Duo Security doesn't expect customers to completely give up on VPNs if they deploy Duo Beyond, but based on the company's experience so far, customers can cut down VPN licensing costs by up to 80 percent. That's because most roaming employees only use VPN connections to access a few popular intranet web applications like Confluence, Jira or Sharepoint.
The Duo Beyond service is priced at $9 per user per month and includes everything in the company's older Duo Access service, plus the new certificate-based device identification and the mechanism for controlling which internal apps are accessible by remote users.
Moving towards a BeyondCorp security model, where the location of devices does not matter, can help companies avoid having to raise virtual walls inside their networks. Network segmentation, which relies on setting up firewalls and VLANs to restrict access to certain applications and services, is not easy to implement and can quickly become an administrative burden.
In fact, as evidenced by many publicly documented security breaches, attackers often succeed in moving laterally inside a network once they break in. Most hackers start with targeting low-level employees through phishing or other methods and then, once inside a network, jump from system to system, exploiting vulnerabilities and stealing access credentials along the way until they reach the organization's crown jewels.
Google's own network was breached in late 2009 as part of a cyberespionage campaign of Chinese origin known as Operation Aurora. The hackers, who started by targeting the company's employees, sought access to the Gmail accounts of human rights activists.
Other security vendors are embracing BeyondCorp too, and, while there are differences in the implementation, the general goal is the same: moving security beyond a strictly defined network perimeter.
Duo Beyond works only for web-based applications and its device insight technology is agentless. The information about a laptop's OS, browser and plug-ins is obtained through the browser itself.
This approach limits what kind of information can be gathered, but Duo believes that it strikes the right balance between security and usability, since convincing users to install company-mandated software on their personal devices can be problematic.
By comparison, another company called ScaleFT provides a BeyondCorp-inspired solution called Dynamic Access Management that works for SSH (Secure Shell) and RDP (Remote Desktop Protocol), remote access protocols for Linux and Windows servers. ScaleFT's service does requires the installation of client software that synchronizes short-lived access certificates and handles device enrolment and local account creation.
Pushed by the need to address the issue of roaming employees, BYOD and software-as-a-service, some networking vendors have even started to move security appliances outside the network perimeter and into the cloud.
On Monday, Cisco Systems announced what it calls the first Secure Internet Gateway (SIG), which is based on the cloud-based OpenDNS Umbrella service that the company acquired in 2015.
Sign up for CIO Asia eNewsletters.