Candy Crush maker King.com has secured all its employee-owned devices used in the company through a cloud-based mobile access management service.
As the interactive mobile entertainment firm grew from a startup with around 200 employees into an enterprise with nearly ten times that number of users, information security director Giacomo Collini faced a problem.
“Although we believed the open source remote access software we were using was secure, it was difficult to manage and to scale up as the company grew,” he told Computer Weekly.
However, the system had to cater for a variety of different computing devices, as the company encourages employees to choose their own hardware.
To solve these immediate problems, the company switched to Google Authenticator to verify users’ identities before granting them access to company networks and services.
Although the system used two-factor authentication (2FA), as required by the US Sarbanes-Oxley Act, Google Authenticator was also difficult to manage and was limited in features, especially in user provisioning.
Collini resumed his search for a mobile authentication and access management system that would meet King’s needs and Sarbanes-Oxley requirements for secure virtual private network (VPN) remote access.
“After looking at many options, we decided to conduct a proof of concept trial with cloud-based access security provider Duo Security, because the company had good references from some cool companies,” said Collini.
Ease of integration
Duo Security’s customers include Box, Facebook, Nasa, TripAdvisor, Twitter, Yelp and Zillow.
Collini was attracted to Duo Security’s wide range of authentication methods built on an open platform.
“Duo allows companies to authenticate using hard and soft tokens, as well as phone calls and text messages, and its open platform with a rich API [application program interface] makes it easier to integrate with – which we do a lot of in our company,” he said.
After King’s information security team conducted a two-week pilot – with input from across the company – King decided to implement the service. This allowed employees to authenticate to cloud services, on-premise resources, customised apps and remote virtual private networks (VPNs) using a single system.
“Being cloud-based, implementation is really easy. All you have to do is deploy a piece of software in a virtualised environment in your organisation that communicates with the service. It is production-ready with very little integration necessary and no complex on-premise infrastructure to worry about from a management or network topology perspective,” said Collini.
The pilot, he said, took only a few hours to integrate with King’s Active Directory; the full implementation – including documentation and user training – took less than a month.
According to Duo Security, some UK customers have got up and running in 30 minutes, simply using phone support from the supplier.
Security and automation
Although some companies are still hesitant to adopt cloud-based security services, Collini said King was assured by Duo Security’s security credentials and operating model.
“The way it works ensures internal security is preserved and we were satisfied with the security model and availability, after examining Duo’s operations and infrastructure,” he said.
According to Collini, enrolment is automated and effortless, and using the system is easy because all the user must do is log in through the company’s VPN portal with a username and password, and then click a single button to use a soft token to enable authentication.
“If there is no 4G connectivity, the system allows authentication via a phone call, which is also used by BlackBerry die-hards who are unable to install the Duo Security app on their device and need to authenticate using a hard token or a phone call,” he said.
When a user authenticates, an administration portal tracks user information from the user’s desktop and the mobile device they are authenticating with. This means Collini and his security team can track where users are connecting from and what resources they are connecting to.
Duo also enables companies to identify if the mobile operating system, browser or other software on the device is the most recent and therefore most secure version. If any software is out of date, the system allows employees to update to the right version, simply by clicking a button.
Harvesting data for security policy
King can use the software data, together with other information the service tracks, to build information security policies to allow or block access, based on a combination of factors – such as user role and the security state of their device.
“Duo enables us to know if users are connecting from an unusual location, and that information enables us to do anomaly detection,” said Collini. Users can report authentication requests made on their behalf to block fraudulent access requests by would-be attackers.
In more than a year since the full implementation went live, there have been no security incidents, said Collini. On the few occasions King has needed technical support, the experience has been positive.
“It has been just like working with another member of my team, and – very importantly for us – user feedback has also been extremely positive, including third-party partners who can gain access quickly, whenever necessary, according to appropriate security policies,” said Collini.
“At King we do all we can to provide a creative environment in which people like the tools they use to work and, with security controls, there is always the risk that they are perceived as a barrier to working – which is why we allow access from wherever employees choose.”
Ease of use reinforces security
Being a cloud-based service means companies such as King.com can deploy security controls to employee-owned devices without getting in the way, or slowing down the user.
Duo’s patented push technology is a key factor in this regard, according to Henry Seddon, head of European operations at Duo Security.
“In our development organisation and throughout the company, our number one focus is continuing to be the easiest to use, because if it is easy to use, people don’t try to bypass it, ensuring the organisation remains secure,” he told Computer Weekly.
Duo is also focused on enabling fast deployment and easy integration, which Seddon said is particularly important for companies that want to shore up security controls quickly, in the wake of a breach.