AWS Partner Network (APN) Blog
Enhance Identity Governance and Protection on AWS using Cisco Duo IAM
 |
 |
By: Sudha Thillai Govindarajan, Solutions Architect – AWS
By: Aamir Yousufzai, Senior Product Manager – Cisco
With the evolving cybersecurity landscape, identity governance and protection is becoming challenging for organizations with distributed teams and hybrid cloud environments. Siloed identity systems, password fatigue, and manual processes can compromise security and complicate user access.
In this blog we will dive into how the new Cisco Duo Identity and Access Management (IAM) tackles these challenges by unifying access across AWS and on-premises resources using a security-first strategy, thus reducing risk and simplifying identity management.
Solution overview
Faced with sophisticated cyber threats, organizations are looking to implement phishing-resistant authentication and passwordless solutions. With these authentication measures, customers can help prevent expensive data breaches and account compromises while improving user experience through streamlined access management and reduced password-related frustrations and vulnerabilities.
Cisco Duo on AWS offers phishing-resistant multi-factor authentication through its Proximity Verification feature. This validates user presence by confirming the physical proximity of their mobile phone to the device requesting access. The solution provides passwordless authentication from OS to application login, streamlining access to AWS and other applications while minimizing password-related vulnerabilities.
Duo Passport, with Session Theft Protection, implements continuous trust verification using adaptive policies and removes authentication cookies from the process, effectively avoiding session hijacking attempts. This integrated approach delivers both improved security and a simplified user experience by removing the need for physical tokens or complex configurations.
Identity Federation with Duo
As work and infrastructure decentralize in hybrid environments, security must change. Zero Trust principles emphasize identity verification and access control over traditional perimeter defense. Organizations also face the complex challenge of managing multiple identity stores resulting from acquisitions and inter-organizational collaboration. Identity federation is important in these hybrid architectures because it enables secure, efficient, and seamless access across multiple services, systems, and even organizations by allowing users to use a single digital identity.
The Duo Directory
Using Cisco Duo, an identity solution built on AWS, customers can build their own schema and store their identity context, including passwords or passwordless authentication factors.
Figure 1: Duo Directory standalone and aggregator use-cases
Duo Directory also offers flexibility and can be seamlessly deployed alongside existing IAM infrastructure to act as an identity aggregator. Duo’s routing rules in Duo Single Sign-On (SSO) allow administrators to direct authenticating users to the appropriate authentication source when multiple sources are configured, including Duo Directory, external Active Directory (AD), or SAML providers. This helps create a seamless and flexible sign-in experience by routing users based on conditions like the intended application, user email domain, or network IP address range.
Figure 2: Duo SSO Routing rules supporting multiple authentication sources
Identity Intelligence
Duo recognizes that protecting identity workflows isn’t enough. Organizations also need tools to consistently monitor and address identity risk changes (e.g., a user registering a mobile with an older OS). Duo’s built in Identity Intelligence, offers:
- Comprehensive Visibility: Gain insights across your identity environment, including on-premises, legacy, and non-human systems.
- Proactive Security Insights: Anticipate and mitigate risks with actionable recommendations.
- Dynamic Risk Assessment: A distilled User Trust Level dynamically informs access decisions and accelerates threat detection across the Cisco Security stack.
This functionality works with most identity stacks, giving organizations the flexibility to enhance their existing systems.
Figure 3: Cross-System Identity Insights with Cisco Identity Intelligence
Forrester Consulting that conducted a Total Economic Impact™ study for Cisco Duo ™ found that Duo delivered a remarkable 198% return on investment (ROI). Benefits of $6.6 with $4.4 million in net present value (NPV), and paid for itself in less than six months. Organizations reported improvements in security, such as a 60% reduction in credential-related breach costs and $1.6 million in risk reduction. Duo’s integration with SaaS and on-premises applications, automation of identity risk assessments, and streamlined help desk support compounded efficiency, resulting in $600,000 in annual operational savings.
Duo with IAM Identity Center
AWS IAM Identity Center enables centralized management of workforce access to AWS accounts and applications. Organizations can either use IAM Identity Center’s native identity source or integrate with their existing external Identity providers. Through the integration of Duo IAM as an external Identity provider, AWS customers gain unified access management across AWS and enterprise applications while leveraging Duo’s security controls, seamless user experience, enhanced access management and AI powered identity governance features.
This integration allows employees to use their organizational credentials, creating consistent and streamlined access management while maintaining centralized authentication and authorizations capabilities using AWS IAM Identity Center. Please refer to this documentation to configure Duo identity federation on AWS with automated user synchronization using SCIM (System for Cross-domain Identity Management).
Assign access to AWS accounts and resources
Every user or group synchronized from Duo to IAM Identity Center through SCIM will be mapped to one or more AWS accounts and IAM roles that provide the necessary permissions for the appropriate AWS access. Through IAM Identity Center, customers can publish both AWS-managed applications such as Amazon QuickSight or customer-managed applications. For example, you can create an Amazon Q application and choose IAM Identity Center as the access management system, allow access to appropriate users and groups, and publish through IAM Identity Center. This enables IAM Identity Center to be the central access point for AWS-managed applications and avoids the need to set up federation or user and group synchronization for each AWS application.
Now, publishing IAM Identity Center through Duo SSO enables organizations to have a single pane of glass for their enterprise and cloud applications.
Architectural diagram
Figure 4: Duo Deployment Architecture and integration with IAM Identity Center
Duo IAM on AWS not only provides seamless user experience to Duo users but also provides efficient troubleshooting and management capabilities with the AI powered Cisco AI Assistant for Duo.
Cisco AI Assistant for Duo
The Cisco AI Assistant, powered by Amazon Bedrock, interprets natural language prompts to help administrators troubleshoot user access issues and find setup and configuration answers from Duo documentation. It also enables admins to quickly access relevant information, such as recent admin activity, device registrations, and group memberships, without manually searching through multiple pages or logs. The Cisco AI Assistant respects administrator permissions, making sure users only access data they are authorized to see.
Duo built the AI Assistant on Amazon Bedrock because it is a model‑agnostic service and provides a wide range of model choices. This allows Duo to adopt new LLMs without reworking the core architecture. That flexibility keeps the Duo AI Assistant current while avoiding costly rebuilds, and provides additional opportunities for quickly iterating on new LLM-based features like summarization, tool input validation and output evaluation. We also benefit from the existing AWS integrations like built-in IAM permission management and observability with CloudWatch.
“I love how easy Duo integrates with different tech stacks. We integrated our AWS and Duo environments, which only took a couple of hours. Within another hour or so, we were already ingesting logs from these different sources.”
Conclusion
By using Duo IAM, you can boost AWS customer identity governance and security with identity federation and routing rules that support aggregating multiple identity sources, advanced access management such as proximity verification and passwordless authentication, fine-grained administrative controls, and AI driven identity intelligence.
To learn more about how to get started and leverage Duo for identity governance, start a trial of Cisco Duo for no additional cost through AWS Marketplace. Explore the new Duo IDP solution, find your ideal edition, and begin your Zero Trust journey at duo.com/aws.
.
Cisco Systems – AWS Partner Spotlight
Cisco Systems is an AWS Specialization Partner that helps customers optimize their cloud strategy by bringing together networking, security, analytics and management.