A Case for Open-Source Multifactor Authentication Security in Higher Education


Higher education has an opportunity to be a leader in establishing a practice and culture of cybersecurity.


Cybersecurity is a growing national concern, with real economic costs and national-prosperity implications. Colleges and universities are attractive targets because of their important role as our nation’s innovation hubs and their tradition of open systems that contain treasure troves of information. Cyber thieves view these environments as meaningful monetization opportunities on the deep and dark webs, using strategies ranging from phishing for “soft targets” containing personal information to ransomware used to capture valuable research information on behalf of sophisticated state actors.

Defending against these attacks can be challenging, given that most educational institutions maintain a range of modern and legacy systems. Some systems are centrally managed; others are single servers running an experimental apparatus. There are independently operating research computing clusters, IoT devices (as simple as vending machines), and now even drones for research, all of which present attack vectors and require agile authentication solutions to create a holistic security perimeter.

Although some of these systems can use central identity and access management solutions to defend against common attacks, others cannot. Some systems are for staff, but others are for students, vendors, prospective students, or collaborators who may not want to get “affiliate” status at multiple institutions.

Given the multiplicity of systems, user types, and attack vectors, colleges and universities have a real challenge on their hands. However, they also have an opportunity to stay true to their roots and innovate with open cybersecurity solutions, especially when it comes to multifactor authentication (MFA). Some contend that trailblazing with open-source MFA presents other problems, but let’s review one of higher education’s most significant pioneering efforts—the internet.

Colleges and universities have a rich history in creating the modern internet. Email and networking were common on campuses long before they hit the corporate office, and certainly before mass consumerism. Open-source and open-software solutions were catalyzed by higher ed during this movement, as computers became an integral part of institutional research and beyond. At one point, higher ed IT far outpaced corporate IT in capability and was considered fertile ground where IT innovation flourished—because it was open and built by the campus.

The same opportunity for higher ed exists today in cybersecurity, especially as we approach the inflection point of viewing cybersecurity not simply as an afterthought but as a fundamental way of thinking and behaving, much like people think and behave before crossing a busy street.

But wait, do IT departments really have time to implement and maintain an open-source MFA solution? Security-minded faculty and staff already have their hands full, and procuring funding to expand staff can be challenging. These limitations, combined with the increase in cybercrime activity such as brute-force attacks, have prompted institutions to adopt outsourced, SaaS-based MFA platforms with license restrictions.

Centralized MFA is an excellent option for organizations with tight bounds; however, colleges and universities have a complex balance of centralized and decentralized systems. Faculty and staff who deal with decentralized systems must force-fit these technologies into their routines and computing resources, even though they might not entirely work, resulting in the need for further coding and augmentation anyway. Computing resources or networked systems that simply do not fit within the centralized platform are typically left unprotected. Research computing resources are a perfect example of systems that typically get left out due to their distinct differences.

Despite these challenges, a balanced approach for MFA does exist that can include protection for both decentralized and centralized systems, and it begins with open source as a flexible and adaptable foundation. Colleges and universities can use a proven, open-source solution for basic, on-premises use cases, while interacting and innovating with other community members located at other institutions. Code is shared, systems are continuously hardened, and a library of flexible adaptations becomes available for various integrations and use cases. If more-centralized MFA solutions are required individually or in combination with open-source solutions, institutions can hire enterprise-level expertise to implement enhanced, SaaS-based versions complete with dashboarding, analytics, ongoing support, and other features expected from a major supplier, but at a more affordable price point and without the need for licenses.

The end result in this scenario is a lightweight yet balanced MFA framework that allows institutions to secure systems and resources their way; spend time and resources responsibly while protecting all resources; and leave room for enterprise-level solutions or outsourcing help when it makes sense. More importantly, it positions higher ed as a leader in cybersecurity and identity and access management, spawning new growth and innovation that can potentially bridge the cybersecurity expertise gap.

Colleges and universities have always been pioneers in finding solutions to our problems. Cybersecurity should be no different, and MFA is a perfect place to start.


Mike Roth is CEO of Evo Security Technologies.

© 2018 Mike Roth. The text of this work is licensed under a Creative Commons BY 4.0 International License.