Multifactor Authentication Report From the Field
Why Multifactor?
- Passwords are not enough
- User education about phishing and other social engineering attacks: not completely effective
- Consequences of breaches becoming more severe (fines, ID protection costs, reputation damage, legal and forensic costs)
- Multifactor is currently the most effective defense against compromised accounts
Multifactor Requirements
- Secure
- Easy to use
- Platform agnostic
- Flexibility regarding second factor (not everyone has a smart phone)
- Administrative and support overhead can be managed with current staff
The Real Challenge
How to sell multifactor to your institution…
- Get buy-in from the top
- Know your selected product inside and out
- Have a communications plan and create opportunities to give presentations in front of as many campus groups as possible
- Be prepared with easy-to-use self-service documentation as well as knowledgeable phone support backup
Field Report: Medical University of South Carolina
- Academic medical center
- 2,500 students and 10,000 faculty and staff
- Relentless phishing attacks were resulting in compromised accounts (email and VPN)
- Initial focus on increasing user awareness, and on early detection and containment
- Spring 2012: two-factor evaluation and feasibility testing
Strategy and Policy
- Summer 2012: Proposed new policies
  - Two-factor authentication required for remote access to sensitive systems
  - Mobile device management, including BYOD devices if used to access institutional systems (including email via ActiveSync)
- Policy vetting: President's Council, Deans, Faculty Senate, Medical Center leadership…
Oct 2012: SC Department of Revenue Breach
Leadership: Make It Happen
- Draft policies and standards approved
- Vendor selection consummated
  - Two-factor: PhoneFactor
  - MDM: Zenprise
- Project teams organized
- Joint project communications
MUSC: 2 Factor Rollout Plan
- April 2013: 250-person pilot for IT staff
  - What we learned: more communications!
- August: Hire 5 interns/temp personnel
  - Support/enrollment tables
- August-October: Massive communications push
- October 1: "Cut-off" date
- Post go-live: Support minimal
Communications
- 1000 signs across campus
- Focus groups
- Catalyst article
- Facebook page
- MUSC website page
- Tech fairs/student fairs
- MDM/2FA websites
- All-staff emails
- Over 100 presentations to different on-campus groups
- iPad Mini giveaway
Posters & Banners
Help Tables
Newspaper Articles
Surveys & Focus Groups
- Surveys
  - Random survey to 10 students on campus:
    - Do you know what Mobile Device Management is? 0 out of 10 knew what it was.
    - Do you know what 2 Factor Authentication is? 1 out of 10 knew what it was.
- Focus Groups
  - Non-technical users
  - Started with 35-page instructions; ended with 1 page (front and back) after focus groups
Email Campaign
- All-Staff Email
  - From President of MUSC
  - All-staff emails every week for 4 weeks
  - All-staff email for final days
- Targeted Emails
  - To non-compliant users
  - 5 per week for 4 weeks
  - Non-compliance emails: auto-generated
Presentations
- Over 100 presentations
  - Individual administrators
  - Department heads
  - All-staff meetings
  - Town hall meetings
  - "VIP" one-on-one sessions
- Lots of push back at first
  - "This isn't going to happen"
  - "No way I'm doing this"
  - "Why do we have to do this?"
  - Use Compliance in these cases
Lessons Learned
- KNOW the products, inside and out
- Have focus groups before you start
- Have examples ready: 2 Factor demo
- Make sure they know they can't get out of this
- Train your support staff
Lessons Learned: Continued
- Make sure you get approval at the top first.
- Plan on backlash. Prep Legal and Compliance and give them form emails for responses.
- Be readily accessible through a dedicated email address, phone, etc.
- Get it done. Don't put off the deadline. Users will sign up if they have to.
Field Report: Northern Arizona University
- 26,000 students, 3,500 faculty and staff
- Previous two-factor limited to a small number of sys admins and developers (using RSA fobs or software tokens)
- Direct Deposit attack in fall of 2013 led to approval for broader multi-factor use
- Review of available products led to selection of DUO as multifactor solution
Progress
- Test instance of DUO up and running
- VPN replacement project launched (switching from MS PPTP to Cisco AnyConnect)
- Project buy-in from President and Cabinet
- Information Security Committee selected as stakeholder group representing all areas: students, faculty, and staff
- Currently defining levels of assurance (including vetting strategies for each level) and identifying which resources will be protected
Poster Child for Project Management
- Push to establish a PMO within ITS; currently have two staff members
- Multifactor project one of our first projects to take advantage of the new PM structure
- Hoping to avoid mistakes of the past, including communication problems and neglecting to get input from campus stakeholders
Hoped-for End Result https://www.duosecurity.com/duo-push
Let's Hear from You
- Anyone have words of wisdom from a multifactor implementation to share?
- Questions/Comments?