Educause Security Discussion mailing list archives
Re: Duo enforcement for students
From: "Chester, Heather" <htomley () LUC EDU>
Date: Mon, 12 Oct 2020 20:06:15 +0000
Kristen, Thank you for asking. It depends on what you’d like to put into it, if you have project managers, and what communication channels/support you may have. The weekly enablement emails can be a lot of work but it’s very helpful to have a balanced enablement spread out over a couple months and let leaders decide when to enable their groups. We are fortunate b/c we had a dedicated PM and were able to get another resource to help with creating / refreshing the not-enrolled distribution groups, (b/c some people would have self-enrolled). The PM also created a lot of the marketing materials and shared with over 15 different communication touch points to help get the word out (newsletters, social media, weekly faculty communications, orientation materials, high traffic app log-in pages mentioning MFA required). If you can create generic communications (for faculty, staff, and students), and obtain support from campus partners with sending out the communications on a schedule, that would be immensely helpful. Perhaps you could share a general communication for the different communication channels to share, with their own emphasis (you just need a tag line – our tag line was “MFA protects you even if your password becomes compromised”). We are very lucky as collaboration and buy-in is very important across our institution and several academic and operational groups were committed to schedule a “best week” or “best month” for their areas to be enabled. You would need: 1 presentation at the Cabinet, requesting support 1 email for the Dean’s Council, requesting support (and that they can share with their schools) 1 email that you will be sending individually to each academic leader or operations leader requesting their support to schedule their division/group 1 email for the university community mentioning the kickoff and why the university is enabling MFA (formalizing what to expect, hi-level) A couple marketing ideas about how to pitch MFA (we mentioned, “MFA is required for the Fall. Enroll today! https://www.luc.edu/its/services/mfa/ “) or (“Get double the protection with MFA. Enroll today”). 1 enablement email that you will send three times A PM or IT resource to dedicate 20% of their time to coordinating the work, creation / deployment of the marketing materials, running weekly project mtgs to address any concerns/issues, create distribution groups for not-enrolled users. On another note, from our research, several other universities have deployed with a big bang approach and usually see an impact to the service desk for 2-3 days. With all the “change” around the pandemic, we wanted as little “new” to people’s adoption to technology and security, while ensuring the value of enabling MFA remained high (which we’ve even received several likes on social media, which was a bonus). Another smaller institution deployed as we also deployed and they mentioned it was very helpful with providing a balanced approach that was very supportive across the university community. Happy to discuss further if it may help. Thank you, Heather htomley () luc edu<mailto:htomley () luc edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kristen Dietiker Sent: Monday, October 12, 2020 11:03 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Duo enforcement for students Thanks Heather, I'm intrigued by your weekly rollout plan. My initial fear is that it would create additional burden on IT staff to manage the logistics and communications for so many enrollment days. How did you manage that? -- Kristen Dietiker Chief Information Security Officer Santa Clara University (408) 554-5554 On Mon, Oct 12, 2020 at 6:50 AM Chester, Heather <htomley () luc edu<mailto:htomley () luc edu>> wrote: First off, many thanks to the Educause community for constantly sharing. There was a wealth of information we used to plan our roll-out. We focused on a very collaborative deployment and balancing impact to the Service Desk. See attached/below and use if helpful. We had a roll-out plan over 5 months, for active faculty, staff, students. We also requested Student Development, Deans of Schools, and Leaders of Staff Divisions to identify when would be the best time for their group to enable MFA over a couple weeks (and remind them that anyone could opt-in at any time ahead of time). We enabled groups of people weekly (comm outline below). Due to COVID, we deferred our initial launch plans (Jan thru May, now May-Sept). Overview Pilot with internal IT teams (2 or 3 enablement’s) Pilot “friendly” operations non-IT groups that use ITS service often (to gain a wider university perspective) Presented the launch of MFA to the Cabinet (and sent additional communications to Dean’s Council of this initiative) and Global Comm to University this would be required Sought partnership with Student Development, Deans of Schools, and Leaders of Staff Divisions when would be best for their areas to be enabled during this timeframe (gave 2 weeks to respond. Goal was to have all groups scheduled within 2-3 weeks & deploy over 4 mo’s). Roll-out over 4 months, first with faculty after graduation (May/June), then staff (June and July), then students (June/July/early August). Moved all inactive accounts over the course of the deployment, or new accounts as they were enabled. Communicated through 5-7 unique channels (faculty, staff, and student) encouraging self-enrollment (even before required by scheduled group dates, which drove adoption). Had video’s, we have detailed step-by-step instructions, and FAQ’s on the website, and offered weekly Zoom Drop-In sessions on Monday & Tuesday (and offered individuals to schedule a 1-1 walk thru with Info Security Office) Weekly Enablement’s Example, on Monday 6/1 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am (which gave users 10 days to self-enroll) Example, on Monday 6/8 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am (which gave users 2 days to self-enroll) Example, on Tuesday 6/9 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am (which gave users 1 day to self-enroll, final reminder) Due to COVID, we changed our deployment, however, the increased security for our online community was important to everyone so the timing did not matter as much. We did still take into consideration, avoiding Students, Faculty, and Student Service (Bursar, Reg&Rec, etc) around 2 weeks before & after start of school, which was preferred. We avoided staff around start of school too and avoided staff around annual enrollment (as part of our initial planning) or end of year around 2 weeks before & after end of year, that is preferred. Thank you, Heather Heather Tomley Chester, MBA, MEd, PMP, ITIL, MSIT (Spring 2021) ITS Sr. Project Manager Loyola University of Chicago [LUC 150 logo] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of randy Sent: Friday, October 9, 2020 4:36 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Duo enforcement for students We picked a July 5, 2016 as our cutover date for everyone (F/S/S). We had a voluntary 6 month cutover period prior to that (1/2016-6/2016) where anyone could switch over before the official switchover date. -Randy Marchany VA Tech IT Security Office & Lab On Fri, Oct 9, 2020 at 4:31 PM Kristen Dietiker <000001c25973bc27-dmarc-request () listserv educause edu<mailto:000001c25973bc27-dmarc-request () listserv educause edu>> wrote: For those institutions that require Duo or some other multi-factor auth for students, how did you time the enforcement in terms of the academic calendar? Summer? Winter or Spring break? When classes were in session? And would you keep that choice if given a do-over? Thank you! -- Kristen Dietiker Chief Information Security Officer Santa Clara University (408) 554-5554 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!MLMg-p0Z!TABpbU_Tdta6-IBjxcvj9z-c6XtDHlvWof1I01sK8T8FuOVXrmfA7Rg37iyDsp2D$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!MLMg-p0Z!TABpbU_Tdta6-IBjxcvj9z-c6XtDHlvWof1I01sK8T8FuOVXrmfA7Rg37iyDsp2D$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!MLMg-p0Z!TABpbU_Tdta6-IBjxcvj9z-c6XtDHlvWof1I01sK8T8FuOVXrmfA7Rg37iyDsp2D$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Duo enforcement for students Kristen Dietiker (Oct 09)
- Re: Duo enforcement for students Telfer, Will (Oct 09)
- Re: Duo enforcement for students randy (Oct 09)
- Re: Duo enforcement for students Chester, Heather (Oct 12)
- Re: Duo enforcement for students Kristen Dietiker (Oct 12)
- Re: Duo enforcement for students Chester, Heather (Oct 12)
- Re: Duo enforcement for students Kristen Dietiker (Oct 12)
- Re: Duo enforcement for students Chester, Heather (Oct 12)