National Cybersecurity Awareness Month (NCSAM) is a good time for the higher education and research community to focus on their information security programs and on educating students, faculty and staff. This focus brings reflections on the improvements made in the last year and planning for the next year.
Deployment of multi-factor authentication (MFA) continues to be one of the key aspects of many campus information security programs, making strong gains across the community as institutions move from basic awareness to widespread deployment. The increasing deployment of MFA advances the NCSAM theme for 2019 of “Own IT. Secure IT. Protect IT.” where campuses continue to improve the protections for their institutions and their community.
Over the last year since our 2018 MFA blog, the EDUCAUSE Core Data Service reported MFA use in higher education has almost tripled for institution-wide deployments of MFA from 6 percent to 17 percent. The NET+ Duo program, in collaboration with Internet2 and Duo Security, now part of Cisco, allows accredited U.S.-based institutions to deploy Duo’s zero-trust security platform broadly, efficiently and cost-effectively. The NET+ Duo program has also grown almost 18 percent in the last year! The 2018 CDS data shows an increase from 73 percent to 92 percent of institutions that are either tracking, planning, have partially deployed or deployed institution-wide MFA on their campus. With this growth, millions more faculty, staff and students are now protected.
As MFA usage has matured, the NET+ Duo service advisory board has discussed gathering additional detailed metrics with the community to drive additional change around implementing and optimizing their deployments. Gathering this additional data will help campus information security teams to drive behavioral change on their campus. This change may mean expanding the specific institution-wide systems covered by campus MFA deployments so that MFA becomes pervasive throughout campuses. More than half of institutions using MFA have deployed it to protect business-critical applications (like financial or HR systems) and IT admin access. Other common uses of MFA on campuses include remote access to IT services and email.
One of the areas of growth over the last year has been smaller campuses and community colleges. These institutions have been able to benefit from the community resources in planning their deployments. During NCSAM in October 2018, Pacific Lutheran University (PLU) joined the NET+ Duo service advisory board and as a smaller campus, they represent this viewpoint in oversight of the program. PLU started their Duo deployment work in 2018 and require all 4,200 of their students, faculty and staff to use Duo to keep personal information and institutional data secure. David Allen, director for enterprise systems at PLU, commented on how accounts are increasingly being targeted by attackers: “The added security by using multi-factor authentication is an increasingly important step to protect accounts if someone mistakenly provides their credentials or has their account compromised. We have found that the impact of deploying MFA broadly has nearly eliminated compromised accounts on campus and reduced the calls to our helpdesk.”
The other aspect of growth has been campuses expanding their existing deployments. During NCSAM 2018, Old Dominion University (ODU) initiated their deployment of MFA via the NET+ Duo program to all faculty and staff and have since expanded to include all students on their campus, totaling over 44,000 accounts being protected. “Adding students into our campus deployment protects their personal information and helps us protect our student accounts from being used to send phishing attacks and scams against other students,” stated Doug Streit, chief information security officer at ODU. As chair of the NET+ Duo advisory board, Streit helps provide oversight and guidance to the Internet2 program.
Expanding deployments to students is one of the developing trends. Where less than 10 percent of campuses are deploying MFA to students for student systems or applications, more and more campuses like ODU and PLU are choosing to protect their students. Students use many of the same systems as faculty and staff, and at times even support sensitive research where they need to use MFA. These students graduate from campuses and come to their employers ready and expecting to use MFA to protect their accounts.
The momentum is building for campuses deploying MFA! Our ask is for you to deploy MFA for all users on your campus to ensure everyone across your institution is protected. While not all users have access to sensitive data, the impact from compromised accounts can be broader than just the individual account. We may be able to help you if your campus isn’t evaluating MFA, if you think your campus doesn’t need MFA, or if additional community resources are needed to aid in broadly deploying MFA across your campus. Please reach out to me if you have any feedback or questions about MFA usage in higher education at [email protected]
Higher education has several community resources around MFA on campuses:
- The EDUCAUSE Information Security Almanac 2019: https://library.educause.edu/resources/2019/4/the-educause-information-security-almanac-2019
- Two-Factor Authentication: Lessons Learned: https://library.educause.edu/resources/2019/1/two-factor-authentication-lessons-learned
- EDUCAUSE Library page: Identity and Access Management: https://library.educause.edu/topics/cybersecurity/identity-and-access-management
- NET+ Duo program: https://www.internet2.edu/products-services/cloud-services-applications/duo-security/
- Internet2 Trust and Identity Infrastructure: https://www.internet2.edu/products-services/trust-identity/
Internet2 will have several sessions at the 2019 Technology Exchange taking place in New Orleans, LA, from December 9-12, where we will convene the community to discuss MFA and many other topics of interest to higher education information security: https://meetings.internet2.edu/2019-technology-exchange/
Duo Security also has several resources for campuses on deploying Duo:
Many campuses have shared their deployment resources with the rest of the community:
- Baylor University: https://www.baylor.edu/its/index.php?id=863033
- Indiana University: https://one.iu.edu/task/iu/duo
- Northwestern: https://www.it.northwestern.edu/security/multi-factor-authentication/
  - Including posters for their campus: https://www.it.northwestern.edu/bin/docs/iso/Cybersecurity-Print-MFA-11×17.pdf
- Old Dominion University: https://www.odu.edu/ts/access/two-factor-authentication
- Pacific Lutheran University: https://www.plu.edu/helpdesk/multi-factor-authentication/
- Penn State University: https://www.identity.psu.edu/services/authentication-services/two-factor/
- University of Maryland Baltimore County: https://wiki.umbc.edu/display/faq/Two-Factor+Authentication+with+DUO
About Internet2: https://www.internet2.edu/about-us/
About EDUCAUSE: https://www.educause.edu/about
About Duo: https://duo.com/about
About the Author
Nick Lewis (CISSP) is a program manager for security and identity at Internet2, where he manages the NET+ security and identity services portfolio, while also contributing to the development of new NET+ offerings in cloud security. Nick rejoined Internet2 in 2015, after previously working there from 2002-2007. Nick has also held positions in information security at the University of Michigan and most recently was director of IT security and compliance and information security officer at Saint Louis University. He has also worked for Children’s Hospital Boston as an information security manager and for Michigan State University as an information technologist. Nick holds master’s degrees in information assurance from Norwich University and telecommunications from Michigan State University.