Enterprise

Duo for
How to Successfully
Deploy Duo at
Enterprise Scale

1 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 Duo for
Enterprise
How to Successfully Deploy Duo at Enterprise Scale

CONTENTS

Introduction 3

User-Centered Planning 4

Application Scoping 7

Application Access 8

Device Trust 10

Rollout Strategy 12

Communications 14

Training and Support 17

Measuring Success 19

2 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Introduction

At Duo, we have helped thousands of companies

to enable secure access to applications and services
from anywhere on any device.

Enterprise Access Management (AM) rollouts such

as strong multi-factor authentication (MFA), zero trust,
risk-based authentication (RBA), device health, and
single sign-on (SSO) can be complex and nuanced.
We have found that the most successful rollouts
include some upfront analysis and planning. It doesn’t
have to be time-consuming and usually pays off with
a faster speed to security, lower support costs, and
increased productivity.

This guide is based on our customers’ experiences

with rolling out Duo at an enterprise scale and is
designed to help you plan and maximize the success
of your security program.

3 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
User-Centered
Planning
Often, what makes or breaks a successful rollout is the users.
Companies can often make the mistake of focusing too much on
technical implementation and pay little attention to their users—the
folks who will actually use Duo day-to-day. This can cause frustration
on both ends. It can be a tax on support resources. And, in the worst
case, users could refuse to adopt or lose access. Executives may limit
future projects and individual business units can pursue their own
solutions or place roadblocks to success. We have found that this
can get amplified when it comes to security. No one starts out building
a security program wanting to be a “department of no.”

Enterprises find success when they place users at the center of the
rollout and plan accordingly. The first step is to map out what the user
base looks like and create user profiles. Answering questions such as
the ones on the next page help to frame the rollout, help avoid making
assumptions, and account for edge cases.

Learn more in our Liftoff Guide.

4 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
What types of users do we have? Where do users work?

• Identify the distribution of employees, • Are they in offices, working at home, on-site with
contractors, and vendors—note any groups customers, or a vendor?
of users that will need any specific access
requirements.
• Do employees travel often and work from planes,
hotels, and coffee shops?
• Who owns the devices each group uses?
• Is flexibility needed?
• Do multiple people use the same devices
or credentials?

Where are users located? Any other considerations?

• Are they in different regions or countries? • Does any of this differ by business unit?

• Is English the standard business language? • Do we need to account for acquired companies
Are other languages required? that may have different systems entirely?

• Do rules and regulations differ by country? For • How technically savvy are our users? Does this
example, some European countries may have differ by user profile?
rules against using personal devices for work.
• Do we need to customize our training
• Are there cultural differences? In France, and approach?
for example, a clear division between work
and personal life is important and users may
• How have past rollouts gone?

refuse to use personal devices. • What is the attitude regarding security?

After answering these questions, you can decide how best to

communicate with your users. For some, an email or two telling them
how to enroll is sufficient. For other groups, setting up a booth in
common areas such as cafeterias will make the Duo launch familiar
and accessible.

5 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Many enterprises identify executives who will be champions. This
encourages a positive view of Duo and early adoption by users. Cisco,
for example, took this approach when it deployed Duo. Along with
identifying executive champions, Cisco also rolled out Duo alongside
an Office 365 launch, which reduced the burden on users to adopt new
processes and software. Adding a new security feature that enabled
frictionless access to 365 contributed to positive reception from users
at the time of adoption.

6 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Application
Scoping
Each organization is unique and the larger and more
established a company is, the greater the likelihood
that its environment is very complex.

Enterprise organizations grow in several ways that can add complexity:

through acquisitions, adding new geographies, and entering new
industries and markets. A deployment like Duo is a great time to map
out the various applications in your environment, as well as the
access provided.

You can start by adding Duo to protect a specific application

or service. For example, when Cisco took steps to protect Cisco
AnyConnect VPN, they embraced a systematic approach to enable
access to individual applications without VPN and protected them
with Duo. This type of approach allows for a gradual transition
to cloud-based applications. As a result, security risk is minimized
while flexibility and accessibility are maximized.

A few of the key steps to take at this stage include:

Conducting an inventory Understanding if tools

of applications used and software can be
across the organization standardized

Verifying that access is

Determining how
needed and ranking application
applications are
importance by risk profile
accessed and by whom
or access needed

7 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Application
Access
An often-overlooked risk vector is how your
users access applications, especially when
working remotely.

