Security

Identity and Access Management Solutions Bolster Higher Ed Security

Multifactor authentication and single sign-on solutions keep universities protected from cybercriminals.

Erika Gimbel is a Chicago-based freelance writer who specializes in B2B technology innovation and educational technology.

Ray Stanley, vice president and CIO at Marian University in Indianapolis, knew he needed to shore up the institution’s cybersecurity stance when he couldn’t get an insurance policy without making some changes.

“We were looking at our cyber insurance requirements,” Stanley says. “We got to a point where we had to have multifactor authentication, or we weren’t going to get insurance.”

His main driver, however, was larger than insurance.

“We needed to protect the assets of the university,” he says. “We had already been improving our security posture with other tools, and MFA was the next step.”

Click the banner to discover how multifactor authentication helps unlock zero trust.

Multifactor authentication and its companion solution, single sign-on, are components of identity and access management, an approach that seeks to better control who is on a network and what they can access. MFA requires that users identify themselves with more than a login and password; factors can include biometrics (such as a fingerprint or face recognition scan), location information, a physical smartcard or security key, or a simple tap on an authenticated device.

SSO allows people to log in to a system with one set of credentials to access multiple applications. Both solutions typically provide high visibility to administrators, so they can easily add and remove users and give them access to only the tools and information for which they are authorized.

These technologies are now considered essential elements of a zero-trust environment, meant to keep universities and their constituents safe from bad actors.

“Many universities have been using these types of identity and access management technologies for a long time, but there are a couple of things that are changing simultaneously,” says Jesse Goldhammer, managing director in Deloitte’s cyber and strategic risk practice. “One is that the threats that universities face are getting a lot more sophisticated. The other is that university technologies are often using a mix of on-premises and cloud resources. And for the most part, they are highly decentralized, making it a lot more complex to use IAM tools.”

As Marian and other schools experienced, the complexity of the overall IT environment is just one factor in a successful MFA and SSO rollout.

A Successful MFA and SSO Rollout Requires Campuswide Support

Stanley began his journey to MFA by surveying what his colleagues were doing.

“We have 32 Independent Colleges of Indiana schools, and almost everyone was using Cisco Duo,” he says. “We’re a Cisco shop. We use Cisco products very heavily in our switching, access points, routers and firewalls. It made sense to go with Cisco. The pricing was right for us, as well as the integration.”

The school first launched Duo’s MFA solution to 1,400 faculty and staff members.

“I introduced the concept at a faculty assembly, and I got pushback at first,” Stanley says. “I explained that they were already using MFA every day, when they log in to their back accounts or when they get a text and have to enter a code. I also addressed their concerns and configured Duo so that you authenticate once and you’re set for the entire day.”

Stanley continues, “After those initial steps, we got it rolled out very quickly without much broken glass. There were a ton of questions the first week. Once those were resolved, the rollout was uneventful. Everything worked like it should.”

Animation of waves hitting the rocks on a serene beach

After six months, Stanley and his team applied the Duo solution to the university’s 4,000 students.

“It’s a lot of communication in the beginning,” he says. “Self-registration took a while. Overall, I really thought that was going to bring in a lot more questions, but it just wasn’t an issue.”

Stanley considers the university’s MFA solution to be a major improvement in its security posture.

“MFA took our security grade from a C to a B-plus,” he says. “Network segmentation took us from a B-plus to an A-minus, and endpoint protection took us from an A-minus to an A. We’re at the point now where we’re looking at zero trust as a next step in cybersecurity.”

University of Notre Dame Streamlines MFA Use

While the University of Notre Dame has been using MFA for system administration staff since the mid-2000s, the school greatly expanded its use in 2015.

“We wanted to combat the advancement of cybersecurity threats at the time. During our initial implementation, we decided that the best thing to do was to deploy MFA broadly instead of just for a narrow population or privileged accounts,” says Michele Decker, director of identity and access management at Notre Dame.

Her team paired up with several cross-departmental working groups to communicate the changes to the university population.

“We had a great change management team,” Decker says. “They actually produced a little film and took it all across campus.”

Click the banner to gain insights from around higher ed in the 2024 Cybersecurity Report.

Several years ago, the university moved to Okta as its MFA solution. As in 2015, the team had to move users over to the new system by preparing everyone and holding enrollment fairs.

Okta’s MFA solution is adaptive, a feature that Decker appreciates as threats continue to become more sophisticated.

“It builds a profile of every user, so it can detect anomalies,” she says. “It knows your typical location and hours of the day when you log in. If you log in from another state or place in the world, it will flag that and step up the authentication.”

Even with adaptive profiles, Decker’s team at Notre Dame continues to build additional security into the system.

“Now we’re working on things like deprecating some of the factors that are not as resilient, including SMS and voice calls, and taking advantage of tools such as Device Trust, where people register their devices with the university,” Decker says. “We’re trying to remove those unreliable factors as much as possible.”

LEARN MORE: Why are colleges and universities slow to adopt zero trust?

Balancing Security with Usability in Higher Education

“There’s an old adage in the cybersecurity world that the perfectly secure system is also an entirely unusable one,” says Goldhammer. “To paraphrase, if you don’t have to worry about security anymore, it’s very hard to use that system.”

What’s better, he continues, is when security disappears into the background.

“Giving faculty, students and staff tools to make them more productive and do their research or their jobs is the most powerful solution,” Goldhammer says. “Schools need to embrace the mindset that, yes, we can be secure, and we can also create a great user experience.”

One way Notre Dame’s identity and access management team achieves this is by working with representatives from a wide range of departments to create policies for specific use cases.

“Just knowing your populations helps you better balance security. You don’t want to make it too difficult on your users,” says Decker.

For example, some students may be logging on from international locations or trying to access campus networks from unfamiliar browsers.

“Different departments can say, my group needs this, or my group does that. Since we have a lot of flexibility with our IAM solutions, we can write those scenarios into our sign-in policies, which we couldn’t do before,” Decker says.

Photography by Aaron Conway