Nowcomm Limited

Cisco Duo Multi Factor Authentication (MFA) Cloud Service from Nowcomm

Secure all on-premise and cloud applications for office and remote workers with Cisco Duo MFA, regardless of end user device type. Duo integrates application technology vendors to extend security controls across cloud applications and services including Microsoft Office 365, Cisco AnyConnect, Amazon Web Services, Microsoft Azure and Google Cloud Platform.

Features

  • Duo employes on-tap-approval to verify user identity
  • Gain visibility into all devices before granting access
  • Ensure users and devices meet your security standards inadvance
  • Enforce access security policies based on user risk
  • Enforce access security policies based on device risk
  • Enforce access security policies based on application risk
  • Single platform for secure access service management, administration and reporting
  • Provide clientless remote access for multicloud environments and remote workers
  • Can generate event-based passcodes only valid until used once
  • Verify user identity over the phone when smartdevice unavailable

Benefits

  • Streamline security workflow with single dashboard for all application access
  • Secure access to on-premises and cloud applications with native integrations
  • Protect your login from hackers exploiting weak or stolen passwords
  • Duo safeguards users from social engineering and password brute-force attacks
  • Supports users who are offline or require temporary remote access
  • Reduces the risk of attackers intercepting passwords or unique codes
  • Seamlessly secures access to desired applications without using a VPN
  • Supports the creation of tailored contextual security access policies
  • Can help the organisation meet PCI DSS requirements
  • Zero-trust security enabled by establishing device trust for secure access

Pricing

£2.30 a licence a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@nowcomm.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

5 9 8 1 5 0 4 0 3 5 7 4 5 4 1

Contact

Nowcomm Limited Corinne Stott
Telephone: 0133 2821106
Email: gcloud@nowcomm.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The only limitation is the application service itself. Many leading cloud applications and services including Microsoft Office 365, AWS, Azure and Google Cloud Platform already have achieved integrations with DUO. SAML, direct integrations and REST API's are documented at: https://duo.com/product/remote-access/remote-access-integrations .
Cloud deployment model
Hybrid cloud
Service constraints
Some performance and operational features may be limited by an endpoint device manufacturer or the end device operating system, or an application or website provider. Such issues would be beyond the control of the Cisco Duo service. A variety of Auth methods are available meaning customers should only be limited by the application providers available connection interfaces. See http://www.duo.com/docs for more information.
Details of any specific manufacturer service optional or performance constraints or limitations will be set out at:
https://www.cisco.com/c/en/us/about/legal/cloud-and-software/cloud-terms.html .
System requirements
  • Microsoft Windows 7 and Windows 8 & 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012, 2012 R2, 2016
  • ChromeOS
  • Apple MacOS 10.12, 10.13
  • Apple OSX 10.11
  • Apple iOS 11 and above (requires separate MDM)
  • Red Hat Enterprise Linux or CentOS 6.x 7.x
  • Android 2.1 (Éclair) to 6.0 (Marshmallow) (requires separate MDM)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Cisco Technical Support operate the following response times for Cisco Duo as part of Cisco standard service.
Cisco response times operate 24/7/365.
Severity 1-2: Cisco response time within 1 hour.
(Covers items such as major outage, cloud service down or causing critical impact to the business).
Severity 3-4: Cisco response within the Next Business Day.
(Cloud Service is impaired however operations remain functional with little impact to business or general service queries).
Nowcomm can provide additional technical service desk expertise and managed services capabilities to complement Cisco Technical Support above. See "Nowcomm Monitor, Manage, Support and Optimise" G-Cloud service.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
There are 4 main support levels which Nowcomm offer for customers to select to further compliment Cisco Technical Support, providing additional Nowcomm technical service desk expertise and managed services capabilities. Nowcomm’s Service Desk operates 24/7/365 and a choice service levels including 24*7, 8*5 Mon-Fri or a NBD service offers to best suit the coverage required.

