Educause Security Discussion mailing list archives

Re: MFA requirement for faculty


From: Tina Thorstenson <Tina.Thorstenson () ASU EDU>
Date: Wed, 12 Sep 2018 19:29:59 +0000

We have deployed MFA for all faculty, staff, and student workers when they connect to any enterprise university service.

    >   • Did you require it everywhere, or have exempt locations?  Like on your campus network, perhaps. 
We require it for all faculty, staff, and students in all locations at all times.
    >   • Did you allow devices to be “remembered?”
Yes, 7 days
    >   • Was there any blowback from “helicopter parents” that were used to accessing their “child’s” account?
Yes, we redirected them to our parent services.
    >   • If yes to #3, how did you deal with it?

Tina


On 9/12/18, 12:23 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Cam Beasley" <SECURITY () LISTSERV 
EDUCAUSE EDU on behalf of cam () UTEXAS EDU> wrote:

    
    1 - yes for all central ID usage (for active faculty/staff/students) in all web services/applications — coming in 
Spring (partially rolled already)
    2 - yes, 30-days
    3 - yes, we use this option for those scenarios (http://eproxy.utexas.edu/)
    4 - see 3
    
    ~cam.
    
    
    
    --
    Cam Beasley
    Chief Information Security Officer
    Information Security Office
    The University of Texas at Austin
    security () utexas edu | 512.475.9242
    http://security.utexas.edu
    =======================================
    
    
    
