Aug 27 2024
Security

Identity and Access Management Solutions Bolster Higher Ed Security

Multifactor authentication and single sign-on solutions keep universities protected from cybercriminals.

Ray Stanley, vice president and CIO at Marian University in Indianapolis, knew he needed to shore up the institution’s cybersecurity stance when he couldn’t get an insurance policy without making some changes.

“We were looking at our cyber insurance requirements,” Stanley says. “We got to a point where we had to have multifactor authentication, or we weren’t going to get insurance.”

His main driver, however, was larger than insurance.

“We needed to protect the assets of the university,” he says. “We had already been improving our security posture with other tools, and MFA was the next step.”

Multifactor authentication and its companion solution, single sign-on, are components of identity and access management, an approach that seeks to better control who is on a network and what they can access. MFA requires that users identify themselves with more than a login and password; factors can include biometrics (such as a fingerprint or face recognition scan), location information, a physical smartcard or security key, or a simple tap on an authenticated device.

SSO allows people to log in to a system with one set of credentials to access multiple applications. Both solutions typically provide high visibility to administrators, so they can easily add and remove users and give them access to only the tools and information for which they are authorized.

These technologies are now considered essential elements of a zero-trust environment, meant to keep universities and their constituents safe from bad actors.

“Many universities have been using these types of identity and access management technologies for a long time, but there are a couple of things that are changing simultaneously,” says Jesse Goldhammer, managing director in Deloitte’s cyber and strategic risk practice. “One is that the threats that universities face are getting a lot more sophisticated. The other is that university technologies are often using a mix of on-premises and cloud resources. And for the most part, they are highly decentralized, making it a lot more complex to use IAM tools.”

As Marian and other schools experienced, the complexity of the overall IT environment is just one factor in a successful MFA and SSO rollout.

A Successful MFA and SSO Rollout Requires Campuswide Support

Stanley began his journey to MFA by surveying what his colleagues were doing.

“We have 32 Independent Colleges of Indiana schools, and almost everyone was using Cisco Duo,” he says. “We’re a Cisco shop. We use Cisco products very heavily in our switching, access points, routers and firewalls. It made sense to go with Cisco. The pricing was right for us, as well as the integration.”

The school first launched Duo’s MFA solution to 1,400 faculty and staff members.

“I introduced the concept at a faculty assembly, and I got pushback at first,” Stanley says. “I explained that they were already using MFA every day, when they log in to their bank accounts or when they get a text and have to enter a code. I also addressed their concerns and configured Duo so that you authenticate once and you’re set for the entire day.”

Stanley continues, “After those initial steps, we got it rolled out very quickly without much broken glass. There were a ton of questions the first week. Once those were resolved, the rollout was uneventful. Everything worked like it should.”

After six months, Stanley and his team applied the Duo solution to the university’s 4,000 students.

“It’s a lot of communication in the beginning,” he says. “Self-registration took a while. Overall, I really thought that was going to bring in a lot more questions, but it just wasn’t an issue.”

Stanley considers the university’s MFA solution to be a major improvement in its security posture.

“MFA took our security grade from a C to a B-plus,” he says. “Network segmentation took us from a B-plus to an A-minus, and endpoint protection took us from an A-minus to an A. We’re at the point now where we’re looking at zero trust as a next step in cybersecurity.”

University of Notre Dame Streamlines MFA Use

While the University of Notre Dame has been using MFA for system administration staff since the mid-2000s, the school greatly expanded its use in 2015.

“We wanted to combat the advancement of cybersecurity threats at the time. During our initial implementation, we decided that the best thing to do was to deploy MFA broadly instead of just for a narrow population or privileged accounts,” says Michele Decker, director of identity and access management at Notre Dame.

Her team paired up with several cross-departmental working groups to communicate the changes to the university population.

“We had a great change management team,” Decker says. “They actually produced a little film and took it all across campus.”

Several years ago, the university moved to Okta as its MFA solution. As in 2015, the team had to move users over to the new system by preparing everyone and holding enrollment fairs.

Okta’s MFA solution is adaptive, a feature that Decker appreciates as threats continue to become more sophisticated.

“It builds a profile of every user, so it can detect anomalies,” she says. “It knows your typical location and hours of the day when you log in. If you log in from another state or place in the world, it will flag that and step up the authentication.”

Even with adaptive profiles, Decker’s team at Notre Dame continues to build additional security into the system.

“Now we’re working on things like deprecating some of the factors that are not as resilient, including SMS and voice calls, and taking advantage of tools such as Device Trust, where people register their devices with the university,” Decker says. “We’re trying to remove those unreliable factors as much as possible.”
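
The adaptive behavior described above, combined with retiring SMS and voice as step-up factors, can be sketched as a small policy function. This is an added illustration, not Okta's or Notre Dame's implementation; the Profile and Login types, the factor names and the sample users are all hypothetical.

```python
from dataclasses import dataclass

DEPRECATED = {"sms", "voice"}  # factors the article calls less resilient

@dataclass
class Profile:              # hypothetical per-user baseline
    usual_regions: set
    usual_hours: range      # hours of day normally seen
    registered_devices: set
    enrolled_factors: set

@dataclass
class Login:                # hypothetical sign-in event
    region: str
    hour: int
    device_id: str

def anomalies(profile, login):
    """Return the ways this sign-in departs from the user's baseline."""
    found = []
    if login.region not in profile.usual_regions:
        found.append("unfamiliar_location")
    if login.hour not in profile.usual_hours:
        found.append("unusual_hour")
    if login.device_id not in profile.registered_devices:
        found.append("unregistered_device")
    return found

def decide(profile, login):
    """Allow a normal sign-in; otherwise demand a non-deprecated factor."""
    reasons = anomalies(profile, login)
    if not reasons:
        return {"action": "allow", "reasons": [], "factors": []}
    strong = sorted(profile.enrolled_factors - DEPRECATED)
    if not strong:
        # Only SMS/voice enrolled: do not fall back to them for a risky login.
        return {"action": "deny_and_enroll", "reasons": reasons, "factors": []}
    return {"action": "step_up", "reasons": reasons, "factors": strong}

# Constructed sample data, not taken from any real deployment.
ALICE = Profile({"IN"}, range(7, 20), {"laptop-01"}, {"sms", "push", "security_key"})
BOB = Profile({"IN"}, range(7, 20), {"laptop-02"}, {"sms"})

if __name__ == "__main__":
    for who, event in [(ALICE, Login("IN", 9, "laptop-01")),
                       (ALICE, Login("CA", 9, "laptop-01")),
                       (BOB, Login("CA", 3, "phone-x"))]:
        print(decide(who, event))
```

The third case shows why factor deprecation needs an enrollment path: a user with only SMS enrolled has nothing acceptable to step up with.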

Photography by Aaron Conway