Professional Documents
Culture Documents
Duo for
How to Successfully
Deploy Duo at
Enterprise Scale
1 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Duo for
Enterprise
How to Successfully Deploy Duo at Enterprise Scale
CONTENTS
Introduction 3
User-Centered Planning 4
Application Scoping 7
Application Access 8
Device Trust 10
Rollout Strategy 12
Communications 14
Measuring Success 19
2 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Introduction
3 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
User-Centered
Planning
Often, what makes or breaks a successful rollout is the users.
Companies can often make the mistake of focusing too much on
technical implementation and pay little attention to their users—the
folks who will actually use Duo day-to-day. This can cause frustration
on both ends. It can be a tax on support resources. And, in the worst
case, users could refuse to adopt or lose access. Executives may limit
future projects and individual business units can pursue their own
solutions or place roadblocks to success. We have found that this
can get amplified when it comes to security. No one starts out building
a security program wanting to be a “department of no.”
Enterprises find success when they place users at the center of the
rollout and plan accordingly. The first step is to map out what the user
base looks like and create user profiles. Answering questions such as
the ones on the next page help to frame the rollout, help avoid making
assumptions, and account for edge cases.
4 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
What types of users do we have? Where do users work?
• Identify the distribution of employees, • Are they in offices, working at home, on-site with
contractors, and vendors—note any groups customers, or a vendor?
of users that will need any specific access
requirements.
• Do employees travel often and work from planes,
hotels, and coffee shops?
• Who owns the devices each group uses?
• Is flexibility needed?
• Do multiple people use the same devices
or credentials?
• Are they in different regions or countries? • Does any of this differ by business unit?
• Is English the standard business language? • Do we need to account for acquired companies
Are other languages required? that may have different systems entirely?
• Do rules and regulations differ by country? For • How technically savvy are our users? Does this
example, some European countries may have differ by user profile?
rules against using personal devices for work.
• Do we need to customize our training
• Are there cultural differences? In France, and approach?
for example, a clear division between work
and personal life is important and users may
• How have past rollouts gone?
5 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Many enterprises identify executives who will be champions. This
encourages a positive view of Duo and early adoption by users. Cisco,
for example, took this approach when it deployed Duo. Along with
identifying executive champions, Cisco also rolled out Duo alongside
an Office 365 launch, which reduced the burden on users to adopt new
processes and software. Adding a new security feature that enabled
frictionless access to 365 contributed to positive reception from users
at the time of adoption.
6 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Application
Scoping
Each organization is unique and the larger and more
established a company is, the greater the likelihood
that its environment is very complex.
7 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Application
Access
An often-overlooked risk vector is how your
users access applications, especially when
working remotely.
8 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Many organizations take an iterative approach to rolling out features
or applications. If you don’t include certain features or functionality
in your initial rollout, plan to revisit it every few months post-launch.
You can also subscribe to Duo’s release notes to stay informed on
new feature launches. Several features are available to help you
manage and secure application access:
• Use named integrations for RDP, Unix, AWS, and other developer
tools and environments to ensure all access attempts are secured
while providing an audit trail.
9 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Device Trust,
Device Health,
& Adaptive Risk-Based
Authentication
It is quite common for our customers to deploy
Duo and find that the number of devices accessing
applications and data is three to four times more
than they had thought.
Devices may pose a risk if they are not trusted, out-of-date (browser, plugins,
or operating system), jailbroken, missing screen locks, or contain malware.
And too often, users are accessing more than just email on personal devices.
When deploying Duo, it’s important to answer several questions about devices
and how you plan to secure access:
10 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
If you aren’t sure where to start, here are some ways
to begin assessing the best approach:
• Review Device Insights reporting to understand • Deploy Duo’s Risk-Based Authentication (RBA)
what your device landscape looks like. Identify which checks for changes in user, device &
any risks that immediately need to be addressed. location risk and can step up authentication to
For example, if you have jailbroken devices in a more secure authentication method based
a healthcare setting or sensitive devices that on industry-leading signals such as WiFi
are running vulnerable plugins, browsers, or fingerprinting combined with additional user,
operating systems. You can also use policies device, and location signals. Duo’s RBA solution
to limit access based on factors like country, also features risk-based remembered devices
networks, and more. You can customize policies which enable longer remembered device sessions
for each application—even the ones accessed via by looking for signs of token theft and revoking
SSO and the Duo Network Gateway. the session if found, enabling secure, fast, and
easy access to users.
• Start with a quick win by enforcing posture
checks using Duo Endpoint Remediation for • Deploy Trusted Endpoints if you need to limit
browsers and operating systems. access to only registered devices. Remember,
this can differ by application. For instance, you
• Enforce stronger yet minimally intrusive access
may allow access to email by up-to-date personal
controls across devices by deploying the Duo
devices but allow only registered devices to
Device Health application, which is a lightweight
access HR info.
app that complements and runs alongside your
existing endpoint security stack of MDMs and • Educate users on security best practices
anti-virus (AV) agents for granular posture and and give tips for how to also apply those best
hygiene control. practices in their personal life.
• Decide on your philosophy for remediation: • Evolve your security practices as you learn more
about your risk landscape.
F Do you want to enforce policies for personal devices?
11 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Rollout Strategy
The next step for an enterprise-scale deployment involves
planning how to roll out Duo to the organization.