1) Service Desk - providing remote based technical assistance, advice and guidance to day to day issues and questions. 2) On Site Experts - providing technical engineering, training or consulting experts on site with your team as and when required.
3) Analysis Service - providing scheduled proactive insight and advisory of performance operation data - for example analysing monthly performance data, security reports and behaviour and providing recommendations, guidance and expert insights. monitoring of devices with downtime alerts.
4) Managed Service - providing complete operational service as an extension to the in-house IT team. For example performing all moves, adds, changes and deletes (MACD's), making monthly backups as necessary, any patching updating, vulnerability scanning, monthly reporting, compliance documentation completion, change advisory board reviews and so on.
Nowcomm support and managed service offers can be purchased under the "Nowcomm Monitor, Manage, Support and Optimise" G-Cloud service.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Nowcomm onboards customers by gathering all key information required as part of the early data gathering activity that forms part of the planning phase within the on-boarding process. Typically the on-boarding activities, including training are provided remotely.
All go-live system information, service documentation and procedures required to describe, explain, test, educate, train and launch the service is developed and distributed to the customer as part of the on-boarding process. Any detailed design documentation is also derived from within the on-boarding process. All detailed designs are agreed and signed off by both parties within the on-boarding phase and prior to service implementation. Full copies of the system documentation and user documentation as applicable are provided as part of the user acceptance testing phase.
On-site on-boarding services and activities, including but not limited to administration training, user training and service launch workshops can be customised and delivered as required though the purchase of our additional G-Cloud Service "Nowcomm Specialist Cloud Consultancy Services".
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
As part of the Nowcomm off-boarding process, customers continue to benefit from full reporting access to the service management portal until the date of contract completion. From this service management portal customers can access, retrieve and download copies of all available data and reports as required for future use following the end of contract date. When the contract end date is reached the service is ended and customer access is no longer available. As part of contract completion, the service is considered ended and all data is erased for compliance and operational reasons as part of the customer being fully off-boarded and as such no longer subscribing to the service. Nowcomm notify the end customer with end of service data reminders and guidance to extract necessary data in advance of the contract completion date. This forms part of the Nowcomm remote off-boarding process provided as part of our standard service. Bespoke off-boarding requirements which extend beyond Nowcomm's standard off-boarding service model described above, for example Nowcomm specialists performing bespoke off-boarding activities on customer site can be purchased via our additional G-Cloud Service "Nowcomm Specialist Cloud Consultancy Services".
End-of-contract process
Full service functionality is provided for the duration of the cloud service contract with Nowcomm. Customers may have the opportunity to extend the contract based on the rules and governance of the framework agreement at that time. Customers wishing to explore extending the service and contract options should discuss feasibility questions to the Nowcomm account team no later than 90 days before the scheduled end of contact date. As the the services approaches the end of contract date, the organisation will be off-boarded from the service following Nowcomm's standard model, set out in the previous response and which is provided at no additional cost to the standard service.
At the end of the contract the customer will no longer receive the service and all service features, benefits, access and use will cease. Any retained data still held within the system up to contact end date will be securely deleted by the Nowcomm services team at the end of contract date. Bespoke and customised off-boarding requirements that are desired by the customer and which extend beyond the Nowcomm standard off-boarding service model can be purchased via our additional G-Cloud Service "Nowcomm Specialist Cloud Consultancy Services".

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Cisco Duo is designed to work on a variety of platforms including desktop operating systems and mobile operating systems. These include, Windows, MacOS, iOS and Android. The service is consistent and uniformed across the supported devices. Duo has the added features that should a mobile device be lost or out of power, the service offers an additional user security validation service over a standard secured PSTN phone line service.
Service interface
Yes
Description of service interface
A web based service management portal for configuration and user provisioning, day to day management, reporting and service usage and for application configuration policy enforcement is provided.

Cisco Duo offers dashboard views, granular end user and end device visibility, such as versions of end user device operating system, and associated vulnerabilities, risks and patching or update requirements.

These actionable dashboards built into Cisco Duo enable streamlined management and efficient support of the service across all end users.
Accessibility standards
WCAG 2.1 AAA
Accessibility testing
All assistive interface testing has been performed by Cisco who are the manufacturer of the cloud software service. Assistive testing details can be provided from Cisco on request.
API
Yes
What users can and can't do using the API
Cisco Duo is a highly expansive solution to protect any on premise or cloud application or web service.
For Example the Duo Auth API is a low-level, RESTful API for adding strong two-factor authentication to your website or application.
Additionally, developers and integrators can use Duo Security’s Web SDK to easily integrate with Drupal, Splunk, Confluence, Jira, Shibboleth and more. Duo also offer client libraries for Python, Ruby, Classic ASP, Java and more.
Please refer to the API documentation section of the Cisco Duo for full details. Information can be found at:
https://duo.com/product/remote-access/remote-access-integrations
and
https://duo.com/docs/authapi .
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
System Administrator can customise the aesthetics and user interface of the solution by importing their own company logo, graphics and organisational messages into the service (dashboards, user application interface, emails and system messages, system alerts etc.).

Scaling

Independence of resources
Cisco have designed a global platform with significant excess capacity to handle ongoing growth in demand. Performance of Cisco Duo continues to operate with up-time in at least the high 99.98%. For more details visit https://www.cisco.com/c/en/us/support/web/cloud-status.html.

Cisco operate through a validated design guide detailing system maximum's and minimums to enable customers to scale, adhering to many industry standards including ISO 9001 and 27001.