In addition to mapping out the applications you want to protect,

consider the scenarios that your organization may experience:

• Are users managing multiple • Are VPNs giving access to your

usernames and passwords?
Can the application use SSO?
• How are access policies going
to be assigned? Per application
and/or group?
• Will certain applications
or groups require stronger
security controls?
• What authentication methods
will be used? What specific
policies should be required per
application and/or group?
entire network?
• Do you have homegrown,
custom, or other applications
hosted on-premises?
• What kind of access do
contractors and vendors have?
Is your network seg-mented,
or do users have broad access
to sensitive information?
• Are RDP, SSH, SMB, or other
legacy protocols like RADIUS
and LDAPS used?

8 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Many organizations take an iterative approach to rolling out features
or applications. If you don’t include certain features or functionality
in your initial rollout, plan to revisit it every few months post-launch.
You can also subscribe to Duo’s release notes to stay informed on
new feature launches. Several features are available to help you
manage and secure application access:

• DuoSSO (single sign-on) provides simplified access to applications

and reduces the need for multiple usernames and passwords.
Because more passwords increases the likelihood of password
reuse and poor password hygiene (making them easily compromised),
SSO helps increase productivity and reduce risk. Users can go to one
location—Duo Central—to launch applications and manage their
Duo user account (if granted). Both DuoSSO and Duo Central are
included in your subscription.

• Duo Passwordless seamlessly provides secure access without

the burden of remembering a password. Duo Passwordless supports
phishing-resistant authentication methods like Verified Duo Push
and WebAuthn FIDO2 security keys.

• The Duo Network Gateway provides secure access to internal web

applications and SSH sessions without the need for a VPN client.
You can limit access to approved users and devices, reducing the
risk of compromise.

• Use named integrations for RDP, Unix, AWS, and other developer
tools and environments to ensure all access attempts are secured
while providing an audit trail.

• Insert Duo into any workflow or custom applications with web

SDKs and APIs.

• Duo Trust Monitor alerts you to suspicious login attempts

and allows you to tighten access policies accordingly.

9 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Device Trust,
Device Health,
& Adaptive Risk-Based
Authentication
It is quite common for our customers to deploy
Duo and find that the number of devices accessing
applications and data is three to four times more
than they had thought.

Devices may pose a risk if they are not trusted, out-of-date (browser, plugins,
or operating system), jailbroken, missing screen locks, or contain malware.
And too often, users are accessing more than just email on personal devices.
When deploying Duo, it’s important to answer several questions about devices
and how you plan to secure access:

• Do you want to allow access • Is it important for a certain

from only registered or corporate- level of device hygiene to be
owned devices? Does this differ met before access is granted?
by application?
• Do you want to enforce hygiene
• Do you have a formal policy on requirements for personal devices?
the use of personal devices?
How is it enforced?
• Do you want to put in place
adaptive risk-based authentication
• Is BYOD (Bring Your Own Device) on critical applications?
something you want to enable?

• Do you require using an MDM

(mobile device management)
on personal devices?

10 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
If you aren’t sure where to start, here are some ways
to begin assessing the best approach:
• Review Device Insights reporting to understand
what your device landscape looks like. Identify
any risks that immediately need to be addressed.
For example, if you have jailbroken devices in
a healthcare setting or sensitive devices that
are running vulnerable plugins, browsers, or
operating systems. You can also use policies
to limit access based on factors like country,
networks, and more. You can customize policies
for each application—even the ones accessed via
SSO and the Duo Network Gateway.
• Start with a quick win by enforcing posture
checks using Duo Endpoint Remediation for
browsers and operating systems.
• Enforce stronger yet minimally intrusive access
controls across devices by deploying the Duo
Device Health application, which is a lightweight
app that complements and runs alongside your
existing endpoint security stack of MDMs and
anti-virus (AV) agents for granular posture and
hygiene control.
• Decide on your philosophy for remediation:
F Do you want to enforce policies for personal devices?
F Do you generally want to give users time to remediate
their device, or do you want to force remediation before
a device is granted access to applications?
F Do your users have admin rights to make updates
to corporate-owned devices?
11 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
• Deploy Duo’s Risk-Based Authentication (RBA)
which checks for changes in user, device &
location risk and can step up authentication to
a more secure authentication method based
on industry-leading signals such as WiFi
fingerprinting combined with additional user,
device, and location signals. Duo’s RBA solution
also features risk-based remembered devices
which enable longer remembered device sessions
by looking for signs of token theft and revoking
the session if found, enabling secure, fast, and
easy access to users.
• Deploy Trusted Endpoints if you need to limit
access to only registered devices. Remember,
this can differ by application. For instance, you
may allow access to email by up-to-date personal
devices but allow only registered devices to
access HR info.
• Educate users on security best practices
and give tips for how to also apply those best
practices in their personal life.
• Evolve your security practices as you learn more
about your risk landscape.
Rollout Strategy
The next step for an enterprise-scale deployment involves
planning how to roll out Duo to the organization.

