Cisco Duo

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Cisco Duo can be integrated with other software services and platforms to enhance security and access control capabilities. For example, Cisco Duo can be integrated with cloud applications, VPNs, remote desktop services, and identity management platforms to provide multi-factor authentication and ensure secure access to these resources.
Cloud deployment model: Public cloud

Private cloud

Community cloud

Hybrid cloud
Service constraints: There are no constraints to this service.
System requirements: Supported operating systems: Windows, macOS, iOS, Android, Linux.

Compatible web browsers: Chrome, Firefox, Safari, Edge, Internet Explorer.

Internet connectivity for authentication and management operations.

Compatible VPN, remote desktop, or cloud applications for integration.

Mobile devices with supported versions of operating systems.

Active directory or LDAP for user authentication and sync.

Secure internet connection for cloud-based authentication services.

Optional hardware tokens for two-factor authentication.

Regular software updates for security patches and enhancements.

Adequate network bandwidth for seamless authentication and access operations.

User support

Email or online ticketing support: Email or online ticketing
Support response times: 08:30 - 18:00 Weekdays, excluding Bank Holidays. Out of hours support available where necessary. 30 minutes to 8 hour response dependent on priority call, P1 - 30 mins, P2 - 1 hour, P3 - 4 hours, and P4 - 8 hours. Performance in 2021 included an average call wait time of 8 seconds and 90% of tickets being resolved within one day.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 A
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: WCAG 2.1 A
Web chat accessibility testing: We have not conducted any testing of web chat accessibility with users employing assistive technology.
Onsite support: Onsite support
Support levels: End-user training can be provided at an ad hoc cost. We provide a UK based Service Desk for support. Out of hours support is available. Our helpdesk is made up of 1st, 2nd and 3rd Line technical expertise. A Technical Account Manager will be assigned as standard as a part of our standard and premium IT Support, see our pricing schedule and SFIA Rate Card for details.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Creative Networks assist users in getting started with the Cisco Duo service through a blend of onsite and online training, along with comprehensive user documentation.

For onsite training, our team conducts interactive sessions customised to the organisation's requirements. We guide users through setup procedures, authentication methods, and best practices for using Cisco Duo effectively. This hands-on approach enables users to ask questions, receive immediate feedback, and gain practical experience with the service.

Additionally, we offer online training sessions conducted via webinars or virtual classrooms, providing flexibility for remote attendance. These sessions cover similar topics to onsite training, allowing users to learn at their own pace and convenience.

Moreover, we provide detailed user documentation that outlines step-by-step instructions, troubleshooting tips, and frequently asked questions (FAQs). This documentation serves as a valuable resource for users to refer to whenever they encounter challenges or need additional guidance while using Cisco Duo.

In essence, our comprehensive training and documentation resources empower users to confidently adopt and utilise the Cisco Duo service, enhancing their security posture and user experience.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: At the conclusion of a contract with Cisco Duo, users can extract their data by adhering to specific procedures outlined by Cisco Duo or the contract agreement. Typically, this involves accessing the Cisco Duo administration interface to export relevant data, such as user accounts, authentication logs, configuration settings, and reports.

Within the Cisco Duo administration interface, users may have access to features facilitating data export, such as built-in reporting tools or data export functionality. Alternatively, users may require assistance from Cisco Duo support or their IT Managed Service Provider (MSP) to facilitate the data extraction process.

It's crucial for users to review the terms of their contract with Cisco Duo to understand their rights and obligations concerning data extraction and retention. Some contracts may include provisions for data extraction and transfer upon contract termination, while others may necessitate users to complete the process within a specified timeframe.

In summary, users should communicate with Cisco Duo or their MSP to ensure a seamless transition and compliance with data protection regulations when extracting their data at the end of the contract.
End-of-contract process: As a contract with Cisco Duo draws to a close, Creative Networks focuses on securely transferring all client data held within the Cisco Duo service according to contract terms. This entails exporting user accounts, authentication logs, and configuration settings, ensuring a smooth transition for the client. Additionally, Creative Networks reviews post-contract obligations, such as data retention requirements, and collaborates with the client to fulfil these obligations.

