Words: Marco Pirovano, Bocconi University, Milan, Italy
Bocconi University was founded in 1902 in Milan and today is a leading research and education university at the European level, specialising in the social sciences with a strong orientation towards data science and artificial intelligence. When it comes to cybersecurity, the university has faced several threats in recent years:
Email is still widely used across the university, among students, professors and at administration level. Over the years, we have experienced a dramatic increase in phishing attempts via incoming email, which are increasingly sophisticated, while users do not yet seem sufficiently aware to recognise them. The university therefore launched a cybersecurity awareness programme with the aim of making users more careful on the internet and, above all, when managing their inbox. Fake phishing campaigns are sent periodically to encourage users to analyse the emails they receive, and to make them aware that a single click could cause problems for the entire university. Despite these efforts, the threat is still there. After all, it only takes a single user and one click…
For users, managing the credentials used to access university systems remains a problem, even a nuisance. Why must a password be changed periodically? Why must a password have certain characteristics? These questions have gradually led users to adopt password managers, to securely store their many passwords and to generate new ones that meet the university’s policies. However, all it takes is a single user…
Users Are the Weakest Link
It is clear that users have a fundamental role in cybersecurity. Technology certainly helps and makes a lot of our work easier, but we must remember that:
Sec_rity is NOT complete without U!
Thus, the university decided to adopt Multi-Factor Authentication (MFA), requiring a second authentication factor (Two-Factor Authentication, 2FA), to make the chain more robust. This is our experience.
What is MFA?
Multi-Factor Authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has) and inherence (something only the user is).
Two-Factor Authentication (2FA) is a type, or subset, of Multi-Factor Authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors:
- something they know – password, pass phrase, PIN
- something they have – physical token, phone-based authenticator
- something they are – biometric, such as fingerprint or retina pattern
How 2FA Works
Two-Factor Authentication enhances the security of university credentials by using a secondary device to verify a user’s identity when accessing university applications. This service provides enhanced security and protects university accounts in the event that someone manages to obtain login credentials.
Here are the steps:
- Enter your credentials
- Use your phone to verify your identity
- You are now securely logged in
Single Sign-On: Where to Start
Access to any web application via single sign-on (SSO) has become mandatory at our university. Our SSO system is Shibboleth, so we started by taking steps to protect it. The Technology team decided that it needed a security solution that is not only simpler and more straightforward for users, but that can also help the university achieve its vision of a zero-trust security model. 2FA has been adopted through both commercial and open source solutions.
How to phase the rollout is a very important aspect to evaluate, especially in institutions with thousands of users. The adoption of 2FA began with staff, then moved on to faculty and finally to students. To trigger 2FA, the university adopted the following solution: groupMembership is among the attributes released by Shibboleth, and if a user belongs to a certain LDAP group then the second authentication factor is required. This allowed us to activate users in successive waves and allowed our HelpDesk to keep track of them in case of problems. After some initial inconvenience, we can say that users are now aware of the added value of 2FA for the security of their credentials.
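As an added example (not Bocconi's own configuration), the group-based trigger described above can be expressed in the Shibboleth IdP v4 MFA flow: after the password flow, a script resolves the groupMembership attribute and invokes the second-factor flow only when the user carries the configured group value. The group DN, the attribute id "groupMembership" and the "authn/Duo" flow id are assumptions; substitute the second-factor flow actually deployed.

```xml
<!-- Fragment of conf/authn/mfa-authn-config.xml (added example, not the university's file) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First factor: the normal password login. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After a successful password, a script decides whether a second factor is required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
    <!-- No entry for authn/Duo: the MFA flow ends once the second factor succeeds. -->
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
      p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value><![CDATA[
            // Assumed value: the LDAP group whose members must present a second factor.
            var mfaGroup = "cn=mfa-users,ou=groups,dc=example,dc=edu";   // placeholder DN
            var nextFlow = "authn/Duo";   // assumed second-factor flow id

            var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            var mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // If the password result already satisfies the request, the group decides;
            // otherwise (e.g. the SP demanded MFA) go straight to the second factor.
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;   // default for this branch: password alone is enough
                // Resolve groupMembership for the principal who just authenticated.
                var resCtx = input.getSubcontext(
                    "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
                resCtx.setPrincipal(input.getSubcontext(
                    "net.shibboleth.idp.authn.context.SubjectContext").getPrincipalName());
                resCtx.getRequestedIdPAttributeNames().add("groupMembership");
                resCtx.resolveAttributes(custom);

                var attribute = resCtx.getResolvedIdPAttributes().get("groupMembership");
                var valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
                if (attribute != null && attribute.getValues().contains(new valueType(mfaGroup))) {
                    nextFlow = "authn/Duo";   // member of the MFA group: require the second factor
                }
                // Drop the resolution context so it does not leak into later attribute release.
                input.removeSubcontext(resCtx);
            }
            nextFlow;   // null ends the MFA flow; a flow id runs that flow next
        ]]></value>
    </constructor-arg>
</bean>
```

Because the decision is evaluated at every login, moving a user into or out of the LDAP group is enough to enable or disable the second factor, which is what lets the HelpDesk track activations per wave.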
Our main challenges after deployment:
“I changed my phone, how should I proceed?”
“I forgot my phone at home, so how can I access the various services?”
The responses to these requests vary depending on the solution adopted for 2FA, and it is important that the HelpDesk is equipped with the appropriate tools to manage such issues. In addition, before activating the second factor it is important to prepare an effective communication strategy and information material for users, so that they can begin to familiarise themselves with the new tools. Beyond the SSO system, 2FA is also active for VPN access and for access to the main university systems.
About Marco Pirovano
In 1988 I started working at CNR (Italian National Research Council) in the Milan Research Area. In 1992 I created the first site, www.cnr.it, and started to organise an index of telematic references to information produced on the internet by the CNR organisations, the map of Italian WWW and Gopher sites and the first catalogue of Italian web resources (Italian General Subject Tree). Since 1996 I have been working at Bocconi University, where I am responsible for the Networking and Cybersecurity team within the Technology division.
Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Become A Cyber Hero’. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23