    
    > On Sep 12, 2018, at 1:49 PM, Jackson, William <WJackson () FLAGLER EDU> wrote:
    > 
    > 1.       No. Only staff and faculty accessing remote services must have Duo Security MFA. This is for the Remote 
Desktop and VPN.
    > 2.       No remembered devices allowed. The thought is that if the device is stolen the MFA protects the remote 
assets.
    > 3.       N/A
    > 4.       N/A
    >  
    > 
    > William M. Jackson Jr.
    > Director of Network and Desktop Support Services
    > 
    > Flagler College
    >  
    > Office Line: 904.819.6310
    > Mobile Line: 904.814-7877
    > Email: wjackson () flagler edu
    > 
    > Support Line: 904.819.6293
    > Support Email: support () flagler edu
    > Support Page: support.flagler.edu
    > 
    >  
    > From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, 
Sean
    > Sent: Wednesday, September 12, 2018 1:47 PM
    > To: SECURITY () LISTSERV EDUCAUSE EDU
    > Subject: Re: [SECURITY] MFA requirement for faculty
    >  
    > 1.       Yes, it is required regardless of physical/network location.
    > 2.       Yes, for a longer period than I would like, but it has dramatically reduced complaints during the enrollment/familiarization process… :)
    > 3.       N/A – we do not currently require students to use MFA (we do however require student employees to use 
MFA).
    > 4.       N/A
    >  
    > And to Harvard’s original question, we require use of MFA by faculty (including adjuncts) for all of our major 
systems (ERP, LMS, Email, etc.)
    >  
    > Good luck with your implementations!
    >  
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > Sean Hagan
    > Chief Information Security Officer
    > Yavapai College
    > (928) 717-7651 – direct
    > https://www.yc.edu
    >  
    >  
    >  
    > From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of McClenon, 
Brady
    > Sent: Wednesday, September 12, 2018 10:37 AM
    > To: SECURITY () LISTSERV EDUCAUSE EDU
    > Subject: Re: [SECURITY] MFA requirement for faculty
    >  
    > For those that rolled out MFA:
    >  
    >   • Did you require it everywhere, or have exempt locations?  Like on your campus network, perhaps.
    >   • Did you allow devices to be “remembered?”
    >   • Was there any blowback from “helicopter parents” that were used to accessing their “child’s” account?
    >   • If yes to #3, how did you deal with it?
    >  
    >  
    >  
    > Brady McClenon
    > IT Security Administrator
    > ITS – IT Security
    > SUNY Oneonta
    >  
    > Information Security is Everyone’s Responsibility!  Learn more at http://staysafeonline.org/ncsam/
    >  
    >  
    >  
    >  
    > From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, 
Martin
    > Sent: Wednesday, September 12, 2018 1:28 PM
    > To: SECURITY () LISTSERV EDUCAUSE EDU
    > Subject: Re: [SECURITY] MFA requirement for faculty
    >  
    > As far as Azure AD MFA, and the lack of token support, our experience was similar to Chris’s. Out of nearly 16k 
student enrollments, we had less than a dozen who requested exemption based on not having a device to receive the second 
factor. We limited our rollout to students only.
    >  
    > Anyone whose account was compromised as a result of social engineering, regardless of their affiliation, is 
enrolled.
    >  
    > FAC/STAFF can request enrollment, but we haven’t mandated it yet.
    >  
    > BTW, here’s an article on 2-Step Login (our branding of MFA) that appeared in the last issue of our student 
press. [1]
    >  
    > Marty Manjak
    > CISO
    > University at Albany
    >  
    > [1] http://www.albanystudentpress.net/opinion-two-step-verification-long-overdue/
    >  
    > From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gregg, 
Christopher S.
    > Sent: Wednesday, September 12, 2018 10:47 AM
    > To: SECURITY () LISTSERV EDUCAUSE EDU
    > Subject: Re: [SECURITY] MFA requirement for faculty
    >  
    > We require MFA for all users (faculty, staff, and students) for Office365, Banner and a couple of other 
applications.  Adding MFA to other higher risk systems is in the works for this year.
    >  
    > We had executive support to include all users, and the rollout went smoother than I anticipated.  We’re using 
Microsoft Azure AD MFA which doesn’t support hardware tokens (yet) so we did need to exempt a small population of about 
40 users who didn’t have a cell phone, and couldn’t use a desk phone as their 2nd factor.  I expected we might get a 
run on people saying they didn’t have a cell phone if they thought it would get them out of MFA, but that didn’t really 
happen.  Most of those 40 people were faculty though so you may want to factor that in to your planning.
    >  
    > Thanks,
    >  
    > Chris
    >  
    >  
    > Chris Gregg
    > Associate Vice President of Information Security & Risk Management, CISO
    > Information Technology Services (ITS)
    > csgregg () stthomas edu
    > p 1 (651) 962-6265
    > University of St. Thomas | stthomas.edu
    >  
    >  
    >  
    > From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pitt, 
Sharon
    > Sent: Wednesday, September 12, 2018 9:20 AM
    > To: SECURITY () LISTSERV EDUCAUSE EDU
    > Subject: [SECURITY] Fw: MFA requirement for faculty
    >  
    > Sending to the security list for response.  Harvard, you may want to consider joining this constituent group 
list.  In the meantime, I ask that we copy Harvard on responses.  
    > 
    >  
    > 
    > As a quick response to Harvard, the University of Delaware requires MFA for all users (including faculty) on 
multiple tools, to include anything associated with our ERP and email.  
    > 
    >  
    > 
    > Thanks all!
    > 
    >  
    > 
    > Sharon P. Pitt
    > Vice President of Information Technologies
    > University of Delaware
    > 030 Smith Hall
    > Newark, DE 19716
    > (302) 831-0221
    >  
    > Co-Chair, Higher Education Information Security Council (HEISC)
    >  
    >  
    > spitt () udel edu
    > twitter@sppitt
    >  
    >  
    > 
    > From: The EDUCAUSE CIO Constituent Group Listserv <CIO () LISTSERV EDUCAUSE EDU> on behalf of Harvard Townsend 
<harvard.townsend () WHEATON EDU>
    > Sent: Wednesday, September 12, 2018 10:01 AM
    > To: CIO () LISTSERV EDUCAUSE EDU
    > Subject: [CIO] MFA requirement for faculty
    >  
    > Good morning,
    > We need some help selling multi-factor authentication to our faculty. Quick question - how many of you require 
MFA for faculty? We currently require it for staff and are now moving forward with faculty. Replies to the mailing list 
or directly to me are greatly appreciated. 
    > Regards,
    > --
    > Harvard Townsend
    > Director of Infrastructure & Security
    > Academic & Institutional Technology
    > Wheaton College, IL
    > Office: (630)752-5528
    > 