• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Products & Services

Cisco Umbrella + Cisco Duo Are Better Together

Author avatar of Kedar HiremathAuthor avatar of Matt BrooksKedar Hiremath and Matt Brooks
February 14, 2023 • 7 minute read
View blog >

Moving to the cloud and securing applications and data globally is paramount to protect your business. Bad actors are always looking for ways to exploit the reality of digital communication. Zero Trust reflects this evolving threat landscape and has become a central framework for security practitioners to plan their defenses.

In this blog, we’ll discuss Cisco’s approach to Zero Trust, with Cisco Umbrella and Cisco Duo working together to deliver a comprehensive security solution for Internet and cloud application access. We’ll also discuss a Hitachi use case and how Cisco Duo, along with Cisco’s Secure Access Service Edge (SASE) offering, protects their global environment.

Zero Trust

Traditional security approaches assume that anything inside the corporate network can be trusted. A zero-trust model considers all resources to be external and continuously verifies trust before granting only the required access.

It’s a strategic approach to security that relies on the concept of eliminating trust from an organization’s network architecture, as trust is neither binary nor permanent and we shouldn’t assume that internal entities are trustworthy, can be managed to reduce security risk, or checking them once is enough. Zero trust prompts you to question assumptions of trust at every access attempt.

With Cisco Duo zero trust, you establish trust, enforce trust-based access, and verify trust continuously. You gain better visibility across your users, devices, networks, and applications because you are verifying their security states with every access request. You can reduce your organization’s attack surface by segmenting resources and only granting the absolute minimum access needed.

In the Cisco Security Outcomes Report, Volume 3 – one of the success factors to achieving security resilience was to maximize zero trust adoption. The study found that:

Respondents with mature zero trust implementations boosted their security resilience rating by 30% over organizations that hadn’t started that journey!

It also found that secure access service edge (SASE), which offers a strategy to converge networking and security into a cloud-delivered service, correlates with higher success rates for 8 out of the 9 desired security resilience outcomes and overall security resilience scores that were, on average, 15% higher than those that had no progress on the SASE front.

Umbrella and SASE

Cisco Umbrella is a cloud-delivered security platform that secures internet access and controls cloud app usage across networks, branch offices, and roaming users. It expands Cisco’s SASE offering, unifying security and network functionality in the cloud. Umbrella provides:

  • Cloud-delivered firewall
  • DNS-layer security
  • Cloud access security broker (CASB)
  • Secure web gateway (SWG)

This functionality is all included in a single cloud solution.

Graphic showing Cisco Umbrella functionality, which includes: DNS-layer security, firewall as a service, Cisco Talos threat intelligence, secure web gateway, remote browser isolation, and cloud access security broker.

The secure web gateway (SWG) prevents access to potentially dangerous or prohibited sites anywhere users go, and is enabled per user, and for devices, per production equipment or sensor. It helps to protect against malware, ransomware, & C2 callbacks, with no added latency. It also provides visibility into internet activity across all locations and users.

Umbrella also includes threat intelligence, remote browser isolation (RBI), data loss prevention (DLP), and cloud malware detection, all while acting as a secure onramp to the internet to provide protection against threats for users anywhere they connect.

This is important because IoT and data utilization are at the forefront of smart factories, production equipment and sensors transmitting operating status data to other systems via the Internet. Cisco Umbrella monitors devices to see if they are transmitting data to the correct destinations and checks for unauthorized activities, minimizing the risk of information leakage.

Duo and zero trust

The first step of the zero-trust journey for many organizations is verifying users and devices through multi-factor authentication (MFA). Among our Security Outcomes study respondents, rolling out MFA correlated with an 11% improvement in security resilience scores.

Duo is the world’s zero trust identity solution that protects access to all applications, for any user and device, from anywhere. It is cloud-based and designed to be easy to administer and deploy, while providing complete endpoint visibility and control. Duo verifies users’ identities with strong MFA, paired with deep insights into your users’ devices. Duo gives you the policies you need to limit access based on endpoint or user risk.

Duo supports leading MFA authentication protocols – including standards like FIDO2 WebAuthn – to enable methods including hardware keys and biometrics. With the support of FIDO2, Duo prevents session hijacking through phishing attacks by requiring channel binding. And it prevents man-in-the-middle attacks by requiring source binding. Duo also supports passwordless authentication, eliminating the issues with passwords altogether.

Umbrella + Duo provide better security together

Graphic showing how Umbrella and duo work together

Both Umbrella and Duo provide protection to secure users and their endpoints’ access to apps and data, and both have origins in zero trust. Cisco’s strategic approach to zero trust includes four groups of solutions to manage the trust lifecycle.

1. Establish trust

We start by establishing trust by verifying users and devices by increasing visibility. Systems like Cisco Secure Endpoint that manage endpoint operating systems may establish whether there are any existing threats. Duo Trusted Endpoints can communicate directly with it, and may be configured to prohibit authentication if the device status is out of compliance. Simultaneously, it can also use device enrollment as an indication of whether it is a corporate device which may be configured as a condition to allow authentication.

Regardless of whether the device is enrolled, especially for BYOD devices, Duo Device Health App can verify whether essential system components are safe to establish trust. This includes whether the OS and browser need to be patched, or whether storage encryption or the host-based firewall are disabled.

