Box + Duo
Cloud content management company Box relies on Duo to help them block 100% of unauthorized access attempts.
Box manages highly sensitive data for some of the largest organizations in the world. As a result of this, we need to ensure the highest level of protection for all user interactions with our services. We also need to meet an extremely high bar for security standards while making it easy for users to be productive. Duo helps us do just that.
The Challenge
Box hosts a large volume of highly sensitive customer data in the cloud. The company enables organizations to safely move to the cloud by adhering to relevant industry regulations and data privacy standards. This ensures high standards of security for the data managed by Box, and maintains a comprehensive audit trail for complex compliance security controls to prevent unauthorized access.
At the same time, Box is a modern organization that has a large cloud infrastructure footprint and empowers employees to work from any location. Therefore, security controls implemented should not create user friction or become a barrier to productivity.
Choosing The Right MFA Solution
While evaluating multi-factor authentication (MFA) vendors, a key selection criterion was the MFA solution's ability to integrate with the company’s entire suite of applications and services. “We evaluated other MFA solutions, but they did not integrate with all the applications we wanted to secure” says Mark, “We have a lot of homegrown and custom applications so we needed a solution that met this key criterion. One of the most attractive things about Duo was that it holistically solved MFA across all our applications, whether it’s on-premise directory, RADIUS integration, or cloud. We’re able to standardize the platform, the process behind the platform, and the end user experience.”
Implementing Secure Access Beyond MFA
After deploying Duo’s MFA to ensure strong authentication to the company’s applications, Box wanted to improve their security by gaining insights into devices and enforcing granular access policies. To achieve this Box chose to upgrade their Duo edition, which enabled the IT Ops team to deploy and use the rich set of security features the solution offered - adaptive access policies, device trust, and comprehensive authentication logs. “Today, Duo sits at the center of our workforce security, ensuring all our employees connect securely to all applications and services, wherever they are. Duo’s solution was really easy to deploy and is simple to manage”, says Mark.
Ensuring High Security and Productivity Standards
“We are a very open organization and want employees to work from anywhere,” says Mark. Box places a special emphasis on employee productivity and experience when implementing access and security controls. “Box manages highly sensitive data for some of the largest organizations in the world. As a result of this, we need to ensure the highest level of protection for all user interactions with our services. We also need to meet an extremely high bar for security standards while making it easy for users to be productive. Duo helps us do just that.” says Mark.
To ensure the highest level of security and strongly comply with various regulations, Box implemented Duo’s contextual access controls to block access from certain geolocations, anonymous networks and non-corporate VPNs. Additionally, Box specifies the authentication methods allowed for MFA based on specific use cases. Most employees authenticate with the Duo Push notification, but if special user needs to access a FedRAMP environment they would need to authenticate with Yubikeys in order to meet the NIST SP 800-63-3 Authenticator Assurance Level 3 (AAL3).
Duo helps the IT Ops team at Box maintain an inventory of all endpoint devices and their health status. The team uses these insights to block devices that do not meet the organization's security requirements and guide their employees to self-remediate by updating the operating systems (OS) and browsers. “Our general philosophy is to empower employees with the data demonstrating their security posture level, we don't want to force restart their devices. Instead we track the number of devices and their health metrics and guide our users to update their browsers and OS. This keeps our endpoints healthy and updated, while keeping it frictionless for the users.” says Mark.
The Key Success Metric - Block 100% Unauthorized Access
The IT Ops team’s goal is to minimize security incidents. The organization has a strong information security program and Duo is a part of the red-team exercises. The simplest metric that the team uses to secure the organization is to understand that they are blocking 100% of the unauthorized access attempts. “We export Duo’s authentication logs to Splunk and thoroughly review and audit every single event. Our security incident teams then go out and investigate any fraudulent notifications.” says Mark, “we set aggressive access policies to match the intel we are learning by analyzing different reports. This ensures that our security policies continuously evolve to meet the extremely high bar of security standards we want to achieve.”
Solving For Unique Use Cases With Duo APIs
Box reduces costs to business and improves security by leveraging Duo’s APIs for custom integrations to solve unique, in-house, use cases. Box automates the process to unlock user accounts. “We use Active Directory and use Okta as our identity provider (IDP)in the cloud. If a user locks their account accidentally, in the past they would have to reach out to the IT helpdesk or wait 30 minutes. We wrote an integration with Duo to check for user account lockout and send a Duo push notification to unlock the user. This has dramatically reduced the number of tickets our helpdesk gets and saved us a lot of time that we can now invest in other value-add IT initiatives across the organization” says Mark.
Another integration that Box implemented with Duo is to achieve “+1 approval” for high impact user actions. For example, if an engineer needs to push a code change, to complete the action Duo sends a push notification to their peer to securely confirm that this action should be taking place.
With employees on-boarding and working remotely, the IT team at Box needs to ship devices wherever the employees are. To completely lockdown devices before shipping and ensure secure hand-off to the user, the IT team uses an integration with Duo and JAMF in the imaging process for a new device that is being provisioned remotely out in the field. This ensures that only an authorized user can logon to the device by authenticating with Duo.
In summary, Box’s security philosophy is that nothing should be inherently trusted. This closely aligns with Duo’s security philosophy of Zero Trust for the workforce. “It is really important for us to partner with vendors and deploy solutions that share this philosophy and journey,” says Mark.