Educause Security Discussion mailing list archives

Re: Deploying MFA


From: "Davis, Kevin" <kedavis () DAVIDSON EDU>
Date: Mon, 3 Jul 2017 17:41:47 +0000

We are beginning to plan our Duo MFA roll-out at Davidson. We’re still developing a plan but current thinking is to 
take a three-pronged approach: 

1) Mandatory for all central IT staff for RDP/ssh/SSO logins
2) For staff with known sensitive data access, mandatory for applications containing those data, more nuanced for others
3) Optional for all other faculty/staff - again, we may leverage some of Duo’s policies for certain use cases

As a small college with high-touch support expectations, I’m expecting hands-on support for group (2), but fortunately 
that group is small, less than 100 people. We have the luxury of offering 1-to-1 outreach to these individuals to help 
them enroll.

Of the key applications that we want to protect, we just finished moving one from local auth to SAML/ADFS, and have 
held up deploying SSO on the other until we could implement multifactor for groups (1) and (2) above. We have a 
separate project to roll out SSO to most of our other applications so will be looking to pull MFA along with it.


Kevin

-- 
Kevin Davis
Deputy CIO & Director, Core Services
Davidson College ITS






On 7/3/17, 1:12 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Reyor, William F." <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of wreyor () FAIRFIELD EDU> wrote:

We're getting prepared to roll out Duo here at Fairfield and are using the transition to a new ERP system as a way to 
bootstrap the project and enroll everyone. We studied Yale's deployment to benchmark against and found that the 
biggest challenge is often user communication and creating strategies to avoid user pushback.

Thanks,
Bill

On Jul 3, 2017, at 1:05 PM, James Monek <jmm616 () LEHIGH EDU> wrote:

We are looking to deploy MFA at Lehigh University. I’m reaching out to find out how other universities approached this 
project. During the initial deployment, did you target specific data classifications, at-risk systems or large 
services such as mail? Depending on your scope, was it opt-in or mandatory? How did you capture the second factor? Did 
you find you had to use different solutions for different applications/services?

Jim

--
James Monek
Director, Technology Infrastructure & Operations
Lehigh University - Library and Technology Services
P: 610-758-5010
E: jamesmonek () lehigh edu

Follow Lehigh LTS at:
Facebook: https://www.facebook.com/LehighLTS
Twitter: https://twitter.com/lehighlts

TIO Blog: https://wordpress.lehigh.edu/jmm616/
