Summary

This page describes the elements of justification for MFA at the University of Washington.

Our current MFA solution is an optional component of our authentication services.

Strategic Context: Who We Are

  • We are a proud member of the research and education (R&E) community
  • We are a global institution with members located all over the world
  • We compete for the best students, faculty, and staff
  • We thrive on interdisciplinary collaboration

Strategic Imperatives: Why MFA is Important

  • Must position the institution to address the information security and privacy issues of the 21st century
  • Must align strategy for trusted online identity with the national and international communities of which we're a part
  • Must invest in 21st century modes of trusted online identity to enable collaboration
  • Must respond to changing business drivers: mobile, social, personal, etc.

Historical Context

  • Late 1980s - SecurID (Security Dynamics) tokens introduced for Unisys MCP environment
  • Early 1990s - SecurID use expanded to Unix systems; shared root accounts
  • 1999 - SecurID use expanded to Web SSO (Pubcookie) environment
  • 2002 - "Secure Services" project completed; eliminates unprotected password authentication
  • 2008 - RFP issued; seeks vendor for one-time password (OTP) tokens and server software
  • 2008 - Entrust Identity Guard phased in; first Entrust token issued; final SecurID token issued
  • 2009 - President’s Advisory Committee on Enterprise Risk Management (PACERM)
  • 2010 - Internal audit recommendation to strengthen user authentication for student information access
  • 2011 - Final SecurID token retired
  • 2012 - APS 2.10 retired (UW policy prescribing MFA for data classified as UW Confidential)
  • 2012 - "UW NetID Password Policy Foundations Project" begins; includes password risk assessment
  • 2013 - MFA Cohortium begins

Business Drivers

Business needs we serve today:

  • Administrative system (mainframe) user access
  • Administrative system (mainframe) developer access
  • Unix system privileged root account access
  • Network device access
  • Web access; widespread, standards-based MFA for use on the Web

Business needs we need to serve:

  • MFA as a personal choice; enable widespread opt-in by users
  • Respond to increased frequency, sophistication, and success of phishing attacks
  • Support non-Web application architectures (mobile, desktop)
  • Support specific line-of-business applications (Enterprise Data Warehouse, Dynamics CRM, Office 365)
  • InCommon Silver certification
  • NSTIC alignment
  • BYOD environment

Governance, Risk, Compliance Drivers

Costs

Project: introduce or change services

  • SecurID projects - various costs
  • "Replace Two-Factor Authentication Project" - 1700 hours (800 hours estimated); RFP issued in July 2008; project completed January 2009
  • "Business Continuity Initiative" - includes MFA solutions; improves disaster recovery; started 2010; has special funding
  • "Internet2 MFA Cohortium Project" - proposed project for FY14

Operation: ongoing, recurring, and sustaining costs

  • Labor (service management, support, required maintenance, etc.)
  • Software licenses
  • Token costs
  • Platform costs (servers, databases, etc.)

Intangible: hard to know or measure

  • Architectural debt - costs unknown
  • Lost opportunities - costs unknown
  • Reduced speed/agility - costs unknown
  • Audit costs - "Student Systems Security Infrastructure Improvements Project" - 1100 hours (200 hours estimated); a larger project responding to an internal audit of access to student information, one of whose recommendations was to strengthen user authentication

Funding Model

  • Our current MFA service is funded by the Technology Recharge Fee (a per capita fee paid by all business units)

Benefits

  • Financial
  • User experience, customer satisfaction

Return On Investment

  • Cost-benefit analysis
  • ROI calculations