CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES

Transcription

1 CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES Nicholas Roy Penn State (Pennsylvania State University, The) Andrea Harrington Penn State (Pennsylvania State University, The) Michael Corn Brandeis University Tom McMahon - Weill Cornell Medical College David Bantz University of Alaska Fairbanks 2015 Internet2

2 What is the NET+ Security and Identity Portfolio A partnership focused on the needs of the broad higher educa3on community: Internet2's Trust and Identity team will focus on the federation and the TIER program NET+ Security and Identity portfolio will be the delivery mechanism for security and identity services. This alignment also reflects the linkages between identity and security within the higher education community and the affinities between some of these services, such as two-factor authentication and electronic signature solutions that are important to campus security and identity initiatives. Realigning the NET+ service portfolios is the first step in expanding engagement with security service providers and the higher education information security community. [ 2 ]

3 Penn State Identity Services Two-Factor (2FA) Duo Security Service

4 My Role Technical Director for Penn State Identity Services Responsibilities include managing: Software development (Central Person Registry) Systems management (~135 Linux VMs CPR, AMQ, LDAP, Shibboleth IdP, Web Services, Web Apps, etc.) Database Systems (Oracle RAC) All highly sensitive, all now required to be protected by 2FA

5 How We Got There With Duo Summer 13 Project Kickoff 50 stakeholders across PSU IT Common requirements Many off-the-shelf integrations Accessible Smartphone, dumbphone, hardware tokens Nervousness about cloud

6 Choosing Duo Completed a marketplace analysis Compiled requirements and analysis into assessment matrix At the time, only Duo met all requirements Rollout at scale has been highly successful

7 A Tidbit about Splunk> In the process of buying a Splunk license Will push person identifiers into security log streams and vice versa Hope to correlate IDS events with Duo fraud alerts

8 Deployment Strategy Users are required to have a Penn State Access Account Funding Central IT covers funding for licensing and telephony credits Departments cover funding for hardware tokens Project Sponsorship by the Risk Management Office and Information Technology Services (ITS) Team comprised of Identity Services (IdS) and Security Operations and Services (SOS)

9 Deployment Strategy Policy Making the case for a central 2FA service Data Categorization Public, Internal/Controlled, Restricted Minimum Security Baseline Internal/Controlled data should implement 2FA authentication as soon as feasible Restricted data must use 2FA authentication Pilots Identity Services and Security Office October January Campus Health Center (University Park) November February enrolled 8 users Talisma CRM for Student Recruitment May - June enrolled 300+ users Hershey Medical Center for Remote Access June - August enrolled 6,000+ users Systems for System Administrators August March

10 Deployment Strategy Service Development Duo role-based Administrative Console In-house development of a Self-Service Portal for user enrollment and management of devices (includes hardware tokens) Penn State Single Sign-On Authentication (WebAccess) integration with Duo 2FA service Other major integrations with Duo 2FA service (Unix, Windows, ) Content/Marketing/Communications Web site service information Engaged central IT Communications Information postcards Enrollment video News releases for University online publications and messaging

11 Deployment Strategy Service Desk Training service desk staff (Duo Administrative Console, Portal, Service) Training Services Training the Trainers Outreach Dozens of meetings with departments sharing information about the service Presentations through University forums

12 Duo Stats Integrations - configured 275 as of April 13, 2015 Users - enrolled 9,117 Hardware Devices - registered to users 545 Phones - 10,372 ( ios 5,371, Android 2,412, Landline 1,488, ) Total Devices - registered to users 10,917

13 Brandeis University Library and Technology Services Skyhigh

14 Skyhigh Networks Three facets: Discover, Analyze, Secure Focusing on Discover and Analyze Deployed Log Processor 9 weeks ago Began subnet tagging Friday Sending logs from our border Palo Alto firewalls/ips Encrypting IP info

15 Requires stepping back and thinking about service usage policy Where on your network can you ask this question? What do you need to know to have this conversation? Where you can t act, you can educate Library and Technology

