Educause Security Discussion mailing list archives

Re: Duo Security concern -- EDU support requested


From: "Romig, Steve" <romig.1 () OSU EDU>
Date: Tue, 26 Apr 2016 13:23:37 +0000

Hey there, hope you're doing well!

Can I forward this to our duo team?  I can remove identifying info if you'd prefer.  

--- Steve

On Apr 26, 2016, at 8:47 AM, Cam Beasley <cam () UTEXAS EDU> wrote:


[ATTN: Duo Security campuses]


colleagues -

I wanted to share something we’ve discovered in our deployment of Duo in hopes that more attention from customers 
will help motivate the vendor to address an important security gap.  Duo has tentatively projected a solution for 
late 2017, but has said that more feedback from EDU customers would allow them to bump it up on their development 
schedule.

————-
issue
————-

based on our testing, there is a significant security gap around user notification for certain Duo events.
these Duo events provide NO user communication, and we believe users should have an option of being kept in the loop:

       - user registration
       - user de-registration
       - user status changed to active status
       - user status changed to bypass status
       - user status changed to disabled status
       - user status changed to locked out status

this issue is made worse by the fact that many of these events are not reflected directly in the logs Duo generates.  
as a result, there are very limited options for us to ensure the security of our users for these types of events.

————-
action
————-

if you agree that this is a gap you would like for Duo to address sooner than 18 months from now, then please reach out 
to your respective Duo representative as soon as possible.

please let me know if you have any questions.

thanks very much for your help,


~cam.



--
Cam Beasley
Chief Information Security Officer
Information Security Office
The University of Texas at Austin
security () utexas edu | 512.475.9242
http://security.utexas.edu
=======================================
https://www.facebook.com/utaustiniso
https://twitter.com/UT_ISO
=======================================
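One compensating control for the gap Cam describes is to take periodic snapshots of the user inventory yourself and generate the missing notifications from the differences. The example below is added here and is not code from the thread or from Duo; it assumes each user record exposes a `username` and a `status` field (names are an assumption) and works on constructed sample snapshots rather than a live export.

```python
from dataclasses import dataclass
from typing import Optional

# Status values named in the message above.
TRACKED_STATUSES = {"active", "bypass", "disabled", "locked out"}


@dataclass(frozen=True)
class UserEvent:
    username: str
    kind: str                  # "registered", "deregistered" or "status_changed"
    old: Optional[str] = None  # previous status; None for a new registration
    new: Optional[str] = None  # current status; None for a de-registration


def snapshot(records):
    """Reduce a list of user records to {username: status}.
    Field names 'username' and 'status' are assumed; adjust to your export."""
    return {r["username"]: r["status"] for r in records}


def diff_snapshots(previous, current):
    """Return the events between two {username: status} snapshots, sorted by user."""
    events = []
    for user in sorted(set(previous) | set(current)):
        old, new = previous.get(user), current.get(user)
        if old is None:
            events.append(UserEvent(user, "registered", None, new))
        elif new is None:
            events.append(UserEvent(user, "deregistered", old, None))
        elif old != new:
            # A status this checker does not recognise is itself worth flagging.
            if new not in TRACKED_STATUSES:
                raise ValueError(f"unknown status {new!r} for {user}")
            events.append(UserEvent(user, "status_changed", old, new))
    return events


def notification(event):
    """Text to send the affected user, since Duo sends nothing for these events."""
    if event.kind == "registered":
        return f"{event.username}: a Duo account was registered for you (status: {event.new})."
    if event.kind == "deregistered":
        return f"{event.username}: your Duo account was removed."
    return f"{event.username}: your Duo status changed from {event.old} to {event.new}."

# Constructed sample snapshots, not real inventory data.
PREVIOUS = snapshot([{"username": "alice", "status": "active"},
                     {"username": "bob", "status": "active"},
                     {"username": "carol", "status": "locked out"}])
CURRENT = snapshot([{"username": "alice", "status": "bypass"},
                    {"username": "carol", "status": "active"},
                    {"username": "dave", "status": "active"}])
if __name__ == "__main__":
    for ev in diff_snapshots(PREVIOUS, CURRENT):
        print(notification(ev))
```

Because the events are derived from inventory state rather than from Duo's logs, the diff also gives you an audit record of transitions that the logs themselves may not show.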