Multifactor Authentication: Reporting from the Field (236876847)
Transcript of Multifactor Authentication: Reporting from the Field (236876847)
8/11/2019 Multifactor Authentication: Reporting from the Field (236876847)
http://slidepdf.com/reader/full/multifactor-authentication-reporting-from-the-field-236876847 1/23
Multifactor Authentication Report From the Field
Why Multifactor?
Passwords are not enough
User education about phishing and other social
engineering attacks - not completely effective
Consequences of breaches becoming more severe (fines,
ID protection costs, reputation damage, legal and
forensic costs)
Multifactor is currently the most effective defense against compromised accounts
Multifactor Requirements
Secure
Easy to use
Platform agnostic
Flexibility regarding second factor (not everyone has a
smart phone)
Administrative and support overhead can be managed with current staff
The Real Challenge
How to sell multifactor to your institution…
Get buy-in from the top
Know your selected product inside and out
Have a communications plan and create opportunities to give presentations in front of as many campus groups as
possible
Be prepared with easy to use self-service documentation as
well as knowledgeable phone support backup
Field Report: Medical University of
South Carolina
Academic medical center
2,500 students and 10,000 faculty and staff
Relentless phishing attacks were resulting in compromised accounts (email and VPN)
Initial focus on increasing user awareness, and on early
detection and containment
Spring 2012: two-factor evaluation and feasibility
testing
Strategy and Policy
Summer 2012: Proposed new policies
Two-factor authentication required for remote access to
sensitive systems
Mobile device management
Including BYOD devices if used to access institutional systems
(including email via ActiveSync)
Policy vetting: Presidents Council, Deans, Faculty
Senate, Medical Center leadership…
Oct 2012: SC Department of Revenue
Breach
Leadership: Make It Happen
Draft policies and standards approved
Vendor selection consummated
Two-factor: PhoneFactor
MDM: Zenprise
Project teams organized
Joint project communications
MUSC: 2 Factor Rollout Plan
April 2013: 250-person Pilot for IT Staff
What we learned: more communications!
August: Hire 5 interns/temp personnel
Support/Enrollment Tables
August-October: Massive Communications Push
October 1: “Cut-off” date
Post Go-Live: Support Minimal
Communications
1000 Signs across campus
Focus Groups
Catalyst Article
Facebook Page
MUSC Website Page
Tech Fairs / Student Fairs
MDM/2FA Websites
All Staff Emails
Over 100 presentations to different
on-campus groups
iPad Mini Giveaway
Posters & Banners
Help Tables
Newspaper Articles
Surveys & Focus Groups
Surveys
Random survey to 10 students on campus:
Do you know what Mobile Device Management is?
0 out of 10 knew what it was.
Do you know what 2 Factor Authentication is?
1 out of 10 knew what it was.
Focus Groups
Non-Technical Users
Started with 35 Page Instructions
Ended with 1 Page Front and Back After Focus Groups
Email Campaign
All-Staff Email
From President of MUSC
All-Staff emails every week for 4 weeks
Targeted Emails
To Non-compliant users
5 per week for 4 weeks
All Staff Email for Final Days
Non-compliance emails: Auto-Generated
Presentations
Over 100 Presentations
Individual Administrators
Department Heads
All-Staff Meetings
Town Hall Meetings
“VIP” One-on-one Sessions
Lots of push back at first
“This isn’t going to happen”
“No way I’m doing this”
“Why do we have to do this?”
Use Compliance in these cases
Lessons Learned
KNOW the products.
Inside and Out
Have Focus Groups Before You Start
Have examples Ready
2 Factor Demo
Make sure they know they can’t get out of this
Train your Support Staff
Lessons Learned: Continued
Make sure you get approval at the top first.
Plan on backlash.
Prep Legal and Compliance and give them form emails for
responses.
Be readily accessible through dedicated email address,
phone, etc.
Get it done. Don’t put off deadline. Users will sign up if they have to.
Field Report: Northern Arizona
University
26,000 students, 3,500 faculty and staff
Previous two-factor limited to small number of sys
admins and developers (using RSA fobs or software
tokens)
Direct Deposit attack fall of 2013 led to approval for
broader multi-factor use
Review of available products led to selection of DUO as multifactor solution
Progress
Test instance of DUO up and running
VPN replacement project launched (switching from MS
PPTP to Cisco AnyConnect)
Project buy-in from President and Cabinet
Information Security Committee selected as Stakeholder
group representing all areas, students, faculty, and staff
Currently defining levels of assurance (including vetting
strategies for each level) and identifying which
resources will be protected
Poster Child for Project Management
Push to establish a PMO within ITS – currently have two
staff members
Multifactor project one of our first projects to take
advantage of the new PM structure
Hoping to avoid mistakes of the past including
communication problems and neglecting to get input
from campus stakeholders