Multifactor Authentication: Reporting from the Field (236876847)

Date post: 03-Jun-2018
Upload: educause

8/11/2019 Multifactor Authentication: Reporting from the Field (236876847)

http://slidepdf.com/reader/full/multifactor-authentication-reporting-from-the-field-236876847 1/23

Multifactor Authentication Report From the Field


Why Multifactor?

Passwords are not enough

User education about phishing and other social engineering attacks - not completely effective

Consequences of breaches becoming more severe (fines, ID protection costs, reputation damage, legal and forensic costs)

Multifactor is currently the most effective defense against compromised accounts


Multifactor Requirements

Secure

Easy to use

Platform agnostic

Flexibility regarding second factor (not everyone has a smart phone)

Administrative and support overhead can be managed with current staff


The Real Challenge

How to sell multifactor to your institution… 

Get buy-in from the top

Know your selected product inside and out

Have a communications plan and create opportunities to give presentations in front of as many campus groups as possible

Be prepared with easy to use self-service documentation as well as knowledgeable phone support backup


Field Report: Medical University of South Carolina

Academic medical center

2,500 students and 10,000 faculty and staff

Relentless phishing attacks were resulting in compromised accounts (email and VPN)

Initial focus on increasing user awareness, and on early detection and containment

Spring 2012: two-factor evaluation and feasibility testing


Strategy and Policy

Summer 2012: Proposed new policies

Two-factor authentication required for remote access to sensitive systems

Mobile device management

Including BYOD devices if used to access institutional systems (including email via ActiveSync)

Policy vetting: Presidents Council, Deans, Faculty Senate, Medical Center leadership…


Oct 2012: SC Department of Revenue Breach


Leadership: Make It Happen

Draft policies and standards approved

Vendor selection consummated

Two-factor: PhoneFactor

MDM: Zenprise

Project teams organized

Joint project communications


MUSC: 2 Factor Rollout Plan

April 2013: 250-person Pilot for IT Staff

What we learned: more communications!

August: Hire 5 interns/temp personnel

Support/Enrollment Tables

• August-October: Massive Communications Push

• October 1: “Cut-off” date

• Post Go-Live: Support Minimal


Communications

1000 Signs across campus

Focus Groups

Catalyst Article

Facebook Page

MUSC Website Page

Tech Fairs / Student Fairs

MDM/2FA Websites

All Staff Emails

Over 100 presentations to different on-campus groups

iPad Mini Giveaway


Posters & Banners


Help Tables


Newspaper Articles


Surveys & Focus Groups

Surveys

Random survey to 10 students on campus:

Do you know what Mobile Device Management is?

0 out of 10 knew what it was.

Do you know what 2 Factor Authentication is?

1 out of 10 knew what it was.

Focus Groups

Non-Technical Users

Started with 35 Page Instructions

Ended with 1 Page Front and Back After Focus Groups


Email Campaign

All-Staff Email

From President of MUSC

All-Staff emails every week for 4 weeks

Targeted Emails

To Non-compliant users

5 per week for 4 weeks

All Staff Email for Final Days

Non-compliance emails: Auto-Generated


Presentations

Over 100 Presentations

Individual Administrators

Department Heads

All-Staff Meetings

Town Hall Meetings

“VIP” One-on-one Sessions

Lots of push back at first

“This isn’t going to happen”

“No way I’m doing this”

“Why do we have to do this?”

Use Compliance in these cases


Lessons Learned

KNOW the products.

Inside and Out

Have Focus Groups Before You Start

Have examples Ready

2 Factor Demo

Make sure they know, they can’t get out of this

Train your Support Staff


Lessons Learned: Continued

Make sure you get approval at the top first.

Plan on backlash.

Prep Legal and Compliance and give them form emails for responses.

Be readily accessible through dedicated email address, phone, etc.

Get it done. Don’t put off deadline. Users will sign up if they have to.


Field Report: Northern Arizona University

26,000 students, 3,500 faculty and staff

Previous two-factor limited to small number of sys admins and developers (using RSA fobs or software tokens)

Direct Deposit attack fall of 2013 led to approval for broader multi-factor use

Review of available products led to selection of DUO as multifactor solution


Progress

Test instance of DUO up and running

VPN replacement project launched (switching from MS PPTP to Cisco AnyConnect)

Project buy-in from President and Cabinet

Information Security Committee selected as Stakeholder group representing all areas, students, faculty, and staff

Currently defining levels of assurance (including vetting strategies for each level) and identifying which resources will be protected


Poster Child for Project Management

Push to establish a PMO within ITS – currently have two staff members

Multifactor project one of our first projects to take advantage of the new PM structure

Hoping to avoid mistakes of the past including communication problems and neglecting to get input from campus stakeholders