A staged rollout can be done in many ways: A big-bang rollout gets Duo out to all users at the
same time. This approach might be necessary if
• By department, such as to IT or by functional
you have experienced a breach, are fearful of one
area (HR, accounting)
happening, or you have a major change happening
• Geographically by country or other location in your environment. For example, if a natural
disaster requires all users to work from home
• To corporate headquarters, physical offices,
and potentially use personal devices to access
and remote workers
necessary applications.
12 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Cisco used a staged approach in rolling out Duo + M365 over six
months. In addition to email communications, users saw a message
at their first login to M365 which encouraged them to enroll in Duo.
Users could enroll at that moment or within the next two weeks. At the
end of the two-week cycle, if they weren’t enrolled in Duo, they would
not be able to access M365. Using custom APIs, an interstitial page
appeared as part of the login flow that notified users of the two-week
requirement.
ROLL
REFINE
TEST
13 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Communications
When thinking about communications, the key
is to make Duo familiar enough so that it isn’t
a surprise when it comes time to enroll.
14 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Depending on your situation, you have a few options Communication with users
can take many forms:
for communications.
• Posters (digital and physical).
If you have a lead time of 30 days or more, you could consider:
• Emails.
• Sending a series of emails explaining what Duo is, what to expect
to happen, and a timeline of events. • Postings on common tools:
wikis, SharePoint, and
• Hanging physical posters in high-traffic areas such as cafeterias, intranets.
lobbies, and break- rooms. Duo has a kit of premade posters.
• Announcements at team
• Digital signage on common area screens, and in conference rooms. meetings and townhalls.
• Sending one or two emails within a few days of each other coming • Sharing FAQs and best
from a high-level executive stressing the importance of security and practices for work and
implementing Duo. personal lives on internal
websites
• Cascading messaging that can be reinforced by managers.
or portals.
• Highlighting availability of support.
15 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
And for early adopters and advocates, consider:
• They can help others enroll and act as cheer-leaders for Duo. Keep
in mind that change is difficult for people and rarely is adopting a
new technology or process easy. The more examples that are out
there of how easy it is to use, the smoother the rollout will go.
F Address these types of questions early in the process. You want to build trust
and confidence in Duo and make sure your team is as prepared as it can be.
16 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Training
and Support
Most companies find that emails leading up to
“go-live” are sufficient to prepare users. Having the
helpdesk team trained and ready is key as well.
Again, this can depend on your user base.
• You can host several short, virtual training sessions that walk
through how to set up and use Duo.
• Some groups may need high-touch help. One hospital system that
dealt with physicians who weren’t employees set up tables in break
rooms. They offered to check devices to make sure they were up to
date and helped them enroll in Duo.
17 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Most organizations find that they have significantly fewer helpdesk
tickets with a Duo rollout vs other rollouts. Often, calls involve users’
issues with their own devices and downloading the Duo application.
Prepare your helpdesk by training them in the most common issues
with Duo Level Up, our free online training and certification program
for administrators.
18 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Measuring
Success
The rollout was a success and people love Duo!
Great! Now, what’s next? How do you prove that
it was successful?
Try to understand what types of results your manager and their manager
are measured on. Is it ROI, continued costs to operate, total cost of
ownership, risk avoidance, or employee satisfaction? Simple reports
and report cards shared on a monthly or quarterly basis will keep your
most prized investments visible and demonstrate the impact of your
organization on the company as a whole.
applications protected
time to deployment
devices protected
user productivity
helpdesk tickets
users enrolled
vpn access
19 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Depending on what you’re measuring for, here are some common
things to look for to determine the success of an enterprise-scale
Duo rollout:
• Number of helpdesk tickets A strong security stance means being able to anticipate risk and
prepare for the unexpected. We have found that organizations that
• Time to deployment
make Duo part of their evaluation process for new applications are
• Users enrolled better protected and able to respond to threats. For example, one
large real estate company that is moving to a cloud-first strategy
• Devices protected
reviews each new application request and determines if it needs
• Applications protected to be protected by Duo. Another company answers requests for
new software by mapping out the potential risk, quantifying it, and
• VPN access
having the sponsoring executive sign off on that risk. This forces
an honest conversation and allows for fully informed choices.
Threat Landscape
With growing hybrid and mobile workforces, many organizations
• % of applications protected
find themselves supporting workers both on-site and remotely with
• Devices remediated a wide range of different access requirements. Whether employees
are accessing work applications with personal devices or on a
• Phishing attacks averted
corporate-owned device and VPN, your organization should provide
• Time to respond to new threats strong secure access that doesn’t impact productivity.
(zero-day vulnerabilities,
In the event of another drastic workforce shift, your organization
common malware attacks)
will remain prepared to handle any adversity it faces.
Financial Impact
Understand how your users may want to work or may need to work
• Cost to support vs. in the future, and take steps to protect those scenarios. How will
other software you secure devices? How will you account for travel and access by
contractors? What are your crown jewels that will need to be accessed
• Estimated cost of a and are they protected?
breach/number of users
A bit of planning and preparation, along with a business continuity
• User productivity
plan can go a long way to ensuring users are connected regardless
• Return on Investment (ROI) of where they work or what devices they’re using.
20 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Conclusion
Cisco Secure delivers a streamlined, customer‑centric approach Duo Security, now part of Cisco, is the leading multi-factor
to security that ensures it’s easy to deploy, manage, and use. authentication (MFA) and secure access provider. Duo is a
We help 100 percent of the Fortune 100 companies secure trusted partner to more than 40,000 customers globally,
work—wherever it happens—with the broadest, most including Yelp, Box, Generali, La-Z-Boy, Eastern Michigan
integrated platform. University, Sonic Automotive and more.
21
duo.com Duo For Enterprise