惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
F
Fortinet All Blogs
U
Unit 42
F
Full Disclosure
雷峰网
雷峰网
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog
The Cloudflare Blog
Last Week in AI
Last Week in AI
罗磊的独立博客
D
DataBreaches.Net
C
Check Point Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
O
OpenAI News
C
CXSECURITY Database RSS Feed - CXSecurity.com
aimingoo的专栏
aimingoo的专栏
S
Security @ Cisco Blogs
大猫的无限游戏
大猫的无限游戏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Hacker News
The Hacker News
Webroot Blog
Webroot Blog
Security Latest
Security Latest
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
酷 壳 – CoolShell
酷 壳 – CoolShell
N
News | PayPal Newsroom
P
Proofpoint News Feed
B
Blog RSS Feed
MongoDB | Blog
MongoDB | Blog
C
Cybersecurity and Infrastructure Security Agency CISA
N
News and Events Feed by Topic
Google Online Security Blog
Google Online Security Blog
H
Help Net Security
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
I
Intezer
Application and Cybersecurity Blog
Application and Cybersecurity Blog
M
MIT News - Artificial intelligence
Vercel News
Vercel News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
IT之家
IT之家
MyScale Blog
MyScale Blog
腾讯CDC

The Duo Blog

Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Simplify compliance with MFA, device trust, and policies
Olauhdo Stubbs · 2026-03-11 · via The Duo Blog

Product & Engineering

The four questions every compliance framework asks

Olauhdo Stubbs

6 minute read

I recently presented a webinar called "Compliance Made Simple with Cisco Duo for Public Sector." The audience included government IT teams, K-12 technology leaders, and law enforcement agencies.

These organizations share something in common with small and mid-size businesses: limited staff, strict requirements, and users who don't want security slowing them down.

As I prepared for that session, I realized the compliance challenges public sector teams face are nearly identical to what SMBs experience: whether you handle payment card data, work with government agencies, support healthcare patients, or simply need to satisfy your cyber insurance provider, the requirements all come down to the same four questions.

The barriers to success are the same. And the solutions that work are the same.

Ready to see how Duo simplifies compliance for your organization? Start your free trial and experience it yourself.

Every compliance framework asks the same four questions

Strip away the jargon and every compliance requirement asks:

  1. Who is the user?

  2. What device are they on?

  3. What policy applies?

  4. Can you prove it?

No matter how many pages the compliance document contains, it always comes back to these four. The rest is formatting.

When I share this with IT administrators, I see relief on their faces. Compliance feels overwhelming because the documents are written in language that looks like English but somehow isn't. Breaking it down to four questions makes the path forward clear.

Once you understand the four questions, you need controls to answer them. I organize these into three components:

  • Identity controls

  • Device controls

  • Access policies with audit capabilities

1. Identity controls answer "who is the user"

Compliance frameworks now require multi-factor authentication (MFA) for both privileged and non-privileged users. Static passwords alone no longer meet modern compliance standards. MFA is not optional for regular users. It is required for everyone who accesses sensitive systems.

Cisco Duo addresses identity requirements through a wide range of authentication methods.

  • Duo Push provides fast, familiar authentication for smartphone users, with options for number-matching and proximity-based verification.

  • Hardware tokens serve field workers and anyone without a smartphone.

  • Time-based one-time passwords (TOTP) and FIDO2/WebAuthn support offer additional options based on your security requirements against replay resistance.

See how Duo aligns with NIST 800-63-3 AAL2/AAL3 requirements for phishing-resistant authentication.

The adoption piece is also critical here. I've seen MFA rollouts fail because users fought the change. Duo succeeds because it stays out of the way. Duo Push takes seconds, and the experience feels familiar. If your MFA solution requires a 40-page deployment guide and a week of training, adoption is already in trouble.

2. Device controls answer "what device are they on"

Compliance frameworks now require endpoint validation and patching verification before granting access, making device trust essential. Auditors increasingly ask about endpoint posture, and "we authenticated the user" is no longer a complete answer.

Duo Device Health checks operating system version, patching status, encryption, and screen lock settings at every login. When a device doesn't meet requirements, Duo guides users to fix the issue themselves. This "self-remediation" process means fewer help desk tickets for IT teams already stretched thin.

This also solves a common problem for organizations dealing with bring-your-own-device (BYOD) environments. You can't install mobile device management (MDM) software on personal devices, but you're still responsible when those devices access your network. Duo validates device posture without requiring MDM installation. Users keep control of their personal devices while you maintain visibility into security posture.

3. Access policies and audit controls complete the picture

Compliance frameworks don't just ask whether you authenticated someone; they ask under what conditions. This is where context-based access policies become essential.

Duo lets you apply policies based on user role, device type, location, and network. A contractor accessing sensitive data from an unmanaged device might face stricter requirements than a full-time employee on a company laptop. With Duo, you define the rules based on your risk tolerance.

The audit piece completes the picture. At some point, someone will ask: who accessed this system, from where, on what device, and under what policy? Duo logs all authentication events with this detail. During an audit, you pull the report. During a security incident, you investigate quickly instead of reconstructing events from scattered sources.

When I ask customers why they chose Duo, the answer isn't technical. They tell me their users didn't fight it, their help desk tickets went down, and their audits got easier. For a small IT team, this matters more than any feature list.

Simplify compliance for your organization

I genuinely believe Duo makes the compliance journey simpler for organizations of any size. I've seen it work for public sector teams with the strictest government requirements and the smallest staff. The same approach works for small and mid-size businesses facing similar challenges.

The frameworks all ask the same four questions. The controls break down into three manageable components. And Duo deploys in hours, not weeks.

For a deeper dive into the four questions every auditor asks, watch the full replay of my webinar, Compliance Made Simple with Cisco Duo.

Start your free trial of Cisco Duo and see how Duo helps simplify compliance for your organization.

What IT administrators ask about compliance

What compliance frameworks require multi-factor authentication?

Most major compliance frameworks now require MFA for all users, not just administrators. These include CJIS (Criminal Justice Information Services) for law enforcement, NIST (National Institute of Standards and Technology) guidelines for government contractors, CMMC (Cybersecurity Maturity Model Certification) for defense suppliers, PCI DSS 4.0 (Payment Card Industry Data Security Standard) for organizations processing credit cards, and FFIEC (Federal Financial Institutions Examination Council) guidelines for financial institutions. Many cyber insurance policies also require MFA as a condition of coverage.

How do I simplify compliance for a small IT team?

Focus on the four questions every framework asks: who is the user, what device are they on, what policy applies, and can you prove it. Choose tools that address these questions without requiring dedicated expertise to manage. Duo deploys in hours and reduces help desk tickets rather than increasing them.

What is device trust and why does it matter for compliance?

Device trust means validating that a device meets security requirements before granting access to sensitive systems. Compliance frameworks now require endpoint validation including patching status and encryption. Duo Device Health checks these factors automatically at each login without requiring MDM installation on personal devices.

What is the difference between MFA and two-factor authentication?

Two-factor authentication (2FA) requires exactly two factors to verify identity. Multi-factor authentication (MFA) requires two or more factors. In practice, the terms are often used interchangeably, though MFA can include additional factors for higher security environments.

How does Duo handle compliance logging and audit requirements?

Duo logs all authentication events including user identity, device information, location, and which policy was applied. These detailed logs help you answer auditor questions about who accessed systems and under what conditions. During security incidents, the same logs enable faster investigation and response.