At an institution with the size and scope of the University of Queensland, securing the people, systems, and intellectual assets is no small task. The undertaking is complicated further by the changing role of IT and an ever-growing attack surface. “I constantly remind my staff that the campus is a hostile environment,” Dr. David Stockdale notes. “There is no more solid border security in today’s world, if there ever was — the mindset that a firewall will take care of everything is outdated. There is no physical security stopping someone from walking onto campus and plugging in their laptop. Security needs to shift the focus from technology tools to education and the workforce itself.”
Many staff members have sets of credentials that enable access to a variety of University assets. “The real challenge is getting people to understand that compromise most often starts at the people or credential level,” Stockdale notes. “We’re looking to instill a culture where everyone is responsible for security.” The IT team at the University of Queensland is looking to expand the scope of security beyond just technology to how technology interacts with people.
Choosing a Solution
In order to address the security needs of a world where perimeter security isn’t enough, the University of Queensland has begun to adopt some tenets of the Zero Trust philosophy. “We began segmenting our network,” Stockdale notes, “but we also wanted to move security closer to the user. We wanted to verify users were who they said they were before granting access to our environment.”
The team evaluated a few different MFA solutions before settling on Duo. “For one, solutions like Google Authenticator or Authy were far more confusing for the user during the enrollment process,” Stockdale said. Moreover, they were incredibly complex to integrate with the University’s technology stack.
The University of Queensland chose Duo over other competitors for two main reasons. To start, “the user experience is just so good,” Stockdale notes. Duo’s enrollment and authentication processes made it easy for even the most anti-tech users to get up and running with MFA. “It’s a credit to Duo that our users just got it. That’s not a simple requirement when it comes to security tools,” Stockdale says.
The second driver was the ease of backend integration. From experience, the IT team at the University of Queensland typically expects a heavy technical lift to get a technology solution up and running. “In the case of Duo, the required integrations took days instead of weeks. It was very impressive,” Stockdale remembers. “We use a SAML SSO product and the integration with Duo made applying two-factor authentication on all of our applications incredibly easy.”
The University also uses Duo to protect access to their VPN. While many MFA solutions struggle to protect VPN access, especially if RADIUS is required, Duo stood up an integration quickly and effectively.
The University of Queensland has over 7,500 staff credentials to protect with MFA. Rolling out a new solution to such a wide audience is a large undertaking, so the IT team started with a pilot group: themselves. “Our initial test went really well, so we expanded out to a school, then faculty group,” Stockdale notes. “Our two primary metrics at each stage of deployment were the number of service desk calls and how quickly the user base got enrolled and authenticating.”
In each step of the deployment, IT was amazed to see both how few service desk tickets were created and how rapidly Duo was adopted. “When we did one of our larger rollouts, we readied the service desk with a few extra staff, but it turned out they weren’t needed at all,” Stockdale remembers. “We did have a few users that wanted to use a key and one-time-password, but when they saw how easy it was to do the push, the majority started using that method.”
The Duo rollout to full-time staff has been so successful that the University of Queensland plans to expand their deployment to part-time staff and eventually to students. “Our security strategy moving forward boils down to adopting more segmentation, verifying the user, and decreasing our time to detect and remediate when something goes wrong,” Stockdale says. “Duo is a key component of that strategy as it confirms any user is who they say they are. And overall, I think it’s a fantastic product. I think very highly of it. The ease of use for end users combined with the simple technical integration in the background makes it a big win for us.”