Duo Risk-Based Authentication may dynamically use device posture signals or context to determine whether stronger authenticators are required such as Verified Duo Push, biometric authenticators like Windows Hello and Apple Touch ID, or roaming security keys.

With Cisco Secure Email, endpoints will be protected from a significant threat vector. But if user’s personal email or just unguided surfing leads them to click on a phishing link, Cisco Umbrella will block the connection, log the threat, and notify the user appropriately. 

Nevertheless, if a user inadvertently navigated to a phishing site that feigns identification controls, Duo FIDO2 would block authentication and the establishment of trust from proceeding.

2. Enforce trust-based access

These solutions grant the appropriate level of access and enforce access policies based on the principle of least privilege. Here, other Cisco security components can be invoked. This includes Cisco ISE which may be used to establish north-south network segmentation. It also includes Cisco Secure Workload to establish east-west micro-segmentation for cloud services, to mitigate the risk of lateral movement in the event of an attack.

3. Continuously verify trust

Change is inevitable. So continuously verifying trust by reassessing trust level and adjusting access accordingly is critical, even after initial access has been granted. Here, Cisco Umbrella will continuously inspect and verify session payloads for any threats to endpoints, corporate systems, or data. 

4. Respond to change in trust

Cisco’s security solutions empower teams to respond to change in trust by investigating and orchestrating responses to potential incidents with increased visibility into suspicious changes in trust level.

Umbrella and Duo both can constantly feed threat data to Cisco SecureX, the company’s Extended detection and response (XDR) solution which delivers visibility into data across networks, clouds, endpoints, and applications. All of this is done while applying analytics and automation to detect, analyze, hunt for, and remediate today’s and tomorrow’s threats.

The Security Outcomes study found a whopping 45% better overall resilience score in organizations with progress toward XDR.

How Hitachi used Cisco Umbrella and Duo to deliver identity and security

“Cisco is a dependable partner who can share the same vision and help us tackle difficult challenges. We can do this together!”

Hitoshi Tanaka, GM of Global Solutions 2nd Office IT Strategy & Digital Integration Division Hitachi, Ltd.

Hitachi was working to restructure its security infrastructure, because users, devices, systems, and data are scattered widely inside and outside the company’s network due to diversified work styles, people working from home and across the world. Hitachi partnered with Cisco to enhance its security infrastructure to ensure strict authentication of users and devices using a zero-trust architecture. The goal was to safeguard all these different avenues of users’ data and Internet experience, so users could connect online with confidence.

The results of Hitachi implementing a zero-trust strategy and its partnership with Cisco were:

  • SASE deployment that enabled Hitachi to take a huge leap forward in security restructuring
  • Unauthorized data detected by authentication of users

Hitachi’s Cisco Umbrella + Duo partnership in zero trust security brought a decentralized approach to security where the policy follows the user, and verification is required for everything because anything that accesses the systems or data cannot and should not be automatically trusted. Factory sensors and production equipment are autonomously transmitting data and accessing systems and services, so safety must be verified against both the users and objects.

Hitachi implemented Cisco Umbrella for cloud security and Cisco Secure Access by Duo for ID/access management. Umbrella provides the comprehensive security suite, while Duo is the authentication solution supporting multi-factor authentication and biometrics.

Hitachi also required MFA for accessing the systems and services after starting a PC at home, inside the office, or from a remote location outside the office. Duo allows users to choose any combination of multifactor authentication, enabling Hitachi to design an authentication environment tailored to each work style and job type.

As digitization continues to advance in society, security will always be at the forefront.

Cisco and Hitachi both aim to bring societal benefits and superior IT solutions to customers, and Umbrella + Duo services have provided Hitachi the needed scalability to confidently rebuild the entire security infrastructure of the Hitachi Group. With this partnership there’s a common vision of security and agility for the global workforce, securing a staff of almost 350,000 people worldwide.

The benefits of Cisco Umbrella and Duo together

Duo and Umbrella are better together because they are complementary solutions. Umbrella will secure all the outbound traffic from the organization to determine where it is going on the internet. And Duo establishes user and device trust, which in turn adds another layer of protection for the organization’s information and data.

Hitachi has demonstrated well how to protect their global environments and mitigate the risk of cyber-attacks at scale with Cisco Umbrella and Duo working together.

Instant savings with a Secure Choice EA

Build your Duo and Umbrella solution together by buying and deploying through one easy-to-manage Cisco Secure Choice Enterprise Agreement. This single, flexible agreement lets you pay annually, as you go, over 3 or 5 years, with 0% financing. Find out how to get started with instant savings today.

Good things come in pairs

Want to learn more about how to use Cisco Umbrella and Duo together? Listen to our podcast, Cisco Duo and Umbrella are better together!

And if you’re ready to see our solutions in action on your network, be sure to sign up for Duo’s free 30-day trial.

Duo and Umbrella are better together because they are complementary solutions. Umbrella will secure all the outbound traffic...and Duo establishes user and device trust.

Tweet this quote

Additional Resources

  • Customer Story: Hitachi fortifies its remote workforce with zero trust
  • Podcast: Cisco Umbrella and Duo are better together

Suggested Blogs

  • Embrace SASE With Cisco February 28, 2023 3 minute read
  • Cisco Enhances Cloud DLP With Unified Management and More December 8, 2022 3 minute read
  • Introducing the New and Improved Cisco Umbrella APIs November 1, 2022 2 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella