Summary
This page describes the elements of justification for MFA at the University of Washington.
Our current MFA solution is offered as an optional component of our authentication services.
Strategic Context: Who We Are
- We are a proud member of the research and education (R&E) community
- We are a global institution with members located all over the world
- We compete for the best students, faculty, and staff
- We thrive on interdisciplinary collaboration
Strategic Imperatives: Why MFA is Important
- Must position the institution to address the information security and privacy issues of the 21st century
- Must align strategy for trusted online identity with the national and international communities of which we're a part
- Must invest in 21st century modes of trusted online identity to enable collaboration
- Must respond to changing business drivers: mobile, social, personal, etc.
Historical Context
- Late 1980s - SecurID (Security Dynamics) tokens introduced for Unisys MCP environment
- Early 1990s - SecurID use expanded to Unix systems; shared root accounts
- 1999 - SecurID use expanded to Web SSO (Pubcookie) environment
- 2002 - "Secure Services" project completed; eliminates unprotected password authentication
- 2008 - RFP issued; seeks vendor for one-time password (OTP) tokens and server software
- 2008 - Entrust Identity Guard phased in; first Entrust token issued; final SecurID token issued
- 2009 - President’s Advisory Committee on Enterprise Risk Management (PACERM)
- 2010 - Internal audit recommendation to strengthen user authentication for student information access
- 2011 - Final SecurID token retired
- 2012 - APS 2.10 retired (UW policy prescribing MFA for data classified as UW Confidential)
- 2012 - "UW NetID Password Policy Foundations Project" begins; includes password risk assessment
- 2013 - MFA Cohortium begins
Business Drivers
Business needs we serve today:
- Administrative system (mainframe) user access
- Administrative system (mainframe) developer access
- Unix system privileged root account access
- Network device access
- Web access; widespread, standards-based MFA for use on the Web
Business needs we need to serve:
- MFA as a personal choice; enable widespread opt-in by users
- Respond to increased frequency, sophistication, and success of phishing attacks
- Support non-Web application architectures (mobile, desktop)
- Support specific line-of-business applications (Enterprise Data Warehouse, Dynamics CRM, Office 365)
- InCommon Silver certification
- NSTIC alignment
- BYOD environment
Governance, Risk, Compliance Drivers
- Internal - Policies, Standards, and Guidelines
- External - Information Security and Privacy Laws and Regulations
- Enterprise Risk Management - a process to integrate risk into strategic deliberations, identifying the interrelations of risk factors across an organization's activities
- Enterprise Architecture - a set of practices that will align MFA solutions with business goals
Costs
Project: introduce or change services
- SecurID projects - various costs
- "Replace Two-Factor Authentication Project" - 1700 hours (800 hours estimated); RFP issued in July 2008; project completed January 2009
- "Business Continuity Initiative" - includes MFA solutions; improves disaster recovery; started 2010; has special funding
- "Internet2 MFA Cohortium Project" - proposed project for FY14
Operation: ongoing, recurring, and sustaining costs
- Labor (service management, support, required maintenance, etc.)
- Software licenses
- Token costs
- Platform costs (servers, databases, etc.)
Intangible: hard to know or measure
- Architectural debt - costs unknown
- Lost opportunities - costs unknown
- Reduced speed/agility - costs unknown
- Audit costs - "Student Systems Security Infrastructure Improvements Project" - 1100 hours (200 hours estimated); a larger project responding to an internal audit of access to student information, one recommendation of which was to strengthen user authentication
Funding Model
- Our current MFA service is funded by the Technology Recharge Fee (a per capita fee paid by all business units)
Benefits
- Financial
- User experience, customer satisfaction
Return On Investment
- cost-benefit analysis
- ROI calculations