Data derived from the 2018 EDUCAUSE Core Data Service module on information security illuminates campus multifactor authentication practices.
If you participated in the 2018 CDS survey, it's time to reap the rewards! Explore the most recent data on information security in the CDS Portal. EDUCAUSE members can also check out our easy-to-scan information security almanac featuring 2018 data highlights.
The recently released EDUCAUSE 2019 Trend Watch and Top 10 Strategic Technologies, coupled with its Top 10 IT Issues research, helps higher education IT leaders know "what's important and where to focus" in their IT planning. This year, information security is again a focus area for higher education as information security strategy (the #1 IT Issues) and the growing complexity of security threats (the #1 strategic trend) take center stage.
Understanding the current state of information security in higher education is key to developing effective strategies to combat increasingly sophisticated information security threats. The EDUCAUSE Core Data Service (CDS), created by EDUCAUSE members in 2002, documents the state of higher education IT practices. In 2018 the CDS information security module was revised and included as an optional module.1 In addition to asking long-standing questions about information security leadership and responsibilities, the module asked new and expanded questions about identity and access management practices, training and awareness activities, vulnerability management, and information security metrics.
Identity and access management practices are a staple of any information security program. They allow the institution to know who its community members are, and they allow students, faculty, and staff to have appropriate access to institutional IT resources and data. Without effective identity and access management practices, many of today's most common end-user computing expectations, from bring-your-own-everything to access anywhere, would be virtually impossible to manage in a way that permits access and ensures security.
In response to member requests to better understand campus use of multifactor authentication (MFA),2 the 2018 CDS information security module asked numerous questions about how colleges and universities use MFA. The data show that almost three-quarters of institutions were tracking or planning or had partially deployed nonbiometric MFA on campus and that 17% of institutions had institution-wide deployment of nonbiometric MFA (up from 8% in 2016). Unsurprisingly, the top uses of MFA at institutions using that type of authentication include business-critical applications, such as financial or HR systems (57%), IT administrative access (55%), remote access to IT services (46%), and email (38%). It makes sense that institutions would deploy MFA technologies to protect the systems that house some of its most critical financial and confidential (HR) data.
Institutions that deploy MFA use a number of different types of technologies. Mobile device authenticator apps were among the most popular technologies—72% of institutions using MFA offered this type of technology. Other popular technologies included text message one-time passwords (51%), key fobs (41%), and security tokens (41%). Figure 1 shows how each type of possession-based technology was deployed to faculty, staff, and students at institutions using MFA technologies. Use of these technologies is greater for faculty and staff groups, which makes sense given the large amounts of data that these two groups are entrusted to protect.
Multifactor authentication technology is but one important tool in the information security practitioner's toolbox. You can see more highlights on the current state of higher education information security service delivery by viewing the 2018 information security almanac and visiting the EDUCAUSE library to view all CDS information security research.
Read more about MFA campus implementations:
- Two-Factor Authentication: Lessons Learned
- The Adoption of Multifactor Authentication in Higher Education [https://staysafeonline.org/blog/adoption-mfa-higher-education/]
- The 2FA Honeymoon Is Over
Notes
- The first CDS module, IT Organization, Staffing, and Financing, is required and offered every year; other modules, including the information security module, are optional and offered on a rotating basis. The information security module was last offered in 2016. Read more about how CDS defines the information security domain. ↩
- Multifactor authentication verifies a user's identity by requiring multiple credentials, instead of just one. MFA usually refers to three general types authentication factors: something you have (such as a key fob), something you know (such as a password), and something you are (such as a fingerprint). ↩
Joanna Lyn Grama Senior Consultant with Vantage Technology Consulting Group.
© 2019 Joanna Lyn Grama. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.