CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES
Nicholas Roy, Penn State (The Pennsylvania State University)
Andrea Harrington, Penn State (The Pennsylvania State University)
Michael Corn, Brandeis University
Tom McMahon, Weill Cornell Medical College
David Bantz, University of Alaska Fairbanks
2015 Internet2
What is the NET+ Security and Identity Portfolio?
A partnership focused on the needs of the broad higher education community:
- Internet2's Trust and Identity team will focus on the federation and the TIER program
- The NET+ Security and Identity portfolio will be the delivery mechanism for security and identity services
This alignment also reflects the linkages between identity and security within the higher education community and the affinities between some of these services, such as two-factor authentication and electronic signature solutions, that are important to campus security and identity initiatives. Realigning the NET+ service portfolios is the first step in expanding engagement with security service providers and the higher education information security community.
Penn State Identity Services
Two-Factor (2FA) Duo Security Service
My Role
Technical Director for Penn State Identity Services. Responsibilities include managing:
- Software development (Central Person Registry)
- Systems management (~135 Linux VMs: CPR, AMQ, LDAP, Shibboleth IdP, web services, web apps, etc.)
- Database systems (Oracle RAC)
All highly sensitive, all now required to be protected by 2FA.
How We Got There With Duo
- Summer 2013 project kickoff
- 50 stakeholders across PSU IT
- Common requirements:
  - Many off-the-shelf integrations
  - Accessible
  - Smartphone, dumbphone, hardware tokens
  - Nervousness about cloud
Choosing Duo
- Completed a marketplace analysis
- Compiled requirements and analysis into an assessment matrix
- At the time, only Duo met all requirements
- Rollout at scale has been highly successful
A Tidbit about Splunk
- In the process of buying a Splunk license
- Will push person identifiers into security log streams and vice versa
- Hope to correlate IDS events with Duo fraud alerts
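The correlation the slide hopes for, shown as a small added example in Python (not Penn State's code and not a Splunk search): Duo fraud reports are joined to IDS alerts from the same source IP inside a time window, so each IDS alert comes out enriched with the person identifier Duo knows. The log lines are constructed, and every field name (`result`, `sig`, `src`, `dst`) is an assumption rather than a real Duo or IDS schema.

```python
"""Correlate IDS alerts with Duo fraud reports by source IP within a time window.

Added illustrative example, not Penn State's code and not a Splunk search. The
log lines are constructed, and every field name below is an assumption rather
than a real Duo or IDS schema.
"""
from datetime import datetime, timedelta
import json

# Constructed Duo-style authentication events (one JSON object per line).
# "result": "fraud" models a user reporting an unexpected push as fraudulent.
DUO_EVENTS = [
    '{"ts": "2015-04-13T14:02:10Z", "user": "jsmith", "ip": "198.51.100.23", "result": "fraud"}',
    '{"ts": "2015-04-13T14:05:41Z", "user": "alee", "ip": "203.0.113.7", "result": "success"}',
    '{"ts": "2015-04-13T15:30:00Z", "user": "bkim", "ip": "198.51.100.23", "result": "fraud"}',
]

# Constructed IDS alerts in a key=value syslog-like format.
IDS_EVENTS = [
    "2015-04-13T14:00:55Z sig=ssh-brute-force src=198.51.100.23 dst=10.0.5.12",
    "2015-04-13T14:06:02Z sig=http-scanner src=192.0.2.88 dst=10.0.5.40",
    "2015-04-13T15:29:10Z sig=vpn-credential-stuffing src=198.51.100.23 dst=10.0.1.1",
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_duo(lines):
    """Keep only fraud outcomes; these carry the person identifier we want in the security stream."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec["result"] == "fraud":
            events.append({"ts": parse_ts(rec["ts"]), "user": rec["user"], "ip": rec["ip"]})
    return events


def parse_ids(lines):
    events = []
    for line in lines:
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = parse_ts(ts)
        events.append(rec)
    return events


def correlate(duo_events, ids_events, window=timedelta(minutes=10)):
    """Pair each Duo fraud report with IDS alerts from the same source IP inside +/- window.

    Each hit is an IDS alert enriched with the Duo username, which is the join
    the slide describes (IDS event <-> Duo fraud alert). Closest in time first.
    """
    hits = []
    for fraud in duo_events:
        for alert in ids_events:
            if alert["src"] != fraud["ip"]:
                continue
            delta = abs((fraud["ts"] - alert["ts"]).total_seconds())
            if delta <= window.total_seconds():
                hits.append({
                    "user": fraud["user"],
                    "ip": fraud["ip"],
                    "signature": alert["sig"],
                    "target": alert["dst"],
                    "delta_seconds": int(delta),
                })
    hits.sort(key=lambda h: h["delta_seconds"])
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_duo(DUO_EVENTS), parse_ids(IDS_EVENTS)):
        print(hit)
```

The window is the tunable: too wide and unrelated scanner noise gets attached to a fraud report; too narrow and a slow brute-force that preceded the push by minutes is missed. Running it on the constructed data pairs both fraud reports with the alerts from the same address and drops the scanner alert from an unrelated IP.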
Deployment Strategy
- Users are required to have a Penn State Access Account
- Funding:
  - Central IT covers funding for licensing and telephony credits
  - Departments cover funding for hardware tokens
- Project sponsorship by the Risk Management Office and Information Technology Services (ITS)
- Team comprised of Identity Services (IdS) and Security Operations and Services (SOS)
Deployment Strategy: Policy
- Making the case for a central 2FA service
- Data categorization: Public, Internal/Controlled, Restricted
- Minimum security baseline:
  - Internal/Controlled data should implement 2FA authentication as soon as feasible
  - Restricted data must use 2FA authentication
Pilots (pilot, period, enrollment):
- Identity Services and Security Office: October to January
- Campus Health Center (University Park): November to February, enrolled 8 users
- Talisma CRM for Student Recruitment: May to June, enrolled 300+ users
- Hershey Medical Center for Remote Access: June to August, enrolled 6,000+ users
- Systems for System Administrators: August to March
Deployment Strategy: Service Development
- Duo role-based Administrative Console
- In-house development of a Self-Service Portal for user enrollment and management of devices (includes hardware tokens)
- Penn State Single Sign-On Authentication (WebAccess) integration with the Duo 2FA service
- Other major integrations with the Duo 2FA service (Unix, Windows, ...)
Content/Marketing/Communications:
- Web site service information
- Engaged central IT Communications
- Information postcards
- Enrollment video
- News releases for University online publications and email messaging
Deployment Strategy: Service Desk
- Training service desk staff (Duo Administrative Console, Portal, Service)
Training Services:
- Training the trainers
Outreach:
- Dozens of meetings with departments sharing information about the service
- Presentations through University forums
Duo Stats
- Integrations configured: 275 (as of April 13, 2015)
- Users enrolled: 9,117
- Hardware devices registered to users: 545
- Phones: 10,372 (iOS 5,371, Android 2,412, landline 1,488, ...)
- Total devices registered to users: 10,917
Brandeis University
Library and Technology Services
Skyhigh
Skyhigh Networks
- Three facets: Discover, Analyze, Secure
- Focusing on Discover and Analyze
- Deployed Log Processor 9 weeks ago
- Began subnet tagging Friday
- Sending logs from our border Palo Alto firewalls/IPS
- Encrypting IP info
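The last two items, subnet tagging and protecting IP information before logs leave campus, as an added Python example that is not Skyhigh's or Brandeis's code. It swaps in keyed pseudonymization (HMAC-SHA256 with an on-premises key) for the encryption the slide mentions: the cloud side gets a stable token per address plus a subnet tag it can analyze, while a resolution table kept locally maps tokens back to real addresses. The log format, subnet map and key are constructed; a real Palo Alto traffic log has many more fields.

```python
"""Tag internal subnets and pseudonymize source IPs in firewall logs before
sending them to a cloud discovery/analysis service.

Added example; not Skyhigh's or Brandeis's code. The log format, subnet map and
key are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress

# Assumed: secret stays on-premises; the cloud service only ever sees tokens.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Constructed subnet tags; in practice these come from campus IPAM.
SUBNET_TAGS = {
    ipaddress.ip_network("10.10.0.0/16"): "residence-halls",
    ipaddress.ip_network("10.20.0.0/16"): "library",
    ipaddress.ip_network("10.30.5.0/24"): "research-lab",
}

# Constructed, simplified firewall traffic lines (space-separated key=value).
FW_LINES = [
    "ts=2015-04-13T09:12:00Z src=10.10.4.17 dst=203.0.113.50 app=dropbox bytes=5120",
    "ts=2015-04-13T09:12:03Z src=10.20.1.9 dst=198.51.100.9 app=google-drive bytes=881",
    "ts=2015-04-13T09:12:07Z src=172.16.99.1 dst=203.0.113.50 app=dropbox bytes=42",
]


def tag_subnet(ip):
    """Return the campus tag for an address, or 'untagged' when no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for net, tag in SUBNET_TAGS.items():
        if addr in net:
            return tag
    return "untagged"


def pseudonymize(ip, key=PSEUDONYM_KEY):
    """Keyed token for an address; without the key the IPv4 space cannot be enumerated to reverse it."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def parse(line):
    return dict(kv.split("=", 1) for kv in line.split())


def prepare_for_export(lines, key=PSEUDONYM_KEY):
    """Return (records safe to ship off-campus, local token -> real IP table)."""
    table = {}
    out = []
    for line in lines:
        rec = parse(line)
        src = rec["src"]
        token = pseudonymize(src, key)
        table[token] = src              # kept on-premises for follow-up on hits
        rec["src"] = token              # the cloud side never sees the real address
        rec["src_tag"] = tag_subnet(src)
        out.append(rec)
    return out, table


if __name__ == "__main__":
    records, table = prepare_for_export(FW_LINES)
    for rec in records:
        print(rec)
    print("local resolution table:", table)
```

Because the token is deterministic, the cloud analysis can still count distinct sources and group activity per subnet tag; when a finding comes back, the resolution table is consulted on campus, which keeps the policy question of who can act on the data (and where) local.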
Requires stepping back and thinking about service usage policy:
- Where on your network can you ask this question?
- What do you need to know to have this conversation?
- Where you can't act, you can educate
Weill Cornell Medical College
Duo and Splunk
Two-Factor Replacement: Duo Security
Our Problems
- Passwords are no longer considered adequate to prevent fraudulent or unauthorized access
- User accounts are susceptible to phishing attacks, malware infections and password-guessing attacks
- WCMC VPN and email accounts have been compromised
- User acceptance of the legacy 2FA system is low
- Deadline to meet NYS and DEA requirements for EPCS
- Password reset workflow is ineffective
- Our legacy two-factor authentication system, software and appliances were EOL
Why Duo
- Met most use cases and features in our requirements matrix
- Duo Push, and a user experience similar to Google Authenticator (OATH)
- 5-year TCO $25k; others were $225k and $150k
- Single non-intrusive option for accessing all ITS systems, with flexibility for other systems
- Free integrations and full APIs to support other integrations
- Support for Android, iOS, WinMobile, and other factors such as tokens and SMS
- A solution that will not aggravate our users
Duo Multi-factor Roadmap
- Pilot Phase (April to Sept 2014): 100+ users; ITS administrative systems
- Decommission and ITS Deployment Phase (Sept to Dec 2014): removal of all RSA agents; shutdown of RSA SecurID system; ITS administrative systems
- User Systems Phase 1 (Dec to April 2015): 4000+ users; 2FA verification implementation into HIPM; deployment into remote access systems
- EPCS Phase (Feb to Nov 2015): 1200+ users; EPIC Electronic Prescription of Controlled Substances functionality
- User Systems Phase 2 (April to Oct 2015): 5000+ users; implementation to CMS and web systems; deployment into SSO solutions; SAP User (WBG)
- Future Concepts: EPIC MyChart integration; EPIC login; SAP Administrative
SIEM Replacement: Splunk
Our Problems
- Legacy SIEM deployment was 7 years old and at capacity, and system issues made it challenging to fulfill some audit requests
- Vendor was purchased by a large company and support became unsatisfactory
- Legacy platform had limitations on data ingest and normalization
- Use cases needed to be updated to reflect new security challenges
Why Splunk?
- Met all use cases and features in our requirements matrix
- Splunk Apps, flexibility and ecosystem allow for fast and cheap deployment of integrations
- Data normalization happens at read time rather than at write time
- Creating/customizing parsers was much easier than on other platforms
- Enterprise Security gave us functionality that a SIEM could not
- Distributed architecture lets it scale horizontally easily and grow as you go
Splunk Post Deployment
- Went live in October
- Changed metrics reporting to real-time from monthly
- Other ITS and college groups are approaching Security about utilizing Splunk
- Now implementing Splunk for all operational monitoring
- Increased our license from 100 GB to 300 GB within 6 months
- Increasing our Splunk infrastructure within 9 months
U Alaska integrated 2FA from Duo Security in its Shibboleth IdP
Pilot Two-factor AuthN in institutional SSO (Shibboleth)
- Pilot as opt-in to gain acceptance
  - Services opt in to require 2FA for authn
  - Individuals opt in to require 2FA with their ID
- Opt-in to facilitate phase-in
- Required use anticipated only for key secure services
Pilot Two-factor AuthN in institutional SSO (Shibboleth)
- Multi-Context Broker key to pilot
  - Services opt in by specifying an authn context
  - Individuals opt in based on a Directory attribute (group membership)
- Thanks to the InCommon Assurance Program, Scalable Privacy Project: https://spaces.internet2.edu/display/incassurance/multi-context+broker
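The two opt-in routes described on these two slides, modeled as an added Python example. This is a simplified model of the decision, not the Multi-Context Broker's own code: a service opts in by requesting a 2FA authentication context, an individual opts in through a directory group, and an existing SSO session is reused only if it already satisfies the required context (otherwise the login steps up to Duo). The 2FA context URI, the `duo-optin` group name and the directory entries are constructed placeholders; `PasswordProtectedTransport` is the standard SAML 2.0 authentication context class.

```python
"""Model of opt-in 2FA step-up in an SSO login, as described for the U Alaska pilot.

Added example; a simplified model, not the Shibboleth Multi-Context Broker's
code. The 2FA context URI, group name and directory entries are constructed.
"""
# Standard SAML 2.0 authentication context class for password over TLS.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Constructed placeholder: the context a service requests to demand Duo 2FA.
MFA_CTX = "https://idp.example.edu/ac/2fa"
# Constructed placeholder: directory group an individual joins to opt in.
OPTIN_GROUP = "duo-optin"

# Constructed directory: group memberships per principal.
DIRECTORY = {
    "jdoe": {"faculty", OPTIN_GROUP},
    "ksmith": {"student"},
}

# Assumed: which contexts each login method satisfies. A Duo login also
# satisfies the plain password context, so it never has to be run twice.
SATISFIES = {
    "password": {PASSWORD_CTX},
    "password+duo": {PASSWORD_CTX, MFA_CTX},
}


def required_context(principal, requested_contexts, directory=DIRECTORY):
    """Context the IdP must achieve for this login.

    Either opt-in route is sufficient: the service asked for 2FA, or the person
    is in the opt-in group. Otherwise the default password context applies.
    """
    if MFA_CTX in requested_contexts:
        return MFA_CTX
    if OPTIN_GROUP in directory.get(principal, set()):
        return MFA_CTX
    return PASSWORD_CTX


def select_method(principal, requested_contexts, already_satisfied=frozenset(), directory=DIRECTORY):
    """Choose the login flow to run, reusing the existing session if it already satisfies the need."""
    need = required_context(principal, requested_contexts, directory)
    if need in already_satisfied:
        return "sso-reuse"
    for method, contexts in SATISFIES.items():
        if need in contexts:
            return method
    raise ValueError("no configured login method satisfies " + need)


if __name__ == "__main__":
    # A service that has not opted in, accessed by a non-opted-in person: password only.
    print(select_method("ksmith", [PASSWORD_CTX]))
    # The same person already has a password session but now hits a 2FA service: step up.
    print(select_method("ksmith", [MFA_CTX], already_satisfied={PASSWORD_CTX}))
    # An opted-in person gets Duo even at a service that did not ask for it.
    print(select_method("jdoe", []))
```

The check that matters operationally is the step-up case: a password-only SSO session must not be accepted at a service that requested the 2FA context, which is why the comparison is against the required context rather than against "is the user logged in".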
Pilot Two-factor AuthN in institutional SSO (Shibboleth)
- Duo Security 2FA
  - Net+ and existing integrations with Shibboleth
  - Duo Java repository
  - Wide range of additional integrations supported (Unix, VPN, ...)
  - Robust array of 2FA methods supported, including out-of-band: app, SMS OTCs, phone
Duo 2FA in combination with initial username/password
Thanks David Langenberg, U Chicago: https://spaces.internet2.edu/display/incassurance/university+of+chicago
Several integration steps:
- Set up Duo account
- Build & install Duo Java jar
- Build & install a login handler (thanks David Langenberg, U Chicago)
- Customize the login pages
- Enable logging for testing
Pilot Two-factor AuthN in institutional SSO (Shibboleth): Duo 2FA w/ initial username/password (1/3) [screenshot slide]
Pilot Two-factor AuthN in institutional SSO (Shibboleth): Duo 2FA w/ initial username/password (2/3) [screenshot slide]
Pilot Two-factor AuthN in institutional SSO (Shibboleth): Duo 2FA w/ initial username/password (3/3) [screenshot slide]
Pilot Two-factor AuthN in institutional SSO (Shibboleth)
- Duo 2FA in combination with initial username/password in production for several months
- Pretty much bulletproof, but still a small pilot
- Political and financial factors remain to enable wide deployment
U Alaska Pilot of Two-factor AuthN in institutional SSO
Questions?