Educause Security Discussion mailing list archives

Re: Duo enforcement for students

From: Kristen Dietiker <000001c25973bc27-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 12 Oct 2020 09:03:09 -0700

Thanks Heather, I'm intrigued by your weekly rollout plan. My initial fear
is that it would create additional burden on IT staff to manage the
logistics and communications for so many enrollment days. How did you
manage that?
--
*Kristen Dietiker*
Chief Information Security Officer
Santa Clara University
(408) 554-5554



On Mon, Oct 12, 2020 at 6:50 AM Chester, Heather <htomley () luc edu> wrote:

First off, many thanks to the Educause community for constantly sharing.
There was a wealth of information we used to plan our roll-out. We focused
on a very collaborative deployment and balancing impact to the Service
Desk. See attached/below and use if helpful.

We had a roll-out plan over 5 months, for active faculty, staff,
students. We also requested Student Development, Deans of Schools, and
Leaders of Staff Divisions to identify when would be the best time for
their group to enable MFA over a couple weeks (and remind them that anyone
could opt-in at any time ahead of time). We enabled groups of people
weekly (comm outline below). Due to COVID, we deferred our initial launch
plans (Jan thru May, now May-Sept).

*Overview*

Pilot with internal IT teams (2 or 3 enablement’s)

Pilot “friendly” operations non-IT groups that use ITS service often (to
gain a wider university perspective)

Presented the launch of MFA to the Cabinet (and sent additional
communications to Dean’s Council of this initiative) and Global Comm to
University this would be required

Sought partnership with Student Development, Deans of Schools, and Leaders
of Staff Divisions when would be best for their areas to be enabled during
this timeframe (gave 2 weeks to respond. Goal was to have all groups
scheduled within 2-3 weeks & deploy over 4 mo’s).

Roll-out over 4 months, first with faculty after graduation (May/June),
then staff (June and July), then students (June/July/early August). Moved
all inactive accounts over the course of the deployment, or new accounts as
they were enabled.

Communicated through 5-7 unique channels (faculty, staff, and student)
encouraging self-enrollment (even before required by scheduled group dates,
which drove adoption).

Had video’s, we have detailed step-by-step instructions, and FAQ’s on the
website, and offered weekly Zoom Drop-In sessions on Monday & Tuesday (and
offered individuals to schedule a 1-1 walk thru with Info Security Office)

*Weekly Enablement’s*

Example, on Monday 6/1 we emailed individuals mentioning they would be
enabled the following Wednesday 6/10 at 9am (which gave users 10 days to
self-enroll)

Example, on Monday 6/8 we emailed individuals mentioning they would be
enabled the following Wednesday 6/10 at 9am (which gave users 2 days to
self-enroll)

Example, on Tuesday 6/9 we emailed individuals mentioning they would be
enabled the following Wednesday 6/10 at 9am (which gave users 1 day to
self-enroll, final reminder)

Due to COVID, we changed our deployment, however, the increased security
for our online community was important to everyone so the timing did not
matter as much. We did still take into consideration, avoiding Students,
Faculty, and Student Service (Bursar, Reg&Rec, etc) around 2 weeks before &
after start of school, which was preferred. We avoided staff around start
of school too and avoided staff around annual enrollment (as part of our
initial planning) or end of year around 2 weeks before & after end of year,
that is preferred.

Thank you,

Heather

*Heather Tomley Chester*, MBA, MEd, PMP, ITIL, MSIT (Spring 2021)

ITS Sr. Project Manager

Loyola University of Chicago

[image: LUC 150 logo]

*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *randy
*Sent:* Friday, October 9, 2020 4:36 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Duo enforcement for students

We picked a July 5, 2016 as our cutover date for everyone (F/S/S). We had
a voluntary 6 month cutover period prior to that (1/2016-6/2016) where
anyone could switch over before the official switchover date.

-Randy Marchany

VA Tech IT Security Office & Lab

On Fri, Oct 9, 2020 at 4:31 PM Kristen Dietiker <
000001c25973bc27-dmarc-request () listserv educause edu> wrote:

For those institutions that require Duo or some other multi-factor auth
for students, how did you time the enforcement in terms of the academic
calendar? Summer? Winter or Spring break? When classes were in session? And
would you keep that choice if given a do-over?

Thank you!

*Kristen Dietiker*
Chief Information Security Officer
Santa Clara University
(408) 554-5554

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
<https://urldefense.com/v3/__https://www.educause.edu/community__;!!MLMg-p0Z!TABpbU_Tdta6-IBjxcvj9z-c6XtDHlvWof1I01sK8T8FuOVXrmfA7Rg37iyDsp2D$>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Current thread:

Duo enforcement for students Kristen Dietiker (Oct 09)
- Re: Duo enforcement for students Telfer, Will (Oct 09)
- Re: Duo enforcement for students randy (Oct 09)
  - Re: Duo enforcement for students Chester, Heather (Oct 12)
    - Re: Duo enforcement for students Kristen Dietiker (Oct 12)
    - Re: Duo enforcement for students Chester, Heather (Oct 12)
    - Re: Duo enforcement for students Kristen Dietiker (Oct 12)
- Re: [EXTERNAL][SECURITY] Duo enforcement for students Bandy, John (Oct 09)