Re: Duo Security concern -- EDU support requested

[Cam Beasley <cam () UTEXAS EDU>]

hi Steve -

unfortunately, Duo wouldn’t share their internal ticket for this issue.

~cam.

> On Apr 26, 2016, at 9:02 AM, Steve Bohrer <stephen_bohrer () EMERSON EDU> wrote:
>
> Cam,
>
> Do you have any case number or anything that would let us chime in on your ticket, or do you suggest that we all make 
> new requests for these same features?
>
> Steve Bohrer
> Network & Security Admin
> IT Infrastructure, Emerson College
> 617-824-8523
>
> ________________________________________
> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Cam Beasley 
> <cam () UTEXAS EDU>
> Sent: Tuesday, April 26, 2016 8:46 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Duo Security concern -- EDU support requested
>
> [ATTN: Duo Security campuses]
>
>
> colleagues -
>
> i wanted to share something we’ve discovered in our deployment of Duo in hopes that more attention from customers 
> will help motivate the vendor to address an important security gap.  Duo has tentatively projected a solution for 
> late-2017, but has said that more feedback from EDU customers would allow them to bump it up on their development 
> schedule.
>
> ————-
> issue
> ————-
>
> based on our testing, there is significant security gap around user notification for certain Duo events.
> these Duo events provide NO user communication and we believe users should have an option of being kept in the loop:
>
>        - user registration
>        - user de-registration
>        - user status changed to active status
>        - user status changed to bypass status
>        - user status changed to disabled status
>        - user status changed to locked out status
>
> this issue is made worse by the fact that many of these events are not reflected directly in the logs Duo generates.  
> as a result, there are very limited options for us to ensure the security of our users for these types of events.
>
> ————-
> action
> ————-
>
> if you agree that this is a gap you would like for Duo to address sooner than 18-mos from now, then please reach out 
> to your respective Duo representative as soon as possible.
>
> please let me know if you have any questions.
>
> thanks very much for your help,
>
>
> ~cam.
>
>
>
> --
> Cam Beasley
> Chief Information Security Officer
> Information Security Office
> The University of Texas at Austin
> security () utexas edu | 512.475.9242
> http://security.utexas.edu
> =======================================
> https://www.facebook.com/utaustiniso
> https://twitter.com/UT_ISO
> =======================================

Attachment: smime.p7s
Description: