Multifactor authentication strengthens cybersecurity across university campus

Ellucian’s layered approach protects information at Cheyney University of Pennsylvania
By: | Issue: November/December, 2019 | Case Study
September 16, 2019

After spending decades as a healthcare executive, Aaron Walton understands the importance of keeping information safe. Soon after he became president of Cheyney University of Pennsylvania, he oversaw a cybersecurity upgrade that featured multifactor authentication (MFA), among other measures, to secure the school’s network, users and devices.

“Safeguarding information is critical, particularly in today’s technological environment,” says Walton. “We owe it to our students and staff to protect their data and privacy. That’s why we made cybersecurity a focus through our partnership with Ellucian Managed Services.”

‘Passionate about cybersecurity’

“Our president is passionate about cybersecurity because he knows how it impacts the entire university,” says Chris Brown, the university’s executive director of technology. “But it’s not just about MFA. It’s making sure endpoints are protected, servers are secure, adequate firewalls are in place, and patches and updates are done regularly. Most important is training end users to identify suspicious emails and handle them properly—giving them the tools to keep themselves secure.”

Brown works for Ellucian Managed Services, which contracts with the university to provide information technology solutions. Cheyney, located about 25 miles south of Philadelphia, partnered with Ellucian 2 1/2 years ago, about the time Walton came on board.

The university’s layered approach to security includes MFA—a six-digit code in addition to a password—to access any university computer on campus or remotely through a virtual private network or remote desktop gateway. The code comes through a key fob, mobile phone app or telephone call.

Pilot program informs rollout

Deployment of the new process began after IT tested it for three months, and 10 university employees—representing various departments and levels of security and tech savvy—used it for 45 days. Feedback from that pilot was key to the smooth rollout across the 800-student campus.

“We used to get four or five alerts per day … We’ve seen those numbers drop since
implementation of MFA.”

“It’s extremely important to listen to end users to understand where hurdles may exist,” Brown says. “Understand that it takes a while for some people to adopt this. It’s important to educate them and let them know why you’re adding this extra layer.”

Improved cybersecurity

During implementation, each of the university’s 200 faculty and staff members met one-on-one with an IT professional to ensure “comfortable understanding” of the system and each person’s role in protecting information, Brown says. “That personal touch typically takes about two minutes per person, and it is worth every second.”

Cheyney has already seen improvement. “We used to get four or five alerts per day, meaning a password was compromised or a user’s information was found on the dark web,” Brown says. “We’ve seen those numbers drop since implementation of MFA.”

Cloud technology enhances higher ed data security

Ellucian identifies and mitigates fraud risks across schools

Q&A with Josh Sosnin,  Chief Information Security Officer, Ellucian

How does higher ed benefit by moving to the cloud?
Moving to the cloud can provide security benefits that many schools could not otherwise afford. As an example, when you move email to the cloud, you might get a base level of anti-virus, anti-malware and email hygiene (e.g., anti-spam, anti-phishing, etc.) software included, whereas when you run email on-premise, you have to bolt that on and have somebody run it. Also, your cloud vendor is almost certainly going to have a robust disaster-recovery process, so if one server fails, the information automatically rolls over to another one.

“The biggest bang for your security buck is often multifactor authentication. It’s a huge value and should be prioritized.”

Why is multifactor authentication (MFA) particularly important in maintaining secure cloud environments?
Passwords aren’t enough anymore. Even the most security-conscious person can fall for sophisticated phishing attacks. Once you’ve got the basics—anti-virus, anti-malware, patching, email hygiene and all of your awareness training—the biggest bang for your security buck is often multifactor authentication. It’s a huge value and should be prioritized.

What are some solutions to common challenges schools face when implementing MFA?
The challenges we’ve seen most often are cost and prioritization. And sometimes there is pushback from faculty and staff who are resistant to change. But attacks are only getting more frequent and more sophisticated. You’ve got to assess the risk and prioritize, and sometimes you’re going to have to find the funds or find open-source solutions that fit your institution. But it’s usually less costly and easier to implement MFA for your cloud-based solutions and systems than it might be for on-premise solutions.

What’s next for information security in higher ed?
A popular scam right now is fake submissions for enrollment to acquire a dot-edu email account, which gets you some great discounts and goes for about $5 on the black market. These unauthorized email accounts are sometimes used for phishing attacks because a person is more likely to believe an email appearing to come from within the school. Schools can avoid this scam by not providing an email account until a student has been accepted, has gone through more of the enrollment process, or has shown up on campus. By selecting cloud-based solutions, institutions also benefit from access to a team of security professionals who provide their dedicated expertise and insights to higher education institutions around the world.

For more information, please visit ellucian.com/cloud1


Interested in technology? Keep up with the UB Tech® conference.