Duo. After Cisco bought out Duo, however, they did not like our original contract. Now our CISO is telling us to explore Microsoft. 65k+ staffed company.
The problem I’ve had with Duo is that a user counts towards a license just by existing within your Duo tenant (correct term?). Meaning that even if the user has no devices associated and cannot perform 2FA, they still have a cost.
I found it eye-opening when they talked about Duo SSO (their own identity provider, think ADFS). I may be wrong, but my thought was “okay, but Duo is cost restrictive to us, are you saying we need to onboard everyone just so they can get to internally federated applications?”. Didn’t feel great.
If you look at their directory synchronization tool, it’s the same thing: it will onboard users no problem, but you pay for those users the moment the account exists.
I have no problem saying everyone should have to perform MFA, but if you MFA all your ingress points and highly sensitive data, paying for everyone who may not require or use it is a waste of money.
What we did was an opt-in approach. You register on your own time via an on-premises portal that uses their API to register the user and their device. If you don’t do that and end up needing it externally, well, too bad. In extreme scenarios we can admin-register a user.
Yes and no. The people that truly keep the lights on for critical systems I think are more insulated. I deal with Active Directory (and Azure to an extent). I’m one of two engineers that are attuned to what is going on in AD in a 65k+ staffed company. I do other things than AD, but it needs care and feeding.
AD is going to stick around for a lot longer and may end up in that COBOL state where companies have it for critical things but there are few who truly understand how to work it.
Everyone else may end up in a DevOps-esque role. Then you have the scope of the industry too. I think this article overblows the premise it puts forth.