Nowcomm perform our service delivery model based on ITIL v4 framework. Our service and support teams are scaled to respond to the needs of our customers of various sizes across both the public and private sector.

Analytics

Service usage metrics
Yes
Metrics types
Duo provides metrics for a number of elements, authentications success and failure, location of authentication, end point information such as versions of operating systems and authentication sources such as browser used and versions

Bespoke interpretation and advisory services to assist with understanding of service usage and reporting data that are desired by the customer can be purchased via our additional G-Cloud Service "Nowcomm Specialist Cloud Consultancy Services".
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Cisco

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Customers export data is performed via the manufacturer options available within the management portal. Exporting of data is provided to the customer on both a self service and as required basis. No charge or restrictions of the export of data is enforced by Nowcomm. Data is not hidden, restricted or locked from end users that hold the correct service access privileges. Data, reports and logs will be available for export from the service in the formats and options supported by the manufacturer, Cisco. Available data formats may be subject to change by the manufacturer from time to time.
Data export formats
  • CSV
  • Other
Other data export formats
  • HTML
  • PDF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Nowcomm are providing a service built on a global cloud infrastructure from the manufacturer Cisco and as such are beyond our control. Any Service Level Agreements (SLAs), availability guarantees and any service credit models will form part of the manufacturers terms, which may change from time to time and can be found at: https://www.cisco.com/c/en/us/about/legal/cloud-and-software/cloud-terms.html.
Approach to resilience
Available on request.
Outage reporting
Service outages are reported in a variety of ways. High level public dashboards of Cisco cloud services can be viewed at https://www.cisco.com/c/en/us/support/web/cloud-status.html.
Further detailed service outage information may be available to customers via their specific service portal access.
Automated email alerts and progress updates of a range of possible service outages or service matters are provided for each Cisco cloud service.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Access management is controlled and restricted via secure role-based access controls coupled with the Duo MFA service on a per user basis. This allows the configuration of system access and permissions to be set based on the designated role of the individual user, ensuring only the agreed specific tasks can be performed across the Cisco Duo Multi-factor Authentication cloud service.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
Nowcomm is a Cyber Essentials Plus certified organisation and follows the processes set out within it. Nowcomm are actively working towards ISO 27001 certification with our auditors and we have implemented the policies, processes and controls within the guidelines as we progress to formal certification.
Information security policies and processes
Nowcomm are an accredited Cyber Essentials Plus organisation and have adopted and incorporate key processes and procedures set out within ISO27001 and ISO9001 and ISO14001 standards. Nowcomm ensure our business services and operational delivery model processes including our security polices are performed within a structure of continual improvement and review. This includes regular internal audits and annual external audits from qualified third party organisations of our policies and processes.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes and configuration management follow ITIL V4 standards.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Potential vulnerabilities are identified via proactive, continual review and analysis. This combines Nowcomm's own vulnerability scans of systems and services with threat data from a variety of third party sources including but not limited to Cisco Talos, Cisco TAC, Microsoft, ATT Cybersecurity, Qualys, Google and Symantec.
Identified vulnerabilities are reviewed on the basis of risk and impact.
Standard system patching for low risk and ongoing items is performed monthly.
High risk or high impact vulnerabilities may require high priority patching within 7 days.
Items identified as critical risk or critical impact may require emergency patching, e.g. within 24 hours.
Protective monitoring type
Undisclosed
Protective monitoring approach
All external facing services are subject to monthly vulnerability scans. Standard patching policy is monthly, with critical patching being performed sooner including within the day if deemed necessary to protect the customer as part of our 24/7/365 operations. Nowcomm obtain continual vulnerability information and alerts from many third parties including Cisco Talos, Cisco TAC, Microsoft and AT&T Cybersecurity. We use independent third party scanning engines to correlate all known CVE's, enabling our experts to establish impact for all managed assets scanned. Additional proactive vulnerability protection can be purchased under the "Nowcomm Monitor, Manage, Support and Optimise" G-Cloud service if required.
Incident management type
Supplier-defined controls
Incident management approach
Nowcomm operates both proactive and reactive response services. All service requests and incidents to Nowcomm are logged via the Nowcomm Network Operation Centre with a unique case reference number and tracked from triage through to resolution via our service desk platform. Customers are encouraged to report incidents via email or telephone.

Nowcomm operate a pre-approved process / change model for certain tasks. However, bespoke customer requirements can also be designed and implemented depending on the organisation’s needs.
Reports are provided via email in either HTML or PDF format. Major incident reports are provided within 48 hours of the incident resolution.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£2.30 a licence a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
A 14 day full feature trial is available. Trials are subject to availability and maybe for a limited number of users /devices only.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@nowcomm.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.