessing the platform must use multi-factor authentication to do so.
Ease of Deployment, End-User Experience and Customization
Among the drivers that led MDT to choose Duo were ease of use and end-user experience. “The first time I saw Duo, I immediately knew that Duo was going to be a home run. It was incredibly easy to set up users. The self-service and enrollment features made it very easy to roll out to our end-user base, and we were able to launch an application on day one of purchasing the product,” Ernest adds. MDT requires its clients to use Duo to access its hosted services. “Our customers have had nothing but praise for Duo,” Ernest says.
“The rollout was incredibly easy – we created a webcast to show credit unions how to log in and how to do self-enrollment, which led to minimal tickets,” Ernest says. “We’ve never had a significant outage or issue with Duo. All we ever see is a one-off helpdesk ticket when a user gets a new phone and doesn’t realize that they need to register that device.”
Fulfilling Two-Factor Authentication Requirements
With Duo, MDT shows its credit union clients that they can see, from two different sources, every time a user logs in remotely, so they can correlate and validate that their two-factor authentication requirements are being met. They can do the same for internal access if credit unions deploy other services, like Remote Desktop Protocol (RDP).
“One of the home runs that we hit, right after launching Duo, was that we were audited,” says Ernest. “We were asked to demonstrate access to sensitive systems. These systems contain member PII and credit card data. We had to show all authentications to these platforms. We were already capturing Windows logs, but now we had a second source from Duo that showed you couldn't access this system with Duo’s MFA,” adds Ernest.
MDT was also able to use Duo in customized ways. Leveraging the Admin API in real time, MDT collected logs and ingested them into its log aggregation tools, which helped the company “be able to start collecting user behavior analytics. And, some very security-centric alerting based on odd authentication attempts enabled us to do correlation against authentication anomalies.”
MDT’s Internal Use of Duo
MDT uses Duo for remote access and also for internal access to servers and applications. The company uses the trusted access platform and Device Insight to understand better which devices are connecting to and accessing corporate resources. MDT can see “if these systems are leveraging full disk encryption; if they are patched,” Ernest says. This visibility allowed MDT to start building a framework regarding what it allows on its network to access resources.
MDT uses Duo to help meet control standards like SSAE 16, formerly called SOC 1 and SOC 2. Ernest states, “We have alerting and correlation if a failed event occurs. This does include the Duo index and log force so we can immediately show evidence and value in the controls.”
MDT has also integrated some of Duo’s web SDK components into internal applications. “MDT does develop custom applications and, as part of a standard process, the web SDK is now part of all the authentication into those sensitive applications,” Ernest elaborated.
Though MDT does not allow for bring your own device (BYOD), it wants to make sure it has control and visibility over mobile devices that access corporate resources.
Duo has allowed MDT to improve its security posture by enabling secure SSL VPN remote access. MDT requires clients to use Duo for SSL VPN remote access, and the customer feedback has been outstanding. MDT found Duo extremely easy to roll out, and was able to use Duo in customized ways by leveraging the Admin API. This experience led MDT to also start using Duo internally. “We chose Duo over the other two-factor competitors because of the simplification, the ease of use, the multi-tenancy, and the scope and coverage of applications covered under two-factor,” Ernest says. “With Duo it was a fantastic process.”