The BGSU Information Security team operates with the mission to protect information and systems. Three pillars define BGSU’s cybersecurity strategy:
- Confidentiality: It is important for the university to keep sensitive data and systems safe in order to retain the trust of the students, faculty and staff. Exposure of this data can tarnish the university’s brand and reputation.
- Integrity: From disbursing financial aid to students and payroll to faculty and staff, to ensuring payment to vendors is authorized and accurate, it is critical for the university to protect the integrity of all financial transactions.
- Availability: Ensuring that the university’s systems are operational and available to conduct business all the time is imperative.
BGSU needed a more proactive, preventative solution to support its cybersecurity strategy and to protect the personal accounts of students, faculty and staff, as well as its servers and infrastructure.
The BGSU security team investigated and tried various solutions available in the market. They needed a solution that provided effective, strong authentication, was easy for students, faculty and administrators to use and delivered a low total cost of ownership (TCO). “Duo checks the box on all three,” says Matt Haschak, Director IT Security and Infrastructure, Bowling Green State University, adding that Duo delivers a solution that the university can support financially and also helps ensure that they meet all compliance requirements, such as PCI DSS.
Deploying Duo at BGSU
Haschak says multi-factor authentication plays a critical role in the university's security strategy. Duo was easy to deploy, so much so that the university was quickly able to expand its Duo deployment to all students, faculty and staff after starting with a few high-risk systems and users. At any given time, BGSU has approximately 30,000 active users of its internal systems and applications.
“Whenever you implement a change such as MFA, there will be people that will be resistant to the change. Duo, however, made it easy to enroll end users. Once a user was enrolled, they automatically received a push to their device and could quickly get access to everything they needed. That made them happy,” Haschak says.
Duo makes it so easy to enroll users that among BGSU’s 30,000 students, faculty and staff members, the university had a 99 percent success rate of self-enrollment, Haschak says, adding “users at BGSU find it extremely easy to use.”
Simple and Effective Security
The first line of defense for the university was to enforce MFA on every device accessing the VPN. The second was to ensure that user accounts are not phished and confidential information is safe. BGSU rolled out Duo to its Central Authentication Service (CAS) Single Sign-On (SSO) portal, protecting all applications behind it, including class registration, benefits enrollment, and personal information.
One of the main improvements after implementing Duo was in the effective support of remote users. “I wasn't willing to open my systems to remote users – either not on campus or traveling overseas – but I’m now more confident to allow those types of transactions because we can trust the person on the other end,” says Haschak.
The next phase for the university is to gain visibility into the devices accessing applications and data and enforce the appropriate policies and controls. This will strengthen security and reduce the risk of a compromised device accessing information.
Streamline Access, Less Administrative Hassle
BGSU was live on Duo in under two weeks and is now protecting more than 30,000 users effectively. Integrating Duo into their system was easy and trouble-free.
Now that Duo is fully implemented, the calls to the help desk from users having trouble authenticating have decreased by 50 percent, adds Haschak.
“Since implementing Duo, BGSU has not seen any unauthorized access on accounts that are protected by Duo. While there is still a threat from hackers attempting to remotely exploit our applications and infrastructure, there are now enough safeguards from unintentional password sharing through successful phishing attacks. Duo provides an immeasurable layer in our defense-in-depth strategy to protect our systems and users,” says Haschak.