Educause Security Discussion mailing list archives

Re: 2-Factor Authentication / FERPA


From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Fri, 3 Mar 2017 13:14:20 -0500

Hi Mike,

I'm not really addressing your question directly, just adding my 2 cents
worth if you are interested.  If I am stating the obvious I apologize.

While 2FA can be an integral part of an overall security program, there are
significant costs (capital, administrative and political).  Been there,
done that.  Outside of remote access (VPN), where it should be a
requirement, my feeling is that for internal access it should only be
considered if the following are already in place:

- Have a verifiable patch management process in place which includes
categorizing and applying patches on a regular schedule.  This would
include applying critical patches outside of the schedule.
- Run regular authenticated vulnerability assessments to discover,
inventory and assess systems on your network.  This is also used to
verify patching.
- All sysadmins/domain admins/network admins/DBA's etc have dedicated
accounts that are used for administrative functions only and do not have
access to the internet.  In addition, they use dedicated workstations that
do not have access to the internet.  This is especially critical if you are
using AD.
- Developers should not have direct access to sensitive data, i.e. SQL
access to a database.
- Have a centralized logging system in place from which you can generate
alerts (SIEM like functionality).
- Segment the network to put those systems containing sensitive information
behind an enforcement point and control access to these systems from only
dedicated workstations/servers using only the protocols/ports that are
needed.
- Systems which store sensitive data should be dedicated to this purpose
and not used for other purposes as well.
- Do not use shared service accounts to access data and monitor the use of
these accounts.  Have a password management process in place which creates
an audit trail for password use.
- Do not use sensitive production data in non-production systems, if
possible.
- Have visibility into the traffic on your network (taps, aggregation
switches, span ports etc).  Use a tool such as Bro to monitor this traffic.
- Perform threat modeling/pen testing on the apps consuming the data.  Yes,
these are terms that can mean different things to different people.  The
app should undergo some basic assessment at the least.

This list is by no means comprehensive and I'm aware that doing all of the
above is no minor accomplishment.  For many institutions all or part might
be unrealistic for all sorts of reasons.  But, from my experience it makes
more sense to direct limited resources into these areas before implementing
something like 2FA.


Nick Garigliano, CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109
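
As an added illustration of two items in the checklist above, the centralized
logging with "SIEM like" alerting and the monitoring of service account use,
here is a small alert generator written for this archive page. It is example
code added here, not something from Nick's post or from any particular SIEM
product. The log line format, the account names (adm-jsmith, svc-backup, ...)
and the hostnames are all constructed for the example; a real deployment would
read Windows security events or syslog and maintain the account/workstation
policy outside the script.

```python
"""
Added example (not from the original thread): a minimal "SIEM like" alert
generator over constructed authentication log lines.  It flags two of the
conditions the checklist above says to watch for:
  1. a privileged admin account logging on from anything other than one of
     the dedicated (non-internet) admin workstations
  2. a service account used for an interactive logon, which is how shared
     service accounts end up being used by people instead of processes,
     plus a service account seen from more than one source host
Account names, hostnames and the log format are hypothetical.
"""
import re
from collections import defaultdict

# Hypothetical policy data: privileged accounts, the dedicated admin
# workstations they may be used from, and the known service accounts.
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-rlee"}
ADMIN_WORKSTATIONS = {"ADMWS01", "ADMWS02"}
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}
INTERACTIVE_TYPES = {"interactive", "remote_interactive"}

# Constructed log format: "<iso-timestamp> LOGON user=<u> src=<host> type=<t>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev):
    """Return the list of alert strings raised by a single parsed event."""
    alerts = []
    user, src, ltype = ev["user"], ev["src"], ev["type"]
    if user in ADMIN_ACCOUNTS and src not in ADMIN_WORKSTATIONS:
        alerts.append(
            f"{ev['ts']} admin account {user} logged on from non-admin host {src}"
        )
    if user in SERVICE_ACCOUNTS and ltype in INTERACTIVE_TYPES:
        alerts.append(
            f"{ev['ts']} service account {user} used interactively from {src}"
        )
    return alerts


def scan(lines):
    """Run every line through the per-event checks, then add one alert per
    service account that was seen from more than one source host."""
    alerts = []
    svc_sources = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skipped rather than crashing the run
        alerts.extend(check_event(ev))
        if ev["user"] in SERVICE_ACCOUNTS:
            svc_sources[ev["user"]].add(ev["src"])
    for user, srcs in sorted(svc_sources.items()):
        if len(srcs) > 1:
            alerts.append(
                f"service account {user} seen from {len(srcs)} hosts: {sorted(srcs)}"
            )
    return alerts


# Constructed sample log: one clean admin logon, one admin logon from a
# laptop, a normal service logon, a person logging in with the service
# account, an ordinary user, and one line that does not parse.
SAMPLE_LOG = [
    "2017-03-03T13:00:00 LOGON user=adm-jsmith src=ADMWS01 type=interactive",
    "2017-03-03T13:01:00 LOGON user=adm-jsmith src=LAPTOP-JSMITH type=interactive",
    "2017-03-03T13:02:00 LOGON user=svc-backup src=BACKUP01 type=service",
    "2017-03-03T13:03:00 LOGON user=svc-backup src=LAPTOP-RLEE type=interactive",
    "2017-03-03T13:04:00 LOGON user=jdoe src=LAPTOP-JDOE type=interactive",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample data this raises three alerts: the admin account used from a
laptop, the service account used interactively, and the same service account
appearing from two different hosts. The point of the example is that none of
these detections needs anything exotic; they only need the logs centralized
and a written-down policy of which accounts belong on which hosts, which is
exactly the dedicated-account/dedicated-workstation item in the list.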

On Fri, Mar 3, 2017 at 11:36 AM, Dodor, Michael <DodorM () uwstout edu> wrote:

Greetings,

A number of regional campuses are in discussions on requiring 2-factor for
access to High Risk data and one of the elements would be non-directory
(private) FERPA records.

The consensus concern with such a rollout would be usability on such a
large scale and backlash from Faculty.

Has anyone implemented and required 2-factor authentication for faculty
accessing non-directory records? And if so, any tips?

Thank you.

Mike Dodor
Network Administrator/Information Security
Learning and Information Technology
University of Wisconsin – Stout
327 Millennium Hall
Menomonie, WI  54751
Phone: 715-232-2671
dodorm () uwstout edu