CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES · 2015-05-05 · CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES Nicholas Roy Penn State

CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES

Nicholas Roy Penn State (Pennsylvania State University, The) Andrea Harrington Penn State (Pennsylvania State University, The) Michael Corn Brandeis University Tom McMahon - Weill Cornell Medical College David Bantz University of Alaska – Fairbanks

© 2015 Internet2


What is the NET+ Security and Identity Portfolio

A partnership focused on the needs of the broad higher education community:

•  Internet2's Trust and Identity team will focus on the federation and the TIER program
•  NET+ Security and Identity portfolio will be the delivery mechanism for security and identity services.
•  This alignment also reflects the linkages between identity and security within the higher education community and the affinities between some of these services, such as two-factor authentication and electronic signature solutions that are important to campus security and identity initiatives.
•  Realigning the NET+ service portfolios is the first step in expanding engagement with security service providers and the higher education information security community.


Two-Factor (2FA) Duo Security Service

Penn State Identity Services


My Role

•  Technical Director for Penn State Identity Services
•  Responsibilities include managing:
   –  Software development (Central Person Registry)
   –  Systems management (~135 Linux VMs – CPR, AMQ, LDAP, Shibboleth IdP, Web Services, Web Apps, etc.)
   –  Database Systems (Oracle RAC)
   –  All highly sensitive, all now required to be protected by 2FA


How We Got There With Duo

•  Summer ‘13 – Project Kickoff – 50 stakeholders across PSU IT
•  Common requirements
   –  Many off-the-shelf integrations
   –  Accessible
   –  Smartphone, dumbphone, hardware tokens
   –  Nervousness about cloud


Choosing Duo

•  Completed a marketplace analysis
•  Compiled requirements and analysis into assessment matrix
•  At the time, only Duo met all requirements
•  Rollout at scale has been highly successful


A Tidbit about Splunk

•  In the process of buying a Splunk license
•  Will push person identifiers into security log streams and vice versa
•  Hope to correlate IDS events with Duo fraud alerts


Deployment Strategy

•  Users are required to have a Penn State Access Account
•  Funding
   –  Central IT covers funding for licensing and telephony credits
   –  Departments cover funding for hardware tokens
•  Project
   –  Sponsorship by the Risk Management Office and Information Technology Services (ITS)
   –  Team comprised of Identity Services (IdS) and Security Operations and Services (SOS)


Deployment Strategy

•  Policy
   –  Making the case for a central 2FA service
   –  Data Categorization
      •  Public, Internal/Controlled, Restricted
   –  Minimum Security Baseline
      •  Internal/Controlled data should implement 2FA authentication as soon as feasible
      •  Restricted data must use 2FA authentication
•  Pilots
   –  Identity Services and Security Office: October – January
   –  Campus Health Center (University Park): November – February, enrolled 8 users
   –  Talisma CRM for Student Recruitment: May – June, enrolled 300+ users
   –  Hershey Medical Center for Remote Access: June – August, enrolled 6,000+ users
   –  Systems for System Administrators: August – March


Deployment Strategy

•  Service Development
   –  Duo role-based Administrative Console
   –  In-house development of a Self-Service Portal for user enrollment and management of devices (includes hardware tokens)
   –  Penn State Single Sign-On Authentication (WebAccess) integration with Duo 2FA service
   –  Other major integrations with Duo 2FA service (Unix, Windows, …)
•  Content/Marketing/Communications
   –  Web site service information
   –  Engaged central IT Communications
      •  Information postcards
      •  Enrollment video
      •  News releases for University online publications and email messaging


Deployment Strategy

•  Service Desk
   –  Training service desk staff (Duo Administrative Console, Portal, Service)
•  Training Services
   –  Training the Trainers
•  Outreach
   –  Dozens of meetings with departments sharing information about the service
   –  Presentations through University forums


Duo Stats (as of April 13, 2015)

•  Integrations configured: 275
•  Users enrolled: 9,117
•  Hardware devices registered to users: 545
•  Phones: 10,372 (iOS 5,371, Android 2,412, Landline 1,488, …)
•  Total devices registered to users: 10,917


Skyhigh

Brandeis University Library and Technology Services


Skyhigh Networks

•  Three facets: Discover, Analyze, Secure
•  Focusing on Discover and Analyze
•  Deployed Log Processor 9 weeks ago
•  Began subnet tagging Friday
•  Sending logs from our border Palo Alto firewalls/IPS
•  Encrypting IP info


•  Requires stepping back and thinking about service usage policy
   –  Where on your network can you ask this question?
   –  What do you need to know to have this conversation?
   –  Where you can’t act, you can educate

Library and Technology Services


Duo and Splunk

Weill Cornell Medical College


Two Factor Replacement Duo Security


Our Problems

•  Passwords are no longer considered adequate to prevent fraudulent or unauthorized access
•  User accounts are susceptible to phishing attacks, malware infections and password guessing attacks
•  WCMC VPN and email accounts have been compromised
•  User acceptance of legacy 2FA system is low
•  Deadline to meet NYS and DEA requirements for EPCS
•  Password reset workflow is ineffective
•  Our legacy two-factor authentication system, software and appliances were EOL


Why Duo

•  Met most use cases and features in our requirements matrix
•  Duo Push and similar user experience as Google Authenticator (OATH)
•  5 year TCO $25k
   –  Others were $225k and $150k
•  Single non-intrusive option for accessing all of ITS systems with flexibility for other systems
•  Free integrations and full APIs to support other integrations
•  Support of Android, iOS, WinMobile, and other form factors such as tokens and SMS
•  A solution that will not aggravate our users


Duo Multi-factor Roadmap

Pilot Phase (April – Sept 2014)
•  100+ Users
•  ITS Administrative Systems

Decommission and ITS Deployment Phase (Sept – Dec 2014)
•  Removal of all RSA agents
•  Shutdown of RSA SecurID System
•  ITS Administrative Systems

User Systems Phase 1 (Dec – April 2015)
•  4000+ Users
•  2FA Verification Implementation into HIPM
•  Deployment into Remote access systems

EPCS Phase (Feb – Nov 2015)
•  1200+ Users
•  EPIC Electronic Prescription of Controlled Substances functionality

User Systems Phase 2 (April – Oct 2015)
•  5000+ Users
•  Implementation to CMS and Web systems
•  Deployment into SSO solutions
•  SAP User (WBG)

Future Concepts
•  EPIC MyChart Integration
•  EPIC Login
•  SAP Administrative


Splunk

SIEM Replacement


Our Problems

•  Legacy SIEM deployment was 7 years old and at capacity, and system issues made it challenging to fulfill some audit requests
•  Vendor was purchased by a large company and support became unsatisfactory
•  Legacy platform had limitations to data ingest and normalization
•  Use cases needed to be updated to reflect new security challenges


Why Splunk?

•  Met all use cases and features in our requirements matrix
•  Splunk Apps, flexibility and ecosystem allow for fast and cheap deployment of integrations
•  Data normalization is at read time vs. write time
•  Creating/customizing parsers was much easier than on other platforms
•  Enterprise Security gave us functionality that a SIEM could not
•  Distributed architecture lets it scale horizontally easily and increase as you go


Splunk Post Deployment

•  Went live in October
•  Changed metrics reporting to real-time from monthly
•  Other ITS and college groups are approaching Security about utilizing Splunk
   –  Now implementing Splunk for all operational monitoring
•  Increased our license from 100 GB to 300 GB within 6 months
•  Increasing our Splunk infrastructure within 9 months


U Alaska integrated 2FA from DuoSecurity in its Shibboleth IdP


Pilot Two-factor AuthN in institutional SSO (Shibboleth)

•  Pilot as opt-in to gain acceptance
   –  Service opt in to require for authN
   –  Individuals opt in to require with their ID
   –  Opt in to facilitate phase in
   –  Required use anticipated only for key secure services


Pilot Two-factor AuthN in institutional SSO (Shibboleth)

Multi-Context Broker key to pilot
   –  Services opt in by specifying an authN context
   –  Individuals opt in based on a Directory attribute (group membership)

Thanks to InCommon Assurance Program, Scalable Privacy Project: https://spaces.internet2.edu/display/InCAssurance/Multi-Context+Broker
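The two opt-in paths on this slide, modelled as an added example (not code from the Shibboleth IdP or the Multi-Context Broker): a service requests an authentication context, a directory group marks individuals who opted in, and the stronger requirement wins, with a final check that a 2FA request is never answered with a password-only context. The context URIs, the group DN and the users are assumptions.

```python
"""Model of the opt-in 2FA rule on the slides: a service opts in by requesting
an authentication context, a person opts in through a directory group, and the
stronger of the two wins. Added example, not code from the Shibboleth IdP or
the Multi-Context Broker; the URIs, group and users below are made up."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed context URIs, ranked weakest to strongest.
PASSWORD_CTX = "urn:example:authn:password"   # hypothetical
TWO_FACTOR_CTX = "urn:example:authn:duo-2fa"  # hypothetical
CONTEXT_RANK = {PASSWORD_CTX: 1, TWO_FACTOR_CTX: 2}
# Constructed directory group marking individuals who opted in to 2FA.
OPT_IN_GROUP = "cn=2fa-optin,ou=groups,dc=example,dc=edu"

@dataclass
class Principal:
    uid: str
    groups: Set[str] = field(default_factory=set)

def is_known_context(ctx: str) -> bool:
    """True if an authentication method is mapped to this context."""
    return ctx in CONTEXT_RANK

def choose_context(requested: Optional[str], who: Principal) -> Tuple[str, str]:
    """Return (login flow, context to assert) for one login.
    requested is the AuthnContextClassRef the service asked for, or None.
    Unknown contexts are rejected rather than mapped to password, so a
    misspelt URI at a service cannot silently downgrade a 2FA requirement."""
    if requested is not None and not is_known_context(requested):
        raise ValueError(f"unsupported authentication context: {requested}")
    required = requested or PASSWORD_CTX
    # Individual opt-in: group membership raises the floor to 2FA.
    if OPT_IN_GROUP in who.groups and CONTEXT_RANK[required] < CONTEXT_RANK[TWO_FACTOR_CTX]:
        required = TWO_FACTOR_CTX
    # 2FA here is the Duo step after the usual username/password login.
    flow = "password+duo" if required == TWO_FACTOR_CTX else "password"
    return flow, required

def satisfies(asserted: str, requested: Optional[str]) -> bool:
    """Final check before releasing the assertion: a password-only context
    must never be returned to a service that asked for 2FA."""
    if requested is None:
        return True
    if not (is_known_context(asserted) and is_known_context(requested)):
        return False
    return CONTEXT_RANK[asserted] >= CONTEXT_RANK[requested]

if __name__ == "__main__":
    alice = Principal("alice", {OPT_IN_GROUP})  # opted in via directory group
    print(choose_context(None, alice))          # ('password+duo', TWO_FACTOR_CTX)
    print(choose_context(None, Principal("bob")))  # ('password', PASSWORD_CTX)
```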


Pilot Two-factor AuthN in institutional SSO (Shibboleth)

Duo Security 2FA
   –  Net+ and existing integrations with Shibboleth Duo Java Repository
   –  Wide range of additional integrations supported (Unix, VPN…)
   –  Robust array of 2FA supported, including out-of-band
      •  App
      •  SMS
      •  OTCs
      •  Phone
      •  Tokens


Duo 2FA in combination with initial username/password

Thanks David Langenberg, U Chicago: https://spaces.internet2.edu/display/InCAssurance/University+of+Chicago

Several integration steps:
   –  set up Duo account
   –  build & install duo java jar
   –  build & install a login handler (thanks David Langenberg, U Chicago)
   –  customize the login pages
   –  enable logging for testing

UA integration with consulting help from Michael Grady, UNICON


Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA w/ initial username/password (1/3)


Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA w/ initial username/password (2/3)


Pilot Two-factor AuthN in institutional SSO (Shibboleth) Duo 2FA w/ initial username/password (3/3)


Pilot Two-factor AuthN in institutional SSO (Shibboleth)

Duo 2FA in combination with initial username/password in production for several months
   –  Pretty much bullet proof, but still small pilot
   –  Political and financial factors remain to enable wide deployment


U Alaska Pilot of Two-factor AuthN in institutional SSO


Questions?
