Hamilton College’s infrastructure and Information Security teams are passionate about providing a smooth and secure information technology experience to faculty, staff, and students. However, as with many small institutions, the teams are spread thin. The designated security resource was only added earlier this year.
Securing a college campus’ information technology environment is no small feat. Security controls are often hard to procure and even harder to deploy. Even if a technical integration goes smoothly, faculty and staff can be hesitant, wary, and even outright resistant to new technology tools — especially when they add an additional step between them and their work.
Due to these frustrations, security can sometimes be implemented too little too late — and this was almost the case at Hamilton. In April 2019, the institution was attacked with a spear phishing campaign. The attack aimed to gather enough personal data about any target that a password reset could be completed fraudulently by leveraging the stolen information to answer security questions. The compromised credentials could then be used to log into a variety of applications holding financial, admissions, and health data.
Fortunately, the IT team and a new Information Security resource were able to remediate the situation quickly and effectively. Nevertheless, the attack threw a spotlight onto ways in which Hamilton’s security posture could be hardened. In particular, by ensuring that even if credentials are compromised there would be another factor required to verify a user before allowing access to institutional assets. Moreover, after verifying users are who they say they are, Hamilton’s team wanted to implement granular access policies, allowing more stringent access based on application sensitivity, employee role, and geolocation.
The phishing attack spurred the Hamilton leadership and IT teams into action. The IT and Information Security teams knew that implementing MFA would be critical to the success of the security project, so they began evaluating vendors.
“Duo was one of the first vendors we looked at and we were impressed off the bat,” noted David Swartz, Network Systems Administrator at Hamilton. Hamilton was using Google Authenticator in front of some applications, but it wasn’t centrally manageable and didn’t provide in-depth authentication reporting. “We knew we needed something more robust.”
The team reviewed a few other MFA providers, and even completed trials with a couple, but Duo provided the broadest application coverage and integrated most simply into Hamilton’s current application environment.
In particular, the team at Hamilton was attracted to some of the granular access controls included with Duo. “We chose Duo because of the role-based access policies, device health visibility and access policies available based on a device’s security posture,” Swartz said. For example, the Hamilton team was interested in leveraging access policy that required devices to meet certain security criteria, like having screenlock enabled or disk-encryption.
The Technical Lift
After deciding on Duo, the Hamilton team began deciding which applications in the environment would be protected first. An easy place to start were applications that contained information relevant to FERPA or HIPPA compliance. “Anything with sensitive student data is considered paramount to protect,” said Swartz.
After setting application priority, the team began integrating Duo into the environment, a task that was made relatively simple due to Duo’s extensive and transparent technical documentation. “One of the things I really liked about Duo from the beginning is that the documentation is both very good and very broad,” Swartz noted.
As an example, Hamilton uses Shibboleth and InCommon federation, an SSO solution particular to higher education. Though not as common in corporate IT, Duo integrated into the environment quickly and simply.
Following Duo’s documentation, Hamilton now protects many of its important faculty and staff systems with MFA, ranging from administrative and admissions applications to grading and even alumni systems.
Deploying Duo to Hamilton Faculty and Staff
Though implementing Duo technically was relatively straightforward, deploying a new security solution to college faculty initially worried the IT and Information Security team. “At first, the faculty had a lot of concerns about the login flow,” said Swartz.
To address concerns, the IT and Information Security teams focused on two primary messages to faculty and staff: why secure access is important generally, and how Duo’s solution would be easy to use.
The IT and Information Security teams visited each department to educate faculty and staff about the new solution. They explained that protecting student data was the core motivation for the project. “We showed faculty how much student data they actually had access to, how that data could be lost, and how two-factor could protect that data,” Swartz notes. Additionally, the team trained faculty on the flexibility of authenticating with Duo since professors can use a variety of methods to perform second factor, from a push notification to a phone callback.
“We rolled it out department by department, and things went incredibly smoothly,” Swartz said. “Once people realized the myriad of authentication options they had nobody pushed back. Once they used Duo, folks were more than fine with the new tool.”
Even in rare cases where faculty had challenges, the Hamilton team had prepared their help desk with a process for providing end users a bypass code if the need arises. Faculty with lost devices or new phones were back up and running quickly and easily.
Additionally, to minimize the friction to users, the Hamilton team varies the amount of time a user can be remembered before needing to supply a second factor again. “For sensitive applications, we have faculty perform MFA every time, but we have other applications where they only need to provide a second factor once a day or once a week, which makes it easier on them.”
Through a broad technical and communications effort on the part of the IT and Information Security team Hamilton was able to successfully deploy Duo to all faculty and staff in under six weeks after the beginning of the school year. “We set goal of enrolling all our faculty and staff by October 1st,” Swartz said. “The rollout went as smoothly as these things can go.”
“Our help desk only received a couple calls, but nobody had trouble,” Swartz noted. “Duo’s end-user experience is intuitive, and with our communication effort we got to the application coverage we wanted quickly and effectively.”
In conclusion, when asked about the benefits of Duo, David Swartz said “Effectively securing access is the easiest way to make the largest positive effect, and Duo is one of the easiest security solutions to implement and use in my mind.”