16 Weill Cornell Medical College Duo and Splunk

17 Two Factor Replacement Duo Security

18 Our Problems Password are no longer considered adequate to prevent fraudulent or unauthorized access User accounts are susceptible to phishing attack, malware infections and password guessing attacks WCMC VPN and accounts have been compromised User acceptance of legacy 2FA system is low Deadline to meet NYS and DEA requirements for EPCS Password resets workflow is ineffective Our legacy two-factor authentication system, software and appliances where EOL

19 Why Duo Met most use cases and features in our requirements matrix Duo Push and similar user experience as Google Authenticator (OATH) 5 year TCO $25k Others where $225k and $150k Single non-intrusive option for accessing all of ITS systems with flexibility for other systems Free integrations and full API s to support other integrations Support of Android, ios, WinMobile, and other factor forms such as Tokens and SMS A solution that will not aggravate our users

20 Duo Multi-factor Roadmap Pilot Phase April Sept Users ITS Administrative Systems Decommission and ITS Deployment Phase Sept Dec 2014 Removal of all RSA agents Shutdown of RSA SecurID System ITS Administrative Systems User Systems Phase 1 Dec April Users 2FA Verification Implementation into HIPM Deployment into Remote access systems EPCS Phase Feb Nov Users EPIC Electronic Prescription of Controlled Substances functionality User Systems Phase 2 April Oct Users Implementation to CMS and Web systems Deployment into SSO solutions SAP User (WBG) Future Concepts EPIC MyChart Integration EPIC Login SAP Administrative

21 SIEM Replacement Splunk

22 Our Problems Legacy SIEM deployment was 7 years old and at capacity and system issues make it challenging to fulfill some audit requests Vendor was purchased by a large company and support became unsatisfactory Legacy platform had limitations to data ingest and normalization Use cases needed to be updated to reflect new security challenges

23 Why Splunk? Met all use cases and features in our requirements matrix Splunk Apps, flexibility and ecosystem allows for fast and cheap deployment of integrations Data Normalization is at Read vs. Write Creating/Customizing parsers where much easier then other platforms Enterprise Security gave us functionality that a SIEM could not Distributed architecture lets it scale horizontally easily and increase as you go

24 Splunk Post Deployment Went live in October Changed metrics reporting to real-time from monthly Other ITS and college groups are approaching Security about utilizing Splunk Now implementing Splunk for all operational monitoring Increased our license from 100gb to 300gb within 6 months Increasing our Splunk infrastructure within 9 months

25 U Alaska integrated 2FA from DuoSecurity in its Shibboleth IdP [ 25 ] 2015 Internet2

26 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Pilot as opt-in to gain acceptance Service opt in to require for authn Individuals opt in to require with their ID Opt in to facilitate phase in Required use anticipated only for key secure services [ 26 ] 2015 Internet2

27 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Multi-Context Broker key to pilot Services opt in by specifying an authn context Individuals opt in based on a Directory attribute (group membership) Thanks to InCommon Assurance Program, Scalable Privacy Project [ 27 ] 2015 Internet2

28 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo Security 2FA Net+ and existing integrations with Shibboleth Duo Java Repository Wide range of additional integrations supported (Unix, VPN ) Robust array of 2FA supported, including out-of-band App SMS OTCs [ 28 ] Phone 2015 Internet2

29 Duo 2FA in combination with initial username/password Thanks David Langenberg, U Chicago: Several Integration steps set up Duo account build & install duo java jar build & install a login handler (thanks David Langenberg, U Chicago) customize the login pages enable logging for testing [ 29 ] 2015 Internet2

30 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA w/ initial username/password (1/3) [ 30 ] 2015 Internet2

31 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA w/ initial username/password (2/3) [ 31 ] 2015 Internet2

32 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA w/ initial username/password (3/3) [ 32 ] 2015 Internet2

33 Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA in combination with initial username/password in production for several months - Pretty much bullet proof, but still small pilot - Political and financial factors remain to enable wide deployment [ 33 ] 2015 Internet2

34 U Alaska Pilot of Two-factor AuthN in institutional SSO [ 34 ] 2015 Internet2

35 Questions?

36 PRESENTATION TITLE Presenter name Presenter title, organization 2014 Internet2