In terms of pricing, the contract encompasses the base cost of the service, covering essentials like user authentication and basic support. However, certain features or services may incur additional charges, such as premium support or advanced reporting capabilities. Creative Networks will communicate these additional costs transparently to the client, helping them evaluate their suitability within budget constraints. Throughout the contract duration, Creative Networks maintains active engagement with the client, optimising the usage of Cisco Duo and maximising value for the client's investment.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari
Application to install: Yes
Compatible operating systems: Android

IOS

Linux or Unix

MacOS

Windows
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The mobile service of Cisco Duo, accessible through the Cisco Duo Mobile app, offers users convenient authentication methods like push notifications and biometric verification, tailored for on-the-go access. It emphasises portability and user-friendly interaction, suitable for mobile device interfaces. In contrast, the desktop service, accessed through web browsers, provides comprehensive administrative capabilities for managing authentication policies, user accounts, and access controls. It prioritises advanced configuration options and monitoring features suited for administrators overseeing authentication across the organisation's desktop and laptop devices. Both services ensure secure access, the mobile service focusing on user convenience and the desktop service on administrative control.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: Cisco Duo does have a service interface. It provides a web-based administrative interface accessible through supported web browsers. This interface allows administrators to configure authentication policies, manage user accounts, view authentication logs, and perform other administrative tasks related to Cisco Duo. Additionally, Cisco Duo offers APIs (Application Programming Interfaces) that allow for integration with third-party systems and automation of various tasks, providing additional flexibility and customisation options for managing the service.
Accessibility standards: None or don’t know
Description of accessibility: Cisco Duo strives to be accessible by adhering to usability principles and offering multiple authentication methods suitable for various user needs. Users can authenticate using push notifications, passcodes, or biometric verification via the Cisco Duo Mobile app, enhancing accessibility across devices. However, users may face limitations accessing certain features if they rely solely on methods like push notifications, which require a compatible mobile device and internet connection. Ensuring alternative authentication methods are available enhances accessibility for all users, promoting inclusivity and ease of use.
Accessibility testing: Creative Networks have not conducted any interface testing with users of assistive technology.
API: Yes
What users can and can't do using the API: Users can leverage the Cisco Duo API to perform various tasks related to authentication and access management programmatically. Through the API, users can set up the service by creating and managing user accounts, configuring authentication methods and policies, and integrating Cisco Duo with their existing systems and applications. This allows for streamlined deployment and customisation tailored to specific organisational needs.

Additionally, users can make changes to the service through the API by updating user attributes, modifying authentication policies, retrieving authentication logs and reports, and automating administrative tasks. This enables efficient management of the Cisco Duo service and ensures that it aligns with evolving security requirements and user access needs.

However, there are certain limitations to what users can set up or change through the API. For instance, while users can perform most administrative tasks programmatically, there may be some advanced configurations or settings that are not accessible via the API and require manual intervention through the web-based administrative interface. Additionally, certain sensitive operations or actions may require appropriate permissions or authentication tokens to ensure security and prevent unauthorized access or modifications.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)

HTML

PDF

Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Users can customise Cisco Duo's service to suit their specific authentication and access management requirements. This involves configuring authentication policies, integrating with existing systems, branding the authentication prompt and portal, and generating customised reports. Users can typically customise these aspects through the Cisco Duo administration interface, allowing for intuitive configuration and management of authentication settings, user accounts, and access controls. Depending on the organisation's structure, administrators or designated personnel with appropriate permissions can perform these customisations. This ensures that only authorised individuals can make changes to the Cisco Duo service, maintaining security and compliance. By offering these customisation options, Cisco Duo enables users to tailor the service to their unique security needs, user experience preferences, and organisational workflows, ultimately enhancing security posture and user satisfaction.

Scaling

Independence of resources: To ensure users aren't affected by demand placed on our service by others, we employ strategies like scalability, load balancing, and resource allocation. We monitor demand closely, scaling our infrastructure to accommodate increasing loads without compromising performance. Traffic is distributed across multiple servers to prevent overload, and resources are allocated dynamically based on demand. Redundancy measures such as backup servers and failover mechanisms ensure service availability in case of hardware failures or sudden spikes in demand. Real-time performance monitoring enables us to proactively identify and address issues, maintaining optimal performance and reliability for all users.

