What are the leading US colleges doing to protect their students, employees and academic research? Recently, I met with Derek Lustig, Director of Infrastructure and Security at Hobart and William Smith Colleges (HWS) in Geneva, New York, to discuss the cybersecurity challenges in higher education and how to successfully implement risk-based authentication as well as migrate to the cloud.
Recently, your team has upgraded your login flows across the campus to risk-based adaptive authentication. What was that key business driver for you?
“Pure security. I feel as a higher education institution we are under siege. Practically every week you are looking at a university that is unable to fulfill its academic mission, in fact, two prominent universities were unfortunately just taken offline. We are surrounded by persistent ransomware events, our college is no exception so this switch to risk-based authentication was less about user experience—believe me, we want to keep that in the equation––but it is 90% about security. ”
What stood out for you in the deployment of SecureAuth?
“It’s the unique implementation of how SecureAuth helps us deal with authentication checks throughout the entire authentication flow. Starting with half a dozen checks that we do before we even display the login screen. Then providing the ability to display a page saying, “There is no login page here,” because we’re seeing access at a high-risk IP address or someone exhibiting really weird behavior. Someone suspicious is not even going to type in a username, we can cut off that attack at the pre-authentication checks.”
As security breaches of colleges became more prevalent, how has the executive leadership at Hobart and William Smith Colleges responded?
The conversation of selling security internally has gotten much easier. The value of cybersecurity and what cybersecurity means to the college is now well understood. Our leadership has seen the increased insurance, they’ve seen the deductibles go up while the coverage goes down. Protection of user identities and user accounts now must be built-in into everything, which is what people have been saying for years. But it is now hitting home. We must invest in securing assets, users and resources.
You recently deployed MFA to more users than ever before. How did you go about it?
“The pilot started with the IT department and a cross-section of people throughout the institution. We took advantage of a number of multi-factor options that SecureAuth offers. As we rolled out MFA to the rest of the institution, our community gravitated to accepting SMS codes on their personal devices. Meanwhile, it delivered much better security and gave us the ability to cross the first hurdle with our users, before we guide them to push authentication”
For people at HWS, who already use the SecureAuth Authenticate app with push authentication, love it. I suspect that as we increase the number of MFA challenges we will probably do well. Push authentication is a game-changer for us who have to do that all the time as we administrate systems.”
What is your IT security team at HWS looking at doing next as your team advances further into the cloud?
“One of our priorities is to ramp up on the threat intelligence SecureAuth delivers. We’re now leveraging the ability to see if a single IP is trying to log into multiple identities. That’s an extremely important signal from a security standpoint. Another thing we are excited about with SecureAuth is the notion of trusted devices.
Cybersecurity and identity and access management is a journey, this is not a system where you set it up once and then walk away from it. It is something we constantly have to tweak, take advantage of new features such as passwordless login with FIDO2 biometric authenticators and adaptive authentication.
Today, the threat landscape is very different from when we first implemented SecureAuth in 2017. There are a lot of different higher education institutions out there, we’re not the smallest but surely not the biggest, and funding is an issue for us. But we were able to flex and come up with a robust, but cost-effective approach to managing security and identity. We definitely look to SecureAuth to help us secure identities.”
Read the case study: Hobart and William Smith Colleges Rely on SecureAuth