Staged Big Bang

A staged rollout can be done in many ways:
• By department, such as to IT or by functional
area (HR, accounting)
• Geographically by country or other location
• To corporate headquarters, physical offices,
and remote workers
A big-bang rollout gets Duo out to all users at the
same time. This approach might be necessary if
you have experienced a breach, are fearful of one
happening, or you have a major change happening
in your environment. For example, if a natural
disaster requires all users to work from home
and potentially use personal devices to access
necessary applications.

12 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Cisco used a staged approach in rolling out Duo + M365 over six
months. In addition to email communications, users saw a message
at their first login to M365 which encouraged them to enroll in Duo.
Users could enroll at that moment or within the next two weeks. At the
end of the two-week cycle, if they weren’t enrolled in Duo, they would
not be able to access M365. Using custom APIs, an interstitial page
appeared as part of the login flow that notified users of the two-week
requirement.

In the instance of a big-bang rollout, there is a three-step process to

consider, which we call “test, refine and roll.” It’s important to test with
a small group, often made up of IT and superusers or influencers. The
idea behind this approach is to identify any challenges that may come
up and address or refine them. Additionally, those early users can act
as point people for others—increasing enthusiasm, buy-in, and rapid
adoption.

Our Duo Policy Guide can help you get started.

ROLL

REFINE

TEST

13 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Communications
When thinking about communications, the key
is to make Duo familiar enough so that it isn’t
a surprise when it comes time to enroll.

Often, many organizations have experienced a security breach leading

up to the implementation of MFA. Understandably, your users may be
on high alert and may not trust enrollment communications.

Communications should be clear, concise and meet your users

where they are. We have found that focusing on Duo’s ease of use
and underscoring the importance of security in a non-threatening
way helps users to embrace it. People tend to gravitate toward things
that give them an intrinsic sense of purpose.

Linking security to a sense of shared responsibility helps to demystify

it and make it feel purposeful. For example, in healthcare, flu shots
are required to protect everyone. Using the same idea of shared
responsibility when it comes to protecting patient information can be
quite effective. The key here is not to make it fear-based because that
can leave people feeling helpless and that their actions don’t matter.

Check out our handy end-user and administrator education including

communication templates, posters, and Duo Level Up training to
get started.

14 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Depending on your situation, you have a few options Communication with users
can take many forms:
for communications.
• Posters (digital and physical).
If you have a lead time of 30 days or more, you could consider:
• Emails.
• Sending a series of emails explaining what Duo is, what to expect
to happen, and a timeline of events. • Postings on common tools:
wikis, SharePoint, and
• Hanging physical posters in high-traffic areas such as cafeterias, intranets.
lobbies, and break- rooms. Duo has a kit of premade posters.
• Announcements at team
• Digital signage on common area screens, and in conference rooms. meetings and townhalls.

• Notifications on internal wikis. • Booths or tables set up in

common areas to answer
If you have a shorter lead time, consider: questions.

• Sending one or two emails within a few days of each other coming • Sharing FAQs and best
from a high-level executive stressing the importance of security and practices for work and
implementing Duo. personal lives on internal
websites
• Cascading messaging that can be reinforced by managers.
or portals.
• Highlighting availability of support.

15 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
And for early adopters and advocates, consider:

• Having a group of influential users embrace Duo and lead by

example. That can go a long way toward organizational compliance.
This can either be made up of high-level executives, a cross-
sectional group of early testers, and/or a department.

• They can help others enroll and act as cheer-leaders for Duo. Keep
in mind that change is difficult for people and rarely is adopting a
new technology or process easy. The more examples that are out
there of how easy it is to use, the smoother the rollout will go.

It is also worth considering your organization’s specific culture

and policies and tuning your message to reflect them. For example:

Is there anything unique that you need to account for in your

organization? For example, do you have a policy about the use of
personal devices that should change? Will your users be resistant to
using their personal phones to authenticate? Will you need to educate
them on what the Duo app can and cannot do?

F Address these types of questions early in the process. You want to build trust
and confidence in Duo and make sure your team is as prepared as it can be.

F Be sensitive to challenges your users might encounter.

16 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Training
and Support
Most companies find that emails leading up to
“go-live” are sufficient to prepare users. Having the
helpdesk team trained and ready is key as well.
Again, this can depend on your user base.

If you have a distributed workforce, either geographically or people

who work from home offices, gathering in a physical location may
be tough. If you think additional training is necessary:

• You can host several short, virtual training sessions that walk
through how to set up and use Duo.

