How Colleges Are Securing Mobile Devices with VDI and Two-Factor Authentication
When Louise Finn joined Loyola University Maryland six years ago, “things were still pretty basic,” she says, as far as enabling technologies go.
Very few people had Internet-enabled mobile phones, and those who did were using them for little more than checking institutional emails, says Finn, Loyola’s chief information officer and associate vice president of technology services. Security concerns were so new that anyone logging in to the university system could see both internal and outward-facing content. In fact, one of Finn’s first jobs was putting that internal information behind a portal that required authentication.
More Devices, More Data, More Security
Fast-forward to today, and the technology environment at Loyola — and pretty much everywhere else — has grown vastly more complicated. Administrators, faculty members and students access Loyola information through university-owned computers, their own computers, smartphones and other devices.
Finn now finds herself leading an effort to create a system that will ensure that each individual can access the information he or she is supposed to access, from a variety of devices, while maintaining the security of the system.
Personal devices, in particular, bring unique security risks, since university information can be downloaded and “once it’s on your personal device, we have no control over it,” Finn says.
As a solution, Loyola created a virtual desktop infrastructure (VDI), accessible through a single sign-in that requires both strong authentication and a user name. VDI offers a secure computing environment and enables IT to control user access to data that shouldn’t be downloaded onto unmanaged devices. Access to highly sensitive systems, such as medical records or performance evaluations, requires additional authentication and specific privileges.
“Some of these internal systems need to be more secure than others,” says Finn, who is now creating a matrix of security levels for information and individuals.
Two-Factor Authentication Done Right
Additional security is provided through a two-factor authentication system that basically works like this: A person logs in to the virtual system using his or her usual user name and password, receives a one-time passcode on his or her phone, and then enters the passcode to complete the login. Much like an ATM card that can be used only with a specific PIN, Finn says Loyola’s system can’t be breached by anyone who has stolen either a passcode or a phone.
The two-factor authentication system, Duo, requires that an application be installed on a mobile phone and that the phone be enrolled in order to receive passcodes via SMS. Duo was created through a partnership between Duo Security and Internet2, a member-owned technology community that also operates InCommon, an organization creating a common network of trust services for research and higher education institutions.
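The login sequence described above (password first, then a one-time passcode delivered to the enrolled phone, each code usable once) as an added Python example; this is not Loyola's or Duo's code, and the in-memory user store, the `sent_sms` list standing in for an SMS gateway, the two-minute code lifetime and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120     # assumed code lifetime
MAX_OTP_ATTEMPTS = 3      # assumed guesses allowed per issued code


class TwoFactorLogin:
    """Simulated two-step login: password check, then a one-time SMS passcode."""

    def __init__(self):
        self.users = {}      # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}    # username -> {"code", "expires", "attempts"}
        self.sent_sms = []   # (phone, code) pairs; stand-in for an SMS gateway

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password, phone):
        """Register the user's password hash and the phone that receives codes."""
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "phone": phone}

    def start_login(self, username, password, now=None):
        """Step 1: verify the password; only then issue and 'send' a fresh code."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            return False                     # wrong password: no code is ever sent
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        self.sent_sms.append((user["phone"], code))
        return True

    def finish_login(self, username, code, now=None):
        """Step 2: accept the code once, within its lifetime, within the guess limit."""
        now = time.time() if now is None else now
        p = self.pending.get(username)
        if p is None:
            return False                     # nothing pending (or code already used)
        p["attempts"] += 1
        if now > p["expires"] or p["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[username]       # expired or too many guesses: discard
            return False
        if not hmac.compare_digest(p["code"], code):
            return False
        del self.pending[username]           # single use: a captured code cannot be replayed
        return True
```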
Jack Suess, CIO and vice president of IT at the University of Maryland, Baltimore County, is chairman of the InCommon steering committee. “One of the real challenges that has been identified is that people are not good at managing passwords across multiple systems,” Suess says, noting that users often employ obvious passwords, fail to change them, or use the same password across multiple systems — all of which pose security risks.
The Duo system eliminates that issue by creating a fresh code each time. “If your computer has gotten compromised and someone is capturing your keystrokes, by having this alternate way of connecting that isn’t in your computer, the keystroke logger can’t control your phone,” Suess says.
Jason Youngers, associate director for information security and compliance at Loyola, says Duo is currently in use by some administrators on his campus. Eventually, it will be rolled out to other administrators, then to faculty members and possibly to students.
Balancing BYOD with Security
Youngers acknowledges that security concerns have changed since the early 2000s. Today, malware is more likely to be pulled down from the web by a browser, an action that requires no inbound connection to a computer, just normal Internet access. After clicking on ads or going to compromised web pages, users may later find that data has been stolen from their computers, or their computers have been used as a foothold for further attacks against the university.
Loyola is “getting pretty good at patch management” for university-owned computers, Youngers says, referring to myriad security updates that protect the university’s systems. But ensuring the appropriate patches are on all of the personal devices that end up on campus is a difficult problem.
The university still doesn’t trust personal devices, Youngers says, but “we’ve set up a system where we don’t have to.” VDI ensures the university’s computing environment is “pretty well protected and lets users operate with any device they want.”