Analytics

Service usage metrics: Yes
Metrics types: Creative Networks can typically furnish service usage metrics for Cisco Duo to clients. These metrics may encompass data such as the number of authentication requests processed, user login activity, usage trends over time, and system performance metrics. Creative Networks may gather this data from the Cisco Duo administration interface or through additional monitoring and reporting tools integrated with the service. Providing service usage metrics enables clients to evaluate the effectiveness of their security policies, identify areas for improvement, and make informed decisions about their authentication and access management strategies.

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Cisco

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with another standard
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users can export their data from Cisco Duo through the administration interface. They access reporting tools or data export options, specifying the desired data type, such as user accounts or authentication logs. After selecting the data, users initiate the export process, specifying parameters like date ranges or file formats. The exported data is then generated and made available for download, either directly from the interface or via a provided link.
Data export formats: CSV

ODF
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: All service level agreements are as per the ones supplied by Cisco Duo and published by them. Cisco Duo commonly aims for availability levels exceeding 99.9%. Any downtime during working hours is credited on a pro-rata basis.
Approach to resilience: The Cisco Duo service is designed with resilience to ensure uninterrupted access to authentication and secure access features. The service incorporates redundant infrastructure components, including servers, network elements, and data storage systems, to mitigate the impact of hardware failures and maintain continuous availability. Failover mechanisms automatically redirect traffic to alternate servers or data centres in case of primary system failure, minimising downtime.

Additionally, Creative Network's third party data centre has geographically distributed data centres enhancing resilience by strategically locating facilities in different regions, reducing the risk of service disruptions due to localised events such as power outages or natural disasters. These data centres feature high availability architecture with redundant power supplies, backup generators, and diverse network connectivity to maximise uptime and ensure consistent service delivery.

Continuous monitoring and maintenance, including real-time performance monitoring and security audits, help proactively identify and address potential issues to maintain service availability. Overall, the combination of Cisco Duo's resilient service architecture and the robust data centre setup ensures that Creative Networks can offer clients a reliable authentication and secure access solution, minimising the risk of service disruptions and maximising uptime.
Outage reporting: Our service employs various channels to report outages promptly and effectively. Firstly, we maintain a public dashboard offering real-time updates on service status and ongoing incidents. Users can access this dashboard to stay informed about outages and track resolution progress. Secondly, we provide an API allowing users to programmatically retrieve service status information, including reported outages. This facilitates integration with third-party monitoring tools and automated alerting systems for efficient incident management.

Additionally, we send email alerts to notify users about outages and service disruptions. These alerts contain comprehensive details such as the nature of the outage, affected services, and estimated time to resolution. This ensures that users receive timely and actionable information, enabling them to take appropriate measures and stay informed about the service status.

By leveraging multiple communication channels, including a public dashboard, API access, and email alerts, we enhance transparency, accessibility, and responsiveness in reporting outages. This approach enables us to minimise the impact of outages on our users and maintain high service availability and reliability.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Supplier defined controls. Access to management interfaces is restricted to designated users and controlled with user name and password protection.
Access restriction testing frequency: At least once a year
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Less than 1 month
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Less than 1 month
How long system logs are stored for: Less than 1 month

