As is the case at many educational institutions, Xavier University’s information technology team is a lean organization. The constrained IT group’s responsibilities are vast and Brian Rappach, Director of Information Security, and Erik Ball, Director of IT Infrastructure take their mission seriously. “Our biggest priority is protecting the data we’ve been given by faculty, staff, and students,” Rappach noted.
Xavier’s IT/security team is responsible for ensuring Xavier’s application environment meets rigorous data compliance standards. Tools must be vetted for the highest security requirements, on the one hand, but also be easy to both deploy and maintain. Additionally, any security solution with workflow implications must pass muster with the faculty and staff. “There can be some skepticism around new processes,” Rappach said.
One example of the challenges Xavier’s IT team faces everyday is compromised credentials. When login credentials to university applications are phished or stolen, Xavier’s IT/security team must track down the compromised account and shut down access while simultaneously remediating the situation so the end user can still access their work. “In calendar year 2017-2018, we probably remediated about 500 lost accounts. We need about half an hour of work per account, so you can do the math on how much time this took up,” Rappach noted.
Given the limited team size, tracking down and remediating compromised faculty or staff accounts was a large drain on their limited time. However, implementing a security product posed other challenges. Any deployment would need to show success quickly and be accepted by the faculty and staff.
Choosing a Solution
When selecting a solution to protect against compromised credentials, Xavier University’s team evaluated Microsoft’s two-factor solution, but ended up choosing Duo. “To start, I had a great experience implementing Duo in another environment,” Rappach stated. “We’re a full Microsoft shop, but in this case we felt like Duo would integrate with our environment more easily.” One of the main multi-factor authentication use cases for Xavier was protecting their VPN, and Duo met this requirement in a way that was a lighter technical lift.
Additionally, though Xavier doesn’t have a formal zero-trust strategy, Rappach likes the philosophy in principle. When it comes to user trust, he appreciates that with Duo he can both “verify a user before trusting them,” and “make sure we’re only giving access to the people that need it.”
The Technical Lift
After selecting Duo for its multi-factor authentication solution, the team needed to stand up the product and get it ready for deployment to faculty and staff. Rappach and team opted to work with Duo’s customer success team (Duo Care), to strategically plan both the technical and user deployments.
“Our Duo Care team was fantastic,” Rappach recalled. “They worked with us really closely during pre-deployment.” When customers purchase Duo Care, they receive personalized guidance with respect to their environment and how to effectively protect their application authentication workflows. Traditionally, integration with VPN or on-premises applications can prove difficult, but Duo Care helped the team at Xavier protect their environment quickly and easily.
“If it wasn’t for the DuoCare team, we’d still be stuck on a few of our integrations,” Ball notes. “If there’s one thing I’d recommend to other universities, it’s that they need to get Duo Care.”
Deploying Duo to Xavier Faculty and Staff
After setting up their technical environment, the Xavier team knew that one of the critical metrics regarding the project’s success would be the ease and success of deployment. With the help of Duo’s strategic advisory service, Duo Care, Rappach, Ball, and team decided on a tiered enrollment approach. There was an open enrollment period which successfully garnered many early adopters. When it came time to enforce enrollment for other users, these faculty and staff now had peers as examples for how to authenticate with Duo.
Though there was some “hesitation initially,” it subsided pretty quickly as Xavier employees saw “how easy the system was to use,” Rappach reported. Xavier fully deployed Duo to faculty and staff in less than a semester. “We knew Duo would be successful, we just didn’t know it would be this successful.”
Now that Duo has been fully deployed to Xavier faculty and staff, Rappach has reported a drastic reduction in compromised credentials. “In the 2018-2019 academic year, the number of lost accounts went down to maybe 9 total,” Rappach said. “It was such a rare event that my team almost looked forward to remediating them.”
The Xavier team found an extra security use case. Now that there is full enrollment of Xavier’s faculty and staff credentials, the team can identify credentials that aren’t actively authenticating into any applications and clean them out of the directory. “There can be adjunct professors credentials hanging around long after they have left campus, now we get insight into those credentials and can de-provision them,” Rappach notes.
Given the successful launch and effective reduction of compromised credentials, Rappach states that Duo now serves as a “core piece of our identity management.” He expressed hopes to extend to Duo to more core applications, and eventually to the whole student body.