Educause Security Discussion mailing list archives
Re: Duo Security concern -- EDU support requested
From: Cam Beasley <cam () UTEXAS EDU>
Date: Tue, 26 Apr 2016 09:24:50 -0500
hi Steve - unfortunately, Duo wouldn’t share their internal ticket for this issue. ~cam.
On Apr 26, 2016, at 9:02 AM, Steve Bohrer <stephen_bohrer () EMERSON EDU> wrote:

Cam,

Do you have any case number or anything that would let us chime in on your ticket, or do you suggest that we all make new requests for these same features?

Steve Bohrer
Network & Security Admin
IT Infrastructure, Emerson College
617-824-8523

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Cam Beasley <cam () UTEXAS EDU>
Sent: Tuesday, April 26, 2016 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Duo Security concern -- EDU support requested

[ATTN: Duo Security campuses]

colleagues -

i wanted to share something we’ve discovered in our deployment of Duo in hopes that more attention from customers will help motivate the vendor to address an important security gap. Duo has tentatively projected a solution for late-2017, but has said that more feedback from EDU customers would allow them to bump it up on their development schedule.

————- issue ————-

based on our testing, there is a significant security gap around user notification for certain Duo events. these Duo events provide NO user communication and we believe users should have an option of being kept in the loop:

- user registration
- user de-registration
- user status changed to active status
- user status changed to bypass status
- user status changed to disabled status
- user status changed to locked out status

this issue is made worse by the fact that many of these events are not reflected directly in the logs Duo generates. as a result, there are very limited options for us to ensure the security of our users for these types of events.

————- action ————-

if you agree that this is a gap you would like for Duo to address sooner than 18-mos from now, then please reach out to your respective Duo representative as soon as possible.

please let me know if you have any questions.

thanks very much for your help,
~cam.
--
Cam Beasley
Chief Information Security Officer
Information Security Office
The University of Texas at Austin
security () utexas edu | 512.475.9242
http://security.utexas.edu
=======================================
https://www.facebook.com/utaustiniso
https://twitter.com/UT_ISO
=======================================
Current thread:
- Duo Security concern -- EDU support requested Cam Beasley (Apr 26)
- Re: Duo Security concern -- EDU support requested Romig, Steve (Apr 26)
- Re: Duo Security concern -- EDU support requested Cam Beasley (Apr 26)
- Re: Duo Security concern -- EDU support requested Kevin Wilcox (Apr 26)
- Re: Duo Security concern -- EDU support requested Steve Bohrer (Apr 26)
- Re: Duo Security concern -- EDU support requested Cam Beasley (Apr 26)
- Re: Duo Security concern -- EDU support requested Cam Beasley (Apr 29)
- Re: Duo Security concern -- EDU support requested Brad Judy (Apr 29)
- Re: Duo Security concern -- EDU support requested Romig, Steve (Apr 26)