• Record short videos or webinars and post to FAQs and internal

landing pages.

• IT organizations within some enterprises have set up tables in

common areas such as lobbies and cafeterias to be available for
one-on-one help for those who felt uncomfortable setting Duo
up themselves.

• Consider a virtual ‘booth’ or hotline in the first few weeks.

• Some groups may need high-touch help. One hospital system that
dealt with physicians who weren’t employees set up tables in break
rooms. They offered to check devices to make sure they were up to
date and helped them enroll in Duo.

17 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Most organizations find that they have significantly fewer helpdesk
tickets with a Duo rollout vs other rollouts. Often, calls involve users’
issues with their own devices and downloading the Duo application.
Prepare your helpdesk by training them in the most common issues
with Duo Level Up, our free online training and certification program
for administrators.

Depending on the size of your organization and the anticipated volume

of calls, you can set up a short-term specialized line for Duo rollout
questions. One large healthcare system found this to be a helpful
approach because many users were not located in the same place.
It was also helpful for doctors who were not direct employees.

Find more tips in our Help Desk Guide.

18 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 Measuring
Success
The rollout was a success and people love Duo!
Great! Now, what’s next? How do you prove that
it was successful?

If security does its job, success is measured by, well, nothing.

Nothing happening is a success, but how do you justify that to
management? How do you secure funding for a largely invisible tool?

Try to understand what types of results your manager and their manager
are measured on. Is it ROI, continued costs to operate, total cost of
ownership, risk avoidance, or employee satisfaction? Simple reports
and report cards shared on a monthly or quarterly basis will keep your
most prized investments visible and demonstrate the impact of your
organization on the company as a whole.

phishing attacks averted

devices remediated

applications protected
time to deployment

devices protected

user productivity
helpdesk tickets

users enrolled

vpn access

19 Duo For Enterprise © 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Depending on what you’re measuring for, here are some common
things to look for to determine the success of an enterprise-scale
Duo rollout:
Common Performance Metrics
• Number of helpdesk tickets
• Time to deployment
• Users enrolled
• Devices protected
• Applications protected
• VPN access
Threat Landscape
• % of applications protected
• Devices remediated
• Phishing attacks averted
• Time to respond to new threats
(zero-day vulnerabilities,
common malware attacks)
Financial Impact
• Cost to support vs.
other software
• Estimated cost of a
breach/number of users
• User productivity
• Return on Investment (ROI)
20 Duo For Enterprise
Future Mapping
A strong security stance means being able to anticipate risk and
prepare for the unexpected. We have found that organizations that
make Duo part of their evaluation process for new applications are
better protected and able to respond to threats. For example, one
large real estate company that is moving to a cloud-first strategy
reviews each new application request and determines if it needs
to be protected by Duo. Another company answers requests for
new software by mapping out the potential risk, quantifying it, and
having the sponsoring executive sign off on that risk. This forces
an honest conversation and allows for fully informed choices.
With growing hybrid and mobile workforces, many organizations
find themselves supporting workers both on-site and remotely with
a wide range of different access requirements. Whether employees
are accessing work applications with personal devices or on a
corporate-owned device and VPN, your organization should provide
strong secure access that doesn’t impact productivity.
In the event of another drastic workforce shift, your organization
will remain prepared to handle any adversity it faces.
Understand how your users may want to work or may need to work
in the future, and take steps to protect those scenarios. How will
you secure devices? How will you account for travel and access by
contractors? What are your crown jewels that will need to be accessed
and are they protected?
A bit of planning and preparation, along with a business continuity
plan can go a long way to ensuring users are connected regardless
of where they work or what devices they’re using.
© 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Conclusion

Every organization is unique, and introducing

new tools can be an overwhelming undertaking.
By considering the factors discussed in this guide
and planning accordingly, you will be able to gain
consensus within your organization to enable
success. And you will be in good company—
many companies before yours have used these
strategies to make their stakeholders happy,
lower support costs, and, most importantly,
secure their organization.

Start your free 30-day trial

at duo.com

Cisco Secure delivers a streamlined, customer‑centric approach
to security that ensures it’s easy to deploy, manage, and use.
We help 100 percent of the Fortune 100 companies secure
work—wherever it happens—with the broadest, most
integrated platform.
Duo Security, now part of Cisco, is the leading multi-factor
authentication (MFA) and secure access provider. Duo is a
trusted partner to more than 40,000 customers globally,
including Yelp, Box, Generali, La-Z-Boy, Eastern Michigan
University, Sonic Automotive and more.

Learn more at cisco.com/go/secure. Try it for free at duo.com.

21
duo.com Duo For Enterprise