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: UKAS
ISO/IEC 27001 accreditation date: 24/10/2022
What the ISO/IEC 27001 doesn’t cover: Areas not covered by ISO/IEC 27001 certification include specific business processes unrelated to information security, certain third-party services or suppliers, or compliance with other industry-specific regulations.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: As an ISO 27001 accredited organisation, Creative Networks adheres to stringent information security policies and processes to safeguard data and mitigate risks. Our framework comprises comprehensive policies covering data protection, access control, encryption, and incident response, regularly reviewed and communicated to all employees. We employ a structured risk management approach, conducting regular assessments and implementing controls to address identified risks. A clear reporting structure ensures prompt incident response and resolution, with designated individuals responsible for escalation and management. Regular audits and assessments monitor compliance with security standards, complemented by ongoing training and awareness programmes to educate employees on best practices. Continuous improvement drives enhancements to policies, processes, and controls in response to evolving threats and regulatory requirements. Through these measures, Creative Networks maintains a robust security posture, fostering a culture of security awareness and ensuring the protection of sensitive information.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Creative Networks adheres to ISO 20000 Standard-compliant Change Management Processes for managing configuration and changes within our services. We maintain a Configuration Management Database (CMDB) to track service components throughout their lifecycle, including hardware, software, and network devices. This ensures accurate inventory management and facilitates impact assessments for changes.

Our Change Management Process categorises changes based on impact and urgency, with thorough approval and review procedures. Before implementation, we conduct impact assessments to evaluate potential security implications, considering data confidentiality, integrity, and availability. Changes with significant security impacts undergo additional scrutiny and approval by designated security experts.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Creative Networks employs a rigorous Vulnerability Management process, continually assessing threats through sources like the National Cyber Security Centre and vendor newsletters. We swiftly deploy patches following thorough testing to mitigate risks, integrating with Incident and Change Management processes. Information about potential threats is gathered from various reputable sources, including official advisories, industry bulletins, and threat intelligence feeds. This approach ensures timely and effective identification, assessment, and mitigation of vulnerabilities, safeguarding the security and integrity of our services for our customers.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Creative Networks employs protective monitoring processes with monitoring agents on all devices to swiftly detect and respond to potential compromises. We assess incident severity upon identification to prioritise responses, maintaining a 4-hour SLA for remedial actions. Multiple alert systems are monitored continuously for timely detection. Upon detecting a potential compromise, we promptly investigate, contain the threat, and implement remedial measures to minimise impact. Our goal is to swiftly safeguard the security of our systems and data.
Incident management type: Supplier-defined controls
Incident management approach: Creative Networks follows an ISO 22301-aligned Incident Management Process. Common events have pre-defined procedures. Users report incidents to the Incident Manager, who logs them and gathers relevant evidence. Incidents are rectified using patches or workarounds. We analyse incidents to prevent future occurrences. Regular reviews of archived incidents identify trends and assess effectiveness. Incident reports are provided to stakeholders, detailing the incident and actions taken. Our process ensures prompt incident resolution and continuous improvement.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: Yes
Connected networks: Public Services Network (PSN)

Police National Network (PNN)

NHS Network (N3)

Joint Academic Network (JANET)

Scottish Wide Area Network (SWAN)

Health and Social Care Network (HSCN)

Social Value

Fighting climate change
Covid-19 recovery
Tackling economic inequality
Wellbeing

Fighting climate change

By providing secure remote access capabilities like Cisco Duo, we can enable organisations to support remote work initiatives. This can lead to reduced commuting and office energy consumption, contributing to lower carbon emissions.

Covid-19 recovery

Cisco Duo facilitates secure remote access to critical systems and data, enabling businesses to maintain operations during lockdowns and other restrictions. This supports business continuity efforts and aids in the recovery from Covid-19-related disruptions.

Tackling economic inequality

Secure access provided by Cisco Duo ensures that employees, regardless of their location or circumstances, can securely connect to their work systems and collaborate effectively. This promotes equal opportunities for remote and on-site workers alike.

Wellbeing

By enabling remote work, Cisco Duo can contribute to employee wellbeing by offering flexibility in work arrangements, reducing stress associated with commuting, and providing a safer working environment during health crises. Additionally, the security provided by Cisco Duo helps safeguard sensitive data, enhancing overall peace of mind for employees and organisations alike.

Pricing

Price: £2.41 to £7.33 a user a month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: The free version includes basic multi-factor authentication for a limited number of users or devices. Advanced features and support options are not included. The trial is typically available for a 30 day period.
Link to free trial: https://signup.duo.com/?utm_source=cisco&utm_medium=referral&utm_campaign=smb-fy24-q3-na-0102-trials-and-demos-cc004573

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Cisco Duo

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents