“Duo Beyond creates an invisible and open gate that authorized users with trusted devices never have to see, the gate only materializes and closes when the device trust standards are not met.”
— Dan Regan, Cloud Security Engineer
Zenefits is one of the fastest growing SaaS companies in the world
Zenefits is 100 percent BYOD
They are required to meet and keep up to date on HIPAA and SOC2 compliance requirements
They use Duo Beyond to check if a device is trusted before a user is allowed to access an application from that device
They use Duo Beyond as an alternative to traditional MDM solutions
Zenefits is one of the fastest growing SaaS companies in the world. The cloud-based human capital management (HCM) software provider started in 2013 and now has more than 500 employees across offices in the US, Canada and India. Headquartered in San Francisco, Zenefits gives small and mid-sized business teams a single mobile-accessible app to manage all human resources (HR) needs, including payroll, benefits, compliance, performance and more.
For thousands of companies born in the cloud and SaaS era, bring your own device (BYOD) is just part of doing business. Employees want the flexibility and freedom to use their personal mobile devices to access corporate applications and work from any location. Zenefits is no exception. Zenefits employees, like its customers, want access to company applications from their personal mobile devices.
This creates a dilemma: how do you give employees the flexibility to access corporate assets from any device while ensuring data is secure and only authorized users are accessing applications? For Zenefits, the crown jewels are personally identifiable information (PII) and protected health information (PHI), which need to be secured and protected. As a company that works with PII and PHI, Zenefits is required to meet and keep up to date on HIPAA and SOC2 compliance requirements.
When it comes to mobile devices, Zenefits is 100 percent BYOD. Using a mobile device for work is not a requirement, but it’s not discouraged either. So if an employee chooses to use their device for work, Zenefits wants to ensure company data in Google, Slack, Box and their other enterprise applications is protected.
Enter Duo Beyond, which Zenefits deployed to its employees. Zenefits uses Duo to check if a device is trusted before a user is allowed to access an application from that device.
“Duo is always checking the state of the device,” said Dan Regan, Zenefits cloud security engineer. Zenefits can set mobile policies that define what a trusted device is and grant access only when a device meets those definitions. For example, Zenefits checks for OS version and browser plugins, strong passcode, and encryption to determine if a device can access applications.
Duo’s ease of use, transparency and convenience enable users to install Duo on their personal devices without worrying about privacy. Because of Duo’s “light touch,” users don’t feel intrusions and admins don’t have to wrestle with the management headaches inherent in traditional mobile device management (MDM) solutions. That’s what led Zenefits to select Duo Beyond as an alternative to traditional MDM.
With Duo, Zenefits is able to attest that only trusted devices are able to access corporate applications and data. Duo checks for untrusted devices in their environment every time a user tries to authenticate to a protected application. If at any point the state of the device changes or a user gets a new device, Duo checks the device state and blocks the device from accessing the application if it doesn’t meet the defined corporate security requirements.
Using a trusted device model delivered by Duo Beyond gives Zenefits the power to grant access only to employee devices that meet their trust standards, and to restrict access for those that do not. It’s a turnaround from the traditional perimeter security model, based instead on a zero-trust approach. Regan summed it up this way: “Duo Beyond creates an invisible and open gate that authorized users with trusted devices never have to see, the gate only materializes and closes when the device